On Tue, 23 Sep 2014, Nels Lindquist wrote:

I'm trying to get LibreSWAN 3.10 working on an older gateway running
CentOS5 (x86_64).

As the RHEL5/CentOS5 binaries don't seem to be available in the
repository yet, I decided to build my own.

Ah were we building those. I might have just forgotten.

First issue of note--neither the libreswan-3.9-1.el5.x86_64.rpm nor the
libreswan-3.9-1.el5.src.rpm passed the signature check, despite my
importing RPM-GPG-KEY-libreswan.  Not sure what's up there.

That might be because of a md5 versus sha1 issue? I'll look into it.

Anyway, I (possibly foolishly) bypassed the failing signature check,
extracted the spec file from the 3.9 source package, tweaked it for
3.10, built a 3.10 source RPM and then finally built the binary RPMs
on CentOS5.  I disabled DNSSEC in the spec file rather than trying to
find compatible unbound packages in various repositories.

Sure. that's prob for the best.

The problem arises when trying to bring up a tunnel.  Either using an
L2TP connection or XAUTH + RSA, the connection fails with the following:

Sep 23 06:28:50 yycgate pluto[14414]: read from crypto helper 0
failed with short length 2048 of 2768.  Killing helper.

Odd. Perhaps Hugh can shed some light on that?

I tried forcing "nhelpers=1" in ipsec.conf, but it made no difference.

Try nhelpers=0 instead?

I'm also seeing these:

Sep 23 06:28:52 yycgate pluto[14414]: "L2TP-Win2KXP"[1]
75.158.74.198 #1: discarding packet received during asynchronous
work (DNS or crypto) in STATE_MAIN_R1

that seems a side effect or the earlier bug.

"ipsec verify" passes everything except for "XFRM larval drop [NOT
ENABLED]";

that only affects delays on dynamic tunnels.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

Reply via email to