Hello, I'm trying to run OpenStack VPNaaS on CentOS 7 with libreswan-3.8-6.el7_0.x86_64. VPNaaS's scripts are for Openswan, so some options are different. I've been working to adapt them; for example, 'ipsec pluto' didn't work because there was no nssdb. Right now I have pluto running, but I'm not sure it is running the way I want. The command I execute to start pluto is:

# ipsec pluto --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d --config /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets --virtual_private %v4:192.168.1.0/24,%v4:192.168.88.0/24

Although I execute ipsec pluto with the --config option, when I execute ipsec whack --status I see the default config file and directory:

# ipsec whack --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto --status
000 using kernel interface: netkey
000 interface qg-b0dafe22-e4/qg-b0dafe22-e4 XXX.XXX.XXX.XXX
000 interface qg-b0dafe22-e4/qg-b0dafe22-e4 XXX.XXX.XXX.XXX
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets, ipsecdir=/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d, dumpdir=/var/run/pluto, statsbin=unset
000 sbindir=/usr/sbin, libdir=/usr/libexec/ipsec, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.8, pluto_vendorid=OE-Libreswan-3.8
000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=XXX.XXX.XXX.XXX
000 secctx_attr_value=32001
000 myid = (none)
[more output here...]
000
000 Connection list:
000
000
000 State list:
000
000 Shunt list:
000

When I execute ipsec pluto with the --nofork option I get the following output:

# ipsec pluto --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d --config /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets --virtual_private %v4:192.168.1.0/24,%v4:192.168.88.0/24 --nofork --debug-all --stderrlog
adjusting ipsec.d to /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d
Pluto initialized
Cannot open logfile '(null)': Bad file descriptor
nss directory plutomain: /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d
NSS Initialized
libcap-ng support [enabled]
FIPS HMAC integrity verification test passed
FIPS: pluto daemon NOT running in FIPS mode
libcap-ng support [enabled]
Linux audit support [disabled]
Starting Pluto (Libreswan Version 3.8 XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS) LDAP(non-NSS)) pid:9483
core dump dir: /var/run/pluto
secrets file: /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS crypto [enabled]
XAUTH PAM support [enabled]
Setting NAT-Traversal port-4500 floating to on
   port floating activation criteria nat_t=1/port_float=1
   NAT-Traversal support [enabled]
| inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
| event added at head of queue
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 15 cryptographic helpers
started helper (thread) pid=139704128128768 (fd:5)
started helper (thread) pid=139704119736064 (fd:7)
| status value returned by setting the priority of this thread (id=0) 22
| helper 0 waiting on fd: 6
| status value returned by setting the priority of this thread (id=1) 22
| helper 1 waiting on fd: 8
| status value returned by setting the priority of this thread (id=2) 22
| helper 2 waiting on fd: 10
started helper (thread) pid=139704111343360 (fd:9)
started helper (thread) pid=139704102950656 (fd:11)
started helper (thread) pid=139704094557952 (fd:14)
| status value returned by setting the priority of this thread (id=3) 22
| helper 3 waiting on fd: 12
started helper (thread) pid=139703877629696 (fd:16)
| status value returned by setting the priority of this thread (id=5) 22
| helper 5 waiting on fd: 17
| status value returned by setting the priority of this thread (id=4) 22
| helper 4 waiting on fd: 15
started helper (thread) pid=139703869236992 (fd:18)
started helper (thread) pid=139703860844288 (fd:20)
| status value returned by setting the priority of this thread (id=6) 22
| helper 6 waiting on fd: 19
started helper (thread) pid=139703852451584 (fd:22)
| status value returned by setting the priority of this thread (id=7) 22
| helper 7 waiting on fd: 21
| status value returned by setting the priority of this thread (id=8) 22
| helper 8 waiting on fd: 23
started helper (thread) pid=139703844058880 (fd:24)
| status value returned by setting the priority of this thread (id=9) 22
| helper 9 waiting on fd: 25
started helper (thread) pid=139703835666176 (fd:26)
| status value returned by setting the priority of this thread (id=10) 22
| helper 10 waiting on fd: 27
started helper (thread) pid=139703827273472 (fd:28)
started helper (thread) pid=139703273649920 (fd:30)
| status value returned by setting the priority of this thread (id=11) 22
| helper 11 waiting on fd: 29
| status value returned by setting the priority of this thread (id=12) 22
| helper 12 waiting on fd: 31
started helper (thread) pid=139703265257216 (fd:32)
started helper (thread) pid=139703256864512 (fd:34)
| status value returned by setting the priority of this thread (id=13) 22
| helper 13 waiting on fd: 33
| status value returned by setting the priority of this thread (id=14) 22
| helper 14 waiting on fd: 35
Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-123.13.2.el7.x86_64
| process 9483 listening for PF_KEY_V2 on file descriptor 38
| finish_pfkey_msg: K_SADB_REGISTER message 1 for AH
|   02 07 00 02 02 00 00 00 01 00 00 00 0b 25 00 00
| pfkey_get: K_SADB_REGISTER message 1
| AH registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP
|   02 07 00 03 02 00 00 00 02 00 00 00 0b 25 00 00
| pfkey_get: K_SADB_REGISTER message 2
| alg_init():memset(0x7f0f6e09d580, 0, 2048) memset(0x7f0f6e09dd80, 0, 2048)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=72
| kernel_alg_add():satype=3, exttype=14, alg_id=251(ESP_KAME_NULL)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14, satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=2(ESP_DES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14, satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=3(ESP_3DES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14, satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=5(ESP_IDEA)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14, satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=6(ESP_CAST)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14, satype=3, alg_id=6, alg_ivlen=0, alg_minbits=384, alg_maxbits=384, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=7(ESP_BLOWFISH)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14, satype=3, alg_id=7, alg_ivlen=0, alg_minbits=512, alg_maxbits=512, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=8(ESP_3IDEA)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=14, satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=9(ESP_DES_IV32)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=14, satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=88
| kernel_alg_add():satype=3, exttype=15, alg_id=11(ESP_NULL)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15, satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=2(ESP_DES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15, satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=3(ESP_3DES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15, satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=6(ESP_CAST)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15, satype=3, alg_id=6, alg_ivlen=8, alg_minbits=40, alg_maxbits=128, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=7(ESP_BLOWFISH)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15, satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=12(ESP_AES)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15, satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=252(ESP_SERPENT)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15, satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=22(ESP_CAMELLIA)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[15], exttype=15, satype=3, alg_id=22, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=253(ESP_TWOFISH)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[16], exttype=15, satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=13(ESP_AES_CTR)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[17], exttype=15, satype=3, alg_id=13, alg_ivlen=8, alg_minbits=160, alg_maxbits=288, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=18(ESP_AES_GCM_A)
| kernel_alg_add():satype=3, exttype=15, alg_id=19(ESP_AES_GCM_B)
| kernel_alg_add():satype=3, exttype=15, alg_id=20(ESP_AES_GCM_C)
| kernel_alg_add():satype=3, exttype=15, alg_id=14(ESP_AES_CCM_A)
| kernel_alg_add():satype=3, exttype=15, alg_id=15(ESP_AES_CCM_B)
| kernel_alg_add():satype=3, exttype=15, alg_id=16(ESP_AES_CCM_C)
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Warning: failed to register algo_aes_ccm_8 for IKE
ike_alg_register_enc(): Activating aes_ccm_12: Ok (ret=0)
Warning: failed to register algo_aes_ccm_12 for IKE
ike_alg_register_enc(): Activating aes_ccm_16: Ok (ret=0)
Warning: failed to register algo_aes_ccm_16 for IKE
ike_alg_register_enc(): Activating aes_gcm_8: Ok (ret=0)
Warning: failed to register algo_aes_gcm_8 for IKE
ike_alg_register_enc(): Activating aes_gcm_12: Ok (ret=0)
Warning: failed to register algo_aes_gcm_12 for IKE
ike_alg_register_enc(): Activating aes_gcm_16: Ok (ret=0)
Warning: failed to register algo_aes_gcm_16 for IKE
| Registered AEAD AES CCM/GCM algorithms
| ESP registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 3 for IPCOMP
|   02 07 00 09 02 00 00 00 03 00 00 00 0b 25 00 00
| pfkey_get: K_SADB_REGISTER message 3
| IPCOMP registered with kernel.
| Registered AH, ESP and IPCOMP
| Changed path to directory '/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d/cacerts'
| Changing to directory '/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d/crls'
| selinux support is NOT enabled.
| inserting event EVENT_LOG_DAILY, timeout in 78344 seconds
| event added after event EVENT_REINIT_SECRET
listening for IKE messages
| Inspecting interface lo
| found lo with address 127.0.0.1
| Inspecting interface qr-b9e50b74-8d
| found qr-b9e50b74-8d with address 192.168.1.1
| Inspecting interface qg-b0dafe22-e4
| found qg-b0dafe22-e4 with address XXX.XXX.XXX.XXX
| Only looking to listen on XXX.XXX.XXX.XXX
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
adding interface qg-b0dafe22-e4/qg-b0dafe22-e4 XXX.XXX.XXX.XXX:500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=19)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
adding interface qg-b0dafe22-e4/qg-b0dafe22-e4 XXX.XXX.XXX.XXX:4500
skipping interface qr-b9e50b74-8d with 192.168.1.1
skipping interface lo with 127.0.0.1
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
| Only looking to listen on XXX.XXX.XXX.XXX
skipping interface lo with ::1
| Only looking to listen on XXX.XXX.XXX.XXX
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshard_secrets'
loading secrets from "/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets"
| id type added to secret(0x7f0f6eb8a250) PPK_PSK: XXX.XXX.XXX.XXX
| id type added to secret(0x7f0f6eb8a250) PPK_PSK: YYY.YYY.YYY.YYY
| Processing PSK at line 2: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| next event EVENT_PENDING_DDNS in 60 seconds
| calling addconn helper using execve
can not load config '/etc/ipsec.conf': can't load file '/etc/ipsec.conf'
| next event EVENT_PENDING_DDNS in 59 seconds
| reaped addconn helper child
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or /selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 60 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or /selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or /selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or /selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 0 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added after event EVENT_PENDING_PHASE2
| handling event EVENT_PENDING_PHASE2
| event after this is EVENT_PENDING_DDNS in 60 seconds
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
| next event EVENT_PENDING_DDNS in 60 seconds
|
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 60 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or /selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or /selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 0 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added after event EVENT_PENDING_PHASE2
| handling event EVENT_PENDING_PHASE2
| event after this is EVENT_PENDING_DDNS in 60 seconds
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| SElinux: disabled, could not open /sys/fs/selinux/enforce or /selinux/enforce
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 60 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| next event EVENT_PENDING_DDNS in 60 seconds

Is it using /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf ?

Thanks!!

Matías R. Cuenca del Rey
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
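A small check for the question raised in the post, added here as an example and not part of the post or of libreswan: it parses the `configfile=` field that `ipsec whack --status` reports and looks for the addconn "can not load config" line in the --nofork output, so you can tell from the daemon itself which ipsec.conf it ended up with. It assumes only POSIX sh with grep and sed; the status and log text below are constructed samples shaped like the output in the post, and the paths reuse the post's neutron directory.

```shell
# Added example, not from the post or from libreswan: confirm which ipsec.conf
# a running pluto reports and spot the addconn "can not load config" symptom.
# Assumes POSIX sh plus grep/sed; paths and UUID are the ones from the post.

BASE=/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc
EXPECTED="$BASE/etc/ipsec.conf"

# Constructed sample of `ipsec whack --status`, trimmed to the relevant lines.
SAMPLE_STATUS=$(cat <<EOF
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=$BASE/etc/ipsec.secrets, ipsecdir=$BASE/etc/ipsec.d, dumpdir=/var/run/pluto, statsbin=unset
000 pluto_version=3.8, pluto_vendorid=OE-Libreswan-3.8
EOF
)

# Constructed sample of the --nofork --debug-all --stderrlog output.
SAMPLE_LOG=$(cat <<'EOF'
| calling addconn helper using execve
can not load config '/etc/ipsec.conf': can't load file '/etc/ipsec.conf'
| reaped addconn helper child
EOF
)

# status_field NAME STATUS_TEXT: print the value of "NAME=..." from the
# "config setup options" line (values are comma separated).
status_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ ,]$1=\([^,]*\).*/\1/p" | head -n 1
}

# check_config EXPECTED STATUS_TEXT: 0 if pluto reports EXPECTED as its
# configfile, 1 otherwise.
check_config() {
    found=$(status_field configfile "$2")
    if [ "$found" = "$1" ]; then
        echo "OK: pluto reports configfile=$found"
        return 0
    fi
    echo "MISMATCH: expected $1 but pluto reports configfile=${found:-<none>}"
    return 1
}

# addconn_load_failed LOG_TEXT: 0 if the addconn helper reported that it
# could not load a config file, 1 otherwise.
addconn_load_failed() {
    printf '%s\n' "$1" | grep -q 'can not load config'
}

# Demo on the constructed samples. On a live box replace SAMPLE_STATUS with
#   "$(ipsec whack --ctlbase "$BASE/var/run/pluto" --status)"
check_config "$EXPECTED" "$SAMPLE_STATUS" || true
if addconn_load_failed "$SAMPLE_LOG"; then
    echo "addconn helper could not load its config; compare its path with --config"
fi
```

On the post's samples this prints a MISMATCH (pluto reports /etc/ipsec.conf) and the addconn notice, which is the state the post describes.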
