Red Hat Bugzilla – Bug 837088
up-client script fails to run
Last modified: 2016-10-19 06:48:20 EDT
Description of problem:
When setting up a strongSwan IPsec VPN, I ran into a problem: routing is not properly configured on successful connection. Upon investigation, I noticed the following record in the log (output truncated):
| executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='ios' <truncated>
"ios" 22.214.171.124:4500 #2: up-client output: sh: ipsec: command not found
"ios" 126.96.36.199:4500 #2: up-client command exited with status 127
I fixed this by creating a symbolic link:
sudo ln -s /usr/sbin/strongswan /usr/sbin/ipsec
(I know it creates a collision with other packages, but I had to get it working.)
Version-Release number of selected component (if applicable):
strongswan-4.6.4-1.el6 has been submitted as an update for Fedora EPEL 6.
strongswan-5.0.0-1.git20120619.el6 has been submitted as an update for Fedora EPEL 6.
Thanks for your bug report. If you have enough time, please test the 5.0.0 release. It should work well without configuration changes.
strongswan-4.6.4-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Just updated to 4.6.4 - still doesn't work - still requires symlink from /usr/sbin/ipsec to /usr/sbin/strongswan
Hi Alex, is it still exactly the same error? I just checked the git repo and it's been already fixed for 4.6.4:
Did you also try the 5.0.0 release?
Thanks for your updates.
Yes, exactly same error in 4.6.4.
I didn't try 5.0.0 yet, as I've used pluto, which is now gone, and now need to change (?) config for charon.
Here is output from 4.6.4:
Linux strongSwan U4.6.4/K2.6.32-220.23.1.el6.x86_64
| eroute_connection add eroute 192.168.10.1/32:0 -> 0.0.0.0/0:0 => tun.0@WANIP:0
| eroute_connection add eroute 0.0.0.0/0:0 -> 192.168.10.1/32:0 => tun.0@REMOTEIP:0
| executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='ios' PLUTO_NEXT_HOP='REMOTEIP' PLUTO_INTERFACE='eth1' PLUTO_REQID='16392' PLUTO_ME='WANIP' PLUTO_MY_ID='C=CH, O=junkyard, CN=ivpn.blah.com' PLUTO_MY_CLIENT='0.0.0.0/0' PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0.0.0.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='REMOTEIP' PLUTO_PEER_ID='C=CH, O=junkyard, CN=aleks' PLUTO_PEER_CLIENT='192.168.10.1/32' PLUTO_PEER_CLIENT_NET='192.168.10.1' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CH, O=junkyard, CN=junkyard CA' PLUTO_XAUTH_ID='aleks' PLUTO_UDP_ENC='3022' ipsec _updown iptables
"ios" REMOTEIP:3022 #2: up-client output: sh: ipsec: command not found
"ios" REMOTEIP:3022 #2: up-client command exited with status 12
Ah, it appears to be the same bug or one that is very similar. As 5.0.0 is not so different from 4.6.4, I would prefer if you could stick with the symlink workaround until you decide to switch to 5.0.0.
You might even try the unchanged config and see if you need any modifications at all.
Please see the differences here:
Does this apply to 5.1.1-3?
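Added example, not part of the bug report or of strongSwan's own code: a shell script that scans a pluto log for the failure quoted in this report (an updown hook exiting non-zero) and checks whether the hook's command word resolves on a given PATH. The function names and the shortened sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a pluto log for updown hooks that did not run.
# Exit status 127 is the shell's "command not found": the hook never
# executed, which this report links to routing not being configured.

# Constructed sample, shortened from the log lines quoted in this report.
sample_log() {
cat <<'EOF'
| executing up-client: 2>&1 PLUTO_VERB='up-client' PLUTO_CONNECTION='ios' PLUTO_MY_ID='C=CH, O=junkyard, CN=ivpn.blah.com' ipsec _updown iptables
"ios" REMOTEIP:3022 #2: up-client output: sh: ipsec: command not found
"ios" REMOTEIP:3022 #2: up-client command exited with status 127
EOF
}

# Print "connection|verb|status|last hook output" for each non-zero hook exit.
failed_hooks() {
  awk '
    match($0, /: (up|down)-[a-z]+ output: /) {
      conn = $1; gsub(/"/, "", conn)
      out[conn] = substr($0, RSTART + RLENGTH); next
    }
    match($0, /: (up|down)-[a-z]+ command exited with status [0-9]+/) {
      conn = $1; gsub(/"/, "", conn)
      n = split(substr($0, RSTART + 2, RLENGTH - 2), f, " ")
      if (f[n] != 0) print conn "|" f[1] "|" f[n] "|" out[conn]
    }'
}

# Extract the command word handed to sh: the first token after the last
# quoted PLUTO_* assignment on an "executing ..." line (assumes the hook
# command itself contains no single quotes).
hook_command() {
  sed -n "/^| executing /{s/.*' //;s/ .*//;p;}"
}

# True when sh would find command $1 using only the directories in $2.
resolves() {
  ( PATH=$2; command -v "$1" ) >/dev/null 2>&1
}

# Report failed hooks, then test the hook command against a PATH.
# /sbin:/usr/sbin:/bin:/usr/bin is an assumed daemon PATH, not taken from the page.
sample_log | failed_hooks
cmd=$(sample_log | hook_command)
resolves "$cmd" "/sbin:/usr/sbin:/bin:/usr/bin" ||
  echo "hook command '$cmd' does not resolve; updown hook will exit 127"
```

Replace `sample_log` with the real pluto log on stdin, and pass the PATH the daemon actually runs with, since an interactive shell's PATH can differ from it.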