[Swan] ipsec won't stay running
Mike Johnston
mjohnston at wiktel.com
Mon Jun 9 19:12:19 EEST 2014
I used to have openswan installed on my ubuntu 12.04 server and I ran
apt-get remove openswan to remove it. I then installed libreswan-3.8
from source and rebooted the server. After the reboot, I found that the
ipsec service was not running.
Running service ipsec start gives me something like this:
ipsec start/running, process 4933
Then if I immediately run service ipsec status I get this:
ipsec stop/waiting
So the ipsec service never really gets going...it must fail almost right
away.
What can I do to troubleshoot this situation and get libreswan going on
this server?
The logs show these entries:
Jun 9 11:02:14 gamma kernel: [ 1136.017915] intel_rng: FWH not detected
Jun 9 11:02:14 gamma kernel: [ 1136.213599] padlock_sha: VIA PadLock Hash Engine not detected.
Jun 9 11:02:14 gamma kernel: [ 1136.313834] Intel AES-NI instructions are not detected.
Jun 9 11:02:14 gamma kernel: [ 1136.383964] Intel AES-NI instructions are not detected.
Jun 9 11:02:14 gamma kernel: [ 1136.562989] init: ipsec main process (4933) terminated with status 10
Jun 9 11:02:14 gamma kernel: [ 1136.563012] init: ipsec main process ended, respawning
Jun 9 11:02:14 gamma kernel: [ 1136.567396] init: ipsec post-stop process (4996) terminated with status 1
ipsec verify looks like this:
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.8 (netkey) on 3.2.0-64-generic
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/dummy0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0.3/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth1.3/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/bond0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [FAILED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
My /etc/ipsec.conf file looks like this:
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.100.105.0/27
    oe=off
    protostack=netkey

conn mainoffice
    authby=secret
    auto=start
    type=tunnel
    left=1.1.1.1
    leftsourceip=10.100.105.1
    leftsubnet=10.100.105.0/27
    right=2.2.2.2
    rightsourceip=10.100.100.1
    rightsubnet=10.100.100.0/23
    ike=aes128-sha1
    phase2=esp
    phase2alg=aes128-sha1
    pfs=no
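The ipsec verify output above flags rp_filter as ENABLED on every interface and says it should be disabled. The script below is an added example, not code from the original post or from the libreswan project: it lists the interfaces whose reverse-path filter is on and emits the sysctl lines that would turn it off. The directory argument is an assumption made so the check can be exercised against a constructed tree; on a real host it defaults to /proc/sys/net/ipv4/conf. Note the slash-separated sysctl keys: interface names such as eth0.3 and eth1.3 from the verify output contain a dot, and sysctl treats a dot as a separator unless the key is written with slashes.

```shell
#!/bin/sh
# Added example (not part of the original post): report interfaces with
# rp_filter enabled and print the sysctl lines that would disable it.
# The base directory is a parameter (assumption) so the functions can be
# run against a constructed tree; the live path is /proc/sys/net/ipv4/conf.

# Print "<interface> <value>" for each interface whose rp_filter is non-zero.
# 0 = off, 1 = strict, 2 = loose; ipsec verify flags anything non-zero.
rp_filter_offenders() {
    base="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$base"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            printf '%s %s\n' "$iface" "$val"
        fi
    done
}

# Emit one sysctl.conf line per offending interface. Slash-separated keys
# are used so that interface names containing a dot (eth0.3, eth1.3) are
# taken literally instead of being split on the dot.
rp_filter_sysctl_lines() {
    base="${1:-/proc/sys/net/ipv4/conf}"
    rp_filter_offenders "$base" | while read -r iface val; do
        printf 'net/ipv4/conf/%s/rp_filter = 0\n' "$iface"
    done
}

# Human-readable summary; returns 1 when any interface still has rp_filter on.
report() {
    base="${1:-/proc/sys/net/ipv4/conf}"
    offenders=$(rp_filter_offenders "$base")
    if [ -z "$offenders" ]; then
        echo "rp_filter is disabled on every interface under $base"
        return 0
    fi
    echo "rp_filter is enabled on:"
    printf '%s\n' "$offenders"
    echo "suggested /etc/sysctl.conf lines (apply with: sysctl -p):"
    rp_filter_sysctl_lines "$base"
    return 1
}

# Run against the live host when executed directly.
report || true
```

Running the script as root on the affected machine prints the offending interfaces and the lines to append to /etc/sysctl.conf; after `sysctl -p`, re-run `ipsec verify` to confirm the rp_filter checks pass. This addresses only the rp_filter warning; it does not explain why pluto exits with status 10, which the pluto log itself would have to show.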