[Openswan Users] duplicate key error when ipsec auto --add connection
Liviu Nicoara
2008-06-04 04:33:03 UTC
Hi guys,

I am trying for a couple of days now to set up a connection to my
office using OpenSWAN 2.5.16, with little success.

I am running Slackware on x86_64:

# uname -a
Linux yomama 2.6.25.4 #7 SMP Wed May 21 19:21:26 EDT 2008 x86_64
x86_64 x86_64 GNU/Linux

and AFAIK I am trying to establish a RoadWarrior type of connection. I
built and installed 2.5.16 (after 2.5.17 gave me a hard time) and the
installation went smoothly. I then installed the files provided by my
sysadmin (certificates and the sort).

The first roadblock is here:

tmp# ipsec setup start
duplicate key '' in conn theoffice while processing def theoffice
while loading 'theoffice': duplicate key '' in conn theoffice while
processing def theoffice
ipsec_setup: Starting Openswan IPsec 2.5.16...
ipsec_setup: FATAL ERROR: Both KLIPS and NETKEY IPsec code is present
in kernel
ipsec_setup: OOPS, should have aborted! Broken shell!

I do not understand the duplicate key error. Here is the content of my
config file for the connection:

tmp# cat /etc/ipsec.d/theoffice.conf
conn theoffice
authby=rsasig
pfs=no
rekey=yes
keyingtries=4
type=transport
leftupdown=/etc/ipsec.d/theoffice-updown
left=192.168.1.66
left=%defaultroute
leftcert=/etc/ipsec.d/certs/***@theoffice.com.pem
leftrsasigkey=%cert
leftprotoport=17/1701
right=nnn.nnn.nnn.nnn
rightid="C=US, ST=Colorado, L=Boulder, O=TheOffice, OU=IT, CN=zephyrus.theoffice.com"
rightrsasigkey=%cert
rightca=%same
rightprotoport=17/1701
auto=add

Does anybody have any idea where that duplicate key error is coming
from? (There is a final newline after `add')

Then, the script code which emits that "FATAL ERROR" is in
/usr/local/lib/ipsec/_startklips:
if test ! -f $ipsecversion && test ! -f $netkey; then
# both KLIPS and NETKEY code detected, bail out
echo "FATAL ERROR: Both KLIPS and NETKEY IPsec code is present in kernel"
exit
fi

I see the variables defined at the beginning:

netkey=/proc/net/pfkey
ipsecversion=/proc/net/ipsec/version

but I don't understand what's being tested here. I am not sure what is
configured wrong in the kernel either. IMHO, the kernel is configured
just fine.

Ok. Onward:

tmp# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.5.16/K(no kernel code presently loaded)
Checking for IPsec support in kernel [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'curl' command for CRL fetching [OK]
Opportunistic Encryption Support [DISABLED]


But then:

tmp# ipsec pluto && ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.5.16/K2.6.25.4 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Pluto not listening on port udp 500. Check interfaces defintion in ipsec.conf.
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'curl' command for CRL fetching [OK]
Opportunistic Encryption Support [DISABLED]

Is it on or not? Well, apparently not:

tmp# ipsec auto --up theoffice
024 need --listen before --initiate


And here is the output of ipsec barf:

tmp# ipsec barf
yomama
Wed Jun 4 00:05:59 EDT 2008
+ _________________________ version
+ ipsec --version
Linux Openswan U2.5.16/K2.6.25.4 (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.25.4 (***@yomama) (gcc version 4.1.2) #7 SMP Wed
May 21 19:21:26 EDT 2008
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window
irtt Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0
0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0
0 lo
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0
0 eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
ffff81013a4e2000 2 0 0 0 73131
+ _________________________ ip-xfrm-state
+ ip xfrm state
+ _________________________ ip-xfrm-policy
+ ip xfrm policy
+ _________________________ /proc/crypto
/usr/local/libexec/ipsec/barf: line 382: syntax error: unexpected end
of file

(indeed, barf ends abruptly at line 382 and this error is present in
both 2.5.16 and 2.5.17).

It is possible that my machine is seriously screwed up, so that this
installation process, which apparently works so fine for so many,
fails for me.

Any suggestions are GREATLY appreciated!

Thanks,
Liviu
Paul Wouters
2008-06-04 13:34:19 UTC
Post by Liviu Nicoara
I am trying for a couple of days now to set up a connection to my
office using OpenSWAN 2.5.16, with little success.
ipsec_setup: Starting Openswan IPsec 2.5.16...
ipsec_setup: FATAL ERROR: Both KLIPS and NETKEY IPsec code is present
in kernel
ipsec_setup: OOPS, should have aborted! Broken shell!
This was fixed later on:

If using NETKEY, you can also put "protostack=netkey" in the "config setup"
section of ipsec.conf to bypass starting klips.
Post by Liviu Nicoara
Then, the script code which emits that "FATAL ERROR" is in
if test ! -f $ipsecversion && test ! -f $netkey; then
That line should be:

if test -f $ipsecversion && test -f $netkey
Post by Liviu Nicoara
Linux Openswan U2.5.16/K(no kernel code presently loaded)
Checking for IPsec support in kernel [FAILED]
That will get fixed by the above.
Post by Liviu Nicoara
Linux Openswan U2.5.16/K2.6.25.4 (netkey)
Checking for IPsec support in kernel [OK]
It found netkey anyway.
Post by Liviu Nicoara
tmp# ipsec auto --up theoffice
024 need --listen before --initiate
That is because you started it differently. Do the one line fix
above and run the init script to start or run "ipsec setup start"

Paul
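The stack check Paul corrects above, written out as an added example (not Openswan's own _startklips) so the wrong and the fixed condition can be compared against constructed stand-ins for the two /proc files; the function takes both paths as arguments, which the real script does not:

```shell
# Corrected check: KLIPS exposes /proc/net/ipsec/version, NETKEY exposes
# /proc/net/pfkey. Only when BOTH exist must startup bail out.
detect_ipsec_stack() {
    ipsecversion="$1"
    netkey="$2"
    if test -f "$ipsecversion" && test -f "$netkey"; then
        echo "both"      # the FATAL ERROR case _startklips is meant to catch
        return 1
    elif test -f "$ipsecversion"; then
        echo "klips"
    elif test -f "$netkey"; then
        echo "netkey"    # what "ipsec verify" reports as K2.6.25.4 (netkey)
    else
        echo "none"      # "K(no kernel code presently loaded)"
    fi
    return 0
}

# The original 2.5.16 condition negated both tests, so it fired when
# NEITHER file existed, i.e. before any stack module was loaded.
buggy_check() {
    if test ! -f "$1" && test ! -f "$2"; then echo "FATAL"; else echo "ok"; fi
}

# Constructed scratch files standing in for the /proc entries.
tmpd=$(mktemp -d)
touch "$tmpd/pfkey"                                  # NETKEY only
detect_ipsec_stack "$tmpd/version" "$tmpd/pfkey"     # prints: netkey
buggy_check "$tmpd/version" "$tmpd/pfkey"            # prints: ok
rm -r "$tmpd"
```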
Liviu Nicoara
2008-06-04 14:22:31 UTC
Post by Paul Wouters
Post by Liviu Nicoara
I am trying for a couple of days now to set up a connection to my
office using OpenSWAN 2.5.16, with little success.
[...]
if test -f $ipsecversion && test -f $netkey
[...]
That is because you started it differently. Do the one line fix
above and run the init script to start or run "ipsec setup start"
Paul, thanks for the prompt reply. The situation is much better now:

~# ipsec setup start
duplicate key '' in conn theoffice while processing def theoffice
while loading 'theoffice': duplicate key '' in conn theoffice while
processing def theoffice
ipsec_setup: Starting Openswan IPsec 2.5.16...
ipsec_setup: WARNING: interfaces= is ignored when using the NETKEY stack
ipsec_setup: Trying hardware random, this may fail, which is okay.
ipsec_setup: Trying to load all NETKEY modules:xfrm6_tunnel
xfrm6_mode_tunnel xfrm6_mode_beet xfrm6_mode_ro xfrm6_mode_transport
xfrm4_mode_transport xfrm4_mode_tunnel xfrm4_tunnel xfrm4_mode_beet
esp4 esp6 ah4 ah6 ipcomp ipcomp6 af_key
ipsec_setup: Trying VIA padlock driver, this may fail, which is okay.
ipsec_setup: Trying to load Crypto API modules, some may fail, which
is okay.
ipsec_setup: aes-x86_64 aes des sha512 sha256 md5 cbc xcbc ecb twofish
blowfish serpent

ipsec_setup: duplicate key '' in conn theoffice while processing def
theoffice
ipsec_setup: while loading 'theoffice': duplicate key '' in conn
theoffice while processing def theoffice

~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.5.16/K2.6.25.4 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'curl' command for CRL fetching [OK]
Opportunistic Encryption Support [DISABLED]

As you can see above, the only remaining issue is the duplicate key in
my connection definition. I am re-attaching it here hoping that you,
or anybody else, might spot the issue (I couldn't). In the meantime, I
will try to debug it myself (have already spotted the parser code).

Thanks again!

Liviu
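A small duplicate-key finder for conn sections, added here as an example that is not part of the thread or of Openswan's parser; it reports the key name (which the "duplicate key ''" message above does not) and is run over a constructed copy of the conn posted earlier, where left= appears twice:

```shell
# Reads ipsec.conf text from files or stdin and prints one line per key that
# repeats inside the same "conn" or "config" section. Exit status 1 if any
# duplicate was found, 0 otherwise. Assumes section headers start at column 0.
find_dup_keys() {
    awk '
        /^[ \t]*#/ { next }                      # comment
        /^[ \t]*$/ { next }                      # blank line
        /^(conn|config)[ \t]/ {                  # new section: reset seen keys
            kind = $1; name = $2
            for (k in seen) delete seen[k]
            next
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next                    # not a key=value line
            key = substr(line, 1, eq - 1)
            sub(/[ \t]+$/, "", key)
            if (key in seen) {
                print "duplicate key " key " in " kind " " name
                status = 1
            }
            seen[key] = 1
        }
        END { exit status }
    ' "$@"
}

# Constructed input modelled on the conn from the first post (values shortened).
find_dup_keys <<'EOF' || echo "fix the conn before running ipsec auto --add"
conn theoffice
	authby=rsasig
	type=transport
	left=192.168.1.66
	left=%defaultroute
	leftrsasigkey=%cert
	rightid="C=US, O=TheOffice, CN=zephyrus.theoffice.com"
	auto=add
EOF
```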
Liviu Nicoara
2008-06-04 14:46:54 UTC
Post by Liviu Nicoara
[...]
As you can see above, the only remaining issue is the duplicate key in
my connection definition.
Scratch that, I see it now.

Thanks,
Liviu
