[Swan] libreswan 3.21 error?
Charles Van Dusen
charlie at imdgn.com
Sun Sep 24 15:22:54 UTC 2017
Hi,
I recently moved to libreswan 3.21 on a new machine and transferred my configuration files from a 3.18 machine to the new machine. All appeared to be working normally.
Until this morning, although nothing changed.
This morning the VPN will not come up and it seems to fail with the following error when I try to bring it up with the following command:
Command:
/usr/local/sbin/ipsec auto --up IMD-L2TP-PSK
Error:
whack: is Pluto running? connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused).
This is what I am seeing in the /var/log/auth.log :
Sep 24 11:08:02 rpiNC CRON[7993]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 24 11:08:05 rpiNC pluto[8381]: NSS DB directory: sql:/etc/ipsec.d
Sep 24 11:08:05 rpiNC pluto[8381]: Initializing NSS
Sep 24 11:08:05 rpiNC pluto[8381]: Opening NSS database "sql:/etc/ipsec.d" read-only
Sep 24 11:08:05 rpiNC pluto[8381]: NSS initialized
Sep 24 11:08:05 rpiNC pluto[8381]: NSS crypto library initialized
Sep 24 11:08:05 rpiNC pluto[8381]: FIPS HMAC integrity support [disabled]
Sep 24 11:08:05 rpiNC pluto[8381]: libcap-ng support [enabled]
Sep 24 11:08:05 rpiNC pluto[8381]: Linux audit support [disabled]
Sep 24 11:08:05 rpiNC pluto[8381]: Starting Pluto (Libreswan Version 3.21 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO NSS DNSSEC SYSTEMD_WATCHDOG LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:8381
Sep 24 11:08:05 rpiNC pluto[8381]: core dump dir: /var/run/pluto/
Sep 24 11:08:05 rpiNC pluto[8381]: secrets file: /etc/ipsec.secrets
Sep 24 11:08:05 rpiNC pluto[8381]: leak-detective enabled
Sep 24 11:08:05 rpiNC pluto[8381]: NSS crypto [enabled]
Sep 24 11:08:05 rpiNC pluto[8381]: XAUTH PAM support [enabled]
Sep 24 11:08:05 rpiNC pluto[8381]: NAT-Traversal support [enabled]
Sep 24 11:08:05 rpiNC pluto[8381]: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
Sep 24 11:08:05 rpiNC pluto[8381]: Encryption algorithms:
Sep 24 11:08:05 rpiNC pluto[8381]: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)
Sep 24 11:08:05 rpiNC pluto[8381]: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b)
Sep 24 11:08:05 rpiNC pluto[8381]: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a)
Sep 24 11:08:05 rpiNC pluto[8381]: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] (3des)
Sep 24 11:08:05 rpiNC pluto[8381]: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Sep 24 11:08:05 rpiNC pluto[8381]: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (camellia)
Sep 24 11:08:05 rpiNC pluto[8381]: AES_GCM_16 IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)
Sep 24 11:08:05 rpiNC pluto[8381]: AES_GCM_12 IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b)
Sep 24 11:08:05 rpiNC pluto[8381]: AES_GCM_8 IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a)
Sep 24 11:08:05 rpiNC pluto[8381]: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aesctr)
Sep 24 11:08:05 rpiNC pluto[8381]: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes)
Sep 24 11:08:05 rpiNC pluto[8381]: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (serpent)
Sep 24 11:08:05 rpiNC pluto[8381]: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (twofish)
Sep 24 11:08:05 rpiNC pluto[8381]: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} (twofish_cbc_ssh)
Sep 24 11:08:05 rpiNC pluto[8381]: CAST_CBC IKEv1: ESP IKEv2: ESP {*128} (cast)
Sep 24 11:08:05 rpiNC pluto[8381]: NULL IKEv1: ESP IKEv2: ESP []
Sep 24 11:08:05 rpiNC pluto[8381]: Hash algorithms:
Sep 24 11:08:05 rpiNC pluto[8381]: MD5 IKEv1: IKE IKEv2:
Sep 24 11:08:05 rpiNC pluto[8381]: SHA1 IKEv1: IKE IKEv2: FIPS (sha)
Sep 24 11:08:05 rpiNC pluto[8381]: SHA2_256 IKEv1: IKE IKEv2: FIPS (sha2 sha256)
Sep 24 11:08:05 rpiNC pluto[8381]: SHA2_384 IKEv1: IKE IKEv2: FIPS (sha384)
Sep 24 11:08:05 rpiNC pluto[8381]: SHA2_512 IKEv1: IKE IKEv2: FIPS (sha512)
Sep 24 11:08:05 rpiNC pluto[8381]: PRF algorithms:
Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_MD5 IKEv1: IKE IKEv2: IKE (md5)
Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS (sha sha1)
Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS (sha2 sha256 sha2_256)
Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS (sha384 sha2_384)
Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS (sha512 sha2_512)
Sep 24 11:08:05 rpiNC pluto[8381]: Integrity algorithms:
Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (md5 hmac_md5)
Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha sha1 sha1_96 hmac_sha1)
Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha512 sha2_512 hmac_sha2_512)
Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha384 sha2_384 hmac_sha2_384)
Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256)
Sep 24 11:08:05 rpiNC pluto[8381]: AES_XCBC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_xcbc)
Sep 24 11:08:05 rpiNC pluto[8381]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_cmac)
Sep 24 11:08:05 rpiNC pluto[8381]: DH algorithms:
Sep 24 11:08:05 rpiNC pluto[8381]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh2)
Sep 24 11:08:05 rpiNC pluto[8381]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh5)
Sep 24 11:08:05 rpiNC pluto[8381]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh14)
Sep 24 11:08:05 rpiNC pluto[8381]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh15)
Sep 24 11:08:05 rpiNC pluto[8381]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh16)
Sep 24 11:08:05 rpiNC pluto[8381]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh17)
Sep 24 11:08:05 rpiNC pluto[8381]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh18)
Sep 24 11:08:05 rpiNC pluto[8381]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_256)
Sep 24 11:08:05 rpiNC pluto[8381]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_384)
Sep 24 11:08:05 rpiNC pluto[8381]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_521)
Sep 24 11:08:05 rpiNC pluto[8381]: DH23 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS
Sep 24 11:08:05 rpiNC pluto[8381]: DH24 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS
Sep 24 11:08:05 rpiNC pluto[8381]: starting up 3 crypto helpers
Sep 24 11:08:05 rpiNC pluto[8381]: started thread for crypto helper 0 (master fd 11)
Sep 24 11:08:05 rpiNC pluto[8381]: seccomp security for crypto helper not supported
Sep 24 11:08:05 rpiNC pluto[8381]: started thread for crypto helper 1 (master fd 13)
Sep 24 11:08:05 rpiNC pluto[8381]: seccomp security for crypto helper not supported
Sep 24 11:08:05 rpiNC pluto[8381]: started thread for crypto helper 2 (master fd 15)
Sep 24 11:08:05 rpiNC pluto[8381]: seccomp security for crypto helper not supported
Sep 24 11:08:05 rpiNC pluto[8381]: Using Linux XFRM/NETKEY IPsec interface code on 4.9.41-v7+
Sep 24 11:08:05 rpiNC pluto[8381]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Sep 24 11:08:05 rpiNC pluto[8381]: watchdog: sending probes every 100 secs
Sep 24 11:08:05 rpiNC pluto[8381]: ABORT: ASSERTION FAILED: dns_ctx != NULL (in unbound_event_init() at unbound.c:188)
Sep 24 11:08:05 rpiNC pluto[8381]: ABORT: ASSERTION FAILED: dns_ctx != NULL (in unbound_event_init() at unbound.c:188)
This series of errors appears to repeat 3 or so times.
Nothing has changed on this machine, or on the machine to which it is trying to connect.
Ideas?
TIA
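A triage sketch for the log quoted above, added here as an example (not part of the original post and not libreswan code): it groups pluto syslog lines by PID and extracts each assertion abort, since a daemon that aborts at startup is not listening on /var/run/pluto/pluto.ctl, which is consistent with the whack "Connection refused" error. The sample log is constructed from the quoted lines (the second PID 8412 and the later timestamps are invented), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the syslog format of the quoted auth.log.
# The feature list is shortened; PID 8412 and its timestamps are invented.
SAMPLE_LOG = """\
Sep 24 11:08:05 rpiNC pluto[8381]: Starting Pluto (Libreswan Version 3.21 XFRM(netkey) KLIPS) pid:8381
Sep 24 11:08:05 rpiNC pluto[8381]: watchdog: sending probes every 100 secs
Sep 24 11:08:05 rpiNC pluto[8381]: ABORT: ASSERTION FAILED: dns_ctx != NULL (in unbound_event_init() at unbound.c:188)
Sep 24 11:08:05 rpiNC pluto[8381]: ABORT: ASSERTION FAILED: dns_ctx != NULL (in unbound_event_init() at unbound.c:188)
Sep 24 11:08:07 rpiNC pluto[8412]: Starting Pluto (Libreswan Version 3.21 XFRM(netkey) KLIPS) pid:8412
Sep 24 11:08:07 rpiNC pluto[8412]: ABORT: ASSERTION FAILED: dns_ctx != NULL (in unbound_event_init() at unbound.c:188)
Sep 24 11:08:09 rpiNC CRON[7993]: pam_unix(cron:session): session closed for user root
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ pluto\[(\d+)\]: (.*)$")
START = re.compile(r"Starting Pluto \(Libreswan Version (\S+)")
ABORT = re.compile(r"ABORT: ASSERTION FAILED: (.+) \(in (\w+)\(\) at ([\w.]+):(\d+)\)")

def summarize(text):
    """Return one record per pluto PID: version, start time, distinct aborts."""
    runs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a pluto line (e.g. CRON)
        ts, pid, msg = m.groups()
        run = runs.setdefault(pid, {"pid": int(pid), "version": None,
                                    "started": None, "aborts": []})
        s = START.search(msg)
        if s:
            run["version"], run["started"] = s.group(1), ts
        a = ABORT.search(msg)
        if a:
            rec = (a.group(1), a.group(2), f"{a.group(3)}:{a.group(4)}")
            if rec not in run["aborts"]:  # same line can repeat within one PID
                run["aborts"].append(rec)
    return list(runs.values())

def repeated_aborts(runs, threshold=2):
    """Assertions hit by at least `threshold` distinct PIDs (a restart loop)."""
    counts = Counter(rec for r in runs for rec in r["aborts"])
    return {rec: n for rec, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(r)
    print(repeated_aborts(summarize(SAMPLE_LOG)))
```

Run it against the real file by passing `open("/var/log/auth.log").read()` to `summarize()`.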