[Swan] Libreswan 5.0rc2 cannot start on debian bullseye
Paul Wouters
paul at nohats.ca
Thu Mar 28 23:32:03 EET 2024
Sent using a virtual keyboard on a phone
> On Mar 28, 2024, at 17:24, antonio via Swan <swan at lists.libreswan.org> wrote:
>
> Hi,
>
> I’m trying to install libreswan 5.0rc2 on Debian bullseye, but I get this error when trying to start it:
That seems to be a bug in unbound when compiled with nettle on Debian? Maybe dkg can get this fixed?
Paul
>
> systemctl status ipsec
> ● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
> Loaded: loaded (/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
> Active: failed (Result: signal) since Thu 2024-03-28 19:13:20 CET; 2s ago
> Docs: man:ipsec(8)
> man:pluto(8)
> man:ipsec.conf(5)
> Process: 20341 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
> Process: 20342 ExecStartPre=/usr/sbin/ipsec checknss (code=exited, status=0/SUCCESS)
> Process: 20344 ExecStartPre=/usr/sbin/ipsec checknflog (code=exited, status=0/SUCCESS)
> Process: 20360 ExecStart=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork (code=killed, signal=ABRT)
> Process: 20365 ExecStopPost=/usr/sbin/ipsec stopnflog (code=exited, status=0/SUCCESS)
> Main PID: 20360 (code=killed, signal=ABRT)
> Status: "PLUTO_EXIT=9"
>
> Mar 28 19:13:20 vps228428.ovh.net systemd[1]: ipsec.service: Failed with result 'signal'.
> Mar 28 19:13:20 vps228428.ovh.net ipsec[20368]: [1711649600] libunbound[20368:0] error: nettle random(yarrow) cannot initialize, getentropy failed: Function not implemented
> Mar 28 19:13:20 vps228428.ovh.net ipsec[20368]: FATAL: ASSERTION FAILED: dns_ctx != ((void *)0) (unbound_sync_init() +208 lib/libswan/unbound.c)
> Mar 28 19:13:20 vps228428.ovh.net ipsec[20367]: Aborted
> Mar 28 19:13:20 vps228428.ovh.net systemd[1]: ipsec.service: Scheduled restart job, restart counter is at 5.
> Mar 28 19:13:20 vps228428.ovh.net systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
> Mar 28 19:13:20 vps228428.ovh.net systemd[1]: ipsec.service: Start request repeated too quickly.
> Mar 28 19:13:20 vps228428.ovh.net systemd[1]: ipsec.service: Failed with result 'signal'.
> Mar 28 19:13:20 vps228428.ovh.net systemd[1]: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
>
>
> Executing the command that fails: ipsec pluto --stderrlog --nofork
>
> ipsec pluto --stderrlog --nofork
> Pluto initialized
> Mar 28 19:13:40.656745: Initializing NSS using read-write database "sql:/var/lib/ipsec/nss"
> Mar 28 19:13:40.661725: FIPS Mode: OFF
> Mar 28 19:13:40.661932: NSS crypto library initialized
> Mar 28 19:13:40.662137: FIPS mode disabled for pluto daemon
> Mar 28 19:13:40.662227: FIPS HMAC integrity support [not required]
> Mar 28 19:13:40.662446: libcap-ng support [enabled]
> Mar 28 19:13:40.662524: Linux audit support [enabled]
> Mar 28 19:13:40.662604: Starting Pluto (Libreswan Version 5.0~rc2 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-KDF) DNSSEC SYSTEMD_WATCHDOG LABELED_IPSEC (SELINUX) LIBCAP_NG LINUX_AUDIT AUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS) NFTABLES CAT NFLOG) pid:20384
> Mar 28 19:13:40.662744: core dump dir: /run/pluto
> Mar 28 19:13:40.662798: secrets file: /etc/ipsec.secrets
> Mar 28 19:13:40.662850: leak-detective disabled
> Mar 28 19:13:40.662898: NSS crypto [enabled]
> Mar 28 19:13:40.662967: XAUTH PAM support [enabled]
> Mar 28 19:13:40.663032: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
> Mar 28 19:13:40.663151: NAT-Traversal support [enabled]
> Mar 28 19:13:40.663405: Encryption algorithms:
> Mar 28 19:13:40.663487: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c
> Mar 28 19:13:40.663566: AES_CCM_12 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b
> Mar 28 19:13:40.663623: AES_CCM_8 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a
> Mar 28 19:13:40.663677: 3DES_CBC [*192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des
> Mar 28 19:13:40.663741: CAMELLIA_CTR {256,192,*128} IKEv1: ESP IKEv2: ESP
> Mar 28 19:13:40.663799: CAMELLIA_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia
> Mar 28 19:13:40.663861: AES_GCM_16 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, aes_gcm_c
> Mar 28 19:13:40.663917: AES_GCM_12 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b
> Mar 28 19:13:40.663969: AES_GCM_8 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a
> Mar 28 19:13:40.664020: AES_CTR {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr
> Mar 28 19:13:40.664076: AES_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes
> Mar 28 19:13:40.664130: NULL_AUTH_AES_GMAC {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac
> Mar 28 19:13:40.664184: NULL [] IKEv1: ESP IKEv2: ESP NULL
> Mar 28 19:13:40.664240: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305
> Mar 28 19:13:40.664308: Hash algorithms:
> Mar 28 19:13:40.664358: MD5 IKEv1: IKE IKEv2: NSS
> Mar 28 19:13:40.664416: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha
> Mar 28 19:13:40.664472: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256
> Mar 28 19:13:40.664526: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384
> Mar 28 19:13:40.664584: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512
> Mar 28 19:13:40.664635: IDENTITY IKEv1: IKEv2: FIPS
> Mar 28 19:13:40.664688: PRF algorithms:
> Mar 28 19:13:40.664738: HMAC_MD5 IKEv1: IKE IKEv2: IKE NSS md5
> Mar 28 19:13:40.664791: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1
> Mar 28 19:13:40.664844: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256
> Mar 28 19:13:40.664897: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384
> Mar 28 19:13:40.664949: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512
> Mar 28 19:13:40.665001: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc
> Mar 28 19:13:40.665059: Integrity algorithms:
> Mar 28 19:13:40.665110: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS md5, hmac_md5
> Mar 28 19:13:40.665171: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1
> Mar 28 19:13:40.665227: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512
> Mar 28 19:13:40.665283: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384
> Mar 28 19:13:40.665339: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
> Mar 28 19:13:40.665394: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
> Mar 28 19:13:40.665452: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
> Mar 28 19:13:40.665507: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
> Mar 28 19:13:40.665558: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
> Mar 28 19:13:40.665611: DH algorithms:
> Mar 28 19:13:40.665660: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0
> Mar 28 19:13:40.665716: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh2
> Mar 28 19:13:40.665769: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5
> Mar 28 19:13:40.665823: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14
> Mar 28 19:13:40.665876: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15
> Mar 28 19:13:40.665925: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16
> Mar 28 19:13:40.665974: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17
> Mar 28 19:13:40.666023: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18
> Mar 28 19:13:40.666073: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256
> Mar 28 19:13:40.666132: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384
> Mar 28 19:13:40.666186: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521
> Mar 28 19:13:40.666237: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519
> Mar 28 19:13:40.666291: IPCOMP algorithms:
> Mar 28 19:13:40.666340: DEFLATE IKEv1: ESP AH IKEv2: ESP AH FIPS
> Mar 28 19:13:40.666391: LZS IKEv1: IKEv2: ESP AH FIPS
> Mar 28 19:13:40.666443: LZJH IKEv1: IKEv2: ESP AH FIPS
> Mar 28 19:13:40.666493: testing CAMELLIA_CBC:
> Mar 28 19:13:40.666548: Camellia: 16 bytes with 128-bit key
> Mar 28 19:13:40.666728: Camellia: 16 bytes with 128-bit key
> Mar 28 19:13:40.666837: Camellia: 16 bytes with 256-bit key
> Mar 28 19:13:40.666971: Camellia: 16 bytes with 256-bit key
> Mar 28 19:13:40.667083: testing AES_GCM_16:
> Mar 28 19:13:40.667139: empty string
> Mar 28 19:13:40.667239: one block
> Mar 28 19:13:40.667396: two blocks
> Mar 28 19:13:40.667502: two blocks with associated data
> Mar 28 19:13:40.667613: testing AES_CTR:
> Mar 28 19:13:40.667667: Encrypting 16 octets using AES-CTR with 128-bit key
> Mar 28 19:13:40.667772: Encrypting 32 octets using AES-CTR with 128-bit key
> Mar 28 19:13:40.667898: Encrypting 36 octets using AES-CTR with 128-bit key
> Mar 28 19:13:40.668003: Encrypting 16 octets using AES-CTR with 192-bit key
> Mar 28 19:13:40.668103: Encrypting 32 octets using AES-CTR with 192-bit key
> Mar 28 19:13:40.668201: Encrypting 36 octets using AES-CTR with 192-bit key
> Mar 28 19:13:40.668302: Encrypting 16 octets using AES-CTR with 256-bit key
> Mar 28 19:13:40.668400: Encrypting 32 octets using AES-CTR with 256-bit key
> Mar 28 19:13:40.668507: Encrypting 36 octets using AES-CTR with 256-bit key
> Mar 28 19:13:40.668608: testing AES_CBC:
> Mar 28 19:13:40.668661: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
> Mar 28 19:13:40.668768: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
> Mar 28 19:13:40.668878: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
> Mar 28 19:13:40.669008: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
> Mar 28 19:13:40.669128: testing AES_XCBC:
> Mar 28 19:13:40.669185: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
> Mar 28 19:13:40.669467: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
> Mar 28 19:13:40.669751: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
> Mar 28 19:13:40.670026: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
> Mar 28 19:13:40.670304: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
> Mar 28 19:13:40.670601: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
> Mar 28 19:13:40.670883: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
> Mar 28 19:13:40.671467: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
> Mar 28 19:13:40.671767: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
> Mar 28 19:13:40.672118: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
> Mar 28 19:13:40.672572: testing HMAC_MD5:
> Mar 28 19:13:40.672631: RFC 2104: MD5_HMAC test 1
> Mar 28 19:13:40.672852: RFC 2104: MD5_HMAC test 2
> Mar 28 19:13:40.673065: RFC 2104: MD5_HMAC test 3
> Mar 28 19:13:40.673277: testing HMAC_SHA1:
> Mar 28 19:13:40.673334: CAVP: IKEv2 key derivation with HMAC-SHA1
> Mar 28 19:13:40.673978: 1 CPU cores online
> Mar 28 19:13:40.674051: starting up 1 helper threads
> Mar 28 19:13:40.674178: started thread for helper 0
> Mar 28 19:13:40.674249: using Linux xfrm kernel support code on #1 SMP Debian 3.16.51-3 (2017-12-13)
> Mar 28 19:13:40.674457: selinux support is NOT enabled.
> Mar 28 19:13:40.674541: systemd watchdog not enabled - not sending watchdog keepalives
> [1711649620] libunbound[20384:0] error: nettle random(yarrow) cannot initialize, getentropy failed: Function not implemented
> Mar 28 19:13:40.674728: FATAL ERROR: failed to initialize unbound libevent ABI, please recompile libunbound with libevent support or recompile libreswan without USE_DNSSEC
> Mar 28 19:13:40.674846: WARNING: helper threads still running
> Mar 28 19:13:40.675075: helper(1): seccomp security for helper not supported
> Mar 28 19:13:40.677629: FATAL: ASSERTION FAILED: event_initialized(ev) (free_signal_handlers() +448 programs/pluto/server.c)
> Aborted
>
>
> I’ve tried to set “USE_DNSSEC=no” in ipsec.conf, but I get the same error. I guess I could compile without DNSSEC.
> The version installed:
> ii libunbound8:amd64 1.13.1-1+deb11u1 amd64 library implementing DNS resolution and validation
>
> I tried to install the bpo version, libunbound8 (1.17.1-2~bpo11+1), with the same result.
>
>
> NOTE:
> I’ve tried to install the .deb on Debian bookworm, but there is a missing dependency, libldap-2.4-2, which is not available on Debian.
> Should I create a new issue on git?
>
>
>
> --
> Saludos / Regards / Cumprimentos
> António Silva
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
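As an added example (not code from this thread, libreswan or unbound), a small C probe that repeats the getentropy() call the libunbound/nettle log line reports as failing and classifies the errno: ENOSYS means the running kernel has no getrandom(2) syscall, which Linux gained in 3.17, consistent with the Debian 3.16 kernel shown in the pluto startup log above. All function and enum names are the example's own.

```c
/* Added diagnostic (not from the thread, libreswan or unbound): repeat the
 * getentropy() call the libunbound/nettle log line reports failing. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
int getentropy(void *buf, size_t len); /* explicit prototype in case feature macros hid it */

enum entropy_status {
    ENTROPY_OK = 0,         /* kernel returned the requested seed bytes */
    ENTROPY_NO_SYSCALL = 1, /* ENOSYS: no getrandom(2), i.e. Linux older than 3.17 */
    ENTROPY_OTHER_ERROR = 2 /* anything else (EFAULT, EIO, ...) */
};

/* Request 32 bytes of kernel entropy, as a yarrow-style RNG does at seeding
 * time, and classify the result; errno is copied to *saved_errno on failure. */
enum entropy_status probe_getentropy(int *saved_errno)
{
    unsigned char seed[32];
    *saved_errno = 0;
    if (getentropy(seed, sizeof seed) == 0)
        return ENTROPY_OK;
    *saved_errno = errno;
    return errno == ENOSYS ? ENTROPY_NO_SYSCALL : ENTROPY_OTHER_ERROR;
}

/* 1 if this host can seed an RNG through getentropy(), 0 otherwise. */
int getentropy_available(void)
{
    int err;
    return probe_getentropy(&err) == ENTROPY_OK;
}

const char *explain_entropy_status(enum entropy_status st)
{
    switch (st) {
    case ENTROPY_OK:         return "getentropy() works; look elsewhere for the unbound failure";
    case ENTROPY_NO_SYSCALL: return "ENOSYS: kernel lacks getrandom(2) (Linux 3.17+); nettle-built libunbound cannot seed";
    default:                 return "getentropy() failed for another reason; inspect errno";
    }
}

int main(void)
{
    int err;
    enum entropy_status st = probe_getentropy(&err);
    printf("%s\n", explain_entropy_status(st));
    if (st != ENTROPY_OK)
        printf("errno %d: %s\n", err, strerror(err));
    return st == ENTROPY_OK ? 0 : 1;
}
```

Run it on the affected host: an ENOSYS result confirms the kernel, not the libreswan build, is what stops libunbound from seeding its RNG.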