Description of problem:
I'm trying to set up IPSec on Fedora Core 3 test2 and am having many annoying issues:
- On one machine, I have the exact same /etc/ipsec.d/examples/no_oe.conf file as on the others, but when I try to run "service ipsec start", I get "/etc/init.d/ipsec: (/etc/ipsec.d/examples/no_oe.conf, line 12) section header " auto=ignore" has wrong number of fields (1) -- `start aborted", which I really don't understand as all lines have "auto=ignore", that one not having anything in particular.
- When running "service ipsec start", something gets either stuck or not properly daemonized since a while loop with initlog calls is still running after the service command has finished its execution:
  /bin/sh -c while read line; do /sbin/initlog -s $line -f ${LOG_FACILITY:-daemon} -p ${LOG_PRIORITY:-error} -t ipsec__plutorun; done
- Last, the docs are really poor, messy and outdated (that's actually more on the openswan side, I'll open another bug later on for that).

Version-Release number of selected component (if applicable):
ipsec-tools-0.3.3-1

How reproducible:
The running while loop with initlog is 100% reproducible on all 4 machines I've tested it on. The "wrong number of fields" problem is 100% reproducible on the only machine it's happening on, even after "rpm -e ipsec-tools openswan && rm -rf /etc/ipsec.*" and reinstalling both packages.

Steps to Reproduce:
1. Install ipsec-tools & openswan
2. service ipsec start
3. ps ax | grep initlog

Actual results:
/bin/sh -c while read line; do /sbin/initlog -s $line -f ${LOG_FACILITY:-daemon} -p ${LOG_PRIORITY:-error} -t ipsec__plutorun; done

Expected results:
Nothing.

Additional info:
I've already had a similar "wrong number of fields" error when I had a config file with an error or bad indentation, but here I'm using the default config files and didn't edit anything.
The system was installed with a minimal set of packages and ipsec-tools and openswan were later added with yum, so maybe it's a missing runtime dependency not pulled in by the packages? Just a thought.
Sorry, this bug should obviously have been against openswan and not ipsec-tools, changing that.
Unfortunately, ipsec.conf's parser is due for an update (see programs/starter). It is very sensitive to spaces and tabs (which are not both 'white space'). You should have conn name, and on the next line have <tab>option, and the end of the conn must have an empty line. We've added a trailing space to the conn lines which seems to fix the missing tab problem in CVS head. We will look into the logging loop, but the fedora package changed a lot of the logging functions, so I am not sure yet what code is at fault here.
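The layout rules described in the comment above, turned into a small checker that can be run over a config file before "service ipsec start". This is an added example, not part of the bug thread and not Openswan's parser: the function name, messages and sample input are constructed here, and it assumes a section header is a "conn" or "config" line with exactly two fields.

```python
# Constructed sample, not taken from the report: the second conn indents its
# option with spaces and the last conn has no empty line after it.
SAMPLE = (
    "conn block\n"
    "\tauto=ignore\n"
    "\n"
    "conn private\n"
    "    auto=ignore\n"
    "\n"
    "conn clear\n"
    "\tauto=ignore\n"
)


def lint_ipsec_conf(text):
    """Return (line_number, message) pairs for layout rule violations."""
    findings = []
    in_section = False     # inside a conn/config section not yet closed
    expect_option = False  # the previous line was a section header
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # produced by the final newline, not an empty line
    for no, line in enumerate(lines, 1):
        if line == "":
            if expect_option:
                findings.append((no, "section header not followed by an option"))
            in_section = expect_option = False
        elif line.strip() == "":
            # Conservative assumption: only a truly empty line ends a section.
            findings.append((no, "whitespace-only line, expected an empty line"))
        elif line.lstrip().startswith("#"):
            continue
        elif line[0] in " \t":
            if not in_section:
                findings.append((no, "indented line outside a section"))
            elif line[0] != "\t":
                findings.append((no, "option indented with spaces, expected a tab"))
            expect_option = False
        elif line.split()[0] in ("conn", "config"):
            if in_section:
                findings.append((no, "previous section not closed by an empty line"))
            if len(line.split()) != 2:
                findings.append((no, "section header needs exactly two fields"))
            in_section = expect_option = True
    if in_section:
        findings.append((len(lines), "last section not closed by an empty line"))
    return findings


if __name__ == "__main__":
    for no, message in lint_ipsec_conf(SAMPLE):
        print(f"line {no}: {message}")
```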
Well, with the exact default examples/no_oe.conf, I was getting that problem. Adding a white space at the end of every conn line seems to have worked around it, weird. Thanks for the tip.
Fixed in Openswan 2.2.1 (released shortly) - changed the no_oe.conf.in file in the distribution.