<div dir="ltr">Looks like there is an issue resulting from a delivery that happened 4 days ago titled "<b>systemd: add socket activation</b>"<div><br></div><div>I'm running on an Ubuntu 14.04 system in EC2/VPC.</div><div><br></div><div>Up to that commit (not including), running "make build &amp; install" does the magic and everything works OK.</div><div><br></div><div>Building/installing and running "ipsec verify" after that commit returns the following output:</div><div><div><br></div><div><pre>root@ip-192-168-100-119:/home/ubuntu# ipsec verify

Verifying installed system and configuration files

Version check and ipsec on-path                    [OK]
Libreswan 3.master-201544.git (netkey) on 3.13.0-48-generic
Checking for IPsec support in kernel               [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects               [OK]
         ICMP default/accept_redirects             [OK]
         XFRM larval drop                          [OK]
Pluto ipsec.conf syntax                            [OK]
Hardware random device                             [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter                                 [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter            [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter              [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                     [OK]
<b> Pluto listening for IKE on udp 500                [FAILED]</b>
<b> Pluto listening for IKE/NAT-T on udp 4500         [DISABLED]</b>
 Pluto ipsec.secret syntax                         [OK]
Checking 'ip' command                              [OK]
Checking 'iptables' command                        [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options           [OK]
Opportunistic Encryption                           [DISABLED]
</pre></div><div> </div><div>auth.log has the following error:</div><div><br></div><div><pre>Nov  1 13:11:13 ip-192-168-100-119 pluto[8648]: reapchild failed with errno=10 No child processes</pre></div><div><br></div><div>syslog has the following error:</div><div><pre>Nov  1 13:11:13 ip-192-168-100-119 ipsec_starter[8920]: connect(pluto_ctl) failed: Invalid argument</pre></div><div><br></div><div>Any thoughts? 
Am I doing something wrong?</div></div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div style="color:rgb(0,0,0)"><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><b><font color="#000000"><span>Amir</span> Naftali</font></b> | <b><font face="arial, helvetica, sans-serif"><font color="#0000ff">CTO and Co-Founder</font> | </font>+972 54 497 2622</b></div><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><br></div><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><a href="http://www.fortycloud.com/?utm_campaign=amir_email&utm_medium=email&utm_source=signature&utm_content=link&utm_term=amir_sig" style="color:rgb(0,0,255);font-family:'Courier New';font-size:14px;line-height:21px" target="_blank"><img align="none" height="37" src="https://gallery.mailchimp.com/805c65e3dbe647f677fe8ee38/images/bde29e88-9385-4f4b-ae97-60c704de1547.png" width="200" alt="" style="width:200px;min-height:37px;margin:0px"></a><br></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Fri, Oct 30, 2015 at 3:34 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Fri, 30 Oct 2015, Amir Naftali wrote:<br>
<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Subject: Re: [Swan] GW To GW IPSec connection between CheckPoint and Libreswan<br>
<br></span><span class="">
This sounds great; having such a capability will provide a powerful tool supporting an advanced set of<br>
use cases.<br>
Is there a way to get an early peek at the patch so I can test it against some use cases that we have?<br>
</span></blockquote>
<br>
This was pushed:<br>
<br>
<a href="https://github.com/libreswan/libreswan/commit/f0328a91565c7a9951c9bc6b330ab15667e58fcd" rel="noreferrer" target="_blank">https://github.com/libreswan/libreswan/commit/f0328a91565c7a9951c9bc6b330ab15667e58fcd</a><br>
<br>
Note that the _updown script does not yet actually do any marking.<br>
<br>
I need to understand better how that would need to be done and what<br>
parameters are needed and how this would work well with vti. If anyone<br>
has suggestions or patches for _updown.netkey, please let me know.<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div>
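<p>The three findings in the <code>ipsec verify</code> output above (rp_filter enabled per interface, nothing listening on UDP 500, nothing on UDP 4500) can be reproduced from the kernel's own tables without the libreswan tooling. The script below is an added example written for this page; it is not libreswan's <code>ipsec verify</code> implementation and not code from either poster. It reads the <code>/proc/net/udp</code> socket table and the <code>/proc/sys/net/ipv4/conf/*/rp_filter</code> values (both real kernel formats), but the contents embedded here are constructed samples, so it runs offline; on a live host substitute <code>cat /proc/net/udp</code> and the per-interface rp_filter values.</p>

```shell
#!/bin/sh
# Added example, not libreswan's `ipsec verify`: re-implement the checks that
# failed or warned in the verify output above over constructed input.
# Assumes the usual kernel formats of /proc/net/udp and
# /proc/sys/net/ipv4/conf/*/rp_filter; the sample contents are made up.

# Constructed /proc/net/udp snapshot for a host where nothing is bound to
# UDP 500 or 4500 (only a resolver on 127.0.0.1:53 and NTP on 0.0.0.0:123).
# local_address is hex IPv4 followed by ':' and a 4-digit uppercase hex port.
UDP_NO_IKE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 12345 2 0000000000000000 0
   1: 00000000:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 0000000000000000 0'

# Same host once IKE (0x01F4 = 500) and NAT-T (0x1194 = 4500) are bound.
UDP_WITH_IKE="$UDP_NO_IKE
   2: 00000000:01F4 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12347 2 0000000000000000 0
   3: 00000000:1194 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12348 2 0000000000000000 0"

# Constructed rp_filter listing in "path value" form, as produced by:
#   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo "$f $(cat "$f")"; done
RPF_SAMPLE='/proc/sys/net/ipv4/conf/all/rp_filter 1
/proc/sys/net/ipv4/conf/default/rp_filter 1
/proc/sys/net/ipv4/conf/eth0/rp_filter 1
/proc/sys/net/ipv4/conf/lo/rp_filter 0'

# udp_bound PORT TABLE -> prints OK if any socket in TABLE (the text of
# /proc/net/udp) is bound to PORT on any address, FAILED otherwise.  Ports in
# that file are hex, so the decimal port is converted and compared as text.
udp_bound() {
    hexport=$(printf '%04X' "$1")
    printf '%s\n' "$2" | awk -v p="$hexport" '
        NR > 1 { split($2, a, ":"); if (a[2] == p) found = 1 }
        END { print (found ? "OK" : "FAILED") }'
}

# rp_filter_state LISTING -> one "path STATE" line per entry; any non-zero
# value (1 strict, 2 loose) is reported ENABLED, 0 is DISABLED.
rp_filter_state() {
    printf '%s\n' "$1" | awk '{ print $1, ($2 == 0 ? "DISABLED" : "ENABLED") }'
}

# rp_filter_sysctl LISTING -> sysctl.conf lines that switch off every enabled
# entry, e.g. "net.ipv4.conf.eth0.rp_filter = 0"; drop them into
# /etc/sysctl.d/ and apply with `sysctl -p` on a live host.
rp_filter_sysctl() {
    printf '%s\n' "$1" | awk '$2 != 0 {
        sub("^/proc/sys/", "", $1); gsub("/", ".", $1); print $1 " = 0" }'
}

# Stand-alone run over the samples: mirrors the FAILED/ENABLED lines above.
echo "Pluto listening for IKE on udp 500:        $(udp_bound 500  "$UDP_NO_IKE")"
echo "Pluto listening for IKE/NAT-T on udp 4500: $(udp_bound 4500 "$UDP_NO_IKE")"
rp_filter_state "$RPF_SAMPLE"
rp_filter_sysctl "$RPF_SAMPLE"
```

<p><code>udp_bound</code> only tells you whether some socket holds the port, not which process; to see the owner on a live host use <code>ss -lunp</code> as root, which is the first thing to look at when a socket-activation change leaves the verify check reporting FAILED. The rp_filter check treats the loose mode (value 2) as enabled as well, since the warning in the verify output asks for it to be disabled outright.</p>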