[Swan] Adapting libreswan for Openstack VPNaaS Juno

Paul Wouters paul at nohats.ca
Tue Feb 3 05:49:49 EET 2015

On Mon, 2 Feb 2015, Matias R. Cuenca del Rey wrote:

> Hello, I'm trying to run Openstack VPNaaS on Centos 7 with libreswan-3.8-6.el7_0.x86_64. VPNaaS's scripts are for openswan,
> so there are some options that are different. I've been working to adapt them, for example 'ipsec pluto' didn't work
> because there was no nssdb,
> Right now, I have running pluto, but I'm not sure if it is running like I want. The command that I execute to start pluto
> is:

We put in a few fixes specifically for openstack and non-root ownership
of files and dropping capabilities later on. Please use libreswan-3.12
to ensure you have all those fixes! You're mixing at least

* pluto: Drop CAP_DAC_OVERRIDE privs later to support non-root dirs [Paul]

> # ipsec pluto --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto --ipsecdir
> /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d --config
> /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf --uniqueids --nat_traversal --secretsfile
> /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets --virtual_private
> %v4:,%v4:
> Although I execute ipsec pluto with --config option, when I execute ipsec whack --status I read the default config file
> and directory:

The order matters. If you specify --config and then --ctlbase, the
ctlbase will override the configuration. If you specify --ctlbase
before --config, the config file version will get used.

> Cannot open logfile '(null)': Bad file descriptor
> nss directory plutomain: /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d

Those might be caused by the capabilities fix.

If this does not fix your issues, ping me on pwouters at redhat.com and
I'll bring you in contact with our redhat/openstack guy that was part
of fixing these issues.
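The changelog line above ("Drop CAP_DAC_OVERRIDE privs later to support non-root dirs") describes an ordering problem: if a daemon gives up CAP_DAC_OVERRIDE before it has opened a working directory that is owned by another user (here the neutron-owned ipsec directory), the open fails with a permission or "bad file descriptor" error like the one quoted. The following is an added illustration of that pattern, not libreswan's own code: it opens the directory first, then clears CAP_DAC_OVERRIDE from the process's capability sets with the raw capget/capset syscalls, so every later file access is subject to ordinary DAC checks. The directory path, the function names and the use of raw syscalls instead of libcap are assumptions made for this example.

```c
// Added example, not from libreswan: open the privileged-only resource
// first, then drop CAP_DAC_OVERRIDE so later file access obeys normal
// permission checks. Uses raw capget/capset so it needs no libcap.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Clear one capability bit in the effective, permitted and inheritable
 * sets of a v3 capability payload (two 32-bit words per set). */
static void cap_clear_bit(struct __user_cap_data_struct data[2], int cap)
{
    int idx = cap / 32;                 /* which 32-bit word holds the bit */
    __u32 mask = ~(1u << (cap % 32));
    data[idx].effective   &= mask;
    data[idx].permitted   &= mask;
    data[idx].inheritable &= mask;
}

/* Return 1 if the capability is in the effective set, else 0. */
static int cap_is_set(const struct __user_cap_data_struct data[2], int cap)
{
    return (int)((data[cap / 32].effective >> (cap % 32)) & 1u);
}

/* Drop CAP_DAC_OVERRIDE from the calling process. Returns 0 on success
 * or -errno. If the process never had the capability (an unprivileged
 * run) nothing needs changing and 0 is returned. */
static int drop_dac_override(void)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3,
        .pid = 0,                        /* 0 = the calling thread */
    };
    struct __user_cap_data_struct data[2] = {{0}};

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    if (!cap_is_set(data, CAP_DAC_OVERRIDE))
        return 0;
    cap_clear_bit(data, CAP_DAC_OVERRIDE);
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    return 0;
}

/* Correct order: open the (possibly non-root-owned) directory while the
 * capability is still held, then drop it. Returns a directory fd for
 * later openat() calls, or -errno. */
static int setup_ipsecdir(const char *dir)
{
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    int rc = drop_dac_override();
    if (rc != 0) {
        close(fd);
        return rc;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Placeholder path; a real daemon would take its --ipsecdir here. */
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    int fd = setup_ipsecdir(dir);
    if (fd < 0) {
        fprintf(stderr, "setup failed for %s: %s\n", dir, strerror(-fd));
        return 1;
    }
    printf("opened %s (fd %d); CAP_DAC_OVERRIDE no longer effective\n", dir, fd);
    close(fd);
    return 0;
}
```

Run as root the program still succeeds on a directory owned by another user, because the open happens before the drop; reversing the two calls in setup_ipsecdir reproduces the failure mode the fix addressed. Reducing a process's own permitted set needs no extra privilege, so the drop works whether or not the daemon later changes user.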
