<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal">I recently moved to libreswan 3.21 on a new machine and transferred my configuration files from a 3.18 machine to the new machine. All appeared to be working normally.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Until this morning, although northing changed<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This morning the VPN will not come up and it seems to fail with the following error when I try to bring it up with the following command:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Command:<o:p></o:p></p>
<p class="MsoNormal">/usr/local/sbin/ipsec auto --up IMD-L2TP-PSK<o:p></o:p></p>
<p class="MsoNormal">Error:<o:p></o:p></p>
<p class="MsoNormal">whack: is Pluto running? connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This is what I am seeing in the /var/log/auth.log :<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Sep 24 11:08:02 rpiNC CRON[7993]: pam_unix(cron:session): session opened for user root by (uid=0)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: NSS DB directory: sql:/etc/ipsec.d<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: Initializing NSS<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: Opening NSS database "sql:/etc/ipsec.d" read-only<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: NSS initialized<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: NSS crypto library initialized<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: FIPS HMAC integrity support [disabled]<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: libcap-ng support [enabled]<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: Linux audit support [disabled]<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: Starting Pluto (Libreswan Version 3.21 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO NSS DNSSEC SYSTEMD_WATCHDOG LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:8381<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: core dump dir: /var/run/pluto/<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: secrets file: /etc/ipsec.secrets<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: leak-detective enabled<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: NSS crypto [enabled]<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: XAUTH PAM support [enabled]<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: NAT-Traversal support [enabled]<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: Encryption algorithms:<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] (3des)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (camellia)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: AES_GCM_16 IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: AES_GCM_12 IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: AES_GCM_8 IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aesctr)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (serpent)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (twofish)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} (twofish_cbc_ssh)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: CAST_CBC IKEv1: ESP IKEv2: ESP {*128} (cast)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: NULL IKEv1: ESP IKEv2: ESP []<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: Hash algorithms:<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: MD5 IKEv1: IKE IKEv2:<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: SHA1 IKEv1: IKE IKEv2: FIPS (sha)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: SHA2_256 IKEv1: IKE IKEv2: FIPS (sha2 sha256)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: SHA2_384 IKEv1: IKE IKEv2: FIPS (sha384)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: SHA2_512 IKEv1: IKE IKEv2: FIPS (sha512)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: PRF algorithms:<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_MD5 IKEv1: IKE IKEv2: IKE (md5)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS (sha sha1)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS (sha2 sha256 sha2_256)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS (sha384 sha2_384)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS (sha512 sha2_512)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: Integrity algorithms:<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (md5 hmac_md5)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha sha1 sha1_96 hmac_sha1)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha512 sha2_512 hmac_sha2_512)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha384 sha2_384 hmac_sha2_384)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: AES_XCBC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_xcbc)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_cmac)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: DH algorithms:<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh2)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh5)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh14)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh15)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh16)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh17)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh18)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_256)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_384)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_521)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: DH23 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: DH24 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: starting up 3 crypto helpers<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: started thread for crypto helper 0 (master fd 11)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: seccomp security for crypto helper not supported<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: started thread for crypto helper 1 (master fd 13)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: seccomp security for crypto helper not supported<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: started thread for crypto helper 2 (master fd 15)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: seccomp security for crypto helper not supported<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: Using Linux XFRM/NETKEY IPsec interface code on 4.9.41-v7+<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: watchdog: sending probes every 100 secs<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: ABORT: ASSERTION FAILED: dns_ctx != NULL (in unbound_event_init() at unbound.c:188)<o:p></o:p></p>
<p class="MsoNormal">Sep 24 11:08:05 rpiNC pluto[8381]: ABORT: ASSERTION FAILED: dns_ctx != NULL (in unbound_event_init() at unbound.c:188)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This series of errors appears to repeat 3 or so times.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Nothing has changed on this machine, or on the machine to which it is trying to connect.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ideas?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">TIA<o:p></o:p></p>
</div>
</body>
</html>