Description of problem:
With the latest version of openswan packages, pluto fails to start during ipsec service start.

Version-Release number of selected component (if applicable):
openswan-2.6.32-24.el6

How reproducible:
100%

Steps to Reproduce:
1. Use the default configuration:

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

2. Start ipsec: service ipsec start
3. See the status and /v/l/m.

Actual results:
# service ipsec status
IPsec stopped
but...
has subsystem lock (/var/lock/subsys/ipsec)!

# tail /var/log/messages
Oct 1 08:54:00 pes-guest-82 kernel: padlock: VIA PadLock not detected.
Oct 1 08:54:00 pes-guest-82 kernel: padlock: VIA PadLock Hash Engine not detected.
Oct 1 08:54:00 pes-guest-82 kernel: Intel AES-NI instructions are not detected.
Oct 1 08:54:00 pes-guest-82 kernel: Intel AES-NI instructions are not detected.
Oct 1 08:54:00 pes-guest-82 kernel: padlock: VIA PadLock not detected.
Oct 1 08:54:00 pes-guest-82 ipsec_setup: ...Openswan IPsec started
Oct 1 08:54:00 pes-guest-82 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Oct 1 08:54:00 pes-guest-82 pluto: adjusting ipsec.d to /etc/ipsec.d
Oct 1 08:54:00 pes-guest-82 ipsec__plutorun: whack: read() failed (104 Connection reset by peer)
Oct 1 08:54:00 pes-guest-82 ipsec__plutorun: pluto apparently already running (?!?), giving up

Expected results:
# service ipsec status
IPsec running - pluto pid: 1951
pluto pid 1951
No tunnels up

# tail /var/log/messages
Oct 1 08:59:51 pes-guest-82 ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64...
Oct 1 08:59:51 pes-guest-82 ipsec_setup: Using NETKEY(XFRM) stack
Oct 1 08:59:51 pes-guest-82 kernel: padlock: VIA PadLock not detected.
Oct 1 08:59:51 pes-guest-82 kernel: padlock: VIA PadLock Hash Engine not detected.
Oct 1 08:59:51 pes-guest-82 kernel: Intel AES-NI instructions are not detected.
Oct 1 08:59:51 pes-guest-82 kernel: padlock: VIA PadLock not detected.
Oct 1 08:59:51 pes-guest-82 ipsec_setup: ...Openswan IPsec started
Oct 1 08:59:51 pes-guest-82 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Oct 1 08:59:51 pes-guest-82 pluto: adjusting ipsec.d to /etc/ipsec.d
Oct 1 08:59:51 pes-guest-82 ipsec__plutorun: 003 no secrets filename matched "/etc/ipsec.d/*.secrets"

Additional info:
With previous version of openswan (openswan-2.6.32-21.el6_4) it worked fine. Therefore some of the new patches must introduce this problem.

This problem appears if the openswan-fips package is installed and the kernel fips flag is disabled. After removing the openswan-fips package, the problem disappears.
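
A triage check for the condition described in the comment above, as an added example that is not part of the original report or of openswan. It assumes `/proc/sys/crypto/fips_enabled` is the kernel FIPS flag (a missing file counts as disabled); the function names and result labels are illustrative, and the sample log in `demo` is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): triage for the pluto start failure.
# Assumption: /proc/sys/crypto/fips_enabled is the kernel FIPS flag; a missing
# file is treated as "disabled". Function names and labels are illustrative.

# True when LOGFILE holds both ipsec__plutorun lines from "Actual results".
has_failure_signature() {
    grep -qF 'whack: read() failed (104 Connection reset by peer)' "$1" &&
        grep -qF 'pluto apparently already running' "$1"
}

# True when the FIPS flag file is absent or contains 0.
fips_flag_disabled() {
    [ ! -r "$1" ] || [ "$(cat "$1")" = "0" ]
}

# classify LOGFILE FLAGFILE FIPS_PKG(yes|no) LOCKFILE -> prints one label
classify() {
    if ! has_failure_signature "$1"; then
        echo "no-signature"
    elif [ "$3" = "yes" ] && fips_flag_disabled "$2"; then
        # Matches the condition in the report; note a leftover subsystem lock.
        if [ -e "$4" ]; then echo "match-stale-lock"; else echo "match"; fi
    else
        echo "signature-other-cause"
    fi
}

# Runs classify on constructed sample data (hostname "host" is made up).
demo() {
    d=$(mktemp -d)
    {
        echo 'Oct 1 08:54:00 host ipsec__plutorun: whack: read() failed (104 Connection reset by peer)'
        echo 'Oct 1 08:54:00 host ipsec__plutorun: pluto apparently already running (?!?), giving up'
    } > "$d/messages"
    echo 0 > "$d/fips_enabled"
    : > "$d/ipsec.lock"
    classify "$d/messages" "$d/fips_enabled" yes "$d/ipsec.lock"
    rm -rf "$d"
}

case "${1:-}" in
    --demo) demo ;;
    --live)
        if rpm -q openswan-fips >/dev/null 2>&1; then pkg=yes; else pkg=no; fi
        classify /var/log/messages /proc/sys/crypto/fips_enabled "$pkg" /var/lock/subsys/ipsec
        ;;
esac
```

Run with `--demo` for the constructed sample or `--live` on an affected host; `match-stale-lock` corresponds to the "IPsec stopped but... has subsystem lock" status shown in the report.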
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1718.html