[Swan] Cannot start ipsec service using systemd
Elison Niven
elison.niven at cyberoam.com
Fri Jan 4 16:04:20 EET 2013
Thanks for your support and time.
$ cat /etc/sysconfig/pluto
# Put extra pluto command line options you want here
PLUTO_OPTIONS=" "
$ ipsec addconn --autoall
$ echo $?
0
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.0 (netkey) on 3.1.0-7.fc16.i686.PAE
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause
act on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will
cause act on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/p18p1/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/vmnet1/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/vmnet8/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/virbr0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/virbr0-nic/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ppp0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [FAILED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
ipsec verify: encountered 19 errors - see 'man ipsec_verify' for help
On Friday 04 January 2013 07:21:22 PM IST, Philippe Vouters wrote:
> Dear Elison,
>
> If # ipsec addconn --autoall fails, my guess is that you ought to also
> get the root cause of your problem with this line in bold:
> [philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec verify
> Verifying installed system and configuration files
>
> Version check and ipsec on-path [OK]
> Libreswan 3.0 (netkey) on 3.6.10-2.fc17.i686
> Checking for IPsec support in kernel [OK]
> NETKEY: Testing XFRM related proc values
> ICMP default/send_redirects [OK]
> ICMP default/accept_redirects [OK]
> XFRM larval drop [OK]
> *Pluto ipsec.conf syntax [OK]*
> Hardware random device [N/A]
> Checking rp_filter [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
> Pluto listening for IKE/NAT-T on udp 4500 [OK]
> Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
> Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
> Pluto ipsec.secret syntax [OK]
> Checking NAT and MASQUERADEing [TEST INCOMPLETE]
> Checking 'ip' command [OK]
> Checking 'iptables' command [OK]
> Checking for obsolete ipsec.conf options [OK]
> Opportunistic Encryption [DISABLED]
>
> Philippe Vouters (Fontainebleau/France)
> URL:http://vouters.dyndns.org/
> SIP:sip:Vouters at sip.linphone.org
>> On 04/01/2013 14:31, Philippe Vouters wrote:
>> Dear Elison,
>>
>> I queried Google with "systemctl status=203/EXEC" which is the pluto
>> exit code you report us and found this discussion at
>> http://forums.fedoraforum.org/showthread.php?t=272075 This is
>> specific to Fedora 16 but my guess is that it can also apply to
>> Fedora 17.
>>
>> It happens that the pluto code forks and exec's "addconn --autoall".
>> From a root account or sudo'ing, can you also perform:
>> # ipsec addconn --autoall
>> # echo $?
>> On my side:
>> [philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec addconn
>> --autoall
>> 002 "roadwarrior-l2tp-updatedwin": deleting connection
>> 002 added connection description "roadwarrior-l2tp-updatedwin"
>> 002 "roadwarrior-l2tp": deleting connection
>> 002 added connection description "roadwarrior-l2tp"
>> 002 "macintosh-l2tp": deleting connection
>> 002 added connection description "macintosh-l2tp"
>> 002 "roadwarrior": deleting connection
>> 002 added connection description "roadwarrior"
>> [philippe at victor libreswan-3.0]$ echo $?
>> 0
>>
>> You may as well check your /var/log/secure so that we can get more
>> information on the pluto failure.
>>
>> Yours truly,
>> Philippe Vouters (Fontainebleau/France)
>> URL:http://vouters.dyndns.org/
>> SIP:sip:Vouters at sip.linphone.org
>>> On 04/01/2013 14:07, Philippe Vouters wrote:
>>> Dear Elison,
>>>
>>> pluto fails to correctly start on your side on:
>>> /usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto
>>> --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
>>> whack failing on stop is just a consequence.
>>>
>>> Because $PLUTO_OPTIONS comes from:
>>> EnvironmentFile=-/etc/sysconfig/pluto
>>>
>>> can you $ cat /etc/sysconfig/pluto
>>>
>>> $ export PLUTO_OPTIONS=<the right side of the assignment in your
>>> PLUTO_OPTIONS in your /etc/sysconfig/pluto file>
>>>
>>> and manually perform:
>>>
>>> /usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
>>>
>>> from a root account?
>>>
>>> Please provide us with the output of what you did and read.
>>> Thank you so much in advance.
>>> Philippe Vouters (Fontainebleau/France)
>>> URL:http://vouters.dyndns.org/
>>> SIP:sip:Vouters at sip.linphone.org
>>> On 04/01/2013 13:22, Elison Niven wrote:
>>>> SELinux is disabled.
>>>> $ getenforce
>>>> Disabled
>>>> $ ls /etc/rc.d/init.d/ipsec*
>>>> ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
>>>>
>>>> Thanks.
>>>>
>>>> On Friday 04 January 2013 05:35 PM, Philippe Vouters wrote:
>>>>> Dear Elison,
>>>>>
>>>>> I am running Fedora 17 i686 with SELinux policy set to permissive. I
>>>>> just downloaded https://download.libreswan.org/libreswan-3.0.tar.gz
>>>>> and performed the following commands from my user account:
>>>>>
>>>>> $ sudo yum remove libreswan
>>>>> $ sudo mv /etc/ipsec.conf.rpmsave /etc/ipsec.conf
>>>>> $ tar -zxvf download/libreswan-3.0.tar.gz
>>>>> $ cd libreswan-3.0/
>>>>> $ make programs
>>>>> $ sudo make install
>>>>> $ sudo systemctl start ipsec.service
>>>>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>>>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>>> Loaded: loaded (/usr/lib/systemd/system/ipsec.service;
>>>>> disabled)
>>>>> Active: active (running) since Fri, 04 Jan 2013 12:42:54
>>>>> +0100; 14s ago
>>>>> Process: 2154
>>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>>>> (code=exited,
>>>>> status=0/SUCCESS)
>>>>> Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
>>>>> --config /etc/ipsec.conf --checkconfig (code=exited,
>>>>> status=0/SUCCESS)
>>>>> Main PID: 2215 (sh)
>>>>> CGroup: name=systemd:/system/ipsec.service
>>>>> 2215 /usr/bin/sh -c eval
>>>>> `/usr/local/libexec/ipsec/plut...
>>>>> 2216 /usr/bin/sh -c eval
>>>>> `/usr/local/libexec/ipsec/plut...
>>>>> 2217 /usr/local/libexec/ipsec/pluto --config
>>>>> /etc/ipsec...
>>>>> 2242 _pluto_adns
>>>>>
>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>> find_host_pair_conn ...
>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: added
>>>>> connection
>>>>> descr...
>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | reaped
>>>>> addconn
>>>>> helpe...
>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>> connect_to_host_pair...
>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>> find_host_pair:
>>>>> comp...
>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>> connect_to_host_pair...
>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>> find_host_pair:
>>>>> comp...
>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>> connect_to_host_pair...
>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>> find_host_pair:
>>>>> comp...
>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>> connect_to_host_pair...
>>>>> [philippe at victor libreswan-3.0]$ sudo systemctl stop ipsec.service
>>>>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>>>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>>> Loaded: loaded (/usr/lib/systemd/system/ipsec.service;
>>>>> disabled)
>>>>> Active: inactive (dead) since Fri, 04 Jan 2013 12:50:26
>>>>> +0100; 2s ago
>>>>> Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
>>>>> (code=exited, status=0/SUCCESS)
>>>>> Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
>>>>> (code=exited, status=0/SUCCESS)
>>>>> Process: 2572 ExecStop=/usr/local/sbin/ipsec whack
>>>>> --shutdown
>>>>> (code=exited, status=0/SUCCESS)
>>>>> Process: 2215 ExecStart=/usr/bin/sh -c eval
>>>>> `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
>>>>> $PLUTO_OPTIONS` (code=exited, status=0/SUCCESS)
>>>>> Process: 2154
>>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>>>> (code=exited,
>>>>> status=0/SUCCESS)
>>>>> Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
>>>>> --config /etc/ipsec.conf --checkconfig (code=exited,
>>>>> status=0/SUCCESS)
>>>>> CGroup: name=systemd:/system/ipsec.service
>>>>>
>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: shutting down
>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>>>> connectio...
>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "roadwarrior":
>>>>> deletin...
>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>>>> connectio...
>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
>>>>> "macintosh-l2tp":
>>>>> dele...
>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>>>> connectio...
>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
>>>>> "roadwarrior-l2tp": de...
>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>>>> connectio...
>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
>>>>> "roadwarrior-l2tp-upda...
>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | crl fetch
>>>>> request li...
>>>>>
>>>>> So would it happen that you still have /etc/rc.d/init.d/ipsec*?
>>>>> On my side:
>>>>> [philippe at victor libreswan-3.0]$ ls /etc/rc.d/init.d/ipsec*
>>>>> ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
>>>>> Would it also happen, though it looks unlikely at first glance, that you
>>>>> are facing some SELinux issue?
>>>>> Can you give us the output of the following:
>>>>> [philippe at victor libreswan-3.0]$ sudo getenforce
>>>>> Permissive
>>>>> If getenforce returns Enforcing, can you perform the following
>>>>> commands:
>>>>> [philippe at victor libreswan-3.0]$ sudo restorecon /usr/local/sbin -Rv
>>>>> [philippe at victor libreswan-3.0]$ sudo restorecon
>>>>> /usr/local/libexec/ipsec -Rv
>>>>> [philippe at victor libreswan-3.0]$
>>>>>
>>>>> Once the above points are clean,
>>>>>
>>>>> [philippe at victor libreswan-3.0]$ sudo systemctl --system
>>>>> daemon-reload
>>>>> [philippe at victor libreswan-3.0]$ sudo systemctl restart ipsec.service
>>>>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>>>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>>> Loaded: loaded (/usr/lib/systemd/system/ipsec.service;
>>>>> disabled)
>>>>> Active: active (running) since Fri, 04 Jan 2013 12:58:55
>>>>> +0100; 6s ago
>>>>> Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
>>>>> (code=exited, status=0/SUCCESS)
>>>>> Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
>>>>> (code=exited, status=0/SUCCESS)
>>>>> Process: 2572 ExecStop=/usr/local/sbin/ipsec whack
>>>>> --shutdown
>>>>> (code=exited, status=0/SUCCESS)
>>>>> Process: 2947
>>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>>>> (code=exited,
>>>>> status=0/SUCCESS)
>>>>> Process: 2942 ExecStartPre=/usr/local/sbin/ipsec addconn
>>>>> --config /etc/ipsec.conf --checkconfig (code=exited,
>>>>> status=0/SUCCESS)
>>>>> Main PID: 3011 (sh)
>>>>> CGroup: name=systemd:/system/ipsec.service
>>>>> 3011 /usr/bin/sh -c eval
>>>>> `/usr/local/libexec/ipsec/plut...
>>>>> 3012 /usr/bin/sh -c eval
>>>>> `/usr/local/libexec/ipsec/plut...
>>>>> 3013 /usr/local/libexec/ipsec/pluto --config
>>>>> /etc/ipsec...
>>>>> 3038 _pluto_adns
>>>>>
>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>> find_host_pair_conn ...
>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: added
>>>>> connection
>>>>> descr...
>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | reaped
>>>>> addconn
>>>>> helpe...
>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>> connect_to_host_pair...
>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>> find_host_pair:
>>>>> comp...
>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>> connect_to_host_pair...
>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>> find_host_pair:
>>>>> comp...
>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>> connect_to_host_pair...
>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>> find_host_pair:
>>>>> comp...
>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>> connect_to_host_pair...
>>>>>
>>>>> Thank you so much in advance for keeping us informed.
>>>>> Best regards,
>>>>>
>>>>> Philippe Vouters (Fontainebleau/France)
>>>>> URL: http://vouters.dyndns.org/
>>>>> SIP: sip:Vouters at sip.linphone.org
>>>>>
>>>>> On 04/01/2013 10:51, Elison Niven wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I downloaded libreswan and installed from source on Fedora 16.
>>>>>> # Install dependencies
>>>>>> $ yum install unbound-devel libcap-ng-devel xmto
>>>>>>
>>>>>> # Remove openswan, racoon
>>>>>> $ yum remove openswan ipsec-tools
>>>>>>
>>>>>> # Make and install libreswan
>>>>>> # make programs
>>>>>> $ make install
>>>>>>
>>>>>> $ systemctl --system daemon-reload
>>>>>> $ systemctl enable ipsec.service
>>>>>> $ service ipsec start
>>>>>> Redirecting to /bin/systemctl start ipsec.service
>>>>>>
>>>>>> $ service ipsec status
>>>>>> Redirecting to /bin/systemctl status ipsec.service
>>>>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for
>>>>>> IPsec
>>>>>> Loaded: loaded (/lib/systemd/system/ipsec.service; enabled)
>>>>>> Active: failed since Fri, 04 Jan 2013 15:11:52 +0530; 2s ago
>>>>>> Process: 13445 ExecStopPost=/sbin/ip xfrm state flush
>>>>>> (code=exited, status=0/SUCCESS)
>>>>>> Process: 13443 ExecStopPost=/sbin/ip xfrm policy flush
>>>>>> (code=exited, status=0/SUCCESS)
>>>>>> Process: 13440 ExecStop=/usr/local/sbin/ipsec whack --shutdown
>>>>>> (code=exited, status=1/FAILURE)
>>>>>> Process: 13438 ExecStart=/usr/bin/sh -c eval
>>>>>> `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
>>>>>> $PLUTO_OPTIONS` (code=exited, status=203/EXEC)
>>>>>> Process: 13379
>>>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>>>>> (code=exited, status=0/SUCCESS)
>>>>>> Process: 13376 ExecStartPre=/usr/local/sbin/ipsec addconn
>>>>>> --config /etc/ipsec.conf --checkconfig (code=exited,
>>>>>> status=0/SUCCESS)
>>>>>> CGroup: name=systemd:/system/ipsec.service
>>>>>>
>>>>>>
>>>>>> I can start pluto manually by executing the commands in the systemd
>>>>>> unit file marked for ExecStartPre and ExecStart.
>>>>>>
>>>>>> $ cat /etc/systemd/system/multi-user.target.wants/ipsec.service
>>>>>> [Unit]
>>>>>> Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>>>> After=syslog.target
>>>>>> After=network.target
>>>>>> #After=remote-fs.target
>>>>>>
>>>>>> [Service]
>>>>>> Type=simple
>>>>>> Restart=always
>>>>>> EnvironmentFile=-/etc/sysconfig/pluto
>>>>>> #Environment=IPSEC_LIBDIR=/usr/local/libexec/ipsec
>>>>>> #Environment=IPSEC_SBINDIR=/usr/local/sbin
>>>>>> #Environment=IPSEC_EXECDIR=/usr/local/libexec/ipsec/ipsec
>>>>>> #PIDFile=/var/run/pluto/pluto.pid
>>>>>> #
>>>>>> ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf
>>>>>> --checkconfig
>>>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>>>>> ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto
>>>>>> --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
>>>>>> ExecStop=/usr/local/sbin/ipsec whack --shutdown
>>>>>> ExecStopPost=/sbin/ip xfrm policy flush
>>>>>> ExecStopPost=/sbin/ip xfrm state flush
>>>>>> ExecReload=/usr/local/sbin/ipsec whack --listen
>>>>>>
>>>>>> [Install]
>>>>>> WantedBy=multi-user.target
>>>>>> Alias=syslog.service
>>>>>>
>>>>>> Any help?
>>>>>>
>>> _______________________________________________
>>> Swan mailing list
>>> Swan at lists.libreswan.org
>>> https://lists.libreswan.org/mailman/listinfo/swan
--
Best Regards,
Elison Niven
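The `ipsec verify` run above flags send_redirects, accept_redirects and rp_filter on every interface as still enabled, which is the usual state on a fresh Fedora host and is what libreswan warns about before it even gets to the pluto start-up failure. The script below is an added example, not part of the thread and not libreswan's own code: it re-implements just that sysctl portion of `ipsec verify` as a POSIX sh function over a directory laid out like /proc/sys/net/ipv4/conf (one subdirectory per interface, each holding the three files), so it can be pointed at the live /proc tree for an audit or at a constructed copy for offline testing. Treating any non-zero rp_filter as a finding mirrors the libreswan 3.0 output in the thread; the sample tree, the function names and the `--demo` flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example: a small re-implementation of the sysctl checks that
# `ipsec verify` performs. Not libreswan code. The directory layout assumed
# below matches /proc/sys/net/ipv4/conf on Linux.

# check_ipsec_sysctls DIR
#   DIR contains one subdirectory per interface (plus "all" and "default"),
#   each with send_redirects, accept_redirects and rp_filter files.
#   Prints "<path> [NOT DISABLED]" for every setting that is still active and
#   returns 0 when nothing needs fixing, 1 otherwise.
check_ipsec_sysctls() {
    dir=$1
    findings=0
    for iface in "$dir"/*; do
        [ -d "$iface" ] || continue
        for key in send_redirects accept_redirects rp_filter; do
            f="$iface/$key"
            [ -r "$f" ] || continue
            # Any value other than 0 means the feature is on. For rp_filter,
            # 1 (strict) and 2 (loose) are both reported, as the libreswan 3.0
            # verify output in the thread does.
            value=$(cat "$f")
            if [ "$value" != "0" ]; then
                echo "$f [NOT DISABLED]"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}

# make_sample_conf DIR
#   Constructed sample tree (not real host data): "default" is already
#   hardened, "eth0" trips all three warnings. Lets the check run without root.
make_sample_conf() {
    dir=$1
    mkdir -p "$dir/default" "$dir/eth0"
    printf '0\n' > "$dir/default/send_redirects"
    printf '0\n' > "$dir/default/accept_redirects"
    printf '0\n' > "$dir/default/rp_filter"
    printf '1\n' > "$dir/eth0/send_redirects"
    printf '1\n' > "$dir/eth0/accept_redirects"
    printf '1\n' > "$dir/eth0/rp_filter"
}

# Stand-alone run: `sh check_ipsec_sysctls.sh --demo` audits the constructed
# tree; `sh check_ipsec_sysctls.sh --live` audits the real /proc tree.
case "${1:-}" in
    --demo)
        tmp=$(mktemp -d)
        make_sample_conf "$tmp"
        check_ipsec_sysctls "$tmp" || echo "sample tree: settings above need fixing"
        rm -rf "$tmp"
        ;;
    --live)
        check_ipsec_sysctls /proc/sys/net/ipv4/conf && echo "all checks [OK]"
        ;;
esac
```

On a real host the fix is the one the verify output itself names: set the three keys to 0 for `all`, `default` and each interface via sysctl, then re-run `ipsec verify` to confirm the warnings are gone before chasing the separate 203/EXEC start-up problem.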