[Swan] Problems with CentOS5/RHEL5
Paul Wouters
paul at nohats.ca
Wed Sep 24 23:17:34 EEST 2014
On Tue, 23 Sep 2014, Nels Lindquist wrote:
> I'm trying to get LibreSWAN 3.10 working on an older gateway running
> CentOS5 (x86_64).
>
> As the RHEL5/CentOS5 binaries don't seem to be available in the
> repository yet, I decided to build my own.
Ah, were we building those? I might have just forgotten.
> First issue of note--neither the libreswan-3.9-1.el5.x86_64.rpm nor the
> libreswan-3.9-1.el5.src.rpm passed the signature check, despite my
> importing RPM-GPG-KEY-libreswan. Not sure what's up there.
That might be because of a md5 versus sha1 issue? I'll look into it.
> Anyway, I (possibly foolishly) bypassed the failing signature check,
> extracted the spec file from the 3.9 source package, tweaked it for
> 3.10, built a 3.10 source RPM and then finally built the binary RPMs
> on CentOS5. I disabled DNSSEC in the spec file rather than trying to
> find compatible unbound packages in various repositories.
Sure, that's probably for the best.
> The problem arises when trying to bring up a tunnel. Either using an
> L2TP connection or XAUTH + RSA, the connection fails with the following:
>
>> Sep 23 06:28:50 yycgate pluto[14414]: read from crypto helper 0
>> failed with short length 2048 of 2768. Killing helper.
Odd. Perhaps Hugh can shed some light on that?
> I tried forcing "nhelpers=1" in ipsec.conf, but it made no difference.
Try nhelpers=0 instead?
> I'm also seeing these:
>
>> Sep 23 06:28:52 yycgate pluto[14414]: "L2TP-Win2KXP"[1]
>> 75.158.74.198 #1: discarding packet received during asynchronous
>> work (DNS or crypto) in STATE_MAIN_R1
That seems to be a side effect of the earlier bug.
> "ipsec verify" passes everything except for "XFRM larval drop [NOT
> ENABLED]";
That only affects delays on dynamic tunnels.
Paul
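As an added example, not part of this thread and not libreswan's own tooling: the step above where the failing signature check was bypassed before the rebuild is the one a practitioner would want gated. The POSIX sh below classifies `rpm -K` output so that a build from a .src.rpm proceeds only on a verified signature, treating a missing key (import RPM-GPG-KEY-libreswan and re-run) differently from a digest or signature mismatch, and flagging a digest-only "OK" as an unsigned package. The sample output lines are constructed, modelled on the rpm 4.4 (EL5) format, the key ID in them is a placeholder, and the function and variable names are my own. One caveat: if the "NOT OK" comes from a digest algorithm that EL5's old rpm does not know (the md5/sha1 issue Paul suspects), no local workaround will make it verify; check the file on a host with a newer rpm instead of disabling the check.

```shell
#!/bin/sh
# Added example (not from the thread or from libreswan): gate a rebuild on
# rpm signature verification instead of bypassing it.
#   classify_checksig_line  - parses one line of `rpm -K` / `rpm --checksig` output
#   verify_or_abort         - runs rpm -K on a real file and refuses anything not verified
# Sample lines at the bottom are constructed, modelled on rpm 4.4 (EL5) output;
# the key ID "GPG#deadbeef" is a placeholder, not a real libreswan key.

classify_checksig_line() {
    # $1: one line of rpm -K output. Prints OK, MISSING_KEY, BAD, UNSIGNED or UNKNOWN.
    case "$1" in
        *"NOT OK"*"MISSING KEYS"*) echo MISSING_KEY ;;   # signing key not imported yet
        *"NOT OK"*)                echo BAD ;;           # digest or signature mismatch
        *"OK"*)
            # "OK" without a gpg/pgp token means only the digests were checked:
            # the package carries no signature at all.
            case "$1" in
                *gpg*|*pgp*|*GPG*|*PGP*) echo OK ;;
                *)                       echo UNSIGNED ;;
            esac ;;
        *) echo UNKNOWN ;;   # e.g. "open of ... failed" or unexpected format
    esac
}

verify_or_abort() {
    # $1: path to an .rpm (binary or source). Returns 0 only on a verified signature.
    out=$(rpm -K "$1" 2>&1) || true
    status=$(classify_checksig_line "$out")
    case "$status" in
        OK)
            return 0 ;;
        MISSING_KEY)
            echo "refusing $1: signing key not imported" >&2
            echo "  run: rpm --import RPM-GPG-KEY-libreswan   then re-check" >&2
            echo "  rpm said: $out" >&2
            return 2 ;;
        *)
            echo "refusing $1: signature check result $status" >&2
            echo "  rpm said: $out" >&2
            return 1 ;;
    esac
}

# Constructed sample lines (not captured from the thread), one per outcome:
SIGNED_OK='libreswan-3.9-1.el5.src.rpm: (sha1) dsa sha1 md5 gpg OK'
MISSING='libreswan-3.9-1.el5.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#deadbeef)'
BAD='libreswan-3.9-1.el5.src.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK'
UNSIGNED='libreswan-3.9-1.el5.src.rpm: sha1 md5 OK'

# Usage: sh verify.sh libreswan-3.9-1.el5.src.rpm  (exit status 0 only when verified)
if [ $# -gt 0 ]; then
    verify_or_abort "$1"
fi
```

Wire `verify_or_abort` in front of `rpm -i` of the .src.rpm (and of `rpmbuild`), so a tweaked spec is only ever derived from a package whose signature checked out; a non-zero exit from the script stops the build instead of leaving the decision to a person at 06:28 in the morning.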