Discussion:
[Swan] Cannot start ipsec service using systemd
Elison Niven
2013-01-04 09:51:41 UTC
Hi,

I downloaded libreswan and installed from source on Fedora 16.
# Install dependencies
$ yum install unbound-devel libcap-ng-devel xmlto

# Remove openswan, racoon
$ yum remove openswan ipsec-tools

# Make and install libreswan
# make programs
$ make install

$ systemctl --system daemon-reload
$ systemctl enable ipsec.service
$ service ipsec start
Redirecting to /bin/systemctl start ipsec.service

$ service ipsec status
Redirecting to /bin/systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/lib/systemd/system/ipsec.service; enabled)
Active: failed since Fri, 04 Jan 2013 15:11:52 +0530; 2s ago
Process: 13445 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
Process: 13443 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
Process: 13440 ExecStop=/usr/local/sbin/ipsec whack --shutdown (code=exited, status=1/FAILURE)
Process: 13438 ExecStart=/usr/bin/sh -c eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS` (code=exited, status=203/EXEC)
Process: 13379 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 13376 ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/ipsec.service


I can start pluto manually by executing the commands in the systemd unit
file marked for ExecStartPre and ExecStart.

$ cat /etc/systemd/system/multi-user.target.wants/ipsec.service
[Unit]
Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
After=syslog.target
After=network.target
#After=remote-fs.target

[Service]
Type=simple
Restart=always
EnvironmentFile=-/etc/sysconfig/pluto
#Environment=IPSEC_LIBDIR=/usr/local/libexec/ipsec
#Environment=IPSEC_SBINDIR=/usr/local/sbin
#Environment=IPSEC_EXECDIR=/usr/local/libexec/ipsec/ipsec
#PIDFile=/var/run/pluto/pluto.pid
#
ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
ExecStop=/usr/local/sbin/ipsec whack --shutdown
ExecStopPost=/sbin/ip xfrm policy flush
ExecStopPost=/sbin/ip xfrm state flush
ExecReload=/usr/local/sbin/ipsec whack --listen

[Install]
WantedBy=multi-user.target
Alias=syslog.service

Any help?
--
Best Regards,
Elison Niven
Philippe Vouters
2013-01-04 12:05:01 UTC
Dear Elison,

I am running Fedora 17 i686 with SELinux policy set to permissive. I
just downloaded https://download.libreswan.org/libreswan-3.0.tar.gz
and performed the following commands from my user account:

$ sudo yum remove libreswan
$ sudo mv /etc/ipsec.conf.rpmsave /etc/ipsec.conf
$ tar -zxvf download/libreswan-3.0.tar.gz
$ cd libreswan-3.0/
$ make programs
$ sudo make install
$ sudo systemctl start ipsec.service
[philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: active (running) since Fri, 04 Jan 2013 12:42:54 +0100; 14s ago
Process: 2154 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
Main PID: 2215 (sh)
CGroup: name=systemd:/system/ipsec.service
2215 /usr/bin/sh -c eval `/usr/local/libexec/ipsec/plut...
2216 /usr/bin/sh -c eval `/usr/local/libexec/ipsec/plut...
2217 /usr/local/libexec/ipsec/pluto --config /etc/ipsec...
2242 _pluto_adns

Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | find_host_pair_conn ...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: added connection descr...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | reaped addconn helpe...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | connect_to_host_pair...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | find_host_pair: comp...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | connect_to_host_pair...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | find_host_pair: comp...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | connect_to_host_pair...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | find_host_pair: comp...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | connect_to_host_pair...
[philippe at victor libreswan-3.0]$ sudo systemctl stop ipsec.service
[philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: inactive (dead) since Fri, 04 Jan 2013 12:50:26 +0100; 2s ago
Process: 2580 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
Process: 2572 ExecStop=/usr/local/sbin/ipsec whack --shutdown (code=exited, status=0/SUCCESS)
Process: 2215 ExecStart=/usr/bin/sh -c eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS` (code=exited, status=0/SUCCESS)
Process: 2154 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/ipsec.service

Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: shutting down
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing connectio...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "roadwarrior": deletin...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing connectio...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "macintosh-l2tp": dele...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing connectio...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "roadwarrior-l2tp": de...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing connectio...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "roadwarrior-l2tp-upda...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | crl fetch request li...

So would it happen that you still have /etc/rc.d/init.d/ipsec*?
On my side:
[philippe at victor libreswan-3.0]$ ls /etc/rc.d/init.d/ipsec*
ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
Would it also happen, though it looks at first glance unlikely, that you are
facing some SELinux issue?
Can you give us the output of the following:
[philippe at victor libreswan-3.0]$ sudo getenforce
Permissive
If getenforce returns Enforcing, can you perform the following commands:
[philippe at victor libreswan-3.0]$ sudo restorecon /usr/local/sbin -Rv
[philippe at victor libreswan-3.0]$ sudo restorecon /usr/local/libexec/ipsec -Rv
[philippe at victor libreswan-3.0]$

Once the above points are clean,

[philippe at victor libreswan-3.0]$ sudo systemctl --system daemon-reload
[philippe at victor libreswan-3.0]$ sudo systemctl restart ipsec.service
[philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: active (running) since Fri, 04 Jan 2013 12:58:55 +0100; 6s ago
Process: 2580 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
Process: 2572 ExecStop=/usr/local/sbin/ipsec whack --shutdown (code=exited, status=0/SUCCESS)
Process: 2947 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 2942 ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
Main PID: 3011 (sh)
CGroup: name=systemd:/system/ipsec.service
3011 /usr/bin/sh -c eval `/usr/local/libexec/ipsec/plut...
3012 /usr/bin/sh -c eval `/usr/local/libexec/ipsec/plut...
3013 /usr/local/libexec/ipsec/pluto --config /etc/ipsec...
3038 _pluto_adns

Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | find_host_pair_conn ...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: added connection descr...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | reaped addconn helpe...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | connect_to_host_pair...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | find_host_pair: comp...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | connect_to_host_pair...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | find_host_pair: comp...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | connect_to_host_pair...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | find_host_pair: comp...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | connect_to_host_pair...

Thank you so much in advance for keeping us informed.
Best regards,

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
Elison Niven
2013-01-04 12:22:22 UTC
SELinux is disabled.
$ getenforce
Disabled
$ ls /etc/rc.d/init.d/ipsec*
ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory

Thanks.
--
Best Regards,
Elison Niven
Philippe Vouters
2013-01-04 13:07:00 UTC
Dear Elison,

pluto fails to correctly start on your side on:
/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
whack failing on stop is just a consequence.

Because $PLUTO_OPTIONS comes from:
EnvironmentFile=-/etc/sysconfig/pluto

can you $ cat /etc/sysconfig/pluto

$ export PLUTO_OPTIONS=<the right side of the assignment in your
PLUTO_OPTIONS in your /etc/sysconfig/pluto file>

and manually perform:

/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'

from a root account?

Then provide us the output of what you did and read.
Thank you so much in advance.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
Philippe Vouters
2013-01-04 13:31:57 UTC
Dear Elison,

I queried Google with "systemctl status=203/EXEC", which is the pluto
exit code you reported to us, and found this discussion at
http://forums.fedoraforum.org/showthread.php?t=272075. This is specific
to Fedora 16, but my guess is that it can also apply to Fedora 17.

It happens that the pluto code forks and exec's "addconn --autoall".
From a root account or sudo'ing, can you also perform:
# ipsec addconn --autoall
# echo $?
On my side:
[philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec addconn --autoall
002 "roadwarrior-l2tp-updatedwin": deleting connection
002 added connection description "roadwarrior-l2tp-updatedwin"
002 "roadwarrior-l2tp": deleting connection
002 added connection description "roadwarrior-l2tp"
002 "macintosh-l2tp": deleting connection
002 added connection description "macintosh-l2tp"
002 "roadwarrior": deleting connection
002 added connection description "roadwarrior"
[philippe at victor libreswan-3.0]$ echo $?
0

You may as well check your /var/log/secure so that we can get more
information on the pluto failure.

Yours truly,

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
_______________________________________________
Swan mailing list
Swan at lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20130104/f4326f3d/attachment-0001.html>
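An added diagnostic for the status=203/EXEC failure discussed in this thread. It is example code written for this page, not libreswan's own tooling, and it assumes only POSIX sh, sed and mktemp. systemd returns 203/EXEC when it cannot exec the program named in an Exec* line at all (wrong path, no execute bit, or a MAC policy such as SELinux refusing the exec), so the script pulls every Exec* program and EnvironmentFile= entry out of a unit file and reports the programs that are missing or not executable and the environment files that are absent (distinguishing the ones a leading "-" tells systemd to ignore). The unit it checks is a constructed sample in a temporary directory; $dir/missing/pluto and $dir/noexec are placeholders, not real libreswan paths.

```shell
#!/bin/sh
# Added diagnostic for a systemd "status=203/EXEC" failure (example code for
# this thread, not libreswan's). systemd exits 203 when the program named in
# an Exec* line could not be executed at all, so we list every program a unit
# names and every EnvironmentFile it loads, and flag what would not run.
# The unit and option file are constructed in a temporary directory; the
# paths under $dir are placeholders.

set -u

# Print the program path from every Exec* directive in a unit file, after
# dropping the prefixes systemd allows in front of the path ("-", "@", "+", "!").
exec_programs() {
    sed -n 's/^Exec[A-Za-z]*=//p' "$1" \
      | sed -e 's/^[-@+!:]*//' -e 's/[[:space:]].*$//'
}

# Report programs systemd would fail to exec: MISSING (no such file) or
# NOEXEC (present but not executable). Exit 1 if anything was reported.
check_exec_programs() {
    rc=0
    for prog in $(exec_programs "$1"); do
        if [ ! -e "$prog" ]; then
            echo "MISSING $prog"; rc=1
        elif [ ! -x "$prog" ]; then
            echo "NOEXEC $prog"; rc=1
        fi
    done
    return $rc
}

# Check EnvironmentFile= entries. A leading "-" tells systemd to ignore a
# missing file (the thread's unit uses "-/etc/sysconfig/pluto"); without it
# a missing file fails the unit before ExecStart runs.
check_environment_files() {
    rc=0
    for entry in $(sed -n 's/^EnvironmentFile=//p' "$1"); do
        case "$entry" in
            -*) optional=1; file="${entry#-}" ;;
            *)  optional=0; file="$entry" ;;
        esac
        if [ -f "$file" ]; then
            echo "OK $file"
        elif [ "$optional" = 1 ]; then
            echo "SKIPPED $file"
        else
            echo "MISSING $file"; rc=1
        fi
    done
    return $rc
}

# Build a constructed unit modelled on the thread's ipsec.service: one program
# that exists (/bin/sh), one that does not, and one that is not executable.
make_sample_unit() {
    dir="$1"
    printf 'PLUTO_OPTIONS=" "\n' > "$dir/pluto.env"
    printf 'not a program\n' > "$dir/noexec"
    chmod 644 "$dir/noexec"
    cat > "$dir/ipsec.service" <<EOF
[Unit]
Description=constructed sample unit (not the real libreswan unit)
[Service]
Type=simple
EnvironmentFile=-$dir/pluto.env
EnvironmentFile=-$dir/absent.env
ExecStartPre=/bin/sh -c 'echo checkconfig'
ExecStart=$dir/missing/pluto --config /etc/ipsec.conf --nofork \$PLUTO_OPTIONS
ExecStop=-$dir/noexec --shutdown
EOF
    echo "$dir/ipsec.service"
}

# Walk through the sample so the script does something useful when run directly.
run_demo() {
    dir=$(mktemp -d)
    unit=$(make_sample_unit "$dir")
    echo "== programs named by Exec* lines"
    exec_programs "$unit"
    echo "== programs systemd could not exec (203/EXEC candidates)"
    check_exec_programs "$unit" || echo "(fix the paths above, then systemctl daemon-reload)"
    echo "== environment files"
    check_environment_files "$unit" || true
    rm -rf "$dir"
}

run_demo
```

On a real host, point the two check functions at the unit file that systemctl status prints after "Loaded:" and run systemctl daemon-reload after correcting anything they report. An SELinux denial does not show up here (the file exists and is executable, yet the exec is refused); it appears as an AVC in the audit log, which is why the thread also reaches for getenforce and restorecon.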
Philippe Vouters
2013-01-04 13:51:22 UTC
Dear Elison,

If # ipsec addconn --autoall fails, my guess is that you ought to also
get the root cause of your problem with this line in bold:
[philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 3.0 (netkey) on 3.6.10-2.fc17.i686
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
*Pluto ipsec.conf syntax [OK]*
Hardware random device [N/A]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
Pluto ipsec.secret syntax [OK]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
Elison Niven
2013-01-04 14:04:20 UTC
Thanks for your support and time.
$ cat /etc/sysconfig/pluto
# Put extra pluto command line options you want here
PLUTO_OPTIONS=" "

$ ipsec addconn --autoall
$ echo $?
0

Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 3.0 (netkey) on 3.1.0-7.fc16.i686.PAE
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]

Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause
act on or cause sending of bogus ICMP redirects!

ICMP default/accept_redirects [NOT DISABLED]

Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will
cause act on or cause sending of bogus ICMP redirects!

XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/p18p1/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/vmnet1/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/vmnet8/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/virbr0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/virbr0-nic/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ppp0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [FAILED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]

ipsec verify: encountered 19 errors - see 'man ipsec_verify' for help
Post by Philippe Vouters
Dear Elison,
If # ipsec addconn --autoall fails, my guess is that you ought to also
[philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.0 (netkey) on 3.6.10-2.fc17.i686
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
*Pluto ipsec.conf syntax [OK]*
Hardware random device [N/A]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
Pluto ipsec.secret syntax [OK]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
Philippe Vouters (Fontainebleau/France)
URL:http://vouters.dyndns.org/
SIP:sip:Vouters at sip.linphone.org
Post by Philippe Vouters
Dear Elison,
I queried Google with "systemctl status=203/EXEC" which is the pluto
exit code you report us and found this discussion at
http://forums.fedoraforum.org/showthread.php?t=272075 This is
specific to Fedora 16 but my guess is that it can also apply to
Fedora 17.
It happens that the pluto code forks and exec's "addconn --autoall".
# ipsec addconn --autoall
# echo $?
[philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec addconn
--autoall
002 "roadwarrior-l2tp-updatedwin": deleting connection
002 added connection description "roadwarrior-l2tp-updatedwin"
002 "roadwarrior-l2tp": deleting connection
002 added connection description "roadwarrior-l2tp"
002 "macintosh-l2tp": deleting connection
002 added connection description "macintosh-l2tp"
002 "roadwarrior": deleting connection
002 added connection description "roadwarrior"
[philippe at victor libreswan-3.0]$ echo $?
0
You may as well check your /var/log/secure so that we can get more
information on the pluto failure.
Yours truly,
Philippe Vouters (Fontainebleau/France)
URL:http://vouters.dyndns.org/
SIP:sip:Vouters at sip.linphone.org
Post by Philippe Vouters
Dear Elison,
/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto
--config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
whack failing on stop is just a consequence.
EnvironmentFile=-/etc/sysconfig/pluto
can you *$ cat /etc/sysconfig/pluto*
$ *export PLUTO_OPTIONS=*<the right side of the assignment in your
PLUTO_OPTIONS in your /etc/sysconfig/pluto file>
*/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto **
**--config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'**
*
from a root account ????
You provide us the output of what you did and read.
Thank you so much in advance.
Philippe Vouters (Fontainebleau/France)
URL:http://vouters.dyndns.org/
SIP:sip:Vouters at sip.linphone.org
Post by Elison Niven
SELinux is disabled.
$ getenforce
Disabled
$ ls /etc/rc.d/init.d/ipsec*
ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
Thanks.
Post by Philippe Vouters
Dear Elison,
I am running Fedora 17 i686 with SELinux policy set to permissive. I
just dowloaded https://download.libreswan.org/libreswan-3.0.tar.gz
$ sudo yum remove libreswan
$ sudo mv /etc/ipsec.conf.rpmsave /etc/ipsec.conf
$ tar -zxvf download/libreswan-3.0.tar.gz
$ cd libreswan-3.0/
$ make programs
$ sudo make install
$ sudo systemctl start ipsec.service
[philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: active (running) since Fri, 04 Jan 2013 12:42:54
+0100; 14s ago
Process: 2154
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
(code=exited,
status=0/SUCCESS)
Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
--config /etc/ipsec.conf --checkconfig (code=exited,
status=0/SUCCESS)
Main PID: 2215 (sh)
CGroup: name=systemd:/system/ipsec.service
2215 /usr/bin/sh -c eval
`/usr/local/libexec/ipsec/plut...
2216 /usr/bin/sh -c eval
`/usr/local/libexec/ipsec/plut...
2217 /usr/local/libexec/ipsec/pluto --config
/etc/ipsec...
2242 _pluto_adns
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
find_host_pair_conn ...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: added connection
descr...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | reaped addconn
helpe...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
connect_to_host_pair...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
comp...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
connect_to_host_pair...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
comp...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
connect_to_host_pair...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
comp...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
connect_to_host_pair...
[philippe at victor libreswan-3.0]$ sudo systemctl stop ipsec.service
[philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: inactive (dead) since Fri, 04 Jan 2013 12:50:26
+0100; 2s ago
Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
(code=exited, status=0/SUCCESS)
Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
(code=exited, status=0/SUCCESS)
Process: 2572 ExecStop=/usr/local/sbin/ipsec whack --shutdown
(code=exited, status=0/SUCCESS)
Process: 2215 ExecStart=/usr/bin/sh -c eval
`/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
$PLUTO_OPTIONS` (code=exited, status=0/SUCCESS)
Process: 2154
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
(code=exited,
status=0/SUCCESS)
Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
--config /etc/ipsec.conf --checkconfig (code=exited,
status=0/SUCCESS)
CGroup: name=systemd:/system/ipsec.service
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: shutting down
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
connectio...
deletin...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
connectio...
dele...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
connectio...
"roadwarrior-l2tp": de...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
connectio...
"roadwarrior-l2tp-upda...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | crl fetch
request li...
So would it happen you still have /etc/rc.d/init.d/ipsec* ?
[philippe at victor libreswan-3.0]$ ls /etc/rc.d/init.d/ipsec*
ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
Would it also happen but it looks at first glance unlikely that you are
facing some SELinux issue ?
[philippe at victor libreswan-3.0]$ sudo getenforce
Permissive
[philippe at victor libreswan-3.0]$ sudo restorecon /usr/local/sbin -Rv
[philippe at victor libreswan-3.0]$ sudo restorecon
/usr/local/libexec/ipsec -Rv
[philippe at victor libreswan-3.0]$
Once the above points clean,
[philippe at victor libreswan-3.0]$ sudo systemctl --system daemon-reload
[philippe at victor libreswan-3.0]$ sudo systemctl restart ipsec.service
[philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: active (running) since Fri, 04 Jan 2013 12:58:55
+0100; 6s ago
Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
(code=exited, status=0/SUCCESS)
Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
(code=exited, status=0/SUCCESS)
Process: 2572 ExecStop=/usr/local/sbin/ipsec whack --shutdown
(code=exited, status=0/SUCCESS)
Process: 2947
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
(code=exited,
status=0/SUCCESS)
Process: 2942 ExecStartPre=/usr/local/sbin/ipsec addconn
--config /etc/ipsec.conf --checkconfig (code=exited,
status=0/SUCCESS)
Main PID: 3011 (sh)
CGroup: name=systemd:/system/ipsec.service
3011 /usr/bin/sh -c eval
`/usr/local/libexec/ipsec/plut...
3012 /usr/bin/sh -c eval
`/usr/local/libexec/ipsec/plut...
3013 /usr/local/libexec/ipsec/pluto --config
/etc/ipsec...
3038 _pluto_adns
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
find_host_pair_conn ...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: added connection
descr...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | reaped addconn
helpe...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
connect_to_host_pair...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
comp...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
connect_to_host_pair...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
comp...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
connect_to_host_pair...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
comp...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
connect_to_host_pair...
Thank you so much in advance for keeping us informed.
Best regards,
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
Post by Elison Niven
Hi,
I downloaded libreswan and installed from source on Fedora 16.
# Install dependencies
$ yum install unbound-devel libcap-ng-devel xmto
# Remove openswan, racoon
$ yum remove openswan ipsec-tools
# Make and install libreswan
# make programs
$ make install
$ systemctl --system daemon-reload
$ systemctl enable ipsec.service
$ service ipsec start
Redirecting to /bin/systemctl start ipsec.service
$ service ipsec status
Redirecting to /bin/systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/lib/systemd/system/ipsec.service; enabled)
Active: failed since Fri, 04 Jan 2013 15:11:52 +0530; 2s ago
Process: 13445 ExecStopPost=/sbin/ip xfrm state flush
(code=exited, status=0/SUCCESS)
Process: 13443 ExecStopPost=/sbin/ip xfrm policy flush
(code=exited, status=0/SUCCESS)
Process: 13440 ExecStop=/usr/local/sbin/ipsec whack --shutdown
(code=exited, status=1/FAILURE)
Process: 13438 ExecStart=/usr/bin/sh -c eval
`/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
$PLUTO_OPTIONS` (code=exited, status=203/EXEC)
Process: 13379
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
(code=exited, status=0/SUCCESS)
Process: 13376 ExecStartPre=/usr/local/sbin/ipsec addconn
--config /etc/ipsec.conf --checkconfig (code=exited,
status=0/SUCCESS)
CGroup: name=systemd:/system/ipsec.service
I can start pluto manually by executing the commands in the systemd
unit file marked for ExecStartPre and ExecStart.
$ cat /etc/systemd/system/multi-user.target.wants/ipsec.service
[Unit]
Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
After=syslog.target
After=network.target
#After=remote-fs.target
[Service]
Type=simple
Restart=always
EnvironmentFile=-/etc/sysconfig/pluto
#Environment=IPSEC_LIBDIR=/usr/local/libexec/ipsec
#Environment=IPSEC_SBINDIR=/usr/local/sbin
#Environment=IPSEC_EXECDIR=/usr/local/libexec/ipsec/ipsec
#PIDFile=/var/run/pluto/pluto.pid
#
ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf
--checkconfig
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto
--config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
ExecStop=/usr/local/sbin/ipsec whack --shutdown
ExecStopPost=/sbin/ip xfrm policy flush
ExecStopPost=/sbin/ip xfrm state flush
ExecReload=/usr/local/sbin/ipsec whack --listen
[Install]
WantedBy=multi-user.target
Alias=syslog.service
Any help?
_______________________________________________
Swan mailing list
Swan at lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
--
Best Regards,
Elison Niven
Philippe Vouters
2013-01-04 14:33:20 UTC
Permalink
Dear Elison,

Ensure you have this /etc/sysctl.conf configuration:
[philippe at victor libreswan-3.0]$ sudo cat /etc/sysctl.conf
# Kernel sysctl configuration file
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
#net.ipv4.ip_forward = 0

# Controls source route verification
#net.ipv4.conf.all.rp_filter = 0
#net.ipv4.conf.default.rp_filter = 0
#net.ipv4.conf.eth0.rp_filter = 0

# Do not accept source routing
#net.ipv4.conf.default.accept_source_route = 0

#net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.default.send_redirects = 0
#net.ipv4.conf.lo.send_redirects = 0
#net.ipv4.conf.eth0.send_redirects = 0

#IPSec
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.default.log_martians = 0
net.ipv4.ip_forward = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
Afterwards the command should be # sysctl -p from a root account.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
Post by Elison Niven
Thanks for your support and time.
$ cat /etc/sysconfig/pluto
# Put extra pluto command line options you want here
PLUTO_OPTIONS=" "
$ ipsec addconn --autoall
$ echo $?
0
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.0 (netkey) on 3.1.0-7.fc16.i686.PAE
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause
act on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will
cause act on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/p18p1/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/vmnet1/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/vmnet8/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/virbr0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/virbr0-nic/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ppp0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [FAILED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
ipsec verify: encountered 19 errors - see 'man ipsec_verify' for help
Post by Philippe Vouters
Dear Elison,
If # ipsec addconn --autoall fails, my guess is that you ought to also
[philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.0 (netkey) on 3.6.10-2.fc17.i686
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT
IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT
IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT
IMPLEMENTED]
Pluto ipsec.secret syntax [OK]
Checking NAT and MASQUERADEing [TEST
INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
Philippe Vouters (Fontainebleau/France)
URL:http://vouters.dyndns.org/
SIP:sip:Vouters at sip.linphone.org
Post by Philippe Vouters
Dear Elison,
I queried Google with "systemctl status=203/EXEC" which is the pluto
exit code you report us and found this discussion at
http://forums.fedoraforum.org/showthread.php?t=272075 This is
specific to Fedora 16 but my guess is that it can also apply to
Fedora 17.
It happens that the pluto code forks and exec's "addconn --autoall".
# ipsec addconn --autoall
# echo $?
[philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec addconn
--autoall
002 "roadwarrior-l2tp-updatedwin": deleting connection
002 added connection description "roadwarrior-l2tp-updatedwin"
002 "roadwarrior-l2tp": deleting connection
002 added connection description "roadwarrior-l2tp"
002 "macintosh-l2tp": deleting connection
002 added connection description "macintosh-l2tp"
002 "roadwarrior": deleting connection
002 added connection description "roadwarrior"
[philippe at victor libreswan-3.0]$ echo $?
0
You may as well check your /var/log/secure so that we can get more
information on the pluto failure.
Yours truly,
Philippe Vouters (Fontainebleau/France)
URL:http://vouters.dyndns.org/
SIP:sip:Vouters at sip.linphone.org
Post by Philippe Vouters
Dear Elison,
/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto
--config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
whack failing on stop is just a consequence.
EnvironmentFile=-/etc/sysconfig/pluto
can you $ cat /etc/sysconfig/pluto
$ export PLUTO_OPTIONS=<the right side of the assignment in your
PLUTO_OPTIONS in your /etc/sysconfig/pluto file>
/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto
--config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
from a root account?
You provide us the output of what you did and read.
Thank you so much in advance.
Philippe Vouters (Fontainebleau/France)
URL:http://vouters.dyndns.org/
SIP:sip:Vouters at sip.linphone.org
Post by Elison Niven
SELinux is disabled.
$ getenforce
Disabled
$ ls /etc/rc.d/init.d/ipsec*
ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
Thanks.
Post by Philippe Vouters
Dear Elison,
I am running Fedora 17 i686 with SELinux policy set to permissive. I
just downloaded https://download.libreswan.org/libreswan-3.0.tar.gz
$ sudo yum remove libreswan
$ sudo mv /etc/ipsec.conf.rpmsave /etc/ipsec.conf
$ tar -zxvf download/libreswan-3.0.tar.gz
$ cd libreswan-3.0/
$ make programs
$ sudo make install
$ sudo systemctl start ipsec.service
[philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: active (running) since Fri, 04 Jan 2013 12:42:54
+0100; 14s ago
Process: 2154
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
(code=exited,
status=0/SUCCESS)
Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
--config /etc/ipsec.conf --checkconfig (code=exited,
status=0/SUCCESS)
Main PID: 2215 (sh)
CGroup: name=systemd:/system/ipsec.service
2215 /usr/bin/sh -c eval
`/usr/local/libexec/ipsec/plut...
2216 /usr/bin/sh -c eval
`/usr/local/libexec/ipsec/plut...
2217 /usr/local/libexec/ipsec/pluto --config
/etc/ipsec...
2242 _pluto_adns
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
find_host_pair_conn ...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: added connection
descr...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | reaped addconn
helpe...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
connect_to_host_pair...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
comp...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
connect_to_host_pair...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
comp...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
connect_to_host_pair...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
comp...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
connect_to_host_pair...
[philippe at victor libreswan-3.0]$ sudo systemctl stop ipsec.service
[philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: inactive (dead) since Fri, 04 Jan 2013 12:50:26
+0100; 2s ago
Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
(code=exited, status=0/SUCCESS)
Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
(code=exited, status=0/SUCCESS)
Process: 2572 ExecStop=/usr/local/sbin/ipsec whack --shutdown
(code=exited, status=0/SUCCESS)
Process: 2215 ExecStart=/usr/bin/sh -c eval
`/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
$PLUTO_OPTIONS` (code=exited, status=0/SUCCESS)
Process: 2154
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
(code=exited,
status=0/SUCCESS)
Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
--config /etc/ipsec.conf --checkconfig (code=exited,
status=0/SUCCESS)
CGroup: name=systemd:/system/ipsec.service
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: shutting down
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
connectio...
deletin...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
connectio...
dele...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
connectio...
"roadwarrior-l2tp": de...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
connectio...
"roadwarrior-l2tp-upda...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | crl fetch
request li...
So could it be that you still have /etc/rc.d/init.d/ipsec*?
[philippe at victor libreswan-3.0]$ ls /etc/rc.d/init.d/ipsec*
ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
Could it also be, though it looks unlikely at first glance, that you are
facing some SELinux issue?
[philippe at victor libreswan-3.0]$ sudo getenforce
Permissive
[philippe at victor libreswan-3.0]$ sudo restorecon /usr/local/sbin -Rv
[philippe at victor libreswan-3.0]$ sudo restorecon
/usr/local/libexec/ipsec -Rv
[philippe at victor libreswan-3.0]$
Once the above points are clean:
[philippe at victor libreswan-3.0]$ sudo systemctl --system daemon-reload
[philippe at victor libreswan-3.0]$ sudo systemctl restart ipsec.service
[philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: active (running) since Fri, 04 Jan 2013 12:58:55
+0100; 6s ago
Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
(code=exited, status=0/SUCCESS)
Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
(code=exited, status=0/SUCCESS)
Process: 2572 ExecStop=/usr/local/sbin/ipsec whack --shutdown
(code=exited, status=0/SUCCESS)
Process: 2947
ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
(code=exited,
status=0/SUCCESS)
Process: 2942 ExecStartPre=/usr/local/sbin/ipsec addconn
--config /etc/ipsec.conf --checkconfig (code=exited,
status=0/SUCCESS)
Main PID: 3011 (sh)
CGroup: name=systemd:/system/ipsec.service
3011 /usr/bin/sh -c eval
`/usr/local/libexec/ipsec/plut...
3012 /usr/bin/sh -c eval
`/usr/local/libexec/ipsec/plut...
3013 /usr/local/libexec/ipsec/pluto --config
/etc/ipsec...
3038 _pluto_adns
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
find_host_pair_conn ...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: added connection
descr...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | reaped addconn
helpe...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
connect_to_host_pair...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
comp...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
connect_to_host_pair...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
comp...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
connect_to_host_pair...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
comp...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
connect_to_host_pair...
Thank you so much in advance for keeping us informed.
Best regards,
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
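The sysctl settings above and the NETKEY checks in the quoted `ipsec verify` output (send_redirects, accept_redirects and rp_filter on every interface) can be verified from a script before touching the service. This is an added example, not code from libreswan or from anyone in the thread. It assumes the `/proc/sys/net/ipv4/conf/<scope>/<knob>` layout that `ipsec verify` itself reads, takes the proc root as an optional argument so it can be run against a copy, and the names `NETKEY_KNOBS`, `check_netkey_sysctls` and `netkey_sysctl_conf` are mine.

```shell
#!/bin/sh
# Added example (not from libreswan or from this thread): re-run the
# NETKEY/XFRM checks that "ipsec verify" does on /proc/sys/net/ipv4 and
# print the sysctl.conf lines that make them pass.
# Assumed layout: <root>/conf/<scope>/<knob>, one integer per file, where
# <scope> is "all", "default" or an interface name. <root> defaults to
# /proc/sys/net/ipv4 and may point at a copy for offline testing.

# Knobs flagged in the ipsec verify output above, with the value it expects.
NETKEY_KNOBS="send_redirects=0 accept_redirects=0 rp_filter=0"

# check_netkey_sysctls [ROOT]
# Prints "<scope>/<knob>=<current> (want <expected>)" per offending knob.
# Returns 0 if every scope already has the expected values, 1 otherwise.
check_netkey_sysctls() {
    root=${1:-/proc/sys/net/ipv4}
    rc=0
    for ifdir in "$root"/conf/*; do
        [ -d "$ifdir" ] || continue
        scope=${ifdir##*/}
        for kv in $NETKEY_KNOBS; do
            knob=${kv%%=*}
            want=${kv#*=}
            file="$ifdir/$knob"
            [ -r "$file" ] || continue      # knob absent on this kernel
            read -r have < "$file"
            if [ "$have" != "$want" ]; then
                echo "$scope/$knob=$have (want $want)"
                rc=1
            fi
        done
    done
    return $rc
}

# netkey_sysctl_conf [ROOT]
# Prints sysctl.conf lines for "all", "default" and every interface that
# currently exists. "default" only seeds interfaces created later, and the
# kernel combines "all" with the per-interface value (max for rp_filter,
# OR for send_redirects), so each existing interface needs its own line.
netkey_sysctl_conf() {
    root=${1:-/proc/sys/net/ipv4}
    for ifdir in "$root"/conf/*; do
        [ -d "$ifdir" ] || continue
        # sysctl(8) spells a dot inside an interface name (eth0.100) as "/".
        scope=$(printf '%s' "${ifdir##*/}" | tr . /)
        for kv in $NETKEY_KNOBS; do
            echo "net.ipv4.conf.$scope.${kv%%=*} = ${kv#*=}"
        done
    done
    echo "net.ipv4.ip_forward = 1"   # gateway setup, as in the conf above
}

# Stand-alone use: sh netkey-sysctl.sh --report [ROOT]
if [ "${1:-}" = "--report" ]; then
    check_netkey_sysctls "$2" || netkey_sysctl_conf "$2"
fi
```

The `net.ipv4.conf.default.*` lines in the sysctl.conf above only seed interfaces created after `sysctl -p` runs; an interface that already exists keeps its own value, and the kernel takes the maximum of `all` and the per-interface `rp_filter` (and the logical OR for `send_redirects`), so a leftover 1 on `p18p1` or `virbr0` still counts as enabled, which is exactly what the per-interface `[ENABLED]` lines in `ipsec verify` show. `netkey_sysctl_conf` therefore emits a line per existing interface as well as for `all` and `default`, so the change takes effect with `sysctl -p` instead of needing a network restart or reboot. Leaving redirects enabled is not cosmetic: the kernel may emit bogus ICMP redirects for traffic about to be encapsulated, and accepting them lets an on-link peer reroute traffic that should enter the tunnel.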
Paul Wouters
2013-01-04 15:16:34 UTC
Permalink
On Fri, 4 Jan 2013, Elison Niven wrote:

Why is it that "stop" is failing? Was there perhaps an openswan pluto
running instead of a libreswan pluto, which confused "whack"?

Can you "killall -9 pluto" and then run "systemctl start ipsec.service" ?

Paul
Elison Niven
2013-01-09 07:28:34 UTC
Permalink
Hi,

Found the culprit. My systemd unit file had this line :
ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config
/etc/ipsec.conf --nofork $PLUTO_OPTIONS`'

But in Fedora 16 :
# which sh
/bin/sh

Therefore it was only required to change it to :
ExecStart=/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config
/etc/ipsec.conf --nofork $PLUTO_OPTIONS`'

Thanks !
Post by Philippe Vouters
Paul,
Pluto should NOT be running as per Elison's ipsec verify output
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
Post by Paul Wouters
Why is it that "stop" is failing? Was there perhaps an openswan pluto
running instead of a libreswan pluto, which confused "whack"?
Can you "killall -9 pluto" and then run "systemctl start
ipsec.service" ?
Paul
--
Best Regards,
Elison Niven
Philippe Vouters
2013-01-09 10:08:11 UTC
Permalink
Dear Elison,

I do thank you very much for keeping us informed. I am a bit surprised by what
you found. On my Fedora 17 computer, I have the following:
[philippe at victor libreswan]$ ls -l /
...
lrwxrwxrwx. 1 root root 7 Jun 2 2012 bin -> usr/bin
...
I now can't certify it. However I believe it has always been like that.

Yours truly,

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
Paul Wouters
2013-01-09 13:32:01 UTC
Permalink
Post by Philippe Vouters
lrwxrwxrwx. 1 root root 7 Jun 2 2012 bin -> usr/bin
...
I now can't certify it. However I believe it has always been like that.
No, this happened very recently, see

https://fedoraproject.org/wiki/Features/UsrMove

But I would expect symlinks to be there?

lrwxrwxrwx. 1 root root 4 Dec 29 14:09 /bin/sh -> bash
lrwxrwxrwx. 1 root root 4 Dec 29 14:09 /usr/bin/sh -> bash

But I guess the symlinks did not use to cover /usr/bin/sh because that
had never existed before.

It was targeted for Fedora 17. So for Fedora 16, I can see there is no
/usr/bin/sh. Likely in the next Fedora or the one after, they might
remove the old /bin/sh link. So we are caught in the middle. Since F16
is about to be EOL (it is not only because F18 got delayed so much), I'm
tempted to leave it like this, and specifically detect this scenario in
a backwards compatible way.

I'll add a @BINSH@ replacement variable that will map to /usr/bin/sh on
Fedora 17+ and /bin/sh to older fedoras.

Paul
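The `status=203/EXEC` in the original status output is systemd's code for "could not exec the program on this Exec*= line at all", which is why both ExecStartPre steps succeeded (their absolute paths existed) while ExecStart never ran, and why the same commands worked when typed into a shell that resolved `sh` through $PATH. As an added example (not part of libreswan or of anyone's post in this thread) the following script extracts every `Exec*=` program from a unit file and checks that it is an absolute path to an executable before the unit is enabled, and `detect_binsh` picks the shell path to write into the unit, which is what the build-time `@BINSH@` substitution proposed above would resolve to. The function names are mine; the prefix characters stripped (`-`, `@`, `!`, `+`, `:`) are the ones systemd.service(5) allows in front of the program.

```shell
#!/bin/sh
# Added example (not from libreswan or from this thread): pre-flight check
# for a systemd unit. status=203/EXEC means systemd could not exec the
# program named on an Exec*= line; here /usr/bin/sh did not exist on
# Fedora 16, while the ExecStartPre lines (absolute paths that did exist)
# ran fine. Function names are mine.

# unit_exec_programs UNITFILE
# Prints the program of every Exec*= line (ExecStart, ExecStartPre,
# ExecStop, ExecStopPost, ExecReload, ...), with the optional prefix
# characters systemd.service(5) allows ("-", "@", "!", "+", ":") stripped.
unit_exec_programs() {
    sed -n 's/^Exec[A-Za-z]*=[-@!+:]*\([^[:space:]]*\).*/\1/p' "$1"
}

# check_unit_execs UNITFILE
# Prints one line per program that is not an absolute path (the unit on
# the page uses absolute paths throughout, and older systemd requires
# them) or that is not executable; returns 0 when every Exec*= line would
# exec, 1 otherwise.
check_unit_execs() {
    unit=$1
    rc=0
    for prog in $(unit_exec_programs "$unit"); do
        case $prog in
            /*) ;;
            *) echo "not an absolute path: $prog"; rc=1; continue ;;
        esac
        if [ ! -x "$prog" ]; then
            echo "missing or not executable: $prog"
            rc=1
        fi
    done
    return $rc
}

# detect_binsh
# The shell path to write into the unit: /usr/bin/sh on a merged-/usr
# system (Fedora 17+), /bin/sh elsewhere. A configure-time @BINSH@
# substitution would compute exactly this.
detect_binsh() {
    if [ -x /usr/bin/sh ]; then
        echo /usr/bin/sh
    else
        echo /bin/sh
    fi
}

# Stand-alone use: sh check-unit.sh /etc/systemd/system/ipsec.service
if [ -n "${1:-}" ]; then
    check_unit_execs "$1" && echo "all Exec*= programs resolve; sh is $(detect_binsh)"
fi
```

Run it against the installed unit after `make install` and before `systemctl enable`; on the Fedora 16 host in this thread it would have printed `missing or not executable: /usr/bin/sh` instead of leaving the diagnosis to a 203 exit code after the fact. Newer systemd also ships `systemd-analyze verify UNIT`, which loads the unit and reports an Exec*= program it cannot find; on a 2013 host this script is the equivalent.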
Philippe Vouters
2013-01-09 10:54:23 UTC
Permalink
Dear Wes,

Perhaps we can do something better with the ipsec.service to take into
account both Elison's experience and my last reply to him. What about
replacing /usr/bin/sh with /bin/sh for /lib/systemd/system/ipsec.service
? On HP-UX systems (a Unix system), sh is usually found in /bin. What
about other Linux distributions ?

If I consider what others do on my Fedora computer, they tend to specify
/bin/sh instead of /usr/bin/sh as per hereafter:

[philippe at victor libreswan]$ sudo find /lib/systemd/system/ -name
\*.service -exec grep /bin/sh {} \; -print
ConditionPathExists=!/run/initramfs/bin/sh
/lib/systemd/system/dracut-shutdown.service
ConditionPathExists=!/run/initramfs/bin/sh
/lib/systemd/system/shutdown.target.wants/dracut-shutdown.service
ExecStart=/bin/sh -c "exec /usr/libexec/netatalk/netatalk.sh"
/lib/systemd/system/netatalk.service
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 ||
/bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill
-TERM $MAINPID'
/lib/systemd/system/named.service
ExecStart=/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config
/etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
/lib/systemd/system/ipsec.service
ExecStart=/bin/sh -c '/bin/dmesg | /usr/bin/abrt-dump-oops -xD; exec
/usr/bin/abrt-watch-log -F "`/usr/bin/abrt-dump-oops -m`"
/var/log/messages -- /usr/bin/abrt-dump-oops -xD'
/lib/systemd/system/abrt-oops.service
grep:
/lib/systemd/system/anaconda.target.wants/anaconda-shell@tty2.service:
No such file or directory
grep: /lib/systemd/system/anaconda.target.wants/anaconda@tty2.service:
No such file or directory
grep: /lib/systemd/system/anaconda.target.wants/anaconda@tty1.service:
No such file or directory
ExecStart=/bin/sh -c 'exec /usr/bin/abrt-watch-log -F
"`/usr/bin/abrt-dump-xorg -m`" /var/log/Xorg.0.log --
/usr/bin/abrt-dump-xorg -xD'
/lib/systemd/system/abrt-xorg.service
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1
|| :'
/lib/systemd/system/vncserver@.service
[philippe at victor libreswan]$



-------- Original Message --------
Subject: Re: [Swan] Cannot start ipsec service using systemd
Date: Wed, 09 Jan 2013 12:58:34 +0530
From: Elison Niven <elison.niven at cyberoam.com>
To: Philippe Vouters <philippe.vouters at laposte.net>
Cc: Paul Wouters <pwouters at redhat.com>, swan at lists.libreswan.org



Hi,

Found the culprit. My systemd unit file had this line :
ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config
/etc/ipsec.conf --nofork $PLUTO_OPTIONS`'

But in Fedora 16 :
# which sh
/bin/sh

Therefore it was only required to change it to :
ExecStart=/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config
/etc/ipsec.conf --nofork $PLUTO_OPTIONS`'

Thanks !
Post by Philippe Vouters
Paul,
Pluto should NOT be running as per Elison's ipsec verify output
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
Post by Paul Wouters
Why is it that "stop" is failing? Was there perhaps an openswan pluto
running instead of a libreswan pluto, which confused "whack"?
Can you "killall -9 pluto" and then run "systemctl start
ipsec.service" ?
Paul
--
Best Regards,
Elison Niven
Elison Niven
2013-01-09 11:01:37 UTC
Permalink
Hi,

Fedora 17 introduced https://fedoraproject.org/wiki/Features/UsrMove

This patch will solve this issue:

--- initsystems/systemd/ipsec.service.in 2013-01-02 10:35:37.000000000
+0530
+++ initsystems/systemd/ipsec.service.in.2 2013-01-09
16:29:10.766584179 +0530
@@ -15,7 +15,7 @@
#
ExecStartPre=@FINALSBINDIR@/ipsec addconn --config @FINALCONFFILE@
--checkconfig
ExecStartPre=@FINALLIBDIR@/_stackmanager start
-ExecStart=/usr/bin/sh -c 'eval `@FINALLIBEXECDIR@/pluto --config
@FINALCONFFILE@ --nofork $PLUTO_OPTIONS`'
+ExecStart=/bin/sh -c 'eval `@FINALLIBEXECDIR@/pluto --config
@FINALCONFFILE@ --nofork $PLUTO_OPTIONS`'
ExecStop=@FINALSBINDIR@/ipsec whack --shutdown
ExecStopPost=/sbin/ip xfrm policy flush
ExecStopPost=/sbin/ip xfrm state flush
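Review bot: the `+ExecStart=/bin/sh ...` line swaps one hard-coded interpreter path for another, so the unit that fails with status=203/EXEC on Fedora 16 (no /usr/bin/sh) would fail the same way once a distribution drops the /bin compatibility link, which the thread says Fedora intends to do. This file is already a template (`@FINALSBINDIR@`, `@FINALLIBEXECDIR@`, `@FINALCONFFILE@`), so make the shell path a build-time substitution too, for example `@BINSH@` resolved by the Makefile to /usr/bin/sh where it exists and /bin/sh otherwise, rather than editing the literal. Also, the hunk as posted has been wrapped by the mailer (the `-`/`+` lines and the `---`/`+++` headers continue on the following lines), so it will not apply with patch(1) as pasted; send it as an attachment or with git format-patch.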
Post by Philippe Vouters
Dear Wes,
Perhaps we can do something better with the ipsec.service to take into
account both Elison's experience and my last reply to him. What about
replacing /usr/bin/sh with /bin/sh for
/lib/systemd/system/ipsec.service ? On HP-UX systems (a Unix system),
sh is usually found in /bin. What about other Linux distributions ?
--
Best Regards,
Elison Niven
Paul Wouters
2013-01-09 13:37:04 UTC
Permalink
Post by Philippe Vouters
Perhaps we can do something better with the ipsec.service to take into account both Elison's experience
and my last reply to him. What about replacing /usr/bin/sh with /bin/sh for
/lib/systemd/system/ipsec.service ? On HP-UX systems (a Unix system), sh is usually found in /bin. What
about other Linux distributions ?
Fedora is the only distribution that, in my opinion WRONGLY, decided to
phase out /bin and merge it with /usr/bin. No other distribution has
done this. But whether we like it or not, on Fedora/RHEL the /bin
directory is going to disappear in the future. So /usr/bin/sh is the
right choice for Fedora 17+
Post by Philippe Vouters
If I consider what others do on my Fedora computer, they tend to specify /bin/sh instead of /usr/bin/sh
That is just because most packagers have not upgraded to the new reality
yet.

Paul
Wes Hardaker
2013-01-09 15:14:44 UTC
Permalink
Post by Paul Wouters
Post by Philippe Vouters
Perhaps we can do something better with the ipsec.service to take
into account both Elison's experience
and my last reply to him. What about replacing /usr/bin/sh with /bin/sh for
/lib/systemd/system/ipsec.service ? On HP-UX systems (a Unix
system), sh is usually found in /bin. What
about other Linux distributions ?
Fedora is the only distribution that, in my opinion WRONGLY, decided to
phase out /bin and merge it with /usr/bin. No other distribution has
done this. But whether we like it or not, on Fedora/RHEL the /bin
directory is going to disappear in the future. So /usr/bin/sh is the
right choice for Fedora 17+
Also, is HP-UX actually using systemd?

Detecting where 'sh' vs 'bash' vs... is located is exactly what a
configure script should do.
--
Wes Hardaker
My Pictures: http://capturedonearth.com/
My Thoughts: http://pontifications.hardakers.net/
Philippe Vouters
2013-01-04 17:09:37 UTC
Permalink
Any news? Does # systemctl start ipsec.service now work correctly for
you after # ipsec verify completes with no errors?
Note that # sysctl -p might not be the ultimate command provided you
copied my /etc/sysctl.conf.
You might need:
# service network restart
and if # ipsec verify still fails, you might even need if you indeed
copied my /etc/sysctl.conf:
# reboot
--
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org