[Swan] Cannot start ipsec service using systemd

Philippe Vouters philippe.vouters at laposte.net
Fri Jan 4 15:51:22 EET 2013


Dear Elison,

If # ipsec addconn --autoall fails, my guess is that you ought to also 
get the root cause of your problem with this line in bold:
[philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.0 (netkey) on 3.6.10-2.fc17.i686
Checking for IPsec support in kernel                    [OK]
  NETKEY: Testing XFRM related proc values
          ICMP default/send_redirects                    [OK]
          ICMP default/accept_redirects                  [OK]
          XFRM larval drop                               [OK]
*Pluto ipsec.conf syntax                                 [OK]*
Hardware random device                                  [N/A]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
  Pluto listening for IKE on udp 500                     [OK]
  Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
  Pluto listening for IKE/NAT-T on udp 4500              [OK]
  Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
  Pluto listening for IKE on tcp 10000 (cisco)           [NOT IMPLEMENTED]
  Pluto ipsec.secret syntax                              [OK]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
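As an added example (not code from this thread or from libreswan), here is a POSIX shell check for the first thing a status=203/EXEC points at: systemd reports that status when its exec() of the command's program fails. The script extracts the program paths from a constructed copy of the unit's Exec* lines quoted further down in the thread, including the pluto path inside the sh -c wrapper, and reports which of them are missing or not executable; the /usr/local install paths are assumed from that unit.

```shell
#!/bin/sh
# Added example, not from the thread: list the programs a systemd unit's
# Exec* lines will exec() and check that each exists and is executable.
# systemd reports a failed exec() of the program as status=203/EXEC, the
# code seen in the thread, so this is the first thing to rule out.

# Constructed copy of the [Service] lines of the ipsec.service unit quoted
# in the thread (paths assumed to be the /usr/local ones shown there).
UNIT_TEXT=$(cat <<'EOF'
[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/pluto
ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
ExecStop=/usr/local/sbin/ipsec whack --shutdown
EOF
)

# unit_execs UNIT_TEXT: print every program path, one per line, sorted.
# Takes the first word of each Exec*= line (after systemd's "-"/"@"
# prefixes) plus the absolute path in backticks inside the sh -c line,
# since that is the binary the shell wrapper ultimately runs.
unit_execs() {
    {
        printf '%s\n' "$1" | sed -n 's/^Exec[A-Za-z]*=[-@]*\([^ ]*\).*/\1/p'
        printf '%s\n' "$1" | sed -n 's/^Exec.*`\(\/[^ `]*\).*/\1/p'
    } | sort -u
}

# exec_status PATH: 0 executable, 1 missing, 2 present but not executable
exec_status() {
    [ -e "$1" ] || return 1
    [ -x "$1" ] || return 2
    return 0
}

# check_unit UNIT_TEXT: print one verdict per program; return 1 if any
# of them would make systemd's exec() fail (the 203/EXEC case)
check_unit() {
    rc=0
    for p in $(unit_execs "$1"); do
        st=0; exec_status "$p" || st=$?
        case $st in
            0) echo "OK      $p" ;;
            1) echo "MISSING $p"; rc=1 ;;
            2) echo "NOEXEC  $p"; rc=1 ;;
        esac
    done
    return $rc
}

# usage: sh check_unit.sh --check   (checks the constructed unit above)
[ "${1:-}" = "--check" ] && check_unit "$UNIT_TEXT"
```

Feed the real unit with `check_unit "$(cat /usr/lib/systemd/system/ipsec.service)"` to test the installed paths instead of the constructed copy.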

On 04/01/2013 14:31, Philippe Vouters wrote:
> Dear Elison,
>
> I queried Google with "systemctl status=203/EXEC" which is the pluto 
> exit code you report us and found this discussion at 
> http://forums.fedoraforum.org/showthread.php?t=272075 This is specific 
> to Fedora 16 but my guess is that it can also apply to Fedora 17.
>
> It happens that the pluto code forks and exec's "addconn --autoall".
> From a root account or sudo'ing, can you also perform:
> # ipsec addconn --autoall
> # echo $?
> On my side:
> [philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec addconn 
> --autoall
> 002 "roadwarrior-l2tp-updatedwin": deleting connection
> 002 added connection description "roadwarrior-l2tp-updatedwin"
> 002 "roadwarrior-l2tp": deleting connection
> 002 added connection description "roadwarrior-l2tp"
> 002 "macintosh-l2tp": deleting connection
> 002 added connection description "macintosh-l2tp"
> 002 "roadwarrior": deleting connection
> 002 added connection description "roadwarrior"
> [philippe at victor libreswan-3.0]$ echo $?
> 0
>
> You may as well check your /var/log/secure so that we can get more 
> information on the pluto failure.
>
> Yours truly,
> Philippe Vouters (Fontainebleau/France)
> URL:http://vouters.dyndns.org/
> SIP:sip:Vouters at sip.linphone.org
> On 04/01/2013 14:07, Philippe Vouters wrote:
>> Dear Elison,
>>
>> pluto fails to correctly start on your side on:
>>  /usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto
>> --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
>> whack failing on stop is just a consequence.
>>
>> Because $PLUTO_OPTIONS comes from:
>> EnvironmentFile=-/etc/sysconfig/pluto
>>
>> can you $ cat /etc/sysconfig/pluto
>>
>> $ export PLUTO_OPTIONS=<the right side of the assignment in your 
>> PLUTO_OPTIONS in your /etc/sysconfig/pluto file>
>>
>> and manually perform:
>>
>> /usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto
>> --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
>>
>> from a root account?
>>
>> Please provide us with the output of what you did and read.
>> Thank you so much in advance.
>> Philippe Vouters (Fontainebleau/France)
>> URL:http://vouters.dyndns.org/
>> SIP:sip:Vouters at sip.linphone.org
>> On 04/01/2013 13:22, Elison Niven wrote:
>>> SELinux is disabled.
>>> $ getenforce
>>> Disabled
>>> $ ls /etc/rc.d/init.d/ipsec*
>>> ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
>>>
>>> Thanks.
>>>
>>> On Friday 04 January 2013 05:35 PM, Philippe Vouters wrote:
>>>> Dear Elison,
>>>>
>>>> I am running Fedora 17 i686 with SELinux policy set to permissive. I
>>>> just downloaded https://download.libreswan.org/libreswan-3.0.tar.gz
>>>> and performed the following commands from my user account:
>>>>
>>>> $ sudo yum remove libreswan
>>>> $ sudo mv /etc/ipsec.conf.rpmsave /etc/ipsec.conf
>>>> $ tar -zxvf download/libreswan-3.0.tar.gz
>>>> $ cd libreswan-3.0/
>>>> $ make programs
>>>> $ sudo make install
>>>> $ sudo systemctl start ipsec.service
>>>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service; 
>>>> disabled)
>>>>            Active: active (running) since Fri, 04 Jan 2013 12:42:54
>>>> +0100; 14s ago
>>>>           Process: 2154
>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start 
>>>> (code=exited,
>>>> status=0/SUCCESS)
>>>>           Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
>>>> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>>>>          Main PID: 2215 (sh)
>>>>            CGroup: name=systemd:/system/ipsec.service
>>>>                     2215 /usr/bin/sh -c eval
>>>> `/usr/local/libexec/ipsec/plut...
>>>>                     2216 /usr/bin/sh -c eval
>>>> `/usr/local/libexec/ipsec/plut...
>>>>                     2217 /usr/local/libexec/ipsec/pluto --config
>>>> /etc/ipsec...
>>>>                     2242 _pluto_adns
>>>>
>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>> find_host_pair_conn ...
>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: added 
>>>> connection
>>>> descr...
>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | reaped 
>>>> addconn
>>>> helpe...
>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>> connect_to_host_pair...
>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | 
>>>> find_host_pair:
>>>> comp...
>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>> connect_to_host_pair...
>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | 
>>>> find_host_pair:
>>>> comp...
>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>> connect_to_host_pair...
>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | 
>>>> find_host_pair:
>>>> comp...
>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>> connect_to_host_pair...
>>>> [philippe at victor libreswan-3.0]$ sudo systemctl stop ipsec.service
>>>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service; 
>>>> disabled)
>>>>            Active: inactive (dead) since Fri, 04 Jan 2013 12:50:26
>>>> +0100; 2s ago
>>>>           Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
>>>> (code=exited, status=0/SUCCESS)
>>>>           Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
>>>> (code=exited, status=0/SUCCESS)
>>>>           Process: 2572 ExecStop=/usr/local/sbin/ipsec whack 
>>>> --shutdown
>>>> (code=exited, status=0/SUCCESS)
>>>>           Process: 2215 ExecStart=/usr/bin/sh -c eval
>>>> `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
>>>> $PLUTO_OPTIONS` (code=exited, status=0/SUCCESS)
>>>>           Process: 2154
>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start 
>>>> (code=exited,
>>>> status=0/SUCCESS)
>>>>           Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
>>>> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>>>>            CGroup: name=systemd:/system/ipsec.service
>>>>
>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: shutting down
>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>>> connectio...
>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "roadwarrior":
>>>> deletin...
>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>>> connectio...
>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: 
>>>> "macintosh-l2tp":
>>>> dele...
>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>>> connectio...
>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
>>>> "roadwarrior-l2tp": de...
>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>>> connectio...
>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
>>>> "roadwarrior-l2tp-upda...
>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | crl fetch
>>>> request li...
>>>>
>>>> So would it happen you still have /etc/rc.d/init.d/ipsec* ?
>>>> On my side:
>>>> [philippe at victor libreswan-3.0]$ ls /etc/rc.d/init.d/ipsec*
>>>> ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
>>>> Would it also happen, although it looks unlikely at first glance, that
>>>> you are facing some SELinux issue?
>>>> Can you give us the output of the following:
>>>> [philippe at victor libreswan-3.0]$ sudo getenforce
>>>> Permissive
>>>> If getenforce returns Enforcing, can you perform the following 
>>>> commands:
>>>> [philippe at victor libreswan-3.0]$ sudo restorecon /usr/local/sbin -Rv
>>>> [philippe at victor libreswan-3.0]$ sudo restorecon
>>>> /usr/local/libexec/ipsec -Rv
>>>> [philippe at victor libreswan-3.0]$
>>>>
>>>> Once the above points are clean,
>>>>
>>>> [philippe at victor libreswan-3.0]$ sudo systemctl --system daemon-reload
>>>> [philippe at victor libreswan-3.0]$ sudo systemctl restart ipsec.service
>>>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service; 
>>>> disabled)
>>>>            Active: active (running) since Fri, 04 Jan 2013 12:58:55
>>>> +0100; 6s ago
>>>>           Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
>>>> (code=exited, status=0/SUCCESS)
>>>>           Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
>>>> (code=exited, status=0/SUCCESS)
>>>>           Process: 2572 ExecStop=/usr/local/sbin/ipsec whack 
>>>> --shutdown
>>>> (code=exited, status=0/SUCCESS)
>>>>           Process: 2947
>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start 
>>>> (code=exited,
>>>> status=0/SUCCESS)
>>>>           Process: 2942 ExecStartPre=/usr/local/sbin/ipsec addconn
>>>> --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>>>>          Main PID: 3011 (sh)
>>>>            CGroup: name=systemd:/system/ipsec.service
>>>>                     3011 /usr/bin/sh -c eval
>>>> `/usr/local/libexec/ipsec/plut...
>>>>                     3012 /usr/bin/sh -c eval
>>>> `/usr/local/libexec/ipsec/plut...
>>>>                     3013 /usr/local/libexec/ipsec/pluto --config
>>>> /etc/ipsec...
>>>>                     3038 _pluto_adns
>>>>
>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>> find_host_pair_conn ...
>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: added 
>>>> connection
>>>> descr...
>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | reaped 
>>>> addconn
>>>> helpe...
>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>> connect_to_host_pair...
>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | 
>>>> find_host_pair:
>>>> comp...
>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>> connect_to_host_pair...
>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | 
>>>> find_host_pair:
>>>> comp...
>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>> connect_to_host_pair...
>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | 
>>>> find_host_pair:
>>>> comp...
>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>> connect_to_host_pair...
>>>>
>>>> Thank you so much in advance for keeping us informed.
>>>> Best regards,
>>>>
>>>> Philippe Vouters (Fontainebleau/France)
>>>> URL: http://vouters.dyndns.org/
>>>> SIP: sip:Vouters at sip.linphone.org
>>>>
>>>> On 04/01/2013 10:51, Elison Niven wrote:
>>>>> Hi,
>>>>>
>>>>> I downloaded libreswan and installed from source on Fedora 16.
>>>>> # Install dependencies
>>>>> $ yum install unbound-devel libcap-ng-devel xmto
>>>>>
>>>>> # Remove openswan, racoon
>>>>> $ yum remove openswan ipsec-tools
>>>>>
>>>>> # Make and install libreswan
>>>>> # make programs
>>>>> $ make install
>>>>>
>>>>> $ systemctl --system daemon-reload
>>>>> $ systemctl enable ipsec.service
>>>>> $ service ipsec start
>>>>> Redirecting to /bin/systemctl  start ipsec.service
>>>>>
>>>>> $ service ipsec status
>>>>> Redirecting to /bin/systemctl  status ipsec.service
>>>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>>>       Loaded: loaded (/lib/systemd/system/ipsec.service; enabled)
>>>>>       Active: failed since Fri, 04 Jan 2013 15:11:52 +0530; 2s ago
>>>>>      Process: 13445 ExecStopPost=/sbin/ip xfrm state flush
>>>>> (code=exited, status=0/SUCCESS)
>>>>>      Process: 13443 ExecStopPost=/sbin/ip xfrm policy flush
>>>>> (code=exited, status=0/SUCCESS)
>>>>>      Process: 13440 ExecStop=/usr/local/sbin/ipsec whack --shutdown
>>>>> (code=exited, status=1/FAILURE)
>>>>>      Process: 13438 ExecStart=/usr/bin/sh -c eval
>>>>> `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
>>>>> $PLUTO_OPTIONS` (code=exited, status=203/EXEC)
>>>>>      Process: 13379
>>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>>>> (code=exited, status=0/SUCCESS)
>>>>>      Process: 13376 ExecStartPre=/usr/local/sbin/ipsec addconn
>>>>> --config /etc/ipsec.conf --checkconfig (code=exited, 
>>>>> status=0/SUCCESS)
>>>>>       CGroup: name=systemd:/system/ipsec.service
>>>>>
>>>>>
>>>>> I can start pluto manually by executing the commands in the systemd
>>>>> unit file marked for ExecStartPre and ExecStart.
>>>>>
>>>>> $ cat /etc/systemd/system/multi-user.target.wants/ipsec.service
>>>>> [Unit]
>>>>> Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>>> After=syslog.target
>>>>> After=network.target
>>>>> #After=remote-fs.target
>>>>>
>>>>> [Service]
>>>>> Type=simple
>>>>> Restart=always
>>>>> EnvironmentFile=-/etc/sysconfig/pluto
>>>>> #Environment=IPSEC_LIBDIR=/usr/local/libexec/ipsec
>>>>> #Environment=IPSEC_SBINDIR=/usr/local/sbin
>>>>> #Environment=IPSEC_EXECDIR=/usr/local/libexec/ipsec/ipsec
>>>>> #PIDFile=/var/run/pluto/pluto.pid
>>>>> #
>>>>> ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf
>>>>> --checkconfig
>>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>>>> ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto
>>>>> --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
>>>>> ExecStop=/usr/local/sbin/ipsec whack --shutdown
>>>>> ExecStopPost=/sbin/ip xfrm policy flush
>>>>> ExecStopPost=/sbin/ip xfrm state flush
>>>>> ExecReload=/usr/local/sbin/ipsec whack --listen
>>>>>
>>>>> [Install]
>>>>> WantedBy=multi-user.target
>>>>> Alias=syslog.service
>>>>>
>>>>> Any help?
>>>>>
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan