IPSEC support before and after using an L2TP VPN connection

Asked by karatedog on 2011-09-18

I did a Restart, then:
~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K(no kernel code presently loaded)
Checking for IPsec support in kernel [FAILED]
Checking that pluto is running [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Two or more interfaces found, checking IP forwarding [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

So it seems IPSec support failed.

Then I start one of my VPN connections (I couldn't successfully set it up yet, so it fails with 'Maximum retries exceeded for tunnel').

Then I run 'ipsec verify' again:

~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.38-11-generic (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

So IPsec support in kernel is now OK.

I'm not a kernel guru, but shouldn't it be supported immediately after reboot? It looks like running an L2TP VPN connection sets something which makes 'ipsec' notice that the kernel supports IPsec.

Question information

Language: English
Status: Solved
For: L2TP over IPsec VPN Manager
Assignee: No assignee
Solved by: Werner Jaeger
Solved: 2011-09-20
Last query: 2011-09-20
Last reply: 2011-09-20

Best answer: Werner Jaeger (werner-jaeger) said : #1

I do not really know how ipsec verify works, but it seems as if kernel support can only be detected when ipsec is started; at least the kernel code of ipsec must have been loaded.

Cheers
 Werner
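
An added example, not part of the thread or of Openswan: a small shell triage of `ipsec verify` output that reads the kernel field of the version line, so a "[FAILED]" kernel check taken while nothing is loaded can be told apart from failures that persist once the stack is up. The function names are hypothetical, and the sample lines are copied (trimmed) from the two runs in the question.

```shell
#!/bin/sh
# Added example (not from the thread): triage `ipsec verify` output.
# Function names are hypothetical; sample text is trimmed from the question.

# Kernel field of the "Linux Openswan U.../K..." line, e.g.
# "(no kernel code presently loaded)" or "2.6.38-11-generic (netkey)".
kernel_stack() {
    sed -n 's/^Linux Openswan U[^/]*\/K\(.*\)$/\1/p'
}

# Names of the checks that ended in [FAILED], one per line.
failed_checks() {
    sed -n 's/[[:space:]]*\[FAILED\][[:space:]]*$//p'
}

# Classify one run read from stdin. "not-loaded" means the kernel-support
# result was taken before any IPsec kernel code was loaded.
triage() {
    out=$(cat)
    case $(printf '%s\n' "$out" | kernel_stack) in
        *"no kernel code presently loaded"*) state=not-loaded ;;
        "") state=unknown ;;
        *) state=loaded ;;
    esac
    printf 'stack=%s\n' "$state"
    printf '%s\n' "$out" | failed_checks | sed 's/^/failed: /'
}

BEFORE='Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K(no kernel code presently loaded)
Checking for IPsec support in kernel [FAILED]
Checking that pluto is running [FAILED]
Two or more interfaces found, checking IP forwarding [FAILED]'

AFTER='Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.38-11-generic (netkey)
Checking for IPsec support in kernel [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]'

printf '%s\n' "$BEFORE" | triage
printf '%s\n' "$AFTER" | triage
```

On a live system the same function can be fed directly with `ipsec verify | triage`.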

karatedog (karatedog) said : #2

Thanks Werner Jaeger, that solved my question.