[Swan] Cannot start ipsec service using systemd

Philippe Vouters philippe.vouters at laposte.net
Fri Jan 4 15:31:57 EET 2013


Dear Elison,

I queried Google with "systemctl status=203/EXEC", which is the pluto 
exit code you report to us, and found this discussion at 
http://forums.fedoraforum.org/showthread.php?t=272075. This is specific 
to Fedora 16 but my guess is that it can also apply to Fedora 17.

It happens that the pluto code forks and exec's "addconn --autoall".
From a root account or sudo'ing, can you also perform:
# ipsec addconn --autoall
# echo $?
On my side:
[philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec addconn 
--autoall
002 "roadwarrior-l2tp-updatedwin": deleting connection
002 added connection description "roadwarrior-l2tp-updatedwin"
002 "roadwarrior-l2tp": deleting connection
002 added connection description "roadwarrior-l2tp"
002 "macintosh-l2tp": deleting connection
002 added connection description "macintosh-l2tp"
002 "roadwarrior": deleting connection
002 added connection description "roadwarrior"
[philippe at victor libreswan-3.0]$ echo $?
0

You may as well check your /var/log/secure so that we can get more 
information on the pluto failure.

Yours truly,

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 04/01/2013 14:07, Philippe Vouters wrote:
> Dear Elison,
>
> pluto fails to correctly start on your side on:
>  /usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto
> --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
> whack failing on stop is just a consequence.
>
> Because $PLUTO_OPTIONS comes from:
> EnvironmentFile=-/etc/sysconfig/pluto
>
> can you $ cat /etc/sysconfig/pluto
>
> $ export PLUTO_OPTIONS=<the right side of the assignment in your 
> PLUTO_OPTIONS in your /etc/sysconfig/pluto file>
>
> and manually perform:
>
> /usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto
> --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
> from a root account?
>
> You provide us the output of what you did and read.
> Thank you so much in advance.
> Philippe Vouters (Fontainebleau/France)
> URL: http://vouters.dyndns.org/
> SIP: sip:Vouters at sip.linphone.org
> On 04/01/2013 13:22, Elison Niven wrote:
>> SELinux is disabled.
>> $ getenforce
>> Disabled
>> $ ls /etc/rc.d/init.d/ipsec*
>> ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
>>
>> Thanks.
>>
>> On Friday 04 January 2013 05:35 PM, Philippe Vouters wrote:
>>> Dear Elison,
>>>
>>> I am running Fedora 17 i686 with SELinux policy set to permissive. I
>>> just downloaded https://download.libreswan.org/libreswan-3.0.tar.gz
>>> and performed the following commands from my user account:
>>>
>>> $ sudo yum remove libreswan
>>> $ sudo mv /etc/ipsec.conf.rpmsave /etc/ipsec.conf
>>> $ tar -zxvf download/libreswan-3.0.tar.gz
>>> $ cd libreswan-3.0/
>>> $ make programs
>>> $ sudo make install
>>> $ sudo systemctl start ipsec.service
>>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service; 
>>> disabled)
>>>            Active: active (running) since Fri, 04 Jan 2013 12:42:54
>>> +0100; 14s ago
>>>           Process: 2154
>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited,
>>> status=0/SUCCESS)
>>>           Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
>>> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>>>          Main PID: 2215 (sh)
>>>            CGroup: name=systemd:/system/ipsec.service
>>>                     2215 /usr/bin/sh -c eval
>>> `/usr/local/libexec/ipsec/plut...
>>>                     2216 /usr/bin/sh -c eval
>>> `/usr/local/libexec/ipsec/plut...
>>>                     2217 /usr/local/libexec/ipsec/pluto --config
>>> /etc/ipsec...
>>>                     2242 _pluto_adns
>>>
>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>> find_host_pair_conn ...
>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: added connection
>>> descr...
>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | reaped addconn
>>> helpe...
>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>> connect_to_host_pair...
>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | 
>>> find_host_pair:
>>> comp...
>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>> connect_to_host_pair...
>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | 
>>> find_host_pair:
>>> comp...
>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>> connect_to_host_pair...
>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | 
>>> find_host_pair:
>>> comp...
>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>> connect_to_host_pair...
>>> [philippe at victor libreswan-3.0]$ sudo systemctl stop ipsec.service
>>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service; 
>>> disabled)
>>>            Active: inactive (dead) since Fri, 04 Jan 2013 12:50:26
>>> +0100; 2s ago
>>>           Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
>>> (code=exited, status=0/SUCCESS)
>>>           Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
>>> (code=exited, status=0/SUCCESS)
>>>           Process: 2572 ExecStop=/usr/local/sbin/ipsec whack --shutdown
>>> (code=exited, status=0/SUCCESS)
>>>           Process: 2215 ExecStart=/usr/bin/sh -c eval
>>> `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
>>> $PLUTO_OPTIONS` (code=exited, status=0/SUCCESS)
>>>           Process: 2154
>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited,
>>> status=0/SUCCESS)
>>>           Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
>>> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>>>            CGroup: name=systemd:/system/ipsec.service
>>>
>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: shutting down
>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>> connectio...
>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "roadwarrior":
>>> deletin...
>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>> connectio...
>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: 
>>> "macintosh-l2tp":
>>> dele...
>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>> connectio...
>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
>>> "roadwarrior-l2tp": de...
>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>> connectio...
>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
>>> "roadwarrior-l2tp-upda...
>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | crl fetch
>>> request li...
>>>
>>> So would it happen you still have /etc/rc.d/init.d/ipsec*?
>>> On my side:
>>> [philippe at victor libreswan-3.0]$ ls /etc/rc.d/init.d/ipsec*
>>> ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
>>> Would it also happen, though it looks at first glance unlikely, that you
>>> are facing some SELinux issue?
>>> Can you give us the output of the following:
>>> [philippe at victor libreswan-3.0]$ sudo getenforce
>>> Permissive
>>> If getenforce returns Enforcing, can you perform the following 
>>> commands:
>>> [philippe at victor libreswan-3.0]$ sudo restorecon /usr/local/sbin -Rv
>>> [philippe at victor libreswan-3.0]$ sudo restorecon
>>> /usr/local/libexec/ipsec -Rv
>>> [philippe at victor libreswan-3.0]$
>>>
>>> Once the above points are clean,
>>>
>>> [philippe at victor libreswan-3.0]$ sudo systemctl --system daemon-reload
>>> [philippe at victor libreswan-3.0]$ sudo systemctl restart ipsec.service
>>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service; 
>>> disabled)
>>>            Active: active (running) since Fri, 04 Jan 2013 12:58:55
>>> +0100; 6s ago
>>>           Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
>>> (code=exited, status=0/SUCCESS)
>>>           Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
>>> (code=exited, status=0/SUCCESS)
>>>           Process: 2572 ExecStop=/usr/local/sbin/ipsec whack --shutdown
>>> (code=exited, status=0/SUCCESS)
>>>           Process: 2947
>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited,
>>> status=0/SUCCESS)
>>>           Process: 2942 ExecStartPre=/usr/local/sbin/ipsec addconn
>>> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>>>          Main PID: 3011 (sh)
>>>            CGroup: name=systemd:/system/ipsec.service
>>>                     3011 /usr/bin/sh -c eval
>>> `/usr/local/libexec/ipsec/plut...
>>>                     3012 /usr/bin/sh -c eval
>>> `/usr/local/libexec/ipsec/plut...
>>>                     3013 /usr/local/libexec/ipsec/pluto --config
>>> /etc/ipsec...
>>>                     3038 _pluto_adns
>>>
>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>> find_host_pair_conn ...
>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: added connection
>>> descr...
>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | reaped addconn
>>> helpe...
>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>> connect_to_host_pair...
>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | 
>>> find_host_pair:
>>> comp...
>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>> connect_to_host_pair...
>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | 
>>> find_host_pair:
>>> comp...
>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>> connect_to_host_pair...
>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | 
>>> find_host_pair:
>>> comp...
>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>> connect_to_host_pair...
>>>
>>> Thank you so much in advance for keeping us informed.
>>> Best regards,
>>>
>>> Philippe Vouters (Fontainebleau/France)
>>> URL: http://vouters.dyndns.org/
>>> SIP: sip:Vouters at sip.linphone.org
>>>
>>> On 04/01/2013 10:51, Elison Niven wrote:
>>>> Hi,
>>>>
>>>> I downloaded libreswan and installed from source on Fedora 16.
>>>> # Install dependencies
>>>> $ yum install unbound-devel libcap-ng-devel xmto
>>>>
>>>> # Remove openswan, racoon
>>>> $ yum remove openswan ipsec-tools
>>>>
>>>> # Make and install libreswan
>>>> # make programs
>>>> $ make install
>>>>
>>>> $ systemctl --system daemon-reload
>>>> $ systemctl enable ipsec.service
>>>> $ service ipsec start
>>>> Redirecting to /bin/systemctl  start ipsec.service
>>>>
>>>> $ service ipsec status
>>>> Redirecting to /bin/systemctl  status ipsec.service
>>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>>       Loaded: loaded (/lib/systemd/system/ipsec.service; enabled)
>>>>       Active: failed since Fri, 04 Jan 2013 15:11:52 +0530; 2s ago
>>>>      Process: 13445 ExecStopPost=/sbin/ip xfrm state flush
>>>> (code=exited, status=0/SUCCESS)
>>>>      Process: 13443 ExecStopPost=/sbin/ip xfrm policy flush
>>>> (code=exited, status=0/SUCCESS)
>>>>      Process: 13440 ExecStop=/usr/local/sbin/ipsec whack --shutdown
>>>> (code=exited, status=1/FAILURE)
>>>>      Process: 13438 ExecStart=/usr/bin/sh -c eval
>>>> `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
>>>> $PLUTO_OPTIONS` (code=exited, status=203/EXEC)
>>>>      Process: 13379
>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>>> (code=exited, status=0/SUCCESS)
>>>>      Process: 13376 ExecStartPre=/usr/local/sbin/ipsec addconn
>>>> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>>>>       CGroup: name=systemd:/system/ipsec.service
>>>>
>>>>
>>>> I can start pluto manually by executing the commands in the systemd
>>>> unit file marked for ExecStartPre and ExecStart.
>>>>
>>>> $ cat /etc/systemd/system/multi-user.target.wants/ipsec.service
>>>> [Unit]
>>>> Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>> After=syslog.target
>>>> After=network.target
>>>> #After=remote-fs.target
>>>>
>>>> [Service]
>>>> Type=simple
>>>> Restart=always
>>>> EnvironmentFile=-/etc/sysconfig/pluto
>>>> #Environment=IPSEC_LIBDIR=/usr/local/libexec/ipsec
>>>> #Environment=IPSEC_SBINDIR=/usr/local/sbin
>>>> #Environment=IPSEC_EXECDIR=/usr/local/libexec/ipsec/ipsec
>>>> #PIDFile=/var/run/pluto/pluto.pid
>>>> #
>>>> ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf
>>>> --checkconfig
>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>>> ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto
>>>> --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
>>>> ExecStop=/usr/local/sbin/ipsec whack --shutdown
>>>> ExecStopPost=/sbin/ip xfrm policy flush
>>>> ExecStopPost=/sbin/ip xfrm state flush
>>>> ExecReload=/usr/local/sbin/ipsec whack --listen
>>>>
>>>> [Install]
>>>> WantedBy=multi-user.target
>>>> Alias=syslog.service
>>>>
>>>> Any help?
>>>>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
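The check a practitioner would run on the failing unit, added here as an example that is not part of this thread and not libreswan's own tooling: systemd reports status=203/EXEC (EXIT_EXEC in systemd.exec(5)) when the execve() of the Exec*= command itself fails, most often because the program named first on that line is missing or not executable on the host. The script below reads a unit file given as its argument (the script name, the unit path and the environment file it is pointed at are assumptions for illustration), lists the program each Exec*= line would run, flags those that cannot be executed, and prints the assignments systemd would take from the EnvironmentFile= line (such as PLUTO_OPTIONS from /etc/sysconfig/pluto) without sourcing that file.

```shell
#!/bin/sh
# Added example, not part of the thread or of libreswan: a pre-flight check
# for a systemd unit whose ExecStart= ends with "status=203/EXEC". systemd
# reports 203 (EXIT_EXEC) when the execve() of the Exec*= command itself
# fails, most often because the program named first on the line does not
# exist or is not executable on that host. The unit file path passed in and
# the sample unit used below are assumptions for illustration.

# Print the program path named by each Exec*= line of the unit file $1.
# systemd permits the prefix characters '-', '@', '+' and '!' before a path.
unit_exec_programs() {
    sed -n 's/^Exec[A-Za-z]*=//p' "$1" | while IFS= read -r line; do
        prog=${line%% *}                     # first whitespace-separated word
        printf '%s\n' "$prog" | sed 's/^[-@+!]*//'
    done
}

# Report each Exec*= program as OK or MISSING. Returns the number of programs
# that cannot be executed, so 0 means every Exec*= line can at least start.
check_unit_execs() {
    bad=0
    for prog in $(unit_exec_programs "$1"); do
        if [ -x "$prog" ]; then
            printf 'OK      %s\n' "$prog"
        else
            printf 'MISSING %s (systemd would report status=203/EXEC)\n' "$prog"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Print the assignments systemd would read from the unit's EnvironmentFile=.
# A leading '-' (as in EnvironmentFile=-/etc/sysconfig/pluto) marks the file
# optional. The file is only read, never sourced or executed.
show_environment_file() {
    envfile=$(sed -n 's/^EnvironmentFile=//p' "$1" | head -n 1)
    optional=no
    case "$envfile" in
        -*) optional=yes; envfile=${envfile#-} ;;
    esac
    if [ -r "$envfile" ]; then
        grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$envfile" || true
    elif [ "$optional" = yes ]; then
        printf '%s: absent (optional, systemd ignores it)\n' "$envfile"
    else
        printf '%s: absent (required, the unit would fail to start)\n' "$envfile"
    fi
}

# Usage (hypothetical script name): sh check_unit.sh /usr/lib/systemd/system/ipsec.service
if [ -n "$1" ]; then
    show_environment_file "$1"
    check_unit_execs "$1"
fi
```

Run it on the host where the unit fails. For the unit quoted in the thread it checks /usr/local/sbin/ipsec, /usr/local/libexec/ipsec/_stackmanager, /usr/bin/sh and /sbin/ip; a MISSING line for any of them accounts for a 203/EXEC before anything pluto-specific is involved. If every line reports OK, the remaining causes of an exec failure are an access denial (for example SELinux) or a missing interpreter for the program, which is where the getenforce, restorecon and /var/log/secure checks in the thread come in.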
