[Swan] Libreswan 5.0rc2 cannot start on debian bullseye
antonio
asilva at wirelessmundi.com
Thu Mar 28 23:24:04 EET 2024
Hi,
I’m trying to install libreswan 5.0rc2 on a debian bullseye but I got the error when trying to start it:
systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
Active: failed (Result: signal) since Thu 2024-03-28 19:13:20 CET; 2s ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Process: 20341 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
Process: 20342 ExecStartPre=/usr/sbin/ipsec checknss (code=exited, status=0/SUCCESS)
Process: 20344 ExecStartPre=/usr/sbin/ipsec checknflog (code=exited, status=0/SUCCESS)
Process: 20360 ExecStart=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork (code=killed, signal=ABRT)
Process: 20365 ExecStopPost=/usr/sbin/ipsec stopnflog (code=exited, status=0/SUCCESS)
Main PID: 20360 (code=killed, signal=ABRT)
Status: "PLUTO_EXIT=9"
Mar 28 19:13:20 vps228428.ovh.net systemd[1]: ipsec.service: Failed with result 'signal'.
Mar 28 19:13:20 vps228428.ovh.net ipsec[20368]: [1711649600] libunbound[20368:0] error: nettle random(yarrow) cannot initialize, getentropy failed: Function not implemented
Mar 28 19:13:20 vps228428.ovh.net ipsec[20368]: FATAL: ASSERTION FAILED: dns_ctx != ((void *)0) (unbound_sync_init() +208 lib/libswan/unbound.c)
Mar 28 19:13:20 vps228428.ovh.net ipsec[20367]: Aborted
Mar 28 19:13:20 vps228428.ovh.net systemd[1]: ipsec.service: Scheduled restart job, restart counter is at 5.
Mar 28 19:13:20 vps228428.ovh.net systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Mar 28 19:13:20 vps228428.ovh.net systemd[1]: ipsec.service: Start request repeated too quickly.
Mar 28 19:13:20 vps228428.ovh.net systemd[1]: ipsec.service: Failed with result 'signal'.
Mar 28 19:13:20 vps228428.ovh.net systemd[1]: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Executing the command that fails: ipsec pluto --stderrlog --nofork
ipsec pluto --stderrlog --nofork
Pluto initialized
Mar 28 19:13:40.656745: Initializing NSS using read-write database "sql:/var/lib/ipsec/nss"
Mar 28 19:13:40.661725: FIPS Mode: OFF
Mar 28 19:13:40.661932: NSS crypto library initialized
Mar 28 19:13:40.662137: FIPS mode disabled for pluto daemon
Mar 28 19:13:40.662227: FIPS HMAC integrity support [not required]
Mar 28 19:13:40.662446: libcap-ng support [enabled]
Mar 28 19:13:40.662524: Linux audit support [enabled]
Mar 28 19:13:40.662604: Starting Pluto (Libreswan Version 5.0~rc2 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-KDF) DNSSEC SYSTEMD_WATCHDOG LABELED_IPSEC (SELINUX) LIBCAP_NG LINUX_AUDIT AUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS) NFTABLES CAT NFLOG) pid:20384
Mar 28 19:13:40.662744: core dump dir: /run/pluto
Mar 28 19:13:40.662798: secrets file: /etc/ipsec.secrets
Mar 28 19:13:40.662850: leak-detective disabled
Mar 28 19:13:40.662898: NSS crypto [enabled]
Mar 28 19:13:40.662967: XAUTH PAM support [enabled]
Mar 28 19:13:40.663032: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
Mar 28 19:13:40.663151: NAT-Traversal support [enabled]
Mar 28 19:13:40.663405: Encryption algorithms:
Mar 28 19:13:40.663487: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c
Mar 28 19:13:40.663566: AES_CCM_12 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b
Mar 28 19:13:40.663623: AES_CCM_8 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a
Mar 28 19:13:40.663677: 3DES_CBC [*192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des
Mar 28 19:13:40.663741: CAMELLIA_CTR {256,192,*128} IKEv1: ESP IKEv2: ESP
Mar 28 19:13:40.663799: CAMELLIA_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia
Mar 28 19:13:40.663861: AES_GCM_16 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, aes_gcm_c
Mar 28 19:13:40.663917: AES_GCM_12 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b
Mar 28 19:13:40.663969: AES_GCM_8 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a
Mar 28 19:13:40.664020: AES_CTR {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr
Mar 28 19:13:40.664076: AES_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes
Mar 28 19:13:40.664130: NULL_AUTH_AES_GMAC {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac
Mar 28 19:13:40.664184: NULL [] IKEv1: ESP IKEv2: ESP NULL
Mar 28 19:13:40.664240: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305
Mar 28 19:13:40.664308: Hash algorithms:
Mar 28 19:13:40.664358: MD5 IKEv1: IKE IKEv2: NSS
Mar 28 19:13:40.664416: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha
Mar 28 19:13:40.664472: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256
Mar 28 19:13:40.664526: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384
Mar 28 19:13:40.664584: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512
Mar 28 19:13:40.664635: IDENTITY IKEv1: IKEv2: FIPS
Mar 28 19:13:40.664688: PRF algorithms:
Mar 28 19:13:40.664738: HMAC_MD5 IKEv1: IKE IKEv2: IKE NSS md5
Mar 28 19:13:40.664791: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1
Mar 28 19:13:40.664844: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256
Mar 28 19:13:40.664897: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384
Mar 28 19:13:40.664949: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512
Mar 28 19:13:40.665001: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc
Mar 28 19:13:40.665059: Integrity algorithms:
Mar 28 19:13:40.665110: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS md5, hmac_md5
Mar 28 19:13:40.665171: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1
Mar 28 19:13:40.665227: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Mar 28 19:13:40.665283: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Mar 28 19:13:40.665339: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Mar 28 19:13:40.665394: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Mar 28 19:13:40.665452: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
Mar 28 19:13:40.665507: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Mar 28 19:13:40.665558: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Mar 28 19:13:40.665611: DH algorithms:
Mar 28 19:13:40.665660: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0
Mar 28 19:13:40.665716: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh2
Mar 28 19:13:40.665769: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5
Mar 28 19:13:40.665823: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14
Mar 28 19:13:40.665876: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15
Mar 28 19:13:40.665925: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16
Mar 28 19:13:40.665974: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17
Mar 28 19:13:40.666023: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18
Mar 28 19:13:40.666073: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256
Mar 28 19:13:40.666132: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384
Mar 28 19:13:40.666186: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521
Mar 28 19:13:40.666237: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519
Mar 28 19:13:40.666291: IPCOMP algorithms:
Mar 28 19:13:40.666340: DEFLATE IKEv1: ESP AH IKEv2: ESP AH FIPS
Mar 28 19:13:40.666391: LZS IKEv1: IKEv2: ESP AH FIPS
Mar 28 19:13:40.666443: LZJH IKEv1: IKEv2: ESP AH FIPS
Mar 28 19:13:40.666493: testing CAMELLIA_CBC:
Mar 28 19:13:40.666548: Camellia: 16 bytes with 128-bit key
Mar 28 19:13:40.666728: Camellia: 16 bytes with 128-bit key
Mar 28 19:13:40.666837: Camellia: 16 bytes with 256-bit key
Mar 28 19:13:40.666971: Camellia: 16 bytes with 256-bit key
Mar 28 19:13:40.667083: testing AES_GCM_16:
Mar 28 19:13:40.667139: empty string
Mar 28 19:13:40.667239: one block
Mar 28 19:13:40.667396: two blocks
Mar 28 19:13:40.667502: two blocks with associated data
Mar 28 19:13:40.667613: testing AES_CTR:
Mar 28 19:13:40.667667: Encrypting 16 octets using AES-CTR with 128-bit key
Mar 28 19:13:40.667772: Encrypting 32 octets using AES-CTR with 128-bit key
Mar 28 19:13:40.667898: Encrypting 36 octets using AES-CTR with 128-bit key
Mar 28 19:13:40.668003: Encrypting 16 octets using AES-CTR with 192-bit key
Mar 28 19:13:40.668103: Encrypting 32 octets using AES-CTR with 192-bit key
Mar 28 19:13:40.668201: Encrypting 36 octets using AES-CTR with 192-bit key
Mar 28 19:13:40.668302: Encrypting 16 octets using AES-CTR with 256-bit key
Mar 28 19:13:40.668400: Encrypting 32 octets using AES-CTR with 256-bit key
Mar 28 19:13:40.668507: Encrypting 36 octets using AES-CTR with 256-bit key
Mar 28 19:13:40.668608: testing AES_CBC:
Mar 28 19:13:40.668661: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Mar 28 19:13:40.668768: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Mar 28 19:13:40.668878: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Mar 28 19:13:40.669008: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Mar 28 19:13:40.669128: testing AES_XCBC:
Mar 28 19:13:40.669185: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
Mar 28 19:13:40.669467: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
Mar 28 19:13:40.669751: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
Mar 28 19:13:40.670026: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
Mar 28 19:13:40.670304: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
Mar 28 19:13:40.670601: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
Mar 28 19:13:40.670883: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
Mar 28 19:13:40.671467: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Mar 28 19:13:40.671767: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Mar 28 19:13:40.672118: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Mar 28 19:13:40.672572: testing HMAC_MD5:
Mar 28 19:13:40.672631: RFC 2104: MD5_HMAC test 1
Mar 28 19:13:40.672852: RFC 2104: MD5_HMAC test 2
Mar 28 19:13:40.673065: RFC 2104: MD5_HMAC test 3
Mar 28 19:13:40.673277: testing HMAC_SHA1:
Mar 28 19:13:40.673334: CAVP: IKEv2 key derivation with HMAC-SHA1
Mar 28 19:13:40.673978: 1 CPU cores online
Mar 28 19:13:40.674051: starting up 1 helper threads
Mar 28 19:13:40.674178: started thread for helper 0
Mar 28 19:13:40.674249: using Linux xfrm kernel support code on #1 SMP Debian 3.16.51-3 (2017-12-13)
Mar 28 19:13:40.674457: selinux support is NOT enabled.
Mar 28 19:13:40.674541: systemd watchdog not enabled - not sending watchdog keepalives
[1711649620] libunbound[20384:0] error: nettle random(yarrow) cannot initialize, getentropy failed: Function not implemented
Mar 28 19:13:40.674728: FATAL ERROR: failed to initialize unbound libevent ABI, please recompile libunbound with libevent support or recompile libreswan without USE_DNSSEC
Mar 28 19:13:40.674846: WARNING: helper threads still running
Mar 28 19:13:40.675075: helper(1): seccomp security for helper not supported
Mar 28 19:13:40.677629: FATAL: ASSERTION FAILED: event_initialized(ev) (free_signal_handlers() +448 programs/pluto/server.c)
Aborted
I’ve tried to set “USE_DNSSEC=no” in ipsec.conf but same error. I guess I could compile without DNSSEC.
The version installed:
ii libunbound8:amd64 1.13.1-1+deb11u1 amd64 library implementing DNS resolution and validation
Tried to install the bpo version: libunbound8 (1.17.1-2~bpo11+1), same result.
NOTE:
I’ve tried to install the .deb on debian bookworm, but there is a missing dependency: libldap-2.4-2, and it is not available on debian.
Should I create a new issue on git?
—
Saludos / Regards / Cumprimentos
António Silva
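Added diagnostic, not part of the post or of libreswan: the log above shows libunbound's nettle RNG failing on getentropy() with "Function not implemented" (ENOSYS) on a host whose kernel is reported as "3.16.51-3". glibc's getentropy() is backed by the getrandom(2) syscall, which first appeared in Linux 3.17, so on an older kernel the call returns ENOSYS and any library that insists on kernel entropy refuses to start, regardless of which libunbound package is installed. The probe below makes the same call and classifies the outcome, so an operator can check a host before deploying an IKE daemon there; the enum, function names and message texts are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>   /* getentropy(3), declared by glibc >= 2.25 */

/* Outcome categories for the entropy probe (names are this example's own). */
enum entropy_status {
    ENTROPY_OK = 0,       /* getentropy() succeeded */
    ENTROPY_NO_SYSCALL,   /* ENOSYS: kernel predates getrandom(2), i.e. Linux < 3.17 */
    ENTROPY_OTHER_ERROR   /* any other errno (EFAULT, EIO, ...) */
};

/* Map the (return value, errno) pair of a getentropy() call to a category. */
enum entropy_status classify_entropy_result(int rc, int err)
{
    if (rc == 0)
        return ENTROPY_OK;
    if (err == ENOSYS)
        return ENTROPY_NO_SYSCALL;
    return ENTROPY_OTHER_ERROR;
}

/* Operator-facing explanation of each category. */
const char *entropy_status_text(enum entropy_status st)
{
    switch (st) {
    case ENTROPY_OK:
        return "getentropy() works: kernel provides getrandom(2)";
    case ENTROPY_NO_SYSCALL:
        return "getentropy() -> ENOSYS: kernel lacks getrandom(2) (added in Linux 3.17); "
               "libraries that require kernel entropy, such as nettle's yarrow RNG, will abort";
    default:
        return "getentropy() failed for a reason other than a missing syscall";
    }
}

/*
 * Make the same call nettle's RNG makes at start-up: request 32 bytes of
 * kernel entropy. Returns the category; the raw errno (0 on success) is
 * stored in *err_out when err_out is non-NULL.
 */
enum entropy_status probe_getentropy(int *err_out)
{
    unsigned char buf[32];
    errno = 0;
    int rc = getentropy(buf, sizeof buf);
    int err = (rc == 0) ? 0 : errno;
    if (err_out)
        *err_out = err;
    return classify_entropy_result(rc, err);
}

int main(void)
{
    int err = 0;
    enum entropy_status st = probe_getentropy(&err);
    printf("%s", entropy_status_text(st));
    if (st != ENTROPY_OK)
        printf(" (errno %d: %s)", err, strerror(err));
    printf("\n");
    return st == ENTROPY_OK ? 0 : 1;
}
```

Run it on the VPS as any user; a non-zero exit with the ENOSYS text means the fix is a newer kernel (or a build of libreswan/libunbound that does not depend on getentropy), not a different libunbound package. Note that `uname -r` reporting a 3.16 kernel, as in the log above, is already sufficient evidence on its own.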