[Swan] CentOS 5 Migrate to Libreswan 3.0-1 from Openswan - include statement not working

Tom Robinson tom.robinson at motec.com.au
Thu Oct 29 21:29:21 UTC 2015


On 29/10/15 10:37, Paul Wouters wrote:
> You can change the spec and disable DNSSEC so you don't need unbound,

I tried building the RPM without DNSSEC and succeeded. However, I got runtime errors:

pluto[19918]: "seattle" #4: can not start crypto helper: failed to find any available worker
pluto[19918]: "seattle" #4: message in state STATE_MAIN_R1 ignored due to cryptographic overload

Which led me to this:

"More sites with same problem. All el5 based where libreswan is
compiled without unbound support."

https://lists.libreswan.org/pipermail/swan-dev/2014-July/000423.html

I then found unbound on EPEL:

unbound-libs-1.4.20-2.el5
unbound-devel-1.4.20-2.el5

To install them you'll need a few other things:

ldns-devel-1.6.16-1.el5
libevent-1.4.13-1
ldns-1.6.16-1.el5

and perhaps a few others (depending on your system).

Anyway, I built the libreswan-3.9 package again and it succeeded.

I still got these errors though on Road Warrior connections:

pluto[22628]: "l2tp"[1] 165.228.94.4 #4: can not start crypto helper: failed to find any available worker
pluto[22628]: "l2tp"[1] 165.228.94.4 #4: message in state STATE_MAIN_R1 ignored due to cryptographic overload

So I ended up putting nhelpers=0 in the main config section of ipsec.conf. It is now working but I
don't understand fully what the default is and why I need to set this.

From the man page:

nhelpers
              how many pluto helpers are started to help with cryptographic operations. Pluto will start (n-1) of them, where n is the number of CPU’s you have (including hypherthreaded CPU’s). A value of 0 forces pluto to do all operations in the main process. A value of -1 tells pluto to perform the above calculation. Any other value forces the number to that amount.

Our VPN server has only one CPU so, from the man page, nhelpers should start n-1 where n = number of
CPUs. If I'm understanding correctly that would mean nhelpers=0 in my case but I had to set that
explicitly.

What are the helpers and what are the workers? Should I have more than 0 here and why do I have to
set that explicitly?

Kind regards,
Tom

-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robinson at motec.com.au
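
Added example, not part of the original message and not Libreswan code: a small Python triage script that reads `nhelpers` from the `config setup` section of an ipsec.conf, evaluates the helper count the way the quoted man page text describes it, and counts the two pluto symptom lines per connection. The function names, the sample configuration and the sample log lines are constructed for illustration.

```python
import re

# Symptom strings taken from the pluto log lines quoted in the message.
SYMPTOMS = ("can not start crypto helper",
            "ignored due to cryptographic overload")
LOG_RE = re.compile(r'pluto\[\d+\]: "([^"]+)"(?:\[\d+\])?(?: \S+)? #\d+: (.*)')

# Constructed sample input (not from a real system).
SAMPLE_CONF = """\
# constructed ipsec.conf fragment
config setup
    protostack=netkey
    nhelpers=0

conn seattle
    auto=add
"""
SAMPLE_LOG = """\
pluto[100]: "seattle" #4: can not start crypto helper: failed to find any available worker
pluto[100]: "seattle" #4: message in state STATE_MAIN_R1 ignored due to cryptographic overload
pluto[100]: "l2tp"[1] 192.0.2.10 #7: can not start crypto helper: failed to find any available worker
pluto[100]: "l2tp"[1] 192.0.2.10 #7: STATE_MAIN_R1: sent MR1, expecting MI2
"""

def read_nhelpers(conf_text):
    """Return nhelpers from 'config setup', or None when it is not set."""
    in_setup, value = False, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # section headers start in column 0
            in_setup = line.split() == ["config", "setup"]
        elif in_setup:
            key, sep, val = line.strip().partition("=")
            if sep and key.strip() == "nhelpers":
                value = int(val.strip())
    return value

def helpers_per_man_page(nhelpers, cpus):
    """-1: (n-1) helpers for n CPUs; 0: main process only; else forced count."""
    return max(cpus - 1, 0) if nhelpers == -1 else nhelpers

def overload_hits(log_text):
    """Count symptom lines per connection name."""
    hits = {}
    for m in filter(None, map(LOG_RE.search, log_text.splitlines())):
        if any(s in m.group(2) for s in SYMPTOMS):
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits
```
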
