Bug 1014009

Summary: pluto fails to start in default configuration
Product: Red Hat Enterprise Linux 6
Reporter: Ondrej Moriš <omoris>
Component: openswan
Assignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: high
Priority: unspecified
Version: 6.5
CC: azelinka, eparis, ksrot, mitr, omoris, sgrubb, tlavigne
Target Milestone: rc
Keywords: Regression, TestBlocker
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: openswan-2.6.32-27.el6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-11-21 23:48:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 993793

Description Ondrej Moriš 2013-10-01 09:08:26 UTC
Description of problem:

With the latest version of openswan packages, pluto fails to start during ipsec service start. 

Version-Release number of selected component (if applicable):

openswan-2.6.32-24.el6

How reproducible:

100%

Steps to Reproduce:

1. Use the default configuration:
    
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	# klipsdebug=none
	# plutodebug="control parsing"
	# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
	protostack=netkey
	nat_traversal=yes
	virtual_private=
	oe=off
	# Enable this if you see "failed to find any available worker"
	# nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

2. Start ipsec: service ipsec start
3. See the status and /v/l/m.

Actual results:

# service ipsec status
IPsec stopped
but...
has subsystem lock (/var/lock/subsys/ipsec)!

# tail /var/log/messages 
Oct  1 08:54:00 pes-guest-82 kernel: padlock: VIA PadLock not detected.
Oct  1 08:54:00 pes-guest-82 kernel: padlock: VIA PadLock Hash Engine not detected.
Oct  1 08:54:00 pes-guest-82 kernel: Intel AES-NI instructions are not detected.
Oct  1 08:54:00 pes-guest-82 kernel: Intel AES-NI instructions are not detected.
Oct  1 08:54:00 pes-guest-82 kernel: padlock: VIA PadLock not detected.
Oct  1 08:54:00 pes-guest-82 ipsec_setup: ...Openswan IPsec started
Oct  1 08:54:00 pes-guest-82 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Oct  1 08:54:00 pes-guest-82 pluto: adjusting ipsec.d to /etc/ipsec.d
Oct  1 08:54:00 pes-guest-82 ipsec__plutorun: whack: read() failed (104 Connection reset by peer)
Oct  1 08:54:00 pes-guest-82 ipsec__plutorun: pluto apparently already running (?!?), giving up

Expected results:

# service ipsec status
IPsec running  - pluto pid: 1951
pluto pid 1951
No tunnels up

# tail /var/log/messages 
Oct  1 08:59:51 pes-guest-82 ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64...
Oct  1 08:59:51 pes-guest-82 ipsec_setup: Using NETKEY(XFRM) stack
Oct  1 08:59:51 pes-guest-82 kernel: padlock: VIA PadLock not detected.
Oct  1 08:59:51 pes-guest-82 kernel: padlock: VIA PadLock Hash Engine not detected.
Oct  1 08:59:51 pes-guest-82 kernel: Intel AES-NI instructions are not detected.
Oct  1 08:59:51 pes-guest-82 kernel: padlock: VIA PadLock not detected.
Oct  1 08:59:51 pes-guest-82 ipsec_setup: ...Openswan IPsec started
Oct  1 08:59:51 pes-guest-82 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Oct  1 08:59:51 pes-guest-82 pluto: adjusting ipsec.d to /etc/ipsec.d
Oct  1 08:59:51 pes-guest-82 ipsec__plutorun: 003 no secrets filename matched "/etc/ipsec.d/*.secrets"

Additional info:

With the previous version of openswan (openswan-2.6.32-21.el6_4) it worked fine. Therefore some of the new patches must introduce this problem.

Comment 1 Ondrej Moriš 2013-10-01 09:19:44 UTC
This problem appears if the openswan-fips package is installed and the kernel fips flag is disabled. After removing the openswan-fips package, the problem disappears.
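
The following triage script is an added example; it is not part of this bug report or of openswan. It encodes the two symptoms from the description (the subsystem lock left in place while pluto is not running, and the "pluto apparently already running" give-up logged by ipsec__plutorun) together with the trigger named in Comment 1 (openswan-fips installed while the kernel FIPS flag is off), so an administrator can tell this failure apart from an ordinary stopped service. The log excerpt is constructed from the report's "Actual results"; the lock, pid-file and /proc paths are assumptions about a RHEL 6 host.

```sh
#!/bin/sh
# Added triage helper for the failure in this bug; not from the report or openswan.
# Assumed host paths (pass the real ones on a live system):
#   lock file : /var/lock/subsys/ipsec
#   pid file  : /var/run/pluto/pluto.pid
#   FIPS flag : /proc/sys/crypto/fips_enabled  (1 = enabled, 0 = disabled)

# Constructed log excerpt, modelled on the report's "Actual results".
sample_log() {
    cat <<'EOF'
Oct  1 08:54:00 host ipsec_setup: ...Openswan IPsec started
Oct  1 08:54:00 host ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Oct  1 08:54:00 host pluto: adjusting ipsec.d to /etc/ipsec.d
Oct  1 08:54:00 host ipsec__plutorun: whack: read() failed (104 Connection reset by peer)
Oct  1 08:54:00 host ipsec__plutorun: pluto apparently already running (?!?), giving up
EOF
}

# plutorun_gave_up LOGFILE  -> exit 0 when the give-up message is present
plutorun_gave_up() {
    grep -q 'ipsec__plutorun: pluto apparently already running' "$1"
}

# pluto_alive PIDFILE  -> exit 0 when the pid file names a live process
pluto_alive() {
    [ -r "$1" ] && kill -0 "$(cat "$1")" 2>/dev/null
}

# fips_mismatch PKG_INSTALLED FIPS_FLAG  -> exit 0 for "package present, flag 0",
# the combination Comment 1 identifies. On a real host obtain the arguments with
#   rpm -q openswan-fips >/dev/null 2>&1 && echo 1 || echo 0
#   cat /proc/sys/crypto/fips_enabled
fips_mismatch() {
    [ "$1" -eq 1 ] && [ "$2" -eq 0 ]
}

# diagnose LOGFILE LOCKFILE PIDFILE PKG_INSTALLED FIPS_FLAG
# Prints a comma-separated verdict: process state first, then any findings.
diagnose() {
    verdict=stopped
    if pluto_alive "$3"; then
        verdict=running
    elif [ -e "$2" ]; then
        verdict=stale-lock      # "IPsec stopped but... has subsystem lock"
    fi
    if plutorun_gave_up "$1"; then
        verdict="$verdict,plutorun-gave-up"
    fi
    if fips_mismatch "$4" "$5"; then
        verdict="$verdict,fips-pkg-without-fips-kernel"
    fi
    printf '%s\n' "$verdict"
}

# Stand-alone demonstration in a scratch directory reproducing the report:
# lock present, no pid file, openswan-fips installed, FIPS flag off.
demo() {
    dir=$(mktemp -d)
    sample_log > "$dir/messages"
    : > "$dir/ipsec"            # stands in for /var/lock/subsys/ipsec
    diagnose "$dir/messages" "$dir/ipsec" "$dir/pluto.pid" 1 0
    rm -rf "$dir"
}
demo
```

Run as `sh triage.sh`; the demo prints `stale-lock,plutorun-gave-up,fips-pkg-without-fips-kernel`, which is the signature of this bug. A verdict of plain `stale-lock` without the FIPS finding points at some other cause of a lock left behind (for example an unclean shutdown), so the two checks are kept separate rather than folded into one.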

Comment 22 errata-xmlrpc 2013-11-21 23:48:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1718.html