[Swan] libreswan 3.8 (netkey) and modules

Pavel Kopchyk pkopchyk at gmail.com
Fri Feb 28 10:11:53 EET 2014


Hi,

I am testing libreswan 3.8 on CentOS 6.5.

# cat /etc/redhat-release
CentOS release 6.5 (Final)

# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                   	[OK]
Libreswan 3.8 (netkey) on 2.6.32-431.5.1.el6.i686
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[OK]
         ICMP default/accept_redirects            	[OK]
         XFRM larval drop                         	[OK]
Pluto ipsec.conf syntax                           	[OK]
Hardware random device                            	[N/A]
Checking rp_filter                                	[OK]
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE/NAT-T on udp 4500        	[DISABLED]
 Pluto ipsec.secret syntax                        	[OK]
Checking NAT and MASQUERADEing                    	[TEST INCOMPLETE]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]
Checking 'prelink' command does not interfere with FIPSChecking for
obsolete ipsec.conf options          	[OK]
Opportunistic Encryption                          	[DISABLED]


When I try to restart:

# service ipsec restart
Shutting down pluto IKE daemon
002 shutting down

ERROR: Module xfrm4_mode_tunnel is in use
ERROR: Module esp4 is in use
FAILURE to unload NETKEY esp4/esp6 module
Starting pluto IKE daemon for IPsec:                       [  OK  ]

For me it is not critical since I only use NETKEY (in this case).
But what if I want to try to use KLIPS after NETKEY?


I also have blocked IPv6.
# /var/log/messages
...
Feb 28 08:47:30 test kernel: padlock: VIA PadLock not detected.
Feb 28 08:47:30 test kernel: padlock: VIA PadLock Hash Engine not detected.
Feb 28 08:47:30 test kernel: Intel AES-NI instructions are not detected.
Feb 28 08:47:30 test kernel: Intel AES-NI instructions are not detected.
Feb 28 08:47:30 test kernel: padlock: VIA PadLock not detected.
Feb 28 08:47:30 test kernel: tunnel6: Unknown symbol icmpv6_send
Feb 28 08:47:30 test kernel: tunnel6: Unknown symbol icmpv6_send
Feb 28 08:47:30 test kernel: xfrm6_mode_tunnel: Unknown symbol xfrm6_prepare_output
Feb 28 08:47:30 test kernel: xfrm6_mode_beet: Unknown symbol xfrm6_prepare_output
Feb 28 08:47:30 test kernel: esp6: Unknown symbol xfrm6_rcv
Feb 28 08:47:30 test kernel: esp6: Unknown symbol xfrm6_find_1stfragopt
Feb 28 08:47:30 test kernel: ah6: Unknown symbol xfrm6_rcv
Feb 28 08:47:30 test kernel: ah6: Unknown symbol xfrm6_find_1stfragopt
Feb 28 08:47:30 test kernel: NET: Registered protocol family 15

Might it make sense to check for IPv6?

Thanks!

