[Users] pclose pfkey fails (?!!) Please help

From: Jeremy (jcapps_at_qwest.net)
Date: Sat Nov 30 2002 - 19:30:56 CET


Since FreeS/WAN's Mailman seems to be having issues, I hope this eventually
gets posted.

Red Hat 7.1, fresh kernel 2.4.9-34
Using FreeS/WAN 1.99 RPM
PSK method with a remote firewall appliance that has a DHCP address (which
unfortunately only supports PSK, PFS, encrypted/auth)
It connects, but no route is created (may not be related).

Added to ipsec.secrets:
my.freeswan.server.ip %any : PSK "mysecret"

ipsec.conf:

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        type=tunnel
        keyingtries=1
        leftupdown=/path/to/my/modified/_updown
        authby=secret
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no

conn roadwarrior
        auto=add
        left=my.freeswan.server.ip
        leftnexthop=my.gate.way.ip
        leftsubnet=10.0.0.0/24
        right=%any
        rightsubnet=192.168.1.0/24

ipsec barf output:

Nov 30 09:46:58 myserver pluto[4424]: "roadwarrior"[1] my.road.warrior.ip #3: responding to Main Mode from unknown peer 12.224.112.69
Nov 30 09:46:58 myserver pluto[4424]: "roadwarrior"[1] my.road.warrior.ip #3: sent MR3, ISAKMP SA established
Nov 30 09:46:59 myserver pluto[4424]: "roadwarrior"[1] my.road.warrior.ip #4: responding to Quick Mode
Nov 30 09:46:59 myserver pluto[4424]: ERROR: "roadwarrior"[1] my.road.warrior.ip #4: pclose failed for up-client command. Errno 10: No child processes
Nov 30 09:47:09 myserver pluto[4424]: ERROR: "roadwarrior"[1] my.road.warrior.ip #4: pclose failed for up-client command. Errno 10: No child processes
Nov 30 09:47:09 myserver pluto[4424]: ERROR: "roadwarrior"[1] my.road.warrior.ip #4: pfkey write() of SADB_DELETE message 31 for Delete SA esp.fcc55661_at_my.freeswan.server.ip failed. Errno 3: No such process
Nov 30 09:47:09 myserver pluto[4424]: | 02 04 00 03 0a 00 00 00 1f 00 00 00 48 11 00 00
Nov 30 09:47:09 myserver pluto[4424]: | 02 00 01 00 fc c5 56 61 00 01 00 00 00 00 00 00
Nov 30 09:47:09 myserver pluto[4424]: | 03 00 05 00 00 00 00 00 02 00 01 f4 0c e0 70 45
Nov 30 09:47:09 myserver pluto[4424]: | 00 00 00 00 00 00 00 00 03 00 06 00 00 00 00 00
Nov 30 09:47:09 myserver pluto[4424]: | 02 00 00 00 41 66 17 81 00 00 00 00 00 00 00 00
Nov 30 09:47:29 myserver pluto[4424]: ERROR: "roadwarrior"[1] my.road.warrior.ip #4: pclose failed for up-client command. Errno 10: No child processes
Nov 30 09:47:29 myserver pluto[4424]: ERROR: "roadwarrior"[1] my.road.warrior.ip #4: pfkey write() of SADB_DELETE message 38 for Delete SA esp.fcc55661_at_my.freeswan.server.ip failed. Errno 3: No such process

I have made some changes, like commenting out the ipchains test in
/usr/local/lib/ipsec/_plutorun. Commented out:

#if test -f /etc/sysconfig/ipchains
#then
#       if egrep -q 500:500 /etc/sysconfig/ipchains
#       then
#               :
#       else
#               ipchains -I input 1 -p udp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 500:500 -j ACCEPT
#               # if it redhat, then save the rules again.
#               if [ -f /etc/redhat-release ]
#               then
#                       sh /etc/rc.d/init.d/ipchains save
#               fi
#       fi
#fi

Also, deleted from my modified _updown (not the one in /usr/local/lib/ipsec):

up-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
*)      echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;

and added to my modified _updown:

up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        iptables -A FORWARD \
        -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
        -j ACCEPT
        iptables -A FORWARD \
        -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
        -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -j ACCEPT
        ;;
down-client:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        iptables -D FORWARD \
        -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
        -j ACCEPT
        iptables -D FORWARD \
        -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
        -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -j ACCEPT
        ;;

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
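As an added example (not the poster's script and not FreeS/WAN's own), here is a complete custom leftupdown= script built along the lines of the up-client/down-client branches in the post. It assumes the PLUTO_* variables pluto exports, iptables on the host, and the stock script at /usr/local/lib/ipsec/_updown (the path from the post) for every other verb; the STOCK_UPDOWN and IPTABLES overrides are assumptions added so the logic can be dry-run with IPTABLES=echo.

```shell
#!/bin/sh
# Added example, not the poster's script: a custom leftupdown= script that
# installs FORWARD rules for the client subnets on up-client/down-client and
# hands every other verb (prepare-, route-, unroute-, up-host, ...) to the
# stock script so that routes are still created. STOCK_UPDOWN and IPTABLES
# are assumed to be overridable so the logic can be exercised without root.
STOCK_UPDOWN="${STOCK_UPDOWN:-/usr/local/lib/ipsec/_updown}"
IPTABLES="${IPTABLES:-iptables}"

# One rule per direction: FORWARD sees the outbound flow and the decrypted
# inbound flow between the two client subnets.
forward_rules() {
    my="$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK"
    peer="$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
    printf '%s\n' "-s $my -d $peer -j ACCEPT" "-s $peer -d $my -j ACCEPT"
}

# action is -A (append) or -D (delete). Deleting before appending keeps
# repeated up-client runs (rekeys, retries) from stacking duplicate rules.
apply_rules() {
    action="$1"
    forward_rules | while read -r rule; do
        if [ "$action" = "-A" ]; then
            $IPTABLES -D FORWARD $rule >/dev/null 2>&1 || true
        fi
        $IPTABLES "$action" FORWARD $rule
    done
}

# The stock _updown dispatches on "$PLUTO_VERB:$1"; $1 is empty unless a
# firewall argument is passed, hence the "up-client:)" label in the post.
updown() {
    case "$PLUTO_VERB:$1" in
    up-client:)   apply_rules -A ;;
    down-client:) apply_rules -D ;;
    *)            "$STOCK_UPDOWN" "$@" ;;
    esac
}

# Dispatch only when pluto invokes the script (PLUTO_VERB set); sourcing it
# with PLUTO_VERB unset just defines the functions.
[ -z "${PLUTO_VERB:-}" ] || updown "$@"
```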

This archive was generated by hypermail 2.1.5 : Wed Dec 04 2002 - 05:20:58 CET