Jim Walters wrote:
Hi All,

I have been a happy LRP and LEAF user for a number of years now.  Thanks for
all the great work!  I started messing with LRP for fun and began production
use at some offices with LRP 2.9.4.  The offices have been updated over the
years, moving up through Dachstein and Eiger and using Bering most recently.
Fantastic stuff that just works!  My best uptime so far has been about 380
days!  Nice!  Anyway, I've been recently asked to provide some VPN
functionality at a couple of offices that are running Bering.  I've done a
bit of research and spent a bit of time trying to get a working setup on the
bench.  I can't seem to get past a couple of hitches and it is time to ask
the community for a bit of help.  I'm certain that it is my inexperience
with IPSec that is causing the problems, so hopefully it will be a quick bit
of advice that will put me back on track.

At this point, I have eliminated all of the errors that displayed on the
console during the startup phase.  When I try to start the VPN connection
from the command line with "ipsec auto --up vpn_jim" (vpn_jim is the name of
my vpn tunnel, I think), I get "whack: Pluto is not running (no
"var/run/pluto.ctl")" as the response.  I get that message for most anything
that I type that starts with ipsec.  When I look in /var/log/daemon.log, I
can see a line that says "ipsec__plutorun: !pluto failure: exited with error
status 1".  When I look in /var/log/auth.log, I can see a line that says
"pluto[31029]: FATAL ERROR: unable to malloc 0 bytes for cert".  The few
previous lines mentioned loading the cacert file and the crl file.  There is
nothing in the process list about pluto, so I think it's dead.

Anybody got any suggestions?

Stupid question #1: Did you start IPSec at startup (or manually)? Try running: svi ipsec start

Stupid question #2:
If you did try starting pluto and it crashed, have you tried using a simpler auth method? I suggest getting things going with pre-shared-secrets, then migrating to RSA keys or certs once things are working...there's enough complexity in IPSec by itself, adding cert issues on top of it can be daunting for a first go-round.


Stupid question #3:
It looks like you're using plain RSA keys. I don't know if the Cert-patched version of ipsec that comes with Bering-uClibc supports this, or if it only likes full-blown certificates. I use RSA keys (w/o using certs) on Bering (normal, not uClibc), and it happily interoperates with my Dachstein routers still in production (which don't understand certs anyway).


NOTE: It is *REALLY* easy to malform your ipsec secrets file (it's got an odd syntax, and ipsec is very picky), which can cause no end of 'what-now..it should work' type problems. Be careful when editing, read through the manpages (find online), and try to follow some examples verbatim for your first tunnel(s). A misplaced (or missing) space or tab can do you in...

--
Charles Steinkuehler
[EMAIL PROTECTED]
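A small checker for the whitespace and colon slips in ipsec.secrets that the reply above warns about, added here as an example and not part of the thread or of the FreeS/WAN tools. It is a hypothetical, simplified lint that assumes the documented layout (optional indices, a colon, then PSK "secret" or an RSA block, with continuation lines indented); the sample file is constructed.

```python
import re

# Hypothetical, simplified check of FreeS/WAN ipsec.secrets layout (not pluto's
# own parser): `[index ...] : PSK "secret"` or `: RSA { ... }`, where an index
# is a dotted IPv4, an @name ID or %any, and continuation lines are indented.
_INDEX_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|@[\w.-]+|%any)$")
_PSK_RE = re.compile(r'^PSK\s+"[^"]+"$')  # PSK, whitespace, "quoted" secret

def lint_ipsec_secrets(text):
    """Return (line_no, message) pairs for entries pluto would likely reject."""
    entries = []  # [first_line_no, entry text joined across continuations]
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # assumes no '#' inside a secret
        if not line.strip():
            continue
        if line[0] in " \t" and entries:
            entries[-1][1] += " " + line.strip()  # indented = continuation
        else:
            entries.append([no, line.strip()])  # unindented = new entry
    problems = []
    for no, entry in entries:
        head, colon, body = entry.partition(":")
        if not colon:
            problems.append((no, 'no ":" between the indices and the secret'))
            continue
        for idx in head.split():
            if not _INDEX_RE.match(idx):
                problems.append((no, f"bad index {idx!r}: want IPv4, @name or %any"))
        body = body.strip()
        if body.startswith("PSK"):
            if not _PSK_RE.match(body):
                problems.append((no, f'PSK needs a space then a "quoted" secret: {body!r}'))
        elif body.startswith("RSA {") and not body.endswith("}"):
            problems.append((no, "RSA { block never closed (indent its lines)"))
        elif not body.startswith("RSA"):
            problems.append((no, f"unknown secret type: {body!r}"))
    return problems

# Constructed sample: one good PSK entry followed by the usual slips.
SAMPLE = """\
# good: two hosts share a PSK
10.1.0.1 10.2.0.1: PSK "secret shared by two hosts"
# bad: no space between PSK and the quoted secret
10.1.0.1 10.3.0.1: PSK"no space"
# bad: continuation line not indented, so it is read as two entries
10.1.0.1 @gw.example.com
10.4.0.1: PSK "split entry"
# bad: colon forgotten
10.1.0.1 10.5.0.1 PSK "no colon"
"""
```

Running lint_ipsec_secrets(SAMPLE) reports lines 4, 6 and 9; the same function can be pointed at a real /etc/ipsec.secrets before restarting pluto.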



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html