I used to have openswan installed on my Ubuntu 12.04 server and I ran apt-get remove openswan to remove it. I then installed libreswan-3.8 from source and rebooted the server. After the reboot, I found that the ipsec service was not running.

Running service ipsec start gives me something like this:
ipsec start/running, process 4933

Then if I immediately run service ipsec status I get this:
ipsec stop/waiting

So the ipsec service never really gets going... it must fail almost right away.

What can I do to troubleshoot this situation and get libreswan going on this server?


The logs show these entries:
Jun  9 11:02:14 gamma kernel: [ 1136.017915] intel_rng: FWH not detected
Jun  9 11:02:14 gamma kernel: [ 1136.213599] padlock_sha: VIA PadLock Hash Engine not detected.
Jun  9 11:02:14 gamma kernel: [ 1136.313834] Intel AES-NI instructions are not detected.
Jun  9 11:02:14 gamma kernel: [ 1136.383964] Intel AES-NI instructions are not detected.
Jun  9 11:02:14 gamma kernel: [ 1136.562989] init: ipsec main process (4933) terminated with status 10
Jun  9 11:02:14 gamma kernel: [ 1136.563012] init: ipsec main process ended, respawning
Jun  9 11:02:14 gamma kernel: [ 1136.567396] init: ipsec post-stop process (4996) terminated with status 1

ipsec verify looks like this:
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.8 (netkey) on 3.2.0-64-generic
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter                   [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/dummy0/rp_filter               [ENABLED]
 /proc/sys/net/ipv4/conf/eth0.3/rp_filter               [ENABLED]
 /proc/sys/net/ipv4/conf/eth1.3/rp_filter               [ENABLED]
 /proc/sys/net/ipv4/conf/bond0/rp_filter                [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [FAILED]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]

My /etc/ipsec.conf file looks like this:
config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes

        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.100.105.0/27
        oe=off
        protostack=netkey

conn mainoffice
        authby=secret
        auto=start
        type=tunnel
        left=1.1.1.1
        leftsourceip=10.100.105.1
        leftsubnet=10.100.105.0/27
        right=2.2.2.2
        rightsourceip=10.100.100.1
        rightsubnet=10.100.100.0/23
        ike=aes128-sha1
        phase2=esp
        phase2alg=aes128-sha1
        pfs=no

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
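The one concrete complaint in the ipsec verify output above is that rp_filter is ENABLED on every interface and "should be disabled". The post's logs do not show that rp_filter is what makes pluto exit with status 10, so the script below addresses the verify warning, not necessarily the crash. It is an added example, not code from the post or from libreswan: it walks the same /proc/sys/net/ipv4/conf/*/rp_filter entries that ipsec verify checks, reports the ones still enabled, emits persistent sysctl lines for them, and can switch them off. PROC_ROOT is an assumption introduced so the functions can be pointed at a scratch directory for testing; on a real host leave it unset. The sysctl lines use the slash-separated key form because interface names such as eth0.3 and eth1.3 from the verify output contain dots, which the dotted key form cannot express.

```shell
#!/bin/sh
# Added example, not from the original post or from libreswan.
# Audit and fix rp_filter per interface, mirroring the check `ipsec verify` does.
# PROC_ROOT is an assumption: override it to run against a fake tree.

PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4/conf}"

# Print "<iface> <value>" for every entry whose rp_filter is not 0
# (includes the special "all" and "default" entries, as ipsec verify does).
rp_filter_enabled_ifaces() {
    for d in "$PROC_ROOT"/*/; do
        iface=$(basename "$d")
        [ -r "$d/rp_filter" ] || continue
        val=$(cat "$d/rp_filter")
        [ "$val" = "0" ] || printf '%s %s\n' "$iface" "$val"
    done
}

# Emit sysctl lines (e.g. for /etc/sysctl.d/) for the entries still enabled.
# Slash-separated keys are used so VLAN names like eth0.3 are unambiguous.
rp_filter_sysctl_lines() {
    rp_filter_enabled_ifaces | while read -r iface val; do
        printf 'net/ipv4/conf/%s/rp_filter = 0\n' "$iface"
    done
}

# Write 0 into every writable rp_filter that is not already 0 (needs root on
# a real /proc). Prints the number of entries it changed.
rp_filter_disable() {
    n=0
    for d in "$PROC_ROOT"/*/; do
        f="$d/rp_filter"
        [ -w "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo 0 > "$f" && n=$((n + 1))
        fi
    done
    echo "$n"
}

# Default action is a report; --sysctl prints persistent lines; --fix applies.
case "${1:-}" in
    --fix)    rp_filter_disable ;;
    --sysctl) rp_filter_sysctl_lines ;;
    *)        rp_filter_enabled_ifaces ;;
esac
```

Run it without arguments to see which entries ipsec verify would still flag, `--sysctl` to generate lines to drop into a file under /etc/sysctl.d/ (then `sysctl -p` that file), and `--fix` as root to change the live values; after that, re-run ipsec verify and confirm the rp_filter lines read as disabled. Changing rp_filter only clears that warning; the exit status 10 from pluto still has to be read out of pluto's own log.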