[Swan] Libreswan on Raspbian issues ?

jchludzinski jchludzinski at vivaldi.net
Wed Apr 3 04:30:59 UTC 2019


I built libreswan on a Raspberry Pi 3 under Raspbian. I used 
libreswan-3.25 because libreswan-3.27 wouldn't build under Debian (there 
are known issues) and the other machine I want to establish peer-to-peer 
communication with is running CentOS 7.4 and uses libreswan-3.25.

At first I couldn't get ipsec.service to properly start: pluto would 
immediately die. So I ran:

$ sudo /usr/local/libexec/ipsec/pluto --leak-detective --config 
/etc/ipsec.conf --nofork  --debug-all --stderrlog

and got:

"Failed to initialize unbound libevent ABI, please recompile libunbound 
with libevent support or recompile libreswan without USE_DNSSEC".

So I set: USE_DNSSEC=false
and rebuilt libreswan-3.25.

I started libreswan-3.25:

$ sudo systemctl start ipsec

Everything looked good when I ran:

$ systemctl status ipsec

BUT then I ran and got:

$ ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                       [OK]
Libreswan 3.25 (netkey) on 4.14.98-v7+
Checking for IPsec support in kernel                  [OK]
  NETKEY: Testing XFRM related proc values
          ICMP default/send_redirects                  [NOT DISABLED]

   Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on 
or cause sending of bogus ICMP redirects!

          ICMP default/accept_redirects                [NOT DISABLED]

   Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act 
on or cause sending of bogus ICMP redirects!

          XFRM larval drop                             [OK]
Pluto ipsec.conf syntax                               [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                    [OK]
Checking that pluto is running                        [OK]
  Pluto listening for IKE on udp 500                   [FAILED]
  Pluto listening for IKE/NAT-T on udp 4500            [DISABLED]
  Pluto ipsec.secret syntax                            [UNKNOWN]
  (run ipsec verify as root to test ipsec.secrets)
Checking 'ip' command                                 [OK]
Checking 'iptables' command                           [OK]
Checking 'prelink' command does not interfere with FIPS    [OK]
Checking for obsolete ipsec.conf options              [OBSOLETE KEYWORD]
warning: could not open include filename: '/etc/ipsec.d/*.conf'

ipsec verify: encountered 4 errors - see 'man ipsec_verify' for help


What REALLY concerns me is: "Pluto listening for IKE on udp 500  
[FAILED]"

How much of a problem is this?
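Added example (editor's addition, not code from the original post or from the Libreswan project): the two kinds of finding in the `ipsec verify` output above are checkable without pluto's help. The redirect sysctls matter because `accept_redirects` lets the kernel change its routing on the strength of ICMP redirect messages, and `send_redirects` lets a host acting as a gateway emit them, which is why verify wants both off on every interface. The `udp 500` line is the one that decides whether IKE can happen at all: if nothing is bound there, no peer can negotiate an SA with this host. The functions below take a directory in the shape of `/proc/sys/net/ipv4/conf` and text in the shape of `ss -uln` output, so they run against constructed sample data here and against the live system with `--live`; the sample socket listings are constructed, not captured from the poster's Pi.

```shell
#!/bin/sh
# Added example: re-implement two of the `ipsec verify` checks so they can be
# run against either constructed data or the live system.

# redirects_disabled DIR
#   DIR has the layout of /proc/sys/net/ipv4/conf (one subdirectory per
#   interface plus "all" and "default"). Returns 0 when every interface has
#   send_redirects=0 and accept_redirects=0; otherwise prints each offender
#   and returns 1, mirroring verify's [NOT DISABLED] lines.
redirects_disabled() {
    dir=$1
    rc=0
    for iface in "$dir"/*; do
        [ -d "$iface" ] || continue
        for key in send_redirects accept_redirects; do
            f="$iface/$key"
            [ -r "$f" ] || continue
            if [ "$(cat "$f")" != "0" ]; then
                echo "NOT DISABLED: $f"
                rc=1
            fi
        done
    done
    return $rc
}

# ike_listening SS_OUTPUT
#   SS_OUTPUT is the text of `ss -uln` (UDP listeners, numeric). Field 4 is
#   "Local Address:Port"; returns 0 if any socket is bound to UDP 500 (IKE),
#   1 otherwise. A header line never matches because its field 4 is
#   "Address:Port".
ike_listening() {
    printf '%s\n' "$1" | awk '$4 ~ /:500$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# redirect_sysctl_conf FILE
#   Writes a sysctl.d fragment that turns both redirect knobs off for all and
#   default interfaces, which is the remediation verify asks for. Install it
#   under /etc/sysctl.d/ and apply with `sysctl --system` as root.
redirect_sysctl_conf() {
    cat > "$1" <<'EOF'
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF
}

# Constructed sample listings (same column layout as `ss -uln`).
SS_WITH_IKE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
UNCONN 0      0      0.0.0.0:500         0.0.0.0:*
UNCONN 0      0      0.0.0.0:4500        0.0.0.0:*
UNCONN 0      0      127.0.0.1:323       0.0.0.0:*'

SS_WITHOUT_IKE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
UNCONN 0      0      127.0.0.1:323       0.0.0.0:*
UNCONN 0      0      0.0.0.0:68          0.0.0.0:*'

# Live mode: run both checks against the running host.
if [ "${1:-}" = "--live" ]; then
    redirects_disabled /proc/sys/net/ipv4/conf && echo "ICMP redirects: disabled on all interfaces"
    if ike_listening "$(ss -uln 2>/dev/null)"; then
        echo "Pluto listening for IKE on udp 500: OK"
    else
        echo "Pluto listening for IKE on udp 500: FAILED (nothing bound)"
    fi
fi
```

Run with `sh check-ipsec.sh --live` on the Pi to get the same two verdicts verify gives; `ike_listening` is deliberately a pure text filter so the same logic can be pointed at a saved `ss -uln` capture from another host.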


