[Swan] Cannot start ipsec service using systemd

Elison Niven elison.niven at cyberoam.com
Fri Jan 4 14:22:22 EET 2013


SELinux is disabled.
$ getenforce
Disabled
$ ls /etc/rc.d/init.d/ipsec*
ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory

Thanks.

On Friday 04 January 2013 05:35 PM, Philippe Vouters wrote:
> Dear Elison,
>
> I am running Fedora 17 i686 with SELinux policy set to permissive. I
> just downloaded https://download.libreswan.org/libreswan-3.0.tar.gz
> and performed the following commands from my user account:
>
> $ sudo yum remove libreswan
> $ sudo mv /etc/ipsec.conf.rpmsave /etc/ipsec.conf
> $ tar -zxvf download/libreswan-3.0.tar.gz
> $ cd libreswan-3.0/
> $ make programs
> $ sudo make install
> $ sudo systemctl start ipsec.service
> [philippe@victor libreswan-3.0]$ sudo systemctl status ipsec.service
> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
>            Active: active (running) since Fri, 04 Jan 2013 12:42:54
> +0100; 14s ago
>           Process: 2154
> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited,
> status=0/SUCCESS)
>           Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>          Main PID: 2215 (sh)
>            CGroup: name=systemd:/system/ipsec.service
>                     2215 /usr/bin/sh -c eval
> `/usr/local/libexec/ipsec/plut...
>                     2216 /usr/bin/sh -c eval
> `/usr/local/libexec/ipsec/plut...
>                     2217 /usr/local/libexec/ipsec/pluto --config
> /etc/ipsec...
>                     2242 _pluto_adns
>
> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
> find_host_pair_conn ...
> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: added connection
> descr...
> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | reaped addconn
> helpe...
> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
> connect_to_host_pair...
> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | find_host_pair:
> comp...
> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
> connect_to_host_pair...
> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | find_host_pair:
> comp...
> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
> connect_to_host_pair...
> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | find_host_pair:
> comp...
> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
> connect_to_host_pair...
> [philippe@victor libreswan-3.0]$ sudo systemctl stop ipsec.service
> [philippe@victor libreswan-3.0]$ sudo systemctl status ipsec.service
> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
>            Active: inactive (dead) since Fri, 04 Jan 2013 12:50:26
> +0100; 2s ago
>           Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
> (code=exited, status=0/SUCCESS)
>           Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
> (code=exited, status=0/SUCCESS)
>           Process: 2572 ExecStop=/usr/local/sbin/ipsec whack --shutdown
> (code=exited, status=0/SUCCESS)
>           Process: 2215 ExecStart=/usr/bin/sh -c eval
> `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
> $PLUTO_OPTIONS` (code=exited, status=0/SUCCESS)
>           Process: 2154
> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited,
> status=0/SUCCESS)
>           Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>            CGroup: name=systemd:/system/ipsec.service
>
> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: shutting down
> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
> connectio...
> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "roadwarrior":
> deletin...
> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
> connectio...
> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "macintosh-l2tp":
> dele...
> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
> connectio...
> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
> "roadwarrior-l2tp": de...
> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
> connectio...
> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
> "roadwarrior-l2tp-upda...
> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | crl fetch
> request li...
>
> So would it happen you still have /etc/rc.d/init.d/ipsec* ?
> On my side:
> [philippe@victor libreswan-3.0]$ ls /etc/rc.d/init.d/ipsec*
> ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
> Would it also happen but it looks at first glance unlikely that you are
> facing some SELinux issue ?
> Can you give us the output of the following:
> [philippe@victor libreswan-3.0]$ sudo getenforce
> Permissive
> If getenforce returns Enforcing, can you perform the following commands:
> [philippe@victor libreswan-3.0]$ sudo restorecon /usr/local/sbin -Rv
> [philippe@victor libreswan-3.0]$ sudo restorecon /usr/local/libexec/ipsec -Rv
> [philippe@victor libreswan-3.0]$
>
> Once the above points clean,
>
> [philippe@victor libreswan-3.0]$ sudo systemctl --system daemon-reload
> [philippe@victor libreswan-3.0]$ sudo systemctl restart ipsec.service
> [philippe@victor libreswan-3.0]$ sudo systemctl status ipsec.service
> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
>            Active: active (running) since Fri, 04 Jan 2013 12:58:55
> +0100; 6s ago
>           Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
> (code=exited, status=0/SUCCESS)
>           Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
> (code=exited, status=0/SUCCESS)
>           Process: 2572 ExecStop=/usr/local/sbin/ipsec whack --shutdown
> (code=exited, status=0/SUCCESS)
>           Process: 2947
> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited,
> status=0/SUCCESS)
>           Process: 2942 ExecStartPre=/usr/local/sbin/ipsec addconn
> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>          Main PID: 3011 (sh)
>            CGroup: name=systemd:/system/ipsec.service
>                     3011 /usr/bin/sh -c eval
> `/usr/local/libexec/ipsec/plut...
>                     3012 /usr/bin/sh -c eval
> `/usr/local/libexec/ipsec/plut...
>                     3013 /usr/local/libexec/ipsec/pluto --config
> /etc/ipsec...
>                     3038 _pluto_adns
>
> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
> find_host_pair_conn ...
> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: added connection
> descr...
> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | reaped addconn
> helpe...
> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
> connect_to_host_pair...
> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | find_host_pair:
> comp...
> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
> connect_to_host_pair...
> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | find_host_pair:
> comp...
> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
> connect_to_host_pair...
> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | find_host_pair:
> comp...
> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
> connect_to_host_pair...
>
> Thank you so much in advance to keep us informed.
> Best regards,
>
> Philippe Vouters (Fontainebleau/France)
> URL: http://vouters.dyndns.org/
> SIP: sip:Vouters at sip.linphone.org
>
> Le 04/01/2013 10:51, Elison Niven a écrit :
>> Hi,
>>
>> I downloaded libreswan and installed from source on Fedora 16.
>> # Install dependencies
>> $ yum install unbound-devel libcap-ng-devel xmto
>>
>> # Remove openswan, racoon
>> $ yum remove openswan ipsec-tools
>>
>> # Make and install libreswan
>> # make programs
>> $ make install
>>
>> $ systemctl --system daemon-reload
>> $ systemctl enable ipsec.service
>> $ service ipsec start
>> Redirecting to /bin/systemctl  start ipsec.service
>>
>> $ service ipsec status
>> Redirecting to /bin/systemctl  status ipsec.service
>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>       Loaded: loaded (/lib/systemd/system/ipsec.service; enabled)
>>       Active: failed since Fri, 04 Jan 2013 15:11:52 +0530; 2s ago
>>      Process: 13445 ExecStopPost=/sbin/ip xfrm state flush
>> (code=exited, status=0/SUCCESS)
>>      Process: 13443 ExecStopPost=/sbin/ip xfrm policy flush
>> (code=exited, status=0/SUCCESS)
>>      Process: 13440 ExecStop=/usr/local/sbin/ipsec whack --shutdown
>> (code=exited, status=1/FAILURE)
>>      Process: 13438 ExecStart=/usr/bin/sh -c eval
>> `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
>> $PLUTO_OPTIONS` (code=exited, status=203/EXEC)
>>      Process: 13379
>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>> (code=exited, status=0/SUCCESS)
>>      Process: 13376 ExecStartPre=/usr/local/sbin/ipsec addconn
>> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>>       CGroup: name=systemd:/system/ipsec.service
>>
>>
>> I can start pluto manually by executing the commands in the systemd
>> unit file marked for ExecStartPre and ExecStart.
>>
>> $ cat /etc/systemd/system/multi-user.target.wants/ipsec.service
>> [Unit]
>> Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
>> After=syslog.target
>> After=network.target
>> #After=remote-fs.target
>>
>> [Service]
>> Type=simple
>> Restart=always
>> EnvironmentFile=-/etc/sysconfig/pluto
>> #Environment=IPSEC_LIBDIR=/usr/local/libexec/ipsec
>> #Environment=IPSEC_SBINDIR=/usr/local/sbin
>> #Environment=IPSEC_EXECDIR=/usr/local/libexec/ipsec/ipsec
>> #PIDFile=/var/run/pluto/pluto.pid
>> #
>> ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig
>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>> ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
>> ExecStop=/usr/local/sbin/ipsec whack --shutdown
>> ExecStopPost=/sbin/ip xfrm policy flush
>> ExecStopPost=/sbin/ip xfrm state flush
>> ExecReload=/usr/local/sbin/ipsec whack --listen
>>
>> [Install]
>> WantedBy=multi-user.target
>> Alias=syslog.service
>>
>> Any help?
>>
>
>
>

-- 
Best Regards,
Elison Niven
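
For reference when reading the status output quoted above: systemd reports status=203/EXEC when it could not execute the program named on an Exec* line at all, most often because that path is missing or not executable. The script below is an added example, not part of the original messages or of libreswan; `check_unit_execs`, its optional root argument and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). check_unit_execs UNIT [ROOT] prints
# each Exec* program in UNIT that is missing or not executable and returns 1
# if any is. ROOT is a hypothetical prefix so the check can run on a test tree.
check_unit_execs() {
    unit=$1; root=${2:-}; bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=${line%%=*}; cmd=${line#*=}
        # Strip systemd's special executable prefixes (-, @, +, !, :).
        while :; do
            case $cmd in
                [-@+!:]*) cmd=${cmd#?} ;;
                *) break ;;
            esac
        done
        prog=${cmd%% *}              # first word is the program path
        if [ ! -f "$root$prog" ] || [ ! -x "$root$prog" ]; then
            echo "$key: $prog missing or not executable"
            bad=1
        fi
    done <<EOF
$(grep -E '^Exec[A-Za-z]*=' "$unit")
EOF
    return $bad
}

# Constructed demo: a cut-down copy of the unit quoted above and a fake root
# that deliberately lacks /usr/bin/sh (an assumption made to trigger the
# report, not a statement about the poster's system).
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/root/usr/local/sbin" "$d/root/sbin" "$d/root/bin"
    for f in usr/local/sbin/ipsec sbin/ip bin/sh; do
        : > "$d/root/$f"; chmod +x "$d/root/$f"
    done
    cat > "$d/ipsec.service" <<'UNIT'
[Service]
#PIDFile=/var/run/pluto/pluto.pid
ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig
ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
ExecStopPost=/sbin/ip xfrm policy flush
UNIT
    check_unit_execs "$d/ipsec.service" "$d/root" && rc=0 || rc=$?
    rm -rf "$d"
    return $rc
}

demo || true
```

On a real host, call `check_unit_execs` with only the unit file path so that the paths are tested against the running system.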

