[Swan] ipsec won't stay running

Mike Johnston mjohnston at wiktel.com
Mon Jun 9 19:12:19 EEST 2014


I used to have openswan installed on my ubuntu 12.04 server and I ran 
apt-get remove openswan to remove it.  I then installed libreswan-3.8 
from source and rebooted the server.  After the reboot, I found that the 
ipsec service was not running.

Running service ipsec start gives me something like this:
ipsec start/running, process 4933

Then if I immediately run service ipsec status I get this:
ipsec stop/waiting

So the ipsec service never really gets going... it must fail almost right 
away.

What can I do to troubleshoot this situation and get libreswan going on 
this server?


The logs show these entries:
Jun  9 11:02:14 gamma kernel: [ 1136.017915] intel_rng: FWH not detected
Jun  9 11:02:14 gamma kernel: [ 1136.213599] padlock_sha: VIA PadLock Hash Engine not detected.
Jun  9 11:02:14 gamma kernel: [ 1136.313834] Intel AES-NI instructions are not detected.
Jun  9 11:02:14 gamma kernel: [ 1136.383964] Intel AES-NI instructions are not detected.
Jun  9 11:02:14 gamma kernel: [ 1136.562989] init: ipsec main process (4933) terminated with status 10
Jun  9 11:02:14 gamma kernel: [ 1136.563012] init: ipsec main process ended, respawning
Jun  9 11:02:14 gamma kernel: [ 1136.567396] init: ipsec post-stop process (4996) terminated with status 1

ipsec verify looks like this:
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.8 (netkey) on 3.2.0-64-generic
Checking for IPsec support in kernel                    [OK]
  NETKEY: Testing XFRM related proc values
          ICMP default/send_redirects                    [OK]
          ICMP default/accept_redirects                  [OK]
          XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [ENABLED]
  /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
  /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
  /proc/sys/net/ipv4/conf/lo/rp_filter                   [ENABLED]
  /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
  /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
  /proc/sys/net/ipv4/conf/dummy0/rp_filter               [ENABLED]
  /proc/sys/net/ipv4/conf/eth0.3/rp_filter               [ENABLED]
  /proc/sys/net/ipv4/conf/eth1.3/rp_filter               [ENABLED]
  /proc/sys/net/ipv4/conf/bond0/rp_filter                [ENABLED]
   rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [FAILED]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]

My /etc/ipsec.conf file looks like this:
config setup
         dumpdir=/var/run/pluto/
         nat_traversal=yes
         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.100.105.0/27
         oe=off
         protostack=netkey

conn mainoffice
         authby=secret
         auto=start
         type=tunnel
         left=1.1.1.1
         leftsourceip=10.100.105.1
         leftsubnet=10.100.105.0/27
         right=2.2.2.2
         rightsourceip=10.100.100.1
         rightsubnet=10.100.100.0/23
         ike=aes128-sha1
         phase2=esp
         phase2alg=aes128-sha1
         pfs=no


