View Issue Details

ID: 0005832
Project: CentOS-6
Category: openswan
View Status: public
Last Update: 2013-12-03 13:45
Reporter: gstreeter
Assigned To:
Status: assigned
Resolution: open
Platform: AMD
OS: Linux
OS Version: CentOS 6.3
Product Version: 6.3

Summary: 0005832: Openswan IPSEC not working after package update

Description: After installing the updated Openswan package (openswan.i686 0:2.6.32-18.el6_3) released today, 13 Jul 12, I can no longer create L2TP/IPSEC connections to my server from other devices. There are no error messages in the logs and the openswan pluto.log shows the SA being established as normal, but the devices time out and report unable to establish the connection. I rolled back to the previous package (openswan.i686 0:2.6.32-18.el6) and normal operation was restored.

With the updated package the connections do not progress from STATE_QUICK_R2 to STATE_MAIN_R3.

Steps To Reproduce:

1) Set up Openswan L2TP/IPSEC VPN successfully with openswan.i686 0:2.6.32-18.el6

2) Upgrade to openswan.i686 0:2.6.32-18.el6_3

3) Clients can no longer connect to the VPN server.

Additional Information: No error message found in any associated logs. SELinux set to permissive but same result.

Tags: No tags attached.




2012-07-18 11:52

administrator   ~0015497

It seems there is a regression in the openswan-2.6.32-18.el6_3 package.
I can't confirm your issue, but mine is really close to yours:
after updating my openswan package to openswan-2.6.32-18.el6_3 (from openswan-2.6.32-16.el6 - 6.3[base]), I can't initiate an ipsec/l2tp connection anymore (so on my side, I'm a client, not a server).
Reverting back to 2.6.32-16.el6 fixes the issue.
I've not (yet) had free time to investigate that issue and I don't see a relevant bug report on upstream bugzilla wrt that issue (seems to be an l2tp/ipsec combination issue).


2012-07-18 11:53

administrator   ~0015498

Two people acking on a regression with the latest version of openswan package


2012-07-19 19:56

reporter   ~0015511

My original report was slightly wrong as I reverted to 2.6.32-16.el6 as well. Both Android (Gingerbread) and iOS 5.1 clients now cannot connect to the CentOS server if upgraded to 2.6.32-18.el_3


2012-07-20 20:57

reporter   ~0015519

Exactly the same issue for me: everything is working OK with openswan-2.6.32-18.el_2 but not with openswan-2.6.32-18.el6_3 (Windows 7 clients).


2012-07-21 11:16

reporter   ~0015523

I have removed the distribution packaged version of Openswan and replaced this with a local build using the downloaded source for the latest version from the Openswan project (2.6.38). This functions correctly and I am able to establish ipsec/l2tp connections from my Android and iOS clients.


2012-07-26 21:17

reporter   ~0015556

Having replaced the flawed Openswan with the working release I find that the new update to XL2TPD released today has once again broken IPSEC/L2TP. Dear upstream, doesn't anyone bother to test their changes anymore? The sole reason I use CentOS is to run the VPN server. These multiple failures thanks to upstream render the system useless. What a waste of time. Hardly a great advert for converting to Linux.


2012-07-26 21:26

reporter   ~0015557

XL2TPD error is:

    Jul 26 21:53:01 pppd[22778]: /usr/lib/./pppd/2.4.5/ cannot open shared object file: No such file or directory
    Jul 26 21:53:01 pppd[22778]: Couldn't load plugin


2012-07-26 21:50

reporter   ~0015558

Fix for xl2tpd is to include the following line in xl2tpd.conf:

    force userspace = yes


2012-07-31 03:13

reporter   ~0015566

I can also confirm both of these regressions (openswan & xl2tpd). To resolve, I had to downgrade openswan from 2.6.32-18.el6_3 to 2.6.32-16.el6:

    yum downgrade openswan

... and I had to add what gstreeter provided to /etc/xl2tpd/xl2tpd.conf

    force userspace = yes

in the "[global]" section.


2012-11-11 18:51

reporter   ~0016021

Can confirm this bug. Can also confirm that a yum downgrade openswan and the adding of force userspace = yes works to solve the problems.

These versions are working:

    ipsec --version
    Linux Openswan U2.6.32/K2.6.32-71.29.1.el6.i686 (netkey)

    xl2tpd --version
    xl2tpd version: xl2tpd-1.3.1


2013-09-09 19:05

manager   ~0017956

How is this issue with openswan-2.6.32-21.el6_4?


2013-09-11 20:31

manager   ~0017974

Still not solved with 2.6.32-21.el6_4.


2013-12-02 18:53

manager   ~0018528

How is the issue with openswan-2.6.32-27.el6 released with 6.5?


2013-12-03 13:45

reporter   ~0018532

I no longer use Openswan as this utility has not been maintained. I now use Strongswan with pure IPSec rather than l2tp and not with CentOS.

Issue History

Date Modified Username Field Change
2012-07-13 09:38 gstreeter New Issue
2012-07-18 11:52 arrfab Note Added: 0015497
2012-07-18 11:53 arrfab Note Added: 0015498
2012-07-18 11:53 arrfab Status new => acknowledged
2012-07-19 19:56 gstreeter Note Added: 0015511
2012-07-20 20:57 acdmail Note Added: 0015519
2012-07-21 11:16 gstreeter Note Added: 0015523
2012-07-26 21:17 gstreeter Note Added: 0015556
2012-07-26 21:26 gstreeter Note Added: 0015557
2012-07-26 21:50 gstreeter Note Added: 0015558
2012-07-31 03:13 kipkoan Note Added: 0015566
2012-11-11 18:51 raymii Note Added: 0016021
2013-09-09 19:05 tigalch Note Added: 0017956
2013-09-11 20:31 tigalch Note Added: 0017974
2013-12-02 18:53 tigalch Note Added: 0018528
2013-12-02 18:53 tigalch Status acknowledged => feedback
2013-12-03 13:45 gstreeter Note Added: 0018532
2013-12-03 13:45 gstreeter Status feedback => assigned