[Swan] Adapting libreswan for Openstack VPNaaS Juno
Matias R. Cuenca del Rey
maticue at gmail.com
Tue Feb 3 04:31:44 EET 2015
Hello,
I'm trying to run Openstack VPNaaS on Centos 7 with
libreswan-3.8-6.el7_0.x86_64. VPNaaS's scripts are for openswan, so there
are some options that are different. I've been working to adapt them; for
example, 'ipsec pluto' didn't work because there was no nssdb.
Right now I have pluto running, but I'm not sure if it is running like I
want. The command that I execute to start pluto is:
# ipsec pluto \
    --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto \
    --ipsecdir /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d \
    --config /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf \
    --uniqueids --nat_traversal \
    --secretsfile /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets \
    --virtual_private %v4:192.168.1.0/24,%v4:192.168.88.0/24
Although I execute ipsec pluto with the --config option, when I execute ipsec
whack --status I read the default config file and directory:
# ipsec whack \
    --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto \
    --status
000 using kernel interface: netkey
000 interface qg-b0dafe22-e4/qg-b0dafe22-e4 XXX.XXX.XXX.XXX
000 interface qg-b0dafe22-e4/qg-b0dafe22-e4 XXX.XXX.XXX.XXX
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf,
secrets=/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets,
ipsecdir=/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d,
dumpdir=/var/run/pluto, statsbin=unset
000 sbindir=/usr/sbin, libdir=/usr/libexec/ipsec,
libexecdir=/usr/libexec/ipsec
000 pluto_version=3.8, pluto_vendorid=OE-Libreswan-3.8
000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0,
listen=XXX.XXX.XXX.XXX
000 secctx_attr_value=32001
000 myid = (none)
[more output here...]
000
000 Connection list:
000
000
000 State list:
000
000 Shunt list:
000
When I execute ipsec pluto with the --nofork option I get the following output:
# ipsec pluto \
    --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto \
    --ipsecdir /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d \
    --config /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf \
    --uniqueids --nat_traversal \
    --secretsfile /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets \
    --virtual_private %v4:192.168.1.0/24,%v4:192.168.88.0/24 \
    --nofork --debug-all --stderrlog
adjusting ipsec.d to
/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d
Pluto initialized
Cannot open logfile '(null)': Bad file descriptornss directory plutomain:
/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d
NSS Initialized
libcap-ng support [enabled]
FIPS HMAC integrity verification test passed
FIPS: pluto daemon NOT running in FIPS mode
libcap-ng support [enabled]
Linux audit support [disabled]
Starting Pluto (Libreswan Version 3.8 XFRM(netkey) KLIPS NSS DNSSEC
FIPS_CHECK LABELED_IPSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER KLIPS_MAST
CURL(non-NSS) LDAP(non-NSS)) pid:9483
core dump dir: /var/run/pluto
secrets file:
/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS crypto [enabled]
XAUTH PAM support [enabled]
Setting NAT-Traversal port-4500 floating to on
port floating activation criteria nat_t=1/port_float=1
NAT-Traversal support [enabled]
| inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
| event added at head of queue
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 15 cryptographic helpers
started helper (thread) pid=139704128128768 (fd:5)
started helper (thread) pid=139704119736064 (fd:7)
| status value returned by setting the priority of this thread (id=0) 22
| helper 0 waiting on fd: 6
| status value returned by setting the priority of this thread (id=1) 22
| helper 1 waiting on fd: 8
| status value returned by setting the priority of this thread (id=2) 22
| helper 2 waiting on fd: 10
started helper (thread) pid=139704111343360 (fd:9)
started helper (thread) pid=139704102950656 (fd:11)
started helper (thread) pid=139704094557952 (fd:14)
| status value returned by setting the priority of this thread (id=3) 22
| helper 3 waiting on fd: 12
started helper (thread) pid=139703877629696 (fd:16)
| status value returned by setting the priority of this thread (id=5) 22
| helper 5 waiting on fd: 17
| status value returned by setting the priority of this thread (id=4) 22
| helper 4 waiting on fd: 15
started helper (thread) pid=139703869236992 (fd:18)
started helper (thread) pid=139703860844288 (fd:20)
| status value returned by setting the priority of this thread (id=6) 22
| helper 6 waiting on fd: 19
started helper (thread) pid=139703852451584 (fd:22)
| status value returned by setting the priority of this thread (id=7) 22
| helper 7 waiting on fd: 21
| status value returned by setting the priority of this thread (id=8) 22
| helper 8 waiting on fd: 23
started helper (thread) pid=139703844058880 (fd:24)
| status value returned by setting the priority of this thread (id=9) 22
| helper 9 waiting on fd: 25
started helper (thread) pid=139703835666176 (fd:26)
| status value returned by setting the priority of this thread (id=10) 22
| helper 10 waiting on fd: 27
started helper (thread) pid=139703827273472 (fd:28)
started helper (thread) pid=139703273649920 (fd:30)
| status value returned by setting the priority of this thread (id=11) 22
| helper 11 waiting on fd: 29
| status value returned by setting the priority of this thread (id=12) 22
| helper 12 waiting on fd: 31
started helper (thread) pid=139703265257216 (fd:32)
started helper (thread) pid=139703256864512 (fd:34)
| status value returned by setting the priority of this thread (id=13) 22
| helper 13 waiting on fd: 33
| status value returned by setting the priority of this thread (id=14) 22
| helper 14 waiting on fd: 35
Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-123.13.2.el7.x86_64
| process 9483 listening for PF_KEY_V2 on file descriptor 38
| finish_pfkey_msg: K_SADB_REGISTER message 1 for AH
| 02 07 00 02 02 00 00 00 01 00 00 00 0b 25 00 00
| pfkey_get: K_SADB_REGISTER message 1
| AH registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP
| 02 07 00 03 02 00 00 00 02 00 00 00 0b 25 00 00
| pfkey_get: K_SADB_REGISTER message 2
| alg_init():memset(0x7f0f6e09d580, 0, 2048) memset(0x7f0f6e09dd80, 0,
2048)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22
sadb_supported_len=72
| kernel_alg_add():satype=3, exttype=14, alg_id=251(ESP_KAME_NULL)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14,
satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=2(ESP_DES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14,
satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=3(ESP_3DES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14,
satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=5(ESP_IDEA)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14,
satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=6(ESP_CAST)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14,
satype=3, alg_id=6, alg_ivlen=0, alg_minbits=384, alg_maxbits=384, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=7(ESP_BLOWFISH)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14,
satype=3, alg_id=7, alg_ivlen=0, alg_minbits=512, alg_maxbits=512, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=8(ESP_3IDEA)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=14,
satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=9(ESP_DES_IV32)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=14,
satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0,
ret=1
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22
sadb_supported_len=88
| kernel_alg_add():satype=3, exttype=15, alg_id=11(ESP_NULL)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15,
satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=2(ESP_DES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15,
satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=3(ESP_3DES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15,
satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=6(ESP_CAST)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15,
satype=3, alg_id=6, alg_ivlen=8, alg_minbits=40, alg_maxbits=128, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=7(ESP_BLOWFISH)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15,
satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=12(ESP_AES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15,
satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=252(ESP_SERPENT)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15,
satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=22(ESP_CAMELLIA)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[15], exttype=15,
satype=3, alg_id=22, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=253(ESP_TWOFISH)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[16], exttype=15,
satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=13(ESP_AES_CTR)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[17], exttype=15,
satype=3, alg_id=13, alg_ivlen=8, alg_minbits=160, alg_maxbits=288, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=18(ESP_AES_GCM_A)
| kernel_alg_add():satype=3, exttype=15, alg_id=19(ESP_AES_GCM_B)
| kernel_alg_add():satype=3, exttype=15, alg_id=20(ESP_AES_GCM_C)
| kernel_alg_add():satype=3, exttype=15, alg_id=14(ESP_AES_CCM_A)
| kernel_alg_add():satype=3, exttype=15, alg_id=15(ESP_AES_CCM_B)
| kernel_alg_add():satype=3, exttype=15, alg_id=16(ESP_AES_CCM_C)
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Warning: failed to register algo_aes_ccm_8 for IKE
ike_alg_register_enc(): Activating aes_ccm_12: Ok (ret=0)
Warning: failed to register algo_aes_ccm_12 for IKE
ike_alg_register_enc(): Activating aes_ccm_16: Ok (ret=0)
Warning: failed to register algo_aes_ccm_16 for IKE
ike_alg_register_enc(): Activating aes_gcm_8: Ok (ret=0)
Warning: failed to register algo_aes_gcm_8 for IKE
ike_alg_register_enc(): Activating aes_gcm_12: Ok (ret=0)
Warning: failed to register algo_aes_gcm_12 for IKE
ike_alg_register_enc(): Activating aes_gcm_16: Ok (ret=0)
Warning: failed to register algo_aes_gcm_16 for IKE
| Registered AEAD AES CCM/GCM algorithms
| ESP registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 3 for IPCOMP
| 02 07 00 09 02 00 00 00 03 00 00 00 0b 25 00 00
| pfkey_get: K_SADB_REGISTER message 3
| IPCOMP registered with kernel.
| Registered AH, ESP and IPCOMP
| Changed path to directory
'/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d/cacerts'
| Changing to directory
'/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d/crls'
| selinux support is NOT enabled.
| inserting event EVENT_LOG_DAILY, timeout in 78344 seconds
| event added after event EVENT_REINIT_SECRET
listening for IKE messages
| Inspecting interface lo
| found lo with address 127.0.0.1
| Inspecting interface qr-b9e50b74-8d
| found qr-b9e50b74-8d with address 192.168.1.1
| Inspecting interface qg-b0dafe22-e4
| found qg-b0dafe22-e4 with address XXX.XXX.XXX.XXX
| Only looking to listen on XXX.XXX.XXX.XXX
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4
(errno=19)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
adding interface qg-b0dafe22-e4/qg-b0dafe22-e4 XXX.XXX.XXX.XXX:500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4
(errno=19)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
adding interface qg-b0dafe22-e4/qg-b0dafe22-e4 XXX.XXX.XXX.XXX:4500
skipping interface qr-b9e50b74-8d with 192.168.1.1
skipping interface lo with 127.0.0.1
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
| Only looking to listen on XXX.XXX.XXX.XXX
skipping interface lo with ::1
| Only looking to listen on XXX.XXX.XXX.XXX
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshard_secrets'
loading secrets from
"/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets"
| id type added to secret(0x7f0f6eb8a250) PPK_PSK: XXX.XXX.XXX.XXX
| id type added to secret(0x7f0f6eb8a250) PPK_PSK: YYY.YYY.YYY.YYY
| Processing PSK at line 2: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| next event EVENT_PENDING_DDNS in 60 seconds
| calling addconn helper using execve
can not load config '/etc/ipsec.conf': can't load file '/etc/ipsec.conf'
| next event EVENT_PENDING_DDNS in 59 seconds
| reaped addconn helper child
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or
/selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 60 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or
/selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or
/selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or
/selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 0 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added after event EVENT_PENDING_PHASE2
| handling event EVENT_PENDING_PHASE2
| event after this is EVENT_PENDING_DDNS in 60 seconds
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
| next event EVENT_PENDING_DDNS in 60 seconds
|
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 60 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or
/selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or
/selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 0 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added after event EVENT_PENDING_PHASE2
| handling event EVENT_PENDING_PHASE2
| event after this is EVENT_PENDING_DDNS in 60 seconds
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or
/selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 60 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| next event EVENT_PENDING_DDNS in 60 seconds
Is it using
/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf?
Thanks!!
Matías R. Cuenca del Rey
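A check for the situation described in this post, written as an added example (it is not code from the post, from libreswan or from Neutron VPNaaS): it parses the "config setup options" block of ipsec whack --status and reports each path setting that does not point into the router's /var/lib/neutron/ipsec/<id>/etc tree, so a pluto that silently kept the host-wide /etc/ipsec.conf (as the pasted status and the addconn "can not load config" line show) is caught before any tunnel is brought up. The sample status text is constructed from the output pasted above, including the mail-client line wrapping, which the parser re-joins; the --live mode and the ctlbase path are taken from the post's own command line, and the router id is the one from the post.

```python
"""Check that a running pluto picked up the per-router configuration.

Added example (not from the post, libreswan or Neutron): it parses the
'config setup options' block of `ipsec whack --status` and reports every
path setting that is not under the router's /etc tree. The sample status
text below is constructed from the output pasted in the post, including
the mail-client line wrapping.
"""
import subprocess
import sys

# Router directory taken from the post's command line.
ROUTER_DIR = "/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc"

# Constructed sample: the relevant lines of the pasted `ipsec whack --status`
# output. Long lines were wrapped by the mail client, so continuation lines
# lack the "000 " prefix that whack puts on every line it emits.
SAMPLE_STATUS = """\
000 using kernel interface: netkey
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf,
secrets=/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets,
ipsecdir=/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d,
dumpdir=/var/run/pluto, statsbin=unset
000 sbindir=/usr/sbin, libdir=/usr/libexec/ipsec,
libexecdir=/usr/libexec/ipsec
000 pluto_version=3.8, pluto_vendorid=OE-Libreswan-3.8
000 myid = (none)
"""

# Settings that must point into the router directory for the daemon to be
# using that router's configuration rather than the host-wide one.
PATH_KEYS = ("configdir", "configfile", "secrets", "ipsecdir")


def unwrap_status_lines(text):
    """Re-join wrapped status lines: whack prefixes each line with '000',
    so a line without that prefix continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("000") or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] = lines[-1] + " " + raw.strip()
    return lines


def parse_status_settings(text):
    """Return a dict of the key=value settings whack prints, e.g.
    {'configfile': '/etc/ipsec.conf', 'pluto_version': '3.8', ...}."""
    settings = {}
    for line in unwrap_status_lines(text):
        body = line[3:]  # drop the '000' prefix
        for field in body.split(","):
            key, sep, value = field.partition("=")
            if sep:
                settings[key.strip()] = value.strip()
    return settings


def check_router_paths(settings, router_dir):
    """Return the path settings that are NOT under router_dir/etc.
    An empty dict means pluto is using only that router's config tree."""
    root = router_dir.rstrip("/") + "/etc/"
    return {key: settings[key] for key in PATH_KEYS
            if key in settings
            and not (settings[key].rstrip("/") + "/").startswith(root)}


def main(argv):
    if len(argv) > 1 and argv[1] == "--live":
        # Query the running daemon, using the ctlbase from the post's command.
        text = subprocess.run(
            ["ipsec", "whack", "--ctlbase", ROUTER_DIR + "/var/run/pluto",
             "--status"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_STATUS
    bad = check_router_paths(parse_status_settings(text), ROUTER_DIR)
    for key, value in sorted(bad.items()):
        print(f"{key} is {value}, expected a path under {ROUTER_DIR}/etc")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it evaluates the constructed sample and reports configdir and configfile as pointing at the global /etc; with --live it asks the daemon over the post's ctlbase socket instead. The exit status is nonzero on any mismatch, so the check can sit in the agent's start-up path before connections are loaded.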