<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Paul,<br>
I was playing around with our ClearOS Webconfig front end for
Libreswan/Openswan to allow it to take %defaultroute as a valid
value for leftnexthop until bug 86 is fixed. I switched the first
conn over to:<br>
<br>
conn MumIn<br>
type=tunnel<br>
authby=secret<br>
dpdtimeout=120<br>
dpddelay=30<br>
auto=add<br>
left=%defaultroute<br>
leftnexthop=%defaultroute<br>
#left=howitts.poweredbyclear.com<br>
#left=82.19.147.85<br>
leftsourceip=172.17.2.1<br>
leftsubnet=172.17.2.0/24<br>
leftid=@Nick<br>
right=damim.dtdns.net<br>
rightsubnet=192.168.10.0/24<br>
salifetime=24h<br>
dpdaction=clear<br>
ikelifetime=24h<br>
ike=aes256-sha1;modp2048<br>
phase2alg=aes256<br>
rekey=no<br>
<br>
then reloaded the conn (when the webconfig also reloads secrets) at
which point I got logs:<br>
<br>
Sep 18 21:10:46 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:10:47 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:10:49 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:10:50 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:10:51 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:10:52 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:11:00 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:11:19 server pluto[1948]: forgetting secrets<br>
Sep 18 21:11:19 server pluto[1948]: loading secrets from
"/etc/ipsec.secrets"<br>
Sep 18 21:11:19 server pluto[1948]: loading secrets from
"/etc/ipsec.d/ipsec.unmanaged.MumIn.secrets"<br>
Sep 18 21:11:19 server pluto[1948]: loading secrets from
"/etc/ipsec.d/ipsec.unmanaged.PaulIn.secrets"<br>
Sep 18 21:11:19 server pluto[1948]: "MumIn": deleting connection<br>
Sep 18 21:11:19 server pluto[1948]: "MumIn" #2377: deleting state
(STATE_QUICK_R2)<br>
Sep 18 21:11:19 server pluto[1948]: "MumIn" #2377: ESP traffic
information: in=1KB out=0B<br>
Sep 18 21:11:19 server pluto[1948]: "MumIn" #2373: deleting state
(STATE_MAIN_R3)<br>
Sep 18 21:11:19 server pluto[1948]: "MumIn" #2355: deleting state
(STATE_MAIN_R3)<br>
Sep 18 21:11:20 server pluto[1948]: added connection description
"MumIn"<br>
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
responding to Main Mode from unknown peer 82.30.103.217<br>
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
STATE_MAIN_R1: sent MR1, expecting MI2<br>
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT
detected<br>
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
STATE_MAIN_R2: sent MR2, expecting MI3<br>
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
ignoring informational payload IPSEC_INITIAL_CONTACT,
msgid=00000000, length=28<br>
Sep 18 21:11:21 server pluto[1948]: | ISAKMP Notification Payload<br>
Sep 18 21:11:21 server pluto[1948]: | 00 00 00 1c 00 00 00 01 01
10 60 02<br>
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
Main mode peer ID is ID_IPV4_ADDR: '82.30.103.217'<br>
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
group=modp2048}<br>
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
Dead Peer Detection (RFC 3706): enabled<br>
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
the peer proposed: 172.17.2.0/24:0/0 -> 192.168.10.0/24:0/0<br>
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
cannot respond to IPsec SA request because no connection is known
for
172.17.2.0/24===82.19.147.85<82.19.147.85>[@Nick]...82.30.103.217===192.168.10.0/24<br>
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
sending encrypted notification INVALID_ID_INFORMATION to
82.30.103.217:500<br>
Sep 18 21:11:22 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:11:24 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
the peer proposed: 172.17.2.0/24:0/0 -> 192.168.10.0/24:0/0<br>
Sep 18 21:11:24 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
cannot respond to IPsec SA request because no connection is known
for
172.17.2.0/24===82.19.147.85<82.19.147.85>[@Nick]...82.30.103.217===192.168.10.0/24<br>
Sep 18 21:11:24 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
sending encrypted notification INVALID_ID_INFORMATION to
82.30.103.217:500<br>
Sep 18 21:11:30 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
the peer proposed: 172.17.2.0/24:0/0 -> 192.168.10.0/24:0/0<br>
Sep 18 21:11:30 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
cannot respond to IPsec SA request because no connection is known
for
172.17.2.0/24===82.19.147.85<82.19.147.85>[@Nick]...82.30.103.217===192.168.10.0/24<br>
Sep 18 21:11:30 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
sending encrypted notification INVALID_ID_INFORMATION to
82.30.103.217:500<br>
Sep 18 21:11:33 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378:
received Delete SA payload: deleting ISAKMP State #2378<br>
Sep 18 21:11:33 server pluto[1948]: "PaulIn"[3] 82.30.103.217:
deleting connection "PaulIn" instance with peer 82.30.103.217
{isakmp=#0/ipsec=#0}<br>
Sep 18 21:11:33 server pluto[1948]: packet from 82.30.103.217:500:
received and ignored empty informational notification payload<br>
Sep 18 21:11:37 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
responding to Main Mode from unknown peer 82.30.103.217<br>
Sep 18 21:11:37 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Sep 18 21:11:37 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
STATE_MAIN_R1: sent MR1, expecting MI2<br>
Sep 18 21:11:37 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT
detected<br>
Sep 18 21:11:37 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
Sep 18 21:11:37 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
STATE_MAIN_R2: sent MR2, expecting MI3<br>
Sep 18 21:11:37 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
ignoring informational payload IPSEC_INITIAL_CONTACT,
msgid=00000000, length=28<br>
Sep 18 21:11:37 server pluto[1948]: | ISAKMP Notification Payload<br>
Sep 18 21:11:37 server pluto[1948]: | 00 00 00 1c 00 00 00 01 01
10 60 02<br>
Sep 18 21:11:37 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
Main mode peer ID is ID_IPV4_ADDR: '82.30.103.217'<br>
Sep 18 21:11:37 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
Sep 18 21:11:37 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
group=modp2048}<br>
Sep 18 21:11:37 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
Dead Peer Detection (RFC 3706): enabled<br>
Sep 18 21:11:38 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
the peer proposed: 172.17.2.0/24:0/0 -> 192.168.10.0/24:0/0<br>
Sep 18 21:11:38 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
cannot respond to IPsec SA request because no connection is known
for
172.17.2.0/24===82.19.147.85<82.19.147.85>[@Nick]...82.30.103.217===192.168.10.0/24<br>
Sep 18 21:11:38 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
sending encrypted notification INVALID_ID_INFORMATION to
82.30.103.217:500<br>
Sep 18 21:11:40 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:11:41 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
the peer proposed: 172.17.2.0/24:0/0 -> 192.168.10.0/24:0/0<br>
Sep 18 21:11:41 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
cannot respond to IPsec SA request because no connection is known
for
172.17.2.0/24===82.19.147.85<82.19.147.85>[@Nick]...82.30.103.217===192.168.10.0/24<br>
Sep 18 21:11:41 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
sending encrypted notification INVALID_ID_INFORMATION to
82.30.103.217:500<br>
Sep 18 21:11:42 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:11:43 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:11:44 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:11:45 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:11:47 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
the peer proposed: 172.17.2.0/24:0/0 -> 192.168.10.0/24:0/0<br>
Sep 18 21:11:47 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
cannot respond to IPsec SA request because no connection is known
for
172.17.2.0/24===82.19.147.85<82.19.147.85>[@Nick]...82.30.103.217===192.168.10.0/24<br>
Sep 18 21:11:47 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
sending encrypted notification INVALID_ID_INFORMATION to
82.30.103.217:500<br>
Sep 18 21:11:47 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:11:48 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:11:49 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:11:50 server pluto[1948]: "PaulIn"[4] 82.30.103.217 #2379:
received Delete SA payload: deleting ISAKMP State #2379<br>
Sep 18 21:11:50 server pluto[1948]: "PaulIn"[4] 82.30.103.217:
deleting connection "PaulIn" instance with peer 82.30.103.217
{isakmp=#0/ipsec=#0}<br>
Sep 18 21:11:50 server pluto[1948]: packet from 82.30.103.217:500:
received and ignored empty informational notification payload<br>
Sep 18 21:11:50 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:11:52 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:11:53 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
etc<br>
<br>
Note the SELINUX error.<br>
<br>
Then trying the other conn as well:<br>
<br>
conn PaulIn<br>
type=tunnel<br>
authby=secret<br>
dpdtimeout=120<br>
dpddelay=30<br>
auto=add<br>
left=%defaultroute<br>
leftsourceip=172.17.2.1<br>
leftsubnet=172.17.2.0/24<br>
leftid=@Nick<br>
right=%any<br>
rightsubnet=192.168.30.0/24<br>
salifetime=24h<br>
dpdaction=clear<br>
ikelifetime=24h<br>
ike=aes256-sha1;modp2048<br>
phase2alg=aes256-sha1<br>
rekey=no<br>
leftnexthop=%defaultroute<br>
<br>
gave:<br>
<br>
Sep 18 21:13:34 server pluto[1948]: forgetting secrets<br>
Sep 18 21:13:34 server pluto[1948]: loading secrets from
"/etc/ipsec.secrets"<br>
Sep 18 21:13:34 server pluto[1948]: loading secrets from
"/etc/ipsec.d/ipsec.unmanaged.MumIn.secrets"<br>
Sep 18 21:13:34 server pluto[1948]: loading secrets from
"/etc/ipsec.d/ipsec.unmanaged.PaulIn.secrets"<br>
Sep 18 21:13:34 server pluto[1948]: "PaulIn"[11] 82.30.103.217:
deleting connection "PaulIn" instance with peer 82.30.103.217
{isakmp=#2386/ipsec=#0}<br>
Sep 18 21:13:34 server pluto[1948]: "PaulIn" #2386: deleting state
(STATE_MAIN_R3)<br>
Sep 18 21:13:34 server pluto[1948]: "PaulIn"[2] 88.104.27.88:
deleting connection "PaulIn" instance with peer 88.104.27.88
{isakmp=#2368/ipsec=#2376}<br>
Sep 18 21:13:34 server pluto[1948]: "PaulIn" #2376: deleting state
(STATE_QUICK_R2)<br>
Sep 18 21:13:34 server pluto[1948]: "PaulIn" #2376: ESP traffic
information: in=1KB out=0B<br>
Sep 18 21:13:34 server pluto[1948]: "PaulIn" #2368: deleting state
(STATE_MAIN_R3)<br>
Sep 18 21:13:35 server pluto[1948]: "PaulIn": deleting connection<br>
Sep 18 21:13:35 server pluto[1948]: added connection description
"PaulIn"<br>
Sep 18 21:13:35 server pluto[1948]: packet from 82.30.103.217:500:
Quick Mode message is for a non-existent (expired?) ISAKMP SA<br>
Sep 18 21:13:37 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:13:37 server pluto[1948]: packet from 88.104.27.88:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:13:40 server pluto[1948]: packet from 88.104.27.88:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:13:40 server pluto[1948]: packet from 82.30.103.217:500:
Quick Mode message is for a non-existent (expired?) ISAKMP SA<br>
Sep 18 21:13:46 server pluto[1948]: packet from 88.104.27.88:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:13:47 server pluto[1948]: packet from 82.30.103.217:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:13:50 server pluto[1948]: packet from 82.30.103.217:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:13:52 server pluto[1948]: packet from 88.104.27.88:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:13:55 server pluto[1948]: packet from 88.104.27.88:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:13:56 server pluto[1948]: packet from 82.30.103.217:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:14:01 server pluto[1948]: packet from 88.104.27.88:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:14:03 server pluto[1948]: packet from 82.30.103.217:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:14:06 server pluto[1948]: packet from 82.30.103.217:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:14:08 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:14:09 server pluto[1948]: packet from 88.104.27.88:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:14:09 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:14:11 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:14:12 server pluto[1948]: packet from 88.104.27.88:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:14:12 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:14:12 server pluto[1948]: packet from 82.30.103.217:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:14:13 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:14:15 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:14:16 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:14:17 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:14:18 server pluto[1948]: packet from 88.104.27.88:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:14:18 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:14:19 server pluto[1948]: packet from 82.30.103.217:500:
initial Main Mode message received on 82.19.147.85:500 but no
connection has been authorized with policy=PSK<br>
Sep 18 21:14:20 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:14:21 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
Sep 18 21:14:22 server pluto[1948]: SElinux: could not open
/sys/fs/selinux/enforce<br>
etc<br>
<br>
Restarting ipsec did not help. Reinstating the old conns with
left=IP and no leftnexthop did not help even after restarting ipsec.
The only fix was to remove and reinstall Libreswan.<br>
<br>
FWIW, under /sys/fs there is only a folder ext4, no selinux folder
so it is not surprising it could not be opened, but why does
reinstalling fix it/stop it from trying to open the file?<br>
<br>
Regards,<br>
<br>
Nick<br>
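An added triage script, not part of Nick's message or of Libreswan, that parses pluto log lines like the ones quoted above and separates the three things they report: a Main Mode SA that completed but whose Quick Mode request was refused with INVALID_ID_INFORMATION because no conn matched, peers refused at the first Main Mode message because no PSK conn was authorized for them, and the SELinux probe failures. The sample lines are constructed from those in the message, and the function and regex names are my own.

```python
import re
from collections import Counter
# Constructed sample in the shape of the pluto lines quoted above, one line per failure kind.
SAMPLE_LOG = """\
Sep 18 21:10:46 server pluto[1948]: SElinux: could not open /sys/fs/selinux/enforce
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378: the peer proposed: 172.17.2.0/24:0/0 -> 192.168.10.0/24:0/0
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378: cannot respond to IPsec SA request because no connection is known for 172.17.2.0/24===82.19.147.85<82.19.147.85>[@Nick]...82.30.103.217===192.168.10.0/24
Sep 18 21:11:21 server pluto[1948]: "PaulIn"[3] 82.30.103.217 #2378: sending encrypted notification INVALID_ID_INFORMATION to 82.30.103.217:500
Sep 18 21:13:37 server pluto[1948]: packet from 88.104.27.88:500: initial Main Mode message received on 82.19.147.85:500 but no connection has been authorized with policy=PSK
"""

PLUTO_RE = re.compile(r'pluto\[\d+\]: (?P<msg>.*)$')
# "conn"[instance] peer #sa: rest   (instance and peer are absent on non-instantiated conns)
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)"(?:\[\d+\] (?P<peer>\S+))? #(?P<sa>\d+): (?P<rest>.*)$')
UNAUTH_RE = re.compile(r'packet from (?P<peer>\S+): initial Main Mode message received on \S+ but no connection has been authorized')

def triage(log_text):
    """Group pluto messages by ISAKMP SA number and count the two 'no conn' failure kinds."""
    sas, unauthorized, selinux_noise = {}, Counter(), 0
    for msg in (m.group('msg') for m in map(PLUTO_RE.search, log_text.splitlines()) if m):
        u, s = UNAUTH_RE.match(msg), STATE_RE.match(msg)
        if msg.startswith('SElinux: could not open'):   # probe of /sys/fs/selinux/enforce failed
            selinux_noise += 1
        elif u:                                         # refused at the first Main Mode message
            unauthorized[u.group('peer')] += 1
        elif s:
            rec = sas.setdefault(s.group('sa'), {'conn': s.group('conn'), 'peer': s.group('peer'),
                                                 'established': False, 'missing': None, 'rejected': 0})
            rest = s.group('rest')
            if 'ISAKMP SA established' in rest:         # Phase 1 (Main Mode) completed
                rec['established'] = True
            if 'no connection is known for ' in rest:   # Phase 2: the conn pluto looked for and did not find
                rec['missing'] = rest.split('no connection is known for ', 1)[1]
            if 'INVALID_ID_INFORMATION' in rest:        # the refusal sent back to the peer
                rec['rejected'] += 1
    return {'sas': sas, 'unauthorized': dict(unauthorized), 'selinux_noise': selinux_noise}

def diagnose(summary):
    """One finding per failure, separating Phase 2 mismatches from peers no conn matched at all."""
    findings = []
    for sa, rec in summary['sas'].items():
        if rec['established'] and rec['rejected']:
            findings.append(f"SA #{sa} {rec['conn']} peer {rec['peer']}: Phase 1 OK but Phase 2 refused "
                            f"{rec['rejected']}x, no conn for {rec['missing']}")
    for peer, n in summary['unauthorized'].items():
        findings.append(f"peer {peer}: {n} Main Mode attempt(s), no PSK conn authorized for it")
    if summary['selinux_noise']:
        findings.append(f"{summary['selinux_noise']} SELinux enforce-flag probe failure(s), separate from IKE state")
    return findings
```

Run `diagnose(triage(open('/var/log/secure').read()))` on a full pluto log to get one line per failed peer instead of scrolling through the repeated retries.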
</body>
</html>