Bug 1014009 - pluto fails to start in default configuration
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openswan
Version: 6.5
Hardware: All Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Paul Wouters
QA Contact: Ondrej Moriš
Keywords: Regression, TestBlocker
Depends On:
Blocks: 993793
Reported: 2013-10-01 05:08 EDT by Ondrej Moriš
Modified: 2013-11-21 18:48 EST

See Also:
Fixed In Version: openswan-2.6.32-27.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 18:48:06 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Ondrej Moriš 2013-10-01 05:08:26 EDT
Description of problem:

With the latest version of openswan packages, pluto fails to start during ipsec service start. 

Version-Release number of selected component (if applicable):

openswan-2.6.32-24.el6

How reproducible:

100%

Steps to Reproduce:

1. Use the default configuration:
    
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	# klipsdebug=none
	# plutodebug="control parsing"
	# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
	protostack=netkey
	nat_traversal=yes
	virtual_private=
	oe=off
	# Enable this if you see "failed to find any available worker"
	# nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

2. Start ipsec: service ipsec start
3. See the status and /v/l/m.

Actual results:

# service ipsec status
IPsec stopped
but...
has subsystem lock (/var/lock/subsys/ipsec)!

# tail /var/log/messages 
Oct  1 08:54:00 pes-guest-82 kernel: padlock: VIA PadLock not detected.
Oct  1 08:54:00 pes-guest-82 kernel: padlock: VIA PadLock Hash Engine not detected.
Oct  1 08:54:00 pes-guest-82 kernel: Intel AES-NI instructions are not detected.
Oct  1 08:54:00 pes-guest-82 kernel: Intel AES-NI instructions are not detected.
Oct  1 08:54:00 pes-guest-82 kernel: padlock: VIA PadLock not detected.
Oct  1 08:54:00 pes-guest-82 ipsec_setup: ...Openswan IPsec started
Oct  1 08:54:00 pes-guest-82 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Oct  1 08:54:00 pes-guest-82 pluto: adjusting ipsec.d to /etc/ipsec.d
Oct  1 08:54:00 pes-guest-82 ipsec__plutorun: whack: read() failed (104 Connection reset by peer)
Oct  1 08:54:00 pes-guest-82 ipsec__plutorun: pluto apparently already running (?!?), giving up

Expected results:

# service ipsec status
IPsec running  - pluto pid: 1951
pluto pid 1951
No tunnels up

# tail /var/log/messages 
Oct  1 08:59:51 pes-guest-82 ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64...
Oct  1 08:59:51 pes-guest-82 ipsec_setup: Using NETKEY(XFRM) stack
Oct  1 08:59:51 pes-guest-82 kernel: padlock: VIA PadLock not detected.
Oct  1 08:59:51 pes-guest-82 kernel: padlock: VIA PadLock Hash Engine not detected.
Oct  1 08:59:51 pes-guest-82 kernel: Intel AES-NI instructions are not detected.
Oct  1 08:59:51 pes-guest-82 kernel: padlock: VIA PadLock not detected.
Oct  1 08:59:51 pes-guest-82 ipsec_setup: ...Openswan IPsec started
Oct  1 08:59:51 pes-guest-82 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Oct  1 08:59:51 pes-guest-82 pluto: adjusting ipsec.d to /etc/ipsec.d
Oct  1 08:59:51 pes-guest-82 ipsec__plutorun: 003 no secrets filename matched "/etc/ipsec.d/*.secrets"

Additional info:

With the previous version of openswan (openswan-2.6.32-21.el6_4) it worked fine. Therefore some of the new patches must introduce this problem.

Comment 1 Ondrej Moriš 2013-10-01 05:19:44 EDT
This problem appears if the openswan-fips package is installed and the kernel fips flag is disabled. After removing the openswan-fips package, the problem disappears.
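
The following shell triage is an added example, not code from the report or from openswan: it looks for the failure signature from the "Actual results" log and combines it with the condition given in Comment 1. The function names and verdict strings are hypothetical, and reading the kernel FIPS flag from /proc/sys/crypto/fips_enabled is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report): triage for the pluto start failure.
# Inputs are passed as arguments so the logic can be exercised offline.

# Succeeds if the whack connection reset is followed by plutorun giving up.
has_failure_signature() {
    awk '
        index($0, "whack: read() failed (104 Connection reset by peer)") { reset = 1 }
        reset && index($0, "pluto apparently already running (?!?), giving up") { hit = 1 }
        END { exit !hit }
    ' "$1"
}

# classify LOGFILE FIPS_ENABLED(0|1) FIPS_PKG(yes|no) LOCK(yes|no)
classify() {
    if ! has_failure_signature "$1"; then
        echo "no-signature"
    elif [ "$3" = yes ] && [ "$2" = 0 ]; then
        # Condition from Comment 1: openswan-fips installed, kernel FIPS flag off.
        if [ "$4" = yes ]; then echo "matches-report-stale-lock"; else echo "matches-report"; fi
    else
        echo "signature-other-cause"
    fi
}

# Collect the live inputs on a host. Assumption: the "kernel fips flag" is
# what /proc/sys/crypto/fips_enabled reports.
triage_live() {
    fips=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
    if rpm -q openswan-fips >/dev/null 2>&1; then pkg=yes; else pkg=no; fi
    if [ -e /var/lock/subsys/ipsec ]; then lock=yes; else lock=no; fi
    classify /var/log/messages "$fips" "$pkg" "$lock"
}

# Two lines copied from the "Actual results" log in the report.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct  1 08:54:00 pes-guest-82 ipsec__plutorun: whack: read() failed (104 Connection reset by peer)
Oct  1 08:54:00 pes-guest-82 ipsec__plutorun: pluto apparently already running (?!?), giving up
EOF
}

# Offline demo on the sample log with the state described in the report.
demo_log=$(mktemp)
write_sample_log "$demo_log"
classify "$demo_log" 0 yes yes   # prints matches-report-stale-lock
rm -f "$demo_log"
```

On a host, `triage_live` gathers the same four inputs from the running system; the `stale-lock` verdict corresponds to the "IPsec stopped but... has subsystem lock" status shown in the report.
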
Comment 22 errata-xmlrpc 2013-11-21 18:48:06 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1718.html
