[Swan] Libreswan on Raspbian issues ?
jchludzinski
jchludzinski at vivaldi.net
Wed Apr 3 04:30:59 UTC 2019
I built libreswan on a Raspberry Pi 3 under Raspbian. I used
libreswan-3.25 because libreswan-3.27 wouldn't build under Debian (there
are known issues) and the other machine I want to establish peer-to-peer
communication with is running CentOS 7.4 and uses libreswan-3.25.
At first I couldn't get ipsec.service to properly start: pluto would
immediately die. So I ran:
$ sudo /usr/local/libexec/ipsec/pluto --leak-detective --config
/etc/ipsec.conf --nofork --debug-all --stderrlog
and got:
"Failed to initialize unbound libevent ABI, please recompile libunbound
with libevent support or recompile libreswan without USE_DNSSEC".
So I set: USE_DNSSEC=false
and rebuild libreswan-3.25.
I started libreswan-3.25:
$ sudo systemctl start ipsec
Everything looked good when I ran:
$ systemctl status ipsec
BUT then I ran and got:
$ ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 4.14.98-v7+
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on
or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]
Pluto ipsec.secret syntax [UNKNOWN]
(run ipsec verify as root to test ipsec.secrets)
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
warning: could not open include filename: '/etc/ipsec.d/*.conf'
ipsec verify: encountered 4 errors - see 'man ipsec_verify' for help
What REALLY concerns me is: "Pluto listening for IKE on udp 500
[FAILED]"
How much of a problem it this?
More information about the Swan
mailing list