[Swan] libreswan 3.8 (netkey) and modules
Pavel Kopchyk
pkopchyk at gmail.com
Fri Feb 28 10:11:53 EET 2014
Hi,
I am testing libreswan 3.8 on CentOS 6.5
# cat /etc/redhat-release
CentOS release 6.5 (Final)
# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.8 (netkey) on 2.6.32-431.5.1.el6.i686
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]
Pluto ipsec.secret syntax [OK]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
When I try to restart:
# service ipsec restart
Shutting down pluto IKE daemon
002 shutting down
ERROR: Module xfrm4_mode_tunnel is in use
ERROR: Module esp4 is in use
FAILURE to unload NETKEY esp4/esp6 module
Starting pluto IKE daemon for IPsec: [ OK ]
For me it is not critical since I only use NETKEY (in this case).
But what if I want to try to use KLIPS after NETKEY?
I also have blocked IPv6.
# /var/log/messages
...
Feb 28 08:47:30 test kernel: padlock: VIA PadLock not detected.
Feb 28 08:47:30 test kernel: padlock: VIA PadLock Hash Engine not detected.
Feb 28 08:47:30 test kernel: Intel AES-NI instructions are not detected.
Feb 28 08:47:30 test kernel: Intel AES-NI instructions are not detected.
Feb 28 08:47:30 test kernel: padlock: VIA PadLock not detected.
Feb 28 08:47:30 test kernel: tunnel6: Unknown symbol icmpv6_send
Feb 28 08:47:30 test kernel: tunnel6: Unknown symbol icmpv6_send
Feb 28 08:47:30 test kernel: xfrm6_mode_tunnel: Unknown symbol xfrm6_prepare_output
Feb 28 08:47:30 test kernel: xfrm6_mode_beet: Unknown symbol xfrm6_prepare_output
Feb 28 08:47:30 test kernel: esp6: Unknown symbol xfrm6_rcv
Feb 28 08:47:30 test kernel: esp6: Unknown symbol xfrm6_find_1stfragopt
Feb 28 08:47:30 test kernel: ah6: Unknown symbol xfrm6_rcv
Feb 28 08:47:30 test kernel: ah6: Unknown symbol xfrm6_find_1stfragopt
Feb 28 08:47:30 test kernel: NET: Registered protocol family 15
Maybe it makes sense to check the IPv6?
Thanks!