[Swan] Problems with CentOS5/RHEL5
Nels Lindquist
nlindq at maei.ca
Tue Sep 23 18:22:47 EEST 2014
Good morning.
I'm trying to get LibreSWAN 3.10 working on an older gateway running
CentOS5 (x86_64).
As the RHEL5/CentOS5 binaries don't seem to be available in the
repository yet, I decided to build my own.
First issue of note--neither the libreswan-3.9-1.el5.x86_64.rpm nor the
libreswan-3.9-1.el5.src.rpm passed the signature check, despite my
importing RPM-GPG-KEY-libreswan. Not sure what's up there.
Anyway, I (possibly foolishly) bypassed the failing signature check,
extracted the spec file from the 3.9 source package, tweaked it for
3.10, built a 3.10 source RPM and then finally built the binary RPMs
on CentOS5. I disabled DNSSEC in the spec file rather than trying to
find compatible unbound packages in various repositories.
The problem arises when trying to bring up a tunnel. Either using an
L2TP connection or XAUTH + RSA, the connection fails with the following:
> Sep 23 06:28:50 yycgate pluto[14414]: read from crypto helper 0 failed with short length 2048 of 2768. Killing helper.
I tried forcing "nhelpers=1" in ipsec.conf, but it made no difference.
I'm also seeing these:
> Sep 23 06:28:52 yycgate pluto[14414]: "L2TP-Win2KXP"[1] 75.158.74.198 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R1
"ipsec verify" passes everything except for "XFRM larval drop [NOT
ENABLED]"; I haven't been able to determine whether that's a big
problem or what I might do about it; Google is reticent this morning.
--
Nels Lindquist
<nlindq at maei.ca>
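A small triage helper for the two pluto messages quoted in the post, added here as an example; it is not part of Nels' mail or of libreswan. It parses syslog-style pluto lines (the sample below is constructed from the quoted lines, with one extra discard line added), reports crypto-helper short reads with the byte shortfall, and counts packets discarded during asynchronous work per connection and state. The regular expressions are assumptions derived only from the quoted wording.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: the two lines quoted in the post plus one repeated discard.
SAMPLE_LOG = """\
Sep 23 06:28:50 yycgate pluto[14414]: read from crypto helper 0 failed with short length 2048 of 2768. Killing helper.
Sep 23 06:28:52 yycgate pluto[14414]: "L2TP-Win2KXP"[1] 75.158.74.198 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R1
Sep 23 06:28:53 yycgate pluto[14414]: "L2TP-Win2KXP"[1] 75.158.74.198 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R1
"""

# Assumed patterns, written from the quoted message text only.
HELPER_RE = re.compile(
    r"pluto\[(?P<pid>\d+)\]: read from crypto helper (?P<helper>\d+) failed "
    r"with short length (?P<got>\d+) of (?P<want>\d+)"
)
DISCARD_RE = re.compile(
    r'pluto\[(?P<pid>\d+)\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: '
    r"discarding packet received during asynchronous work \((?P<kind>[^)]+)\) in (?P<state>\S+)"
)

@dataclass
class Triage:
    helper_failures: list = field(default_factory=list)  # (helper, got, want, missing)
    discards: Counter = field(default_factory=Counter)    # (conn, peer, state) -> count

def triage_pluto_log(text: str) -> Triage:
    """Scan pluto log lines and collect helper short-reads and async discards."""
    result = Triage()
    for line in text.splitlines():
        m = HELPER_RE.search(line)
        if m:
            got, want = int(m["got"]), int(m["want"])
            result.helper_failures.append((int(m["helper"]), got, want, want - got))
            continue
        m = DISCARD_RE.search(line)
        if m:
            result.discards[(m["conn"], m["peer"], m["state"])] += 1
    return result

def summarize(t: Triage) -> list:
    """Render one human-readable line per finding."""
    out = []
    for helper, got, want, missing in t.helper_failures:
        out.append(f"crypto helper {helper}: reply truncated, {got}/{want} bytes ({missing} short); helper killed")
    for (conn, peer, state), n in t.discards.items():
        out.append(f"{conn} {peer}: {n} packet(s) discarded while waiting on async work in {state}")
    return out

if __name__ == "__main__":
    for s in summarize(triage_pluto_log(SAMPLE_LOG)):
        print(s)
```

Pipe `journalctl -u ipsec` or the relevant syslog file into `triage_pluto_log` to see whether the discards line up with a killed helper on the same pluto pid.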