[Swan] Is libreswan lying to me?

Paul Wouters paul at nohats.ca
Mon Apr 8 21:07:20 UTC 2019


On Mon, 8 Apr 2019, jchludzinski wrote:

> I built libreswan 3.25 on Raspbian to be consistent with the "other" IPSec box I'm trying to establish a peer-to-peer connection with. This wasn't exactly painless. There appears to be a Red Hat bias to the
> build instructions.
> 
> Anyway, after I installed libreswan 3.25 and ran ipsec.service, I then ran:
> 
> # ipsec verify
> 
> and got: "Pluto listening for IKE on udp 500  [FAILED]".
> 
> BUT, if I run:
> 
> # lsof -i UDP:500
> pluto   6139 root   15u  IPv4  52975      0t0  UDP 192.168.254.3:isakmp
>  
> or:
> 
> # netstat -tunlp
> COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> pluto   6139 root   15u  IPv4  52975      0t0  UDP 192.168.254.3:isakmp
> 
> Both tell me that pluto is listening on port 500 using UDP.
> 
> Is "ipsec verify" lying to me?

ipsec verify is a pretty simplistic tool. It is likely lying to you
because it was expecting some kind of different output, or one of the
tools it uses wasn't installed.

It is using the "ss" tool for this specific task, which might not be
installed on your system?

Paul
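The reply above points out that "ipsec verify" decides whether pluto is listening by reading the output of the "ss" tool, so a missing "ss" (or an output format it does not recognise) yields a FAILED line even though lsof and netstat show the socket. The following script is an added example, not code from the thread or from libreswan: it separates the parsing of "ss -ulnp" output from its collection, so the check can be run against a captured sample as well as against the live host. The sample output, PID and file-descriptor numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or libreswan): check whether pluto owns
# the IKE ports UDP/500 (IKE) and UDP/4500 (NAT-T) by parsing "ss -ulnp"
# output, which is the check that "ipsec verify" performs via "ss".

# Constructed sample of "ss -ulnp" output as printed on a host running pluto.
# Addresses, PIDs and fd numbers are made up for this example.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      192.168.254.3:500    0.0.0.0:*   users:(("pluto",pid=6139,fd=15))
UNCONN 0      0      192.168.254.3:4500   0.0.0.0:*   users:(("pluto",pid=6139,fd=16))
UNCONN 0      0      0.0.0.0:68           0.0.0.0:*   users:(("dhclient",pid=400,fd=6))'

# ike_listeners PORT: read "ss -ulnp" text on stdin and print the name of
# every process bound to UDP/PORT, one per line (nothing when none is bound).
# The port is taken from the last ":"-separated field of the local address,
# so "[::]:500" and "*:500" are handled the same way as "192.168.254.3:500".
ike_listeners() {
    awk -v port="$1" '
        $1 == "UNCONN" {
            n = split($4, a, ":")
            if (a[n] != port) next
            if (match($0, /users:\(\("[^"]+"/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/.*\(\("/, "", s)
                sub(/"$/, "", s)
                print s
            }
        }'
}

# check_ike_port PORT: read "ss -ulnp" text on stdin; print a verify-style
# line and return 0 when pluto is bound to UDP/PORT, 1 otherwise.
check_ike_port() {
    if ike_listeners "$1" | grep -qx pluto; then
        echo "Pluto listening for IKE on udp $1  [OK]"
        return 0
    fi
    echo "Pluto listening for IKE on udp $1  [FAILED]"
    return 1
}

# Live check when "ss" is installed; if it is not, say so instead of
# reporting FAILED, which is the ambiguity the thread ran into.
if command -v ss >/dev/null 2>&1; then
    for p in 500 4500; do
        ss -ulnp 2>/dev/null | check_ike_port "$p" || true
    done
else
    echo 'The "ss" tool is not installed; cannot check IKE ports this way'
fi
```

Running the script on the box from the thread prints one line per port; when "ss" is absent it says so rather than printing FAILED, which removes the guesswork about whether the verify tool or the socket list is wrong. Feeding it a saved "ss -ulnp" capture (for example `check_ike_port 500 < capture.txt` after sourcing the script) lets you check what the parser makes of an unfamiliar output format.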

