
Re: could not stop ipsec

 
'chris'
Super Advisor

could not stop ipsec

hi

I could not stop ipsec on debian sarge stable:

if I start with:


# /etc/init.d/ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 2.04...
ipsec_setup: insmod: ipsec: no module by that name found
ipsec_setup: /sbin/insmod /lib/modules/2.4.27-2-386/kernel/net/key/af_key.o
ipsec_setup: Using /lib/modules/2.4.27-2-386/kernel/net/key/af_key.o
ipsec_setup: Symbol version prefix ''
ipsec_setup: /sbin/insmod -q /lib/modules/2.4.27-2-386/kernel/net/ipv4/ah4.o
ipsec_setup: Using /lib/modules/2.4.27-2-386/kernel/net/ipv4/ah4.o
ipsec_setup: Symbol version prefix ''
ipsec_setup: /sbin/insmod -q /lib/modules/2.4.27-2-386/kernel/net/ipv4/esp4.o
ipsec_setup: Using /lib/modules/2.4.27-2-386/kernel/net/ipv4/esp4.o
ipsec_setup: Symbol version prefix ''
ipsec_setup: /sbin/insmod -q /lib/modules/2.4.27-2-386/kernel/net/ipv4/ipcomp.o
ipsec_setup: Using /lib/modules/2.4.27-2-386/kernel/net/ipv4/ipcomp.o
ipsec_setup: Symbol version prefix ''
ipsec_setup: /sbin/insmod -q /lib/modules/2.4.27-2-386/kernel/net/xfrm/xfrm_user.o
ipsec_setup: Using /lib/modules/2.4.27-2-386/kernel/net/xfrm/xfrm_user.o
ipsec_setup: Symbol version prefix ''
ipsec_setup: WARNING: setkey not found.


could not stop anymore:


# /etc/init.d/ipsec stop
ipsec_setup: Stopping FreeS/WAN IPsec...
ipsec_setup: Attempt to shut Pluto down failed! Trying kill:
ipsec_setup: /usr/lib/ipsec/_realsetup: line 1: kill: (2192) - Kein passender Prozess gefunden

ipsec is still running !
even if I try to kill the process, it starts again


my config file:

# cat /etc/ipsec.conf

# basic configuration
config setup
interfaces=%defaultroute
#interfaces="ipsec0=eth0"
klipsdebug=none
plutodebug=none
#plutoload=%search
#plutostart=%search

uniqueids=yes
forwardcontrol=yes
#Enable NAT-Traversal
#nat_traversal=yes


# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
keyingtries=0
disablearrivalcheck=no
leftrsasigkey=%dnsondemand
rightrsasigkey=%dnsondemand
#compress=yes

# sample VPN connection
conn Firebox1
authby=secret
left=202.X.X.10
leftnexthop=202.X.X.1
leftsubnet=192.168.0.0/24
right=202.X.X.10
rightnexthop=202.X.X.1
rightsubnet=192.168.115.0/24
keyexchange=ike
pfs=yes
auto=start

conn Firebox2
authby=secret
left=202.X.X.10
leftnexthop=202.X.X.1
leftsubnet=10.0.0.0/8
right=202.X.X.10
rightnexthop=202.X.X.1
rightsubnet=192.168.115.0/24
keyexchange=ike
pfs=yes
auto=start

conn Firebox3
authby=secret
left=202.X.X.10
leftnexthop=202.X.X.1
leftsubnet=192.168.1.0/24
right=202.X.X.10
rightnexthop=202.X.X.1
rightsubnet=192.168.115.0/24
keyexchange=ike
pfs=yes
auto=start

Does someone know how to solve this problem?
Sergejs Svitnevs
Honored Contributor
Solution

Re: could not stop ipsec

First, check that you have a successful install:
# ipsec verify

Your host is trying to load the nonexistent ipsec.o module. It seems your module did not get installed properly.

What do "modprobe ipsec" and "depmod -a" say?

Regards,
Sergejs

'chris'
Super Advisor

Re: could not stop ipsec

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux FreeS/WAN U2.04/K(no kernel code presently loaded)
Checking for KLIPS support in kernel [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [FAILED]
whack: Pluto is not running (no "/var/run/pluto.ctl")
Two or more interfaces found, checking IP forwarding [FAILED]
whack: Pluto is not running (no "/var/run/pluto.ctl")
Checking NAT and MASQUERADEing
Opportunistic Encryption DNS checks:
Looking for TXT in forward map: ext.domain.net [MISSING]
Does the machine have at least one non-private address? [FAILED]

# modprobe ipsec
modprobe: Can't locate module ipsec

# depmod -a
#

Re: could not stop ipsec

Hi,

"ipsec_setup: insmod: ipsec: no module by that name found"

Don't you have this module in /lib/modules/2.x.x/? Is it compiled into the kernel?

By the way, this is, for me, the only reason you cannot stop FreeSWan, because it seems that your modules have been re-compiled (a lot of "Symbol version prefix" messages at start).

I think you should try asking on the mailing lists of FreeSwan. (http://www.freeswan.org/)
Sergejs Svitnevs
Honored Contributor

Re: could not stop ipsec

Seems your kernel does not support IPSec.
You can set up the 2.6.X stable kernel (has native IPSec support) or install the freeswan-modules-source package (from http://packages.debian.org/stable/net/freeswan-modules-source), which contains the source for the FreeSWan modules.
'chris'
Super Advisor

Re: could not stop ipsec

I've done:

# apt-get install kernel-image-2.6.8-2-686
# uname -a
Linux ext.domain.net 2.6.8-2-686 #1 Tue Aug 16 13:22:48 UTC 2005 i686 GNU/Linux
# apt-get install freeswan-modules-source

and still get problems:

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux FreeS/WAN U2.04/K(no kernel code presently loaded)
Checking for KLIPS support in kernel [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing

Opportunistic Encryption DNS checks:
Looking for TXT in forward map: ext.domain.net [MISSING]
Does the machine have at least one non-private address? [FAILED]
Sergejs Svitnevs
Honored Contributor

Re: could not stop ipsec

Could you stop ipsec without killing the process?
'chris'
Super Advisor

Re: could not stop ipsec

no, if I try to stop with:

# /etc/init.d/ipsec stop

or

# ipsec setup --stop

it's still running.
'chris'
Super Advisor

Re: could not stop ipsec

the problem is solved now !

I changed in /etc/ipsec.conf from:

interfaces=%defaultroute

to:

interfaces="ipsec0=eth0"

and it seems to be OK now.
'chris'
Super Advisor

Re: could not stop ipsec

The only thing I could not understand

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux FreeS/WAN U2.04/K(no kernel code presently loaded)
Checking for KLIPS support in kernel [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing

Opportunistic Encryption DNS checks:
Looking for TXT in forward map: ext.domain.net [MISSING]
Does the machine have at least one non-private address? [FAILED]


is how to solve these FAILED or MISSING problems?
Sergejs Svitnevs
Honored Contributor

Re: could not stop ipsec

According to the "http://www.freeswan.org/freeswan_trees/CURRENT-TREE/doc/2.6.known-issues" document, kernel 2.6 series IPsec does not have KLIPS-style ipsecN interfaces, therefore you can ignore the "ipsec verify" error messages.

Regards
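
Added example (not part of the thread and not FreeS/WAN code): a shell filter that triages `ipsec verify` output like the paste above, marking the KLIPS failure as expected on a 2.6 kernel, as the last reply explains. The function names and verdict labels are made up here, and treating the checks under the "Opportunistic Encryption DNS checks" header as relevant only when opportunistic encryption is used is an assumption of this example.

```shell
#!/bin/sh
# Triage `ipsec verify` output (FreeS/WAN 2.04 format as pasted in this thread).
# Real use: ipsec verify | triage_verify "$(uname -r)"
# Output: one line per non-OK check: VERDICT <tab> STATUS <tab> CHECK
triage_verify() {
    kernel_release=$1
    awk -v krel="$kernel_release" '
        # Everything after this header belongs to Opportunistic Encryption.
        /^Opportunistic Encryption DNS checks:/ { in_oe = 1; next }
        # Result lines end in a bracketed status; other lines are detail text.
        match($0, /\[(OK|FAILED|MISSING)\][ \t]*$/) {
            status = substr($0, RSTART + 1, RLENGTH)
            sub(/\].*/, "", status)
            check = substr($0, 1, RSTART - 1)
            sub(/[ \t]+$/, "", check)
            if (status == "OK") next
            # 2.6 native IPsec has no KLIPS ipsecN interfaces (see last reply).
            if (check ~ /KLIPS/ && krel ~ /^2\.6\./) verdict = "EXPECTED"
            # Assumption of this example: OE checks matter only if OE is used.
            else if (in_oe) verdict = "OE-ONLY"
            else verdict = "INVESTIGATE"
            printf "%s\t%s\t%s\n", verdict, status, check
        }
    '
}

# Sample input: the last `ipsec verify` paste from this thread.
sample_verify_output() {
    cat <<'EOF'
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux FreeS/WAN U2.04/K(no kernel code presently loaded)
Checking for KLIPS support in kernel [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing

Opportunistic Encryption DNS checks:
Looking for TXT in forward map: ext.domain.net [MISSING]
Does the machine have at least one non-private address? [FAILED]
EOF
}

sample_verify_output | triage_verify 2.6.8-2-686
```

Passing a 2.4 kernel release instead turns the KLIPS line into INVESTIGATE, which matches the first half of the thread, where the missing ipsec module was the actual fault.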