<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Dear Elison,<br>
<br>
If # ipsec addconn --autoall fails, my guess is that you ought to
also get the root cause of your problem with this line in bold:<br>
[philippe@victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec verify<br>
Verifying installed system and configuration files<br>
<br>
Version check and ipsec on-path [OK]<br>
Libreswan 3.0 (netkey) on 3.6.10-2.fc17.i686<br>
Checking for IPsec support in kernel [OK]<br>
NETKEY: Testing XFRM related proc values<br>
ICMP default/send_redirects [OK]<br>
ICMP default/accept_redirects [OK]<br>
XFRM larval drop [OK]<br>
<b>Pluto ipsec.conf syntax [OK]</b><br>
Hardware random device [N/A]<br>
Checking rp_filter [OK]<br>
Checking that pluto is running [OK]<br>
Pluto listening for IKE on udp 500 [OK]<br>
Pluto listening for IKE on tcp 500 [NOT
IMPLEMENTED]<br>
Pluto listening for IKE/NAT-T on udp 4500 [OK]<br>
Pluto listening for IKE/NAT-T on tcp 4500 [NOT
IMPLEMENTED]<br>
Pluto listening for IKE on tcp 10000 (cisco) [NOT
IMPLEMENTED]<br>
Pluto ipsec.secret syntax [OK]<br>
Checking NAT and MASQUERADEing [TEST
INCOMPLETE]<br>
Checking 'ip' command [OK]<br>
Checking 'iptables' command [OK]<br>
Checking for obsolete ipsec.conf options [OK]<br>
Opportunistic Encryption [DISABLED]<br>
<br>
<pre class="moz-signature" cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
SIP: <a class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a></pre>
On 04/01/2013 14:31, Philippe Vouters wrote:<br>
</div>
<blockquote cite="mid:50E6D9CD.1050705@laposte.net" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Dear Elison,<br>
<br>
I queried Google with "systemctl status=203/EXEC" which is the
pluto exit code you report us and found this discussion at <a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://forums.fedoraforum.org/showthread.php?t=272075">http://forums.fedoraforum.org/showthread.php?t=272075</a>
This is specific to Fedora 16 but my guess is that it can also
apply to Fedora 17.<br>
<br>
It happens that the pluto code forks and exec's "addconn
--autoall".<br>
From a root account or sudo'ing, can you also perform:<br>
# ipsec addconn --autoall<br>
# echo $?<br>
On my side:<br>
[philippe@victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec
addconn --autoall<br>
002 "roadwarrior-l2tp-updatedwin": deleting connection<br>
002 added connection description "roadwarrior-l2tp-updatedwin"<br>
002 "roadwarrior-l2tp": deleting connection<br>
002 added connection description "roadwarrior-l2tp"<br>
002 "macintosh-l2tp": deleting connection<br>
002 added connection description "macintosh-l2tp"<br>
002 "roadwarrior": deleting connection<br>
002 added connection description "roadwarrior"<br>
[philippe@victor libreswan-3.0]$ echo $?<br>
0<br>
<br>
You may as well check your /var/log/secure so that we can get
more information on the pluto failure.<br>
<br>
Yours truly,<br>
<pre class="moz-signature" cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
SIP: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a></pre>
On 04/01/2013 14:07, Philippe Vouters wrote:<br>
</div>
<blockquote cite="mid:50E6D3F4.90805@laposte.net" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Dear Elison,<br>
<br>
pluto fails to correctly start on your side on:<br>
/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto <br>
--config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'<br>
whack failing on stop is just a consequence.<br>
<br>
Because $PLUTO_OPTIONS comes from:<br>
EnvironmentFile=-/etc/sysconfig/pluto <br>
<br>
can you <b>$ cat /etc/sysconfig/pluto</b><br>
<br>
$ <b>export PLUTO_OPTIONS=</b>&lt;the right side of the
assignment in your PLUTO_OPTIONS in your /etc/sysconfig/pluto
file&gt;<br>
<br>
and manually perform:<br>
<br>
<b>/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto </b><b><br>
</b><b> --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'</b><b><br>
</b><br>
from a root account?<br>
<br>
Please provide us with the output of what you did and read.<br>
Thank you so much in advance.<br>
<pre class="moz-signature" cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
SIP: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a></pre>
On 04/01/2013 13:22, Elison Niven wrote:<br>
</div>
<blockquote cite="mid:50E6C97E.8070504@cyberoam.com" type="cite">SELinux
is disabled. <br>
$ getenforce <br>
Disabled <br>
$ ls /etc/rc.d/init.d/ipsec* <br>
ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or
directory <br>
<br>
Thanks. <br>
<br>
On Friday 04 January 2013 05:35 PM, Philippe Vouters wrote: <br>
<blockquote type="cite">Dear Elison, <br>
<br>
I am running Fedora 17 i686 with SELinux policy set to
permissive. I <br>
just downloaded <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://download.libreswan.org/libreswan-3.0.tar.gz">https://download.libreswan.org/libreswan-3.0.tar.gz</a>
<br>
and performed the following commands from my user account: <br>
<br>
$ sudo yum remove libreswan <br>
$ sudo mv /etc/ipsec.conf.rpmsave /etc/ipsec.conf <br>
$ tar -zxvf download/libreswan-3.0.tar.gz <br>
$ cd libreswan-3.0/ <br>
$ make programs <br>
$ sudo make install <br>
$ sudo systemctl start ipsec.service <br>
[philippe@victor libreswan-3.0]$ sudo systemctl status
ipsec.service <br>
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon
for IPsec <br>
Loaded: loaded
(/usr/lib/systemd/system/ipsec.service; disabled) <br>
Active: active (running) since Fri, 04 Jan 2013
12:42:54 <br>
+0100; 14s ago <br>
Process: 2154 <br>
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
(code=exited, <br>
status=0/SUCCESS) <br>
Process: 2150 ExecStartPre=/usr/local/sbin/ipsec
addconn <br>
--config /etc/ipsec.conf --checkconfig (code=exited,
status=0/SUCCESS) <br>
Main PID: 2215 (sh) <br>
CGroup: name=systemd:/system/ipsec.service <br>
2215 /usr/bin/sh -c eval <br>
`/usr/local/libexec/ipsec/plut... <br>
2216 /usr/bin/sh -c eval <br>
`/usr/local/libexec/ipsec/plut... <br>
2217 /usr/local/libexec/ipsec/pluto
--config <br>
/etc/ipsec... <br>
2242 _pluto_adns <br>
<br>
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | <br>
find_host_pair_conn ... <br>
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: added
connection <br>
descr... <br>
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
reaped addconn <br>
helpe... <br>
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | <br>
connect_to_host_pair... <br>
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
find_host_pair: <br>
comp... <br>
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | <br>
connect_to_host_pair... <br>
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
find_host_pair: <br>
comp... <br>
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | <br>
connect_to_host_pair... <br>
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
find_host_pair: <br>
comp... <br>
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | <br>
connect_to_host_pair... <br>
[philippe@victor libreswan-3.0]$ sudo systemctl stop
ipsec.service <br>
[philippe@victor libreswan-3.0]$ sudo systemctl status
ipsec.service <br>
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon
for IPsec <br>
Loaded: loaded
(/usr/lib/systemd/system/ipsec.service; disabled) <br>
Active: inactive (dead) since Fri, 04 Jan 2013
12:50:26 <br>
+0100; 2s ago <br>
Process: 2580 ExecStopPost=/sbin/ip xfrm state
flush <br>
(code=exited, status=0/SUCCESS) <br>
Process: 2576 ExecStopPost=/sbin/ip xfrm policy
flush <br>
(code=exited, status=0/SUCCESS) <br>
Process: 2572 ExecStop=/usr/local/sbin/ipsec whack
--shutdown <br>
(code=exited, status=0/SUCCESS) <br>
Process: 2215 ExecStart=/usr/bin/sh -c eval <br>
`/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf
--nofork <br>
$PLUTO_OPTIONS` (code=exited, status=0/SUCCESS) <br>
Process: 2154 <br>
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
(code=exited, <br>
status=0/SUCCESS) <br>
Process: 2150 ExecStartPre=/usr/local/sbin/ipsec
addconn <br>
--config /etc/ipsec.conf --checkconfig (code=exited,
status=0/SUCCESS) <br>
CGroup: name=systemd:/system/ipsec.service <br>
<br>
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
shutting down <br>
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: |
processing <br>
connectio... <br>
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
"roadwarrior": <br>
deletin... <br>
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: |
processing <br>
connectio... <br>
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
"macintosh-l2tp": <br>
dele... <br>
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: |
processing <br>
connectio... <br>
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: <br>
"roadwarrior-l2tp": de... <br>
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: |
processing <br>
connectio... <br>
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: <br>
"roadwarrior-l2tp-upda... <br>
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | crl
fetch <br>
request li... <br>
<br>
So would it happen you still have /etc/rc.d/init.d/ipsec* ?
<br>
On my side: <br>
[philippe@victor libreswan-3.0]$ ls /etc/rc.d/init.d/ipsec*
<br>
ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or
directory <br>
Could it also be, though at first glance it looks unlikely,
that you are <br>
facing some SELinux issue? <br>
Can you give us the output of the following: <br>
[philippe@victor libreswan-3.0]$ sudo getenforce <br>
Permissive <br>
If getenforce returns Enforcing, can you perform the
following commands: <br>
[philippe@victor libreswan-3.0]$ sudo restorecon
/usr/local/sbin -Rv <br>
[philippe@victor libreswan-3.0]$ sudo restorecon <br>
/usr/local/libexec/ipsec -Rv <br>
[philippe@victor libreswan-3.0]$ <br>
<br>
Once the above points are clean, <br>
<br>
[philippe@victor libreswan-3.0]$ sudo systemctl --system
daemon-reload <br>
[philippe@victor libreswan-3.0]$ sudo systemctl restart
ipsec.service <br>
[philippe@victor libreswan-3.0]$ sudo systemctl status
ipsec.service <br>
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon
for IPsec <br>
Loaded: loaded
(/usr/lib/systemd/system/ipsec.service; disabled) <br>
Active: active (running) since Fri, 04 Jan 2013
12:58:55 <br>
+0100; 6s ago <br>
Process: 2580 ExecStopPost=/sbin/ip xfrm state
flush <br>
(code=exited, status=0/SUCCESS) <br>
Process: 2576 ExecStopPost=/sbin/ip xfrm policy
flush <br>
(code=exited, status=0/SUCCESS) <br>
Process: 2572 ExecStop=/usr/local/sbin/ipsec whack
--shutdown <br>
(code=exited, status=0/SUCCESS) <br>
Process: 2947 <br>
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
(code=exited, <br>
status=0/SUCCESS) <br>
Process: 2942 ExecStartPre=/usr/local/sbin/ipsec
addconn <br>
--config /etc/ipsec.conf --checkconfig (code=exited,
status=0/SUCCESS) <br>
Main PID: 3011 (sh) <br>
CGroup: name=systemd:/system/ipsec.service <br>
3011 /usr/bin/sh -c eval <br>
`/usr/local/libexec/ipsec/plut... <br>
3012 /usr/bin/sh -c eval <br>
`/usr/local/libexec/ipsec/plut... <br>
3013 /usr/local/libexec/ipsec/pluto
--config <br>
/etc/ipsec... <br>
3038 _pluto_adns <br>
<br>
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | <br>
find_host_pair_conn ... <br>
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: added
connection <br>
descr... <br>
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
reaped addconn <br>
helpe... <br>
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | <br>
connect_to_host_pair... <br>
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
find_host_pair: <br>
comp... <br>
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | <br>
connect_to_host_pair... <br>
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
find_host_pair: <br>
comp... <br>
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | <br>
connect_to_host_pair... <br>
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
find_host_pair: <br>
comp... <br>
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | <br>
connect_to_host_pair... <br>
<br>
Thank you so much in advance for keeping us informed. <br>
Best regards, <br>
<br>
Philippe Vouters (Fontainebleau/France) <br>
URL: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
<br>
SIP: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a>
<br>
<br>
On 04/01/2013 10:51, Elison Niven wrote: <br>
<blockquote type="cite">Hi, <br>
<br>
I downloaded libreswan and installed from source on Fedora
16. <br>
# Install dependencies <br>
$ yum install unbound-devel libcap-ng-devel xmlto <br>
<br>
# Remove openswan, racoon <br>
$ yum remove openswan ipsec-tools <br>
<br>
# Make and install libreswan <br>
# make programs <br>
$ make install <br>
<br>
$ systemctl --system daemon-reload <br>
$ systemctl enable ipsec.service <br>
$ service ipsec start <br>
Redirecting to /bin/systemctl start ipsec.service <br>
<br>
$ service ipsec status <br>
Redirecting to /bin/systemctl status ipsec.service <br>
ipsec.service - Internet Key Exchange (IKE) Protocol
Daemon for IPsec <br>
Loaded: loaded (/lib/systemd/system/ipsec.service;
enabled) <br>
Active: failed since Fri, 04 Jan 2013 15:11:52
+0530; 2s ago <br>
Process: 13445 ExecStopPost=/sbin/ip xfrm state flush
<br>
(code=exited, status=0/SUCCESS) <br>
Process: 13443 ExecStopPost=/sbin/ip xfrm policy
flush <br>
(code=exited, status=0/SUCCESS) <br>
Process: 13440 ExecStop=/usr/local/sbin/ipsec whack
--shutdown <br>
(code=exited, status=1/FAILURE) <br>
Process: 13438 ExecStart=/usr/bin/sh -c eval <br>
`/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf
--nofork <br>
$PLUTO_OPTIONS` (code=exited, status=203/EXEC) <br>
Process: 13379 <br>
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
<br>
(code=exited, status=0/SUCCESS) <br>
Process: 13376 ExecStartPre=/usr/local/sbin/ipsec
addconn <br>
--config /etc/ipsec.conf --checkconfig (code=exited,
status=0/SUCCESS) <br>
CGroup: name=systemd:/system/ipsec.service <br>
<br>
<br>
I can start pluto manually by executing the commands in
the systemd <br>
unit file marked for ExecStartPre and ExecStart. <br>
<br>
$ cat
/etc/systemd/system/multi-user.target.wants/ipsec.service
<br>
[Unit] <br>
Description=Internet Key Exchange (IKE) Protocol Daemon
for IPsec <br>
After=syslog.target <br>
After=network.target <br>
#After=remote-fs.target <br>
<br>
[Service] <br>
Type=simple <br>
Restart=always <br>
EnvironmentFile=-/etc/sysconfig/pluto <br>
#Environment=IPSEC_LIBDIR=/usr/local/libexec/ipsec <br>
#Environment=IPSEC_SBINDIR=/usr/local/sbin <br>
#Environment=IPSEC_EXECDIR=/usr/local/libexec/ipsec/ipsec
<br>
#PIDFile=/var/run/pluto/pluto.pid <br>
# <br>
ExecStartPre=/usr/local/sbin/ipsec addconn --config
/etc/ipsec.conf <br>
--checkconfig <br>
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
<br>
ExecStart=/usr/bin/sh -c 'eval
`/usr/local/libexec/ipsec/pluto <br>
--config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`' <br>
ExecStop=/usr/local/sbin/ipsec whack --shutdown <br>
ExecStopPost=/sbin/ip xfrm policy flush <br>
ExecStopPost=/sbin/ip xfrm state flush <br>
ExecReload=/usr/local/sbin/ipsec whack --listen <br>
<br>
[Install] <br>
WantedBy=multi-user.target <br>
Alias=syslog.service <br>
<br>
Any help? <br>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Swan mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
<br>
</blockquote>
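<p>Added example, not code from this thread or from libreswan: a small POSIX shell pre-flight for the ExecStart line quoted above. systemd's status=203/EXEC is the code it reports when its own execve() of the ExecStart program fails, and the program on that line is /usr/bin/sh, not pluto, so the shell is the first thing to check (Fedora 16 predates the /usr merge, so /usr/bin/sh can be absent there while /bin/sh exists); only after that does the pluto binary that sh runs matter. The function names, the scratch-directory usage and the sample /etc/sysconfig/pluto contents are assumptions made for the demonstration.</p>
<pre>
```sh
#!/bin/sh
# Added example (not libreswan's code): pre-flight checks for the ExecStart
# line of the ipsec.service unit quoted in the thread. systemd reports
# status=203/EXEC when its own execve() of the ExecStart program fails, so
# the program to check first is the one systemd runs (/usr/bin/sh) and only
# then the pluto binary that sh runs. All paths are parameters so the
# functions can be exercised against a scratch directory.

# Print the value of KEY from a systemd EnvironmentFile (KEY=VALUE lines,
# optional surrounding double quotes); print nothing if unset or unreadable.
env_file_get() {
    _file=$1 _key=$2
    [ -r "$_file" ] || return 0
    sed -n "s/^[[:space:]]*$_key=//p" "$_file" | tail -n 1 \
        | sed 's/^"\(.*\)"$/\1/'
}

# Classify an exec target by the way execve() would fail on it.
# Prints ok | missing | not-executable | bad-interpreter; returns 1 unless ok.
exec_check() {
    _bin=$1
    [ -e "$_bin" ] || { echo missing; return 1; }
    [ -x "$_bin" ] || { echo not-executable; return 1; }
    # A script whose #! interpreter is absent also fails with ENOENT.
    _interp=$(head -n 1 "$_bin" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -n "$_interp" ] && [ ! -x "$_interp" ]; then
        echo bad-interpreter; return 1
    fi
    echo ok
}

# Check every program the unit's ExecStart chain would exec, in order
# (the shell named in the unit first, then pluto).
# Prints "program: state" per line; returns 0 only if all are ok.
check_execstart() {
    _rc=0
    for _p in "$@"; do
        _state=$(exec_check "$_p") || _rc=1
        echo "$_p: $_state"
    done
    return $_rc
}

# Run the ExecStart line the way the unit does: PLUTO_OPTIONS comes from the
# EnvironmentFile and is word-split by the inner shell, and pluto's stdout is
# fed to eval. Returns the shell's exit status.
run_like_unit() {
    _sh=$1 _pluto=$2 _conf=$3 _envfile=$4
    PLUTO_OPTIONS=$(env_file_get "$_envfile" PLUTO_OPTIONS)
    export PLUTO_OPTIONS
    "$_sh" -c 'eval `'"$_pluto"' --config '"$_conf"' --nofork $PLUTO_OPTIONS`'
}

# Stand-alone use on the affected host: report on the real unit's paths.
demo() {
    check_execstart /usr/bin/sh /bin/sh /usr/local/libexec/ipsec/pluto
    echo "PLUTO_OPTIONS=$(env_file_get /etc/sysconfig/pluto PLUTO_OPTIONS)"
}
if [ "${1:-}" = demo ]; then demo; fi
```
</pre>
<p>Run it on the affected host as <tt>sh check_execstart.sh demo</tt> (hypothetical file name) to see the state of each program in the chain. One property of the unit's eval-of-backticks construct is worth keeping in mind when reading the status output: the backticks capture pluto's stdout until pluto exits, and eval with no arguments returns 0, so a pluto that exits early without printing anything leaves the shell exiting 0; only a failed exec of the shell itself surfaces as 203/EXEC, and an early pluto death has to be read from the journal or /var/log/secure.</p>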
<br>
</body>
</html>