[Swan] Adapting libreswan for Openstack VPNaaS Juno

Matias R. Cuenca del Rey maticue at gmail.com
Tue Feb 3 04:31:44 EET 2015


Hello,
I'm trying to run Openstack VPNaaS on CentOS 7 with
libreswan-3.8-6.el7_0.x86_64. VPNaaS's scripts are for openswan, so there
are some options that are different. I've been working to adapt them; for
example, 'ipsec pluto' didn't work because there was no nssdb.
Right now I have pluto running, but I'm not sure if it is running the way I
want. The command that I execute to start pluto is:

# ipsec pluto \
    --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto \
    --ipsecdir /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d \
    --config /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf \
    --uniqueids --nat_traversal \
    --secretsfile /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets \
    --virtual_private %v4:192.168.1.0/24,%v4:192.168.88.0/24

Although I execute ipsec pluto with the --config option, when I execute ipsec
whack --status I see the default config file and directory:

# ipsec whack --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto --status
000 using kernel interface: netkey
000 interface qg-b0dafe22-e4/qg-b0dafe22-e4 XXX.XXX.XXX.XXX
000 interface qg-b0dafe22-e4/qg-b0dafe22-e4 XXX.XXX.XXX.XXX
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets, ipsecdir=/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d, dumpdir=/var/run/pluto, statsbin=unset
000 sbindir=/usr/sbin, libdir=/usr/libexec/ipsec, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.8, pluto_vendorid=OE-Libreswan-3.8
000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=XXX.XXX.XXX.XXX
000 secctx_attr_value=32001
000 myid = (none)
[more output here...]
000
000 Connection list:
000
000
000 State list:
000
000 Shunt list:
000


When I execute ipsec pluto with the --nofork option I get the following output:

# ipsec pluto \
    --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto \
    --ipsecdir /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d \
    --config /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf \
    --uniqueids --nat_traversal \
    --secretsfile /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets \
    --virtual_private %v4:192.168.1.0/24,%v4:192.168.88.0/24 \
    --nofork --debug-all --stderrlog

adjusting ipsec.d to /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d
Pluto initialized
Cannot open logfile '(null)': Bad file descriptor
nss directory plutomain: /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d
NSS Initialized
libcap-ng support [enabled]
FIPS HMAC integrity verification test passed
FIPS: pluto daemon NOT running in FIPS mode
libcap-ng support [enabled]
Linux audit support [disabled]
Starting Pluto (Libreswan Version 3.8 XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS) LDAP(non-NSS)) pid:9483
core dump dir: /var/run/pluto
secrets file: /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS crypto [enabled]
XAUTH PAM support [enabled]
Setting NAT-Traversal port-4500 floating to on
   port floating activation criteria nat_t=1/port_float=1
   NAT-Traversal support  [enabled]
| inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
| event added at head of queue
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 15 cryptographic helpers
started helper (thread) pid=139704128128768 (fd:5)
started helper (thread) pid=139704119736064 (fd:7)
| status value returned by setting the priority of this thread (id=0) 22
| helper 0 waiting on fd: 6
| status value returned by setting the priority of this thread (id=1) 22
| helper 1 waiting on fd: 8
| status value returned by setting the priority of this thread (id=2) 22
| helper 2 waiting on fd: 10
started helper (thread) pid=139704111343360 (fd:9)
started helper (thread) pid=139704102950656 (fd:11)
started helper (thread) pid=139704094557952 (fd:14)
| status value returned by setting the priority of this thread (id=3) 22
| helper 3 waiting on fd: 12
started helper (thread) pid=139703877629696 (fd:16)
| status value returned by setting the priority of this thread (id=5) 22
| helper 5 waiting on fd: 17
| status value returned by setting the priority of this thread (id=4) 22
| helper 4 waiting on fd: 15
started helper (thread) pid=139703869236992 (fd:18)
started helper (thread) pid=139703860844288 (fd:20)
| status value returned by setting the priority of this thread (id=6) 22
| helper 6 waiting on fd: 19
started helper (thread) pid=139703852451584 (fd:22)
| status value returned by setting the priority of this thread (id=7) 22
| helper 7 waiting on fd: 21
| status value returned by setting the priority of this thread (id=8) 22
| helper 8 waiting on fd: 23
started helper (thread) pid=139703844058880 (fd:24)
| status value returned by setting the priority of this thread (id=9) 22
| helper 9 waiting on fd: 25
started helper (thread) pid=139703835666176 (fd:26)
| status value returned by setting the priority of this thread (id=10) 22
| helper 10 waiting on fd: 27
started helper (thread) pid=139703827273472 (fd:28)
started helper (thread) pid=139703273649920 (fd:30)
| status value returned by setting the priority of this thread (id=11) 22
| helper 11 waiting on fd: 29
| status value returned by setting the priority of this thread (id=12) 22
| helper 12 waiting on fd: 31
started helper (thread) pid=139703265257216 (fd:32)
started helper (thread) pid=139703256864512 (fd:34)
| status value returned by setting the priority of this thread (id=13) 22
| helper 13 waiting on fd: 33
| status value returned by setting the priority of this thread (id=14) 22
| helper 14 waiting on fd: 35
Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-123.13.2.el7.x86_64
| process 9483 listening for PF_KEY_V2 on file descriptor 38
| finish_pfkey_msg: K_SADB_REGISTER message 1 for AH
|   02 07 00 02  02 00 00 00  01 00 00 00  0b 25 00 00
| pfkey_get: K_SADB_REGISTER message 1
| AH registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP
|   02 07 00 03  02 00 00 00  02 00 00 00  0b 25 00 00
| pfkey_get: K_SADB_REGISTER message 2
| alg_init():memset(0x7f0f6e09d580, 0, 2048) memset(0x7f0f6e09dd80, 0, 2048)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=72
| kernel_alg_add():satype=3, exttype=14, alg_id=251(ESP_KAME_NULL)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14, satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=2(ESP_DES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14, satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=3(ESP_3DES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14, satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=5(ESP_IDEA)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14, satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=6(ESP_CAST)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14, satype=3, alg_id=6, alg_ivlen=0, alg_minbits=384, alg_maxbits=384, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=7(ESP_BLOWFISH)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14, satype=3, alg_id=7, alg_ivlen=0, alg_minbits=512, alg_maxbits=512, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=8(ESP_3IDEA)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=14, satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=9(ESP_DES_IV32)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=14, satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=88
| kernel_alg_add():satype=3, exttype=15, alg_id=11(ESP_NULL)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15, satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=2(ESP_DES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15, satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=3(ESP_3DES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15, satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=6(ESP_CAST)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15, satype=3, alg_id=6, alg_ivlen=8, alg_minbits=40, alg_maxbits=128, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=7(ESP_BLOWFISH)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15, satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=12(ESP_AES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15, satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=252(ESP_SERPENT)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15, satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=22(ESP_CAMELLIA)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[15], exttype=15, satype=3, alg_id=22, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=253(ESP_TWOFISH)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[16], exttype=15, satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=13(ESP_AES_CTR)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[17], exttype=15, satype=3, alg_id=13, alg_ivlen=8, alg_minbits=160, alg_maxbits=288, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=18(ESP_AES_GCM_A)
| kernel_alg_add():satype=3, exttype=15, alg_id=19(ESP_AES_GCM_B)
| kernel_alg_add():satype=3, exttype=15, alg_id=20(ESP_AES_GCM_C)
| kernel_alg_add():satype=3, exttype=15, alg_id=14(ESP_AES_CCM_A)
| kernel_alg_add():satype=3, exttype=15, alg_id=15(ESP_AES_CCM_B)
| kernel_alg_add():satype=3, exttype=15, alg_id=16(ESP_AES_CCM_C)
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Warning: failed to register algo_aes_ccm_8 for IKE
ike_alg_register_enc(): Activating aes_ccm_12: Ok (ret=0)
Warning: failed to register algo_aes_ccm_12 for IKE
ike_alg_register_enc(): Activating aes_ccm_16: Ok (ret=0)
Warning: failed to register algo_aes_ccm_16 for IKE
ike_alg_register_enc(): Activating aes_gcm_8: Ok (ret=0)
Warning: failed to register algo_aes_gcm_8 for IKE
ike_alg_register_enc(): Activating aes_gcm_12: Ok (ret=0)
Warning: failed to register algo_aes_gcm_12 for IKE
ike_alg_register_enc(): Activating aes_gcm_16: Ok (ret=0)
Warning: failed to register algo_aes_gcm_16 for IKE
| Registered AEAD AES CCM/GCM algorithms
| ESP registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 3 for IPCOMP
|   02 07 00 09  02 00 00 00  03 00 00 00  0b 25 00 00
| pfkey_get: K_SADB_REGISTER message 3
| IPCOMP registered with kernel.
| Registered AH, ESP and IPCOMP
| Changed path to directory '/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d/cacerts'
| Changing to directory '/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d/crls'
| selinux support is NOT enabled.
| inserting event EVENT_LOG_DAILY, timeout in 78344 seconds
| event added after event EVENT_REINIT_SECRET
listening for IKE messages
| Inspecting interface lo
| found lo with address 127.0.0.1
| Inspecting interface qr-b9e50b74-8d
| found qr-b9e50b74-8d with address 192.168.1.1
| Inspecting interface qg-b0dafe22-e4
| found qg-b0dafe22-e4 with address XXX.XXX.XXX.XXX
| Only looking to listen on XXX.XXX.XXX.XXX
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
adding interface qg-b0dafe22-e4/qg-b0dafe22-e4 XXX.XXX.XXX.XXX:500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=19)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
adding interface qg-b0dafe22-e4/qg-b0dafe22-e4 XXX.XXX.XXX.XXX:4500
skipping interface qr-b9e50b74-8d with 192.168.1.1
skipping interface lo with 127.0.0.1
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
| Only looking to listen on XXX.XXX.XXX.XXX
skipping interface lo with ::1
| Only looking to listen on XXX.XXX.XXX.XXX
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshard_secrets'
loading secrets from "/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets"
| id type added to secret(0x7f0f6eb8a250) PPK_PSK: XXX.XXX.XXX.XXX
| id type added to secret(0x7f0f6eb8a250) PPK_PSK: YYY.YYY.YYY.YYY
| Processing PSK at line 2: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| next event EVENT_PENDING_DDNS in 60 seconds
| calling addconn helper using execve
can not load config '/etc/ipsec.conf': can't load file '/etc/ipsec.conf'
| next event EVENT_PENDING_DDNS in 59 seconds
| reaped addconn helper child
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or /selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 60 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or /selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or /selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or /selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 0 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added after event EVENT_PENDING_PHASE2
| handling event EVENT_PENDING_PHASE2
| event after this is EVENT_PENDING_DDNS in 60 seconds
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
| next event EVENT_PENDING_DDNS in 60 seconds
|
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 60 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or /selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or /selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 0 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added after event EVENT_PENDING_PHASE2
| handling event EVENT_PENDING_PHASE2
| event after this is EVENT_PENDING_DDNS in 60 seconds
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or /selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 60 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| next event EVENT_PENDING_DDNS in 60 seconds

Is it using /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf?

Thanks!!

Matías R. Cuenca del Rey
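Added here as an illustration, not code from the post, from libreswan or from neutron-vpnaas: a Python check that parses the settings lines of ipsec whack --status and the --stderrlog output (both reconstructed from the listings above as constructed samples, with the mailer's line wrapping undone) and flags any of configfile, secrets and ipsecdir that pluto reports outside the router's private directory, together with any config file the addconn helper says it could not load. The router path, the PRIVATE_KEYS set and all function names are this example's own choices.

```python
"""Audit the config paths a pluto instance reports (whack status + stderr log).
Added illustration, not libreswan/neutron-vpnaas code; samples are constructed."""
import re

ROUTER = "/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc"

# Constructed excerpt of `ipsec whack --status`; pluto prints the long
# "configdir=..." line as one line (the mailer had wrapped it).
STATUS_OUTPUT = f"""\
000 using kernel interface: netkey
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets={ROUTER}/etc/ipsec.secrets, ipsecdir={ROUTER}/etc/ipsec.d, dumpdir=/var/run/pluto, statsbin=unset
000 sbindir=/usr/sbin, libdir=/usr/libexec/ipsec, libexecdir=/usr/libexec/ipsec
"""

# Constructed excerpt of the `--nofork --stderrlog` output.
PLUTO_LOG = f"""\
adjusting ipsec.d to {ROUTER}/etc/ipsec.d
| calling addconn helper using execve
can not load config '/etc/ipsec.conf': can't load file '/etc/ipsec.conf'
| reaped addconn helper child
"""

# Settings that must live under the router's private directory; a value
# outside it means pluto fell back to a system-wide file.
PRIVATE_KEYS = ("configfile", "secrets", "ipsecdir")

def parse_status_paths(status_text):
    """Collect key=value settings from the '000 ' status lines."""
    settings = {}
    for line in status_text.splitlines():
        if not line.startswith("000 "):
            continue
        for part in line[4:].split(", "):
            if "=" in part:
                key, value = part.split("=", 1)
                settings[key.strip()] = value.strip()
    return settings

def config_load_errors(log_text):
    """Paths the addconn helper reported it could not load."""
    return re.findall(r"can not load config '([^']+)'", log_text)

def audit_pluto_paths(router_dir, status_text, log_text):
    """Report private settings outside router_dir, plus addconn load errors."""
    settings = parse_status_paths(status_text)
    wrong = {k: settings.get(k, "<missing>") for k in PRIVATE_KEYS
             if not settings.get(k, "").startswith(router_dir + "/")}
    errors = config_load_errors(log_text)
    return {"ok": not wrong and not errors, "wrong": wrong, "load_errors": errors}

if __name__ == "__main__":
    print(audit_pluto_paths(ROUTER, STATUS_OUTPUT, PLUTO_LOG))
```

On the listings in the post only configfile falls outside the per-router tree, which lines up with the addconn helper's complaint about /etc/ipsec.conf; once the status report shows configfile under the router directory the audit returns ok.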