[Swan] Cannot start ipsec service using systemd

Philippe Vouters philippe.vouters at laposte.net
Fri Jan 4 15:07:00 EET 2013


Dear Elison,

pluto fails to correctly start on your side on:
  /usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto
--config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
whack failing on stop is just a consequence.

Because $PLUTO_OPTIONS comes from:
EnvironmentFile=-/etc/sysconfig/pluto

can you

  $ cat /etc/sysconfig/pluto

  $ export PLUTO_OPTIONS=<the right side of the assignment in your PLUTO_OPTIONS in your /etc/sysconfig/pluto file>

and manually perform:

  /usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'

from a root account?

You provide us the output of what you did and read.
Thank you so much in advance.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 04/01/2013 13:22, Elison Niven wrote:
> SELinux is disabled.
> $ getenforce
> Disabled
> $ ls /etc/rc.d/init.d/ipsec*
> ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
>
> Thanks.
>
> On Friday 04 January 2013 05:35 PM, Philippe Vouters wrote:
>> Dear Elison,
>>
>> I am running Fedora 17 i686 with SELinux policy set to permissive. I
>> just downloaded https://download.libreswan.org/libreswan-3.0.tar.gz
>> and performed the following commands from my user account:
>>
>> $ sudo yum remove libreswan
>> $ sudo mv /etc/ipsec.conf.rpmsave /etc/ipsec.conf
>> $ tar -zxvf download/libreswan-3.0.tar.gz
>> $ cd libreswan-3.0/
>> $ make programs
>> $ sudo make install
>> $ sudo systemctl start ipsec.service
>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service; 
>> disabled)
>>            Active: active (running) since Fri, 04 Jan 2013 12:42:54
>> +0100; 14s ago
>>           Process: 2154
>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited,
>> status=0/SUCCESS)
>>           Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
>> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>>          Main PID: 2215 (sh)
>>            CGroup: name=systemd:/system/ipsec.service
>>                     2215 /usr/bin/sh -c eval
>> `/usr/local/libexec/ipsec/plut...
>>                     2216 /usr/bin/sh -c eval
>> `/usr/local/libexec/ipsec/plut...
>>                     2217 /usr/local/libexec/ipsec/pluto --config
>> /etc/ipsec...
>>                     2242 _pluto_adns
>>
>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>> find_host_pair_conn ...
>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: added connection
>> descr...
>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | reaped addconn
>> helpe...
>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>> connect_to_host_pair...
>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | find_host_pair:
>> comp...
>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>> connect_to_host_pair...
>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | find_host_pair:
>> comp...
>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>> connect_to_host_pair...
>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | find_host_pair:
>> comp...
>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>> connect_to_host_pair...
>> [philippe at victor libreswan-3.0]$ sudo systemctl stop ipsec.service
>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service; 
>> disabled)
>>            Active: inactive (dead) since Fri, 04 Jan 2013 12:50:26
>> +0100; 2s ago
>>           Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
>> (code=exited, status=0/SUCCESS)
>>           Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
>> (code=exited, status=0/SUCCESS)
>>           Process: 2572 ExecStop=/usr/local/sbin/ipsec whack --shutdown
>> (code=exited, status=0/SUCCESS)
>>           Process: 2215 ExecStart=/usr/bin/sh -c eval
>> `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
>> $PLUTO_OPTIONS` (code=exited, status=0/SUCCESS)
>>           Process: 2154
>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited,
>> status=0/SUCCESS)
>>           Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
>> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>>            CGroup: name=systemd:/system/ipsec.service
>>
>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: shutting down
>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>> connectio...
>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "roadwarrior":
>> deletin...
>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>> connectio...
>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "macintosh-l2tp":
>> dele...
>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>> connectio...
>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
>> "roadwarrior-l2tp": de...
>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>> connectio...
>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
>> "roadwarrior-l2tp-upda...
>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | crl fetch
>> request li...
>>
>> So would it happen you still have /etc/rc.d/init.d/ipsec* ?
>> On my side:
>> [philippe at victor libreswan-3.0]$ ls /etc/rc.d/init.d/ipsec*
>> ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
>> Would it also happen but it looks at first glance unlikely that you are
>> facing some SELinux issue ?
>> Can you give us the output of the following:
>> [philippe at victor libreswan-3.0]$ sudo getenforce
>> Permissive
>> If getenforce returns Enforcing, can you perform the following commands:
>> [philippe at victor libreswan-3.0]$ sudo restorecon /usr/local/sbin -Rv
>> [philippe at victor libreswan-3.0]$ sudo restorecon
>> /usr/local/libexec/ipsec -Rv
>> [philippe at victor libreswan-3.0]$
>>
>> Once the above points clean,
>>
>> [philippe at victor libreswan-3.0]$ sudo systemctl --system daemon-reload
>> [philippe at victor libreswan-3.0]$ sudo systemctl restart ipsec.service
>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service; 
>> disabled)
>>            Active: active (running) since Fri, 04 Jan 2013 12:58:55
>> +0100; 6s ago
>>           Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
>> (code=exited, status=0/SUCCESS)
>>           Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
>> (code=exited, status=0/SUCCESS)
>>           Process: 2572 ExecStop=/usr/local/sbin/ipsec whack --shutdown
>> (code=exited, status=0/SUCCESS)
>>           Process: 2947
>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited,
>> status=0/SUCCESS)
>>           Process: 2942 ExecStartPre=/usr/local/sbin/ipsec addconn
>> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>>          Main PID: 3011 (sh)
>>            CGroup: name=systemd:/system/ipsec.service
>>                     3011 /usr/bin/sh -c eval
>> `/usr/local/libexec/ipsec/plut...
>>                     3012 /usr/bin/sh -c eval
>> `/usr/local/libexec/ipsec/plut...
>>                     3013 /usr/local/libexec/ipsec/pluto --config
>> /etc/ipsec...
>>                     3038 _pluto_adns
>>
>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>> find_host_pair_conn ...
>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: added connection
>> descr...
>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | reaped addconn
>> helpe...
>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>> connect_to_host_pair...
>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | find_host_pair:
>> comp...
>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>> connect_to_host_pair...
>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | find_host_pair:
>> comp...
>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>> connect_to_host_pair...
>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | find_host_pair:
>> comp...
>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>> connect_to_host_pair...
>>
>> Thank you so much in advance to keep us informed.
>> Best regards,
>>
>> Philippe Vouters (Fontainebleau/France)
>> URL: http://vouters.dyndns.org/
>> SIP: sip:Vouters at sip.linphone.org
>>
>> On 04/01/2013 10:51, Elison Niven wrote:
>>> Hi,
>>>
>>> I downloaded libreswan and installed from source on Fedora 16.
>>> # Install dependencies
>>> $ yum install unbound-devel libcap-ng-devel xmto
>>>
>>> # Remove openswan, racoon
>>> $ yum remove openswan ipsec-tools
>>>
>>> # Make and install libreswan
>>> # make programs
>>> $ make install
>>>
>>> $ systemctl --system daemon-reload
>>> $ systemctl enable ipsec.service
>>> $ service ipsec start
>>> Redirecting to /bin/systemctl  start ipsec.service
>>>
>>> $ service ipsec status
>>> Redirecting to /bin/systemctl  status ipsec.service
>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>       Loaded: loaded (/lib/systemd/system/ipsec.service; enabled)
>>>       Active: failed since Fri, 04 Jan 2013 15:11:52 +0530; 2s ago
>>>      Process: 13445 ExecStopPost=/sbin/ip xfrm state flush
>>> (code=exited, status=0/SUCCESS)
>>>      Process: 13443 ExecStopPost=/sbin/ip xfrm policy flush
>>> (code=exited, status=0/SUCCESS)
>>>      Process: 13440 ExecStop=/usr/local/sbin/ipsec whack --shutdown
>>> (code=exited, status=1/FAILURE)
>>>      Process: 13438 ExecStart=/usr/bin/sh -c eval
>>> `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
>>> $PLUTO_OPTIONS` (code=exited, status=203/EXEC)
>>>      Process: 13379
>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>> (code=exited, status=0/SUCCESS)
>>>      Process: 13376 ExecStartPre=/usr/local/sbin/ipsec addconn
>>> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>>>       CGroup: name=systemd:/system/ipsec.service
>>>
>>>
>>> I can start pluto manually by executing the commands in the systemd
>>> unit file marked for ExecStartPre and ExecStart.
>>>
>>> $ cat /etc/systemd/system/multi-user.target.wants/ipsec.service
>>> [Unit]
>>> Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>> After=syslog.target
>>> After=network.target
>>> #After=remote-fs.target
>>>
>>> [Service]
>>> Type=simple
>>> Restart=always
>>> EnvironmentFile=-/etc/sysconfig/pluto
>>> #Environment=IPSEC_LIBDIR=/usr/local/libexec/ipsec
>>> #Environment=IPSEC_SBINDIR=/usr/local/sbin
>>> #Environment=IPSEC_EXECDIR=/usr/local/libexec/ipsec/ipsec
>>> #PIDFile=/var/run/pluto/pluto.pid
>>> #
>>> ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf
>>> --checkconfig
>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>> ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto
>>> --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
>>> ExecStop=/usr/local/sbin/ipsec whack --shutdown
>>> ExecStopPost=/sbin/ip xfrm policy flush
>>> ExecStopPost=/sbin/ip xfrm state flush
>>> ExecReload=/usr/local/sbin/ipsec whack --listen
>>>
>>> [Install]
>>> WantedBy=multi-user.target
>>> Alias=syslog.service
>>>
>>> Any help?
>>>
>>
>>
>>
>
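Added example, not part of the thread: systemd reports status=203/EXEC when it could not execute the command named on an Exec line, so one check is whether the first word of every Exec*= line in the unit file is an executable path on this host. The function names, the sample unit and the /nonexistent-example path are constructed for illustration.

```shell
#!/bin/sh
# Added example: for each Exec*= line in a unit file, check that the first
# word (the path systemd hands to execve) exists and is executable.
check_unit_exec() {
    unit=$1
    missing=0
    while IFS= read -r line; do
        case $line in
            Exec*=*) ;;          # ExecStart=, ExecStartPre=, ExecStop=, ...
            *) continue ;;       # comments, other keys, section headers
        esac
        key=${line%%=*}
        cmd=${line#*=}
        # Strip systemd's optional prefix characters such as "-" or "@".
        while :; do
            case $cmd in
                [-@+!:]*) cmd=${cmd#?} ;;
                *) break ;;
            esac
        done
        path=${cmd%% *}
        if [ -x "$path" ] && [ ! -d "$path" ]; then
            echo "ok      $key $path"
        else
            echo "missing $key $path"
            missing=$((missing + 1))
        fi
    done < "$unit"
    return "$missing"            # exit status = number of unusable commands
}

# Constructed sample unit (not the poster's file); the ExecStart path is a
# placeholder that does not exist, to show the failing case.
make_sample_unit() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[Service]
EnvironmentFile=-/etc/sysconfig/pluto
ExecStartPre=/bin/sh -c true
ExecStart=/nonexistent-example/sh -c 'eval `pluto --nofork $PLUTO_OPTIONS`'
ExecStop=-/bin/sh -c true
EOF
    echo "$f"
}

sample=$(make_sample_unit)
check_unit_exec "$sample" || echo "$? command(s) cannot be executed"
rm -f "$sample"
```

On a real host, pass the installed unit file instead of the sample, for example the /lib/systemd/system/ipsec.service path shown in the status output.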
