On Mon, 2 Feb 2015, Matias R. Cuenca del Rey wrote:
> Hello, I'm trying to run OpenStack VPNaaS on CentOS 7 with libreswan-3.8-6.el7_0.x86_64. VPNaaS's scripts are for openswan, so there are some options that are different. I've been working to adapt them; for example, 'ipsec pluto' didn't work because there was no nssdb. Right now I have pluto running, but I'm not sure if it is running like I want. The command that I execute to start pluto is:

We put in a few fixes specifically for openstack and non-root ownership of files and dropping capabilities later on. Please use libreswan-3.12 to ensure you have all those fixes! You're mixing at least libreswan-3.9:

* pluto: Drop CAP_DAC_OVERRIDE privs later to support non-root dirs [Paul]

> # ipsec pluto --ctlbase /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/var/run/pluto --ipsecdir /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d --config /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.conf --uniqueids --nat_traversal --secretsfile /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.secrets --virtual_private %v4:192.168.1.0/24,%v4:192.168.88.0/24
>
> Although I execute ipsec pluto with the --config option, when I execute ipsec whack --status I read the default config file and directory:

The order matters. If you specify --config and then --ctlbase, the ctlbase will override the configuration. If you specify --ctlbase before --config, the config file version will get used.

> Cannot open logfile '(null)': Bad file descriptor
> nss directory plutomain: /var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc/etc/ipsec.d

Those might be caused by the capabilities fix. If this does not fix your issues, ping me on [email protected] and I'll bring you in contact with our redhat/openstack guy who was part of fixing these issues.

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
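As an added example (not code from this thread, from libreswan or from Neutron VPNaaS), here is a small Python preflight for a pluto command line of the kind quoted above. It encodes the two points Paul's reply turns on: the later of --config/--ctlbase wins (taken as stated in the thread, not verified against pluto's source), and once pluto has dropped CAP_DAC_OVERRIDE the per-connection files must be accessible under ordinary DAC for the uid/gid it runs as. The uid/gid of 1000, the permission bits assumed necessary per path, and the treatment of --ctlbase as a prefix whose parent directory must be writable are assumptions of this example.

```python
"""Preflight for a pluto command line of the shape Neutron VPNaaS builds.

Two things the thread turns on: which of --config/--ctlbase wins depends on
their order (the later one wins, per the reply above), and once pluto drops
CAP_DAC_OVERRIDE it can no longer open files in the per-connection directory
unless ordinary DAC permissions allow it for the uid/gid it runs as.
"""
import os
import stat

# pluto options that take a filesystem path as their value
PATH_OPTIONS = ("--ctlbase", "--ipsecdir", "--config", "--secretsfile")
# all options that take a value; everything else is treated as a bare flag
VALUE_OPTIONS = PATH_OPTIONS + ("--virtual_private",)


def parse_pluto_args(argv):
    """Turn argv into (option, value) pairs; bare flags get value None."""
    pairs = []
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt in VALUE_OPTIONS:
            if i + 1 >= len(argv):
                raise ValueError(f"{opt} requires a value")
            pairs.append((opt, argv[i + 1]))
            i += 2
        else:
            pairs.append((opt, None))
            i += 1
    return pairs


def ctlbase_winner(argv):
    """Which --ctlbase setting pluto ends up with under the later-wins rule
    stated in the thread: 'config' if --ctlbase precedes --config (the config
    file's value overrides), 'cmdline' if it follows, None if either is absent."""
    opts = [opt for opt, _ in parse_pluto_args(argv)]
    if "--config" not in opts or "--ctlbase" not in opts:
        return None
    return "config" if opts.index("--ctlbase") < opts.index("--config") else "cmdline"


def dac_allows(mode, st_uid, st_gid, uid, gid, need):
    """Plain discretionary access check, as the kernel applies it to a process
    without CAP_DAC_OVERRIDE: owner bits if uid matches, else group bits if gid
    matches, else other bits. `need` is a string of 'r', 'w', 'x'."""
    if st_uid == uid:
        shift = 6
    elif st_gid == gid:
        shift = 3
    else:
        shift = 0
    bits = {"r": 4, "w": 2, "x": 1}
    return all((mode >> shift) & bits[c] for c in need)


def preflight(argv, uid, gid, stat_fn=os.stat):
    """Check each path option for the uid/gid pluto will run as after dropping
    privileges. Returns a list of human-readable problems (empty if all good)."""
    issues = []
    for opt, value in parse_pluto_args(argv):
        if opt not in PATH_OPTIONS:
            continue
        if opt == "--ctlbase":
            # assumption: --ctlbase is a prefix (pluto creates <ctlbase>.ctl and
            # .pid beside it), so write+search on its parent directory is what counts
            path, need = os.path.dirname(value), "wx"
        elif opt == "--ipsecdir":
            # assumption: pluto must at least search and list the directory
            # holding the NSS database
            path, need = value, "rx"
        else:
            path, need = value, "r"
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            issues.append(f"{opt}: {path} does not exist")
            continue
        if not dac_allows(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gid, need):
            issues.append(f"{opt}: uid {uid}/gid {gid} lacks '{need}' on {path}")
    return issues


if __name__ == "__main__":
    # argv constructed from the command line quoted in the thread; the
    # neutron uid/gid of 1000 are assumed values
    base = "/var/lib/neutron/ipsec/776a620a-9e26-436a-8efe-0736ef38d2cc"
    argv = ["--ctlbase", f"{base}/var/run/pluto",
            "--ipsecdir", f"{base}/etc/ipsec.d",
            "--config", f"{base}/etc/ipsec.conf",
            "--uniqueids", "--nat_traversal",
            "--secretsfile", f"{base}/etc/ipsec.secrets",
            "--virtual_private", "%v4:192.168.1.0/24,%v4:192.168.88.0/24"]
    print("ctlbase taken from:", ctlbase_winner(argv))
    for problem in preflight(argv, uid=1000, gid=1000):
        print("problem:", problem)
```

Run it on the host as root before handing the command to the neutron user; on the quoted command line it reports that --ctlbase precedes --config (so the config file's ctlbase, if any, wins), and any path the neutron uid cannot reach under plain DAC, which is the class of failure the capability-drop fix in 3.9 and later was meant to surface rather than silently bypass.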
