On 29/10/15 10:37, Paul Wouters wrote:
> You can change the spec and disable DNSSEC so you don't need unbound,

I tried building the RPM without DNSSEC and succeeded. However, I got runtime errors:

  pluto[19918]: "seattle" #4: can not start crypto helper: failed to find any available worker
  pluto[19918]: "seattle" #4: message in state STATE_MAIN_R1 ignored due to cryptographic overload

Which led me to this:

  "More sites with same problem. All el5 based where libreswan is compiled without unbound support."
  https://lists.libreswan.org/pipermail/swan-dev/2014-July/000423.html

I then found unbound on EPEL:

  unbound-libs-1.4.20-2.el5
  unbound-devel-1.4.20-2.el5

To install them you'll need a few other things:

  ldns-devel-1.6.16-1.el5
  libevent-1.4.13-1
  ldns-1.6.16-1.el5

and perhaps a few others (depending on your system).

Anyway, I built the libreswan-3.9 package again and it succeeded. I still got these errors though on Road Warrior connections:

  pluto[22628]: "l2tp"[1] 165.228.94.4 #4: can not start crypto helper: failed to find any available worker
  pluto[22628]: "l2tp"[1] 165.228.94.4 #4: message in state STATE_MAIN_R1 ignored due to cryptographic overload

So I ended up putting nhelpers=0 in the main config section of ipsec.conf. It is now working but I don't fully understand what the default is and why I need to set this.

From the man page:

  nhelpers
      how many pluto helpers are started to help with cryptographic operations. Pluto will start (n-1) of them, where n is the number of CPU’s you have (including hypherthreaded CPU’s). A value of 0 forces pluto to do all operations in the main process. A value of -1 tells pluto to perform the above calculation. Any other value forces the number to that amount.

Our VPN server has only one CPU so, from the man page, nhelpers should start n-1 where n = number of CPUs. If I'm understanding correctly that would mean nhelpers=0 in my case but I had to set that explicitly.

What are the helpers and what are the workers? Should I have more than 0 here and why do I have to set that explicitly?

Kind regards,
Tom

--
Tom Robinson
IT Manager/System Administrator
MoTeC Pty Ltd
121 Merrindale Drive
Croydon South 3136
Victoria Australia
T: +61 3 9761 5050
F: +61 3 9761 5051
E: [email protected]
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
