[Swan-dev] pluto crashes with signal 11 when ike=des
Ben Lentz
ben.lentz at gmail.com
Tue Jul 8 08:20:12 EEST 2014
Hey folks,
I apologize if this is the wrong place to post to receive help for an
issue like this.
I am trying to connect to an IPSEC gateway that requires single DES
but I find that when I specify ike=des, the pluto process crashes and
drops core.
I've tried this on the version of OpenSwan that comes with RHEL /
CentOS 6 (2.6.32) and the version of libreswan that comes with Fedora
20 (3.8) - booting a Live CD with Fedora 20 and confirming the result
there was the quickest way I could think of to reproduce the issue on
a late(r|st) version without a potentially complicated source code
compile.
The logging data in Fedora 20 produced by journalctl while using the
cute little GUI applet looks like this:
Jul 08 00:56:57 localhost pluto[5798]: loading secrets from "/etc/ipsec.secrets"
Jul 08 00:56:57 localhost pluto[5798]: loading secrets from
"/etc/ipsec.d/ipsec-nm-conn1.secrets"
Jul 08 00:56:59 localhost pluto[5798]: | entering aalg_getbyname_esp()
Jul 08 00:56:59 localhost pluto[5798]: added connection description "nm-conn1"
Jul 08 00:56:59 localhost NetworkManager[903]: <info> VPN connection
'VPN 1' (Connect) reply received.
Jul 08 00:56:59 localhost pluto[5798]: | oakley_alg_makedb() ike enc
ealg=1 not present
Jul 08 00:56:59 localhost pluto[5798]: | oakley_alg_makedb() ike enc
ealg=1 not present
Jul 08 00:56:59 localhost pluto[5798]: | oakley_alg_makedb() ike enc
ealg=1 not present
Jul 08 00:56:59 localhost pluto[5798]: | oakley_alg_makedb() ike enc
ealg=1 not present
Jul 08 00:56:59 localhost kernel: pluto[5798]: segfault at 4 ip
00007fd39977a35f sp 00007ffff99e65a0 error 6 in
pluto[7fd39970a000+10c000]
Jul 08 00:56:59 localhost abrt-hook-ccpp[5870]: Saved core dump of pid
5798 (/usr/libexec/ipsec/pluto) to
/var/tmp/abrt/ccpp-2014-07-08-00:56:59-5798 (28303360 bytes)
Jul 08 00:56:59 localhost NetworkManager[903]: <info> VPN plugin state
changed: stopped (6)
Jul 08 00:56:59 localhost NetworkManager[903]: <info> VPN plugin state
change reason: 0
Jul 08 00:56:59 localhost NetworkManager[903]: <warn> error
disconnecting VPN: Could not process the request because no VPN
connection was active.
Jul 08 00:56:59 localhost abrt-server[5871]: Generating core_backtrace
Jul 08 00:56:59 localhost abrt-server[5871]: Generating backtrace
Jul 08 00:57:01 localhost abrt-server[5871]: Duplicate: core backtrace
Jul 08 00:57:01 localhost abrt-server[5871]: DUP_OF_DIR:
/var/tmp/abrt/ccpp-2014-07-08-00:43:27-5095
Jul 08 00:57:01 localhost abrt-server[5871]: Deleting problem
directory ccpp-2014-07-08-00:56:59-5798 (dup of
ccpp-2014-07-08-00:43:27-5095)
Jul 08 00:57:01 localhost gnome-session[1259]: abrt-applet: repeated
problem in libreswan-3.8-1.fc20, not showing the notification
Jul 08 00:57:05 localhost NetworkManager[903]: ipsec/pluto started with pid 5798
Jul 08 00:57:05 localhost NetworkManager[903]: pluto_watch: pluto died
with signal 11
Jul 08 00:57:05 localhost NetworkManager[903]: <info> VPN service
'openswan' disappeared
This is roughly the same result I get configuring the
ipsec.d/conn.conf files by hand on the RHEL / CentOS 6 boxes. I
believe I do actually need single DES; I have been able to establish a
connection to this gateway using vpnc and using whatever IPSEC
software runs on Android 4.4.2 when configuring a "Basic VPN" in
"IPSec Xauth PSK" mode. The path of least resistance would seem to be
to use vpnc to connect to this gateway, however, I have a need to
connect to other IPSEC gateways in addition to this one at the same
time as this one and I can obviously only have one thing bound to UDP
500 at a time - so unfortunately that's my use case.
Not setting ike= results in NO_PROPOSAL_CHOSEN and setting it to aes
or 3des results in INVALID_HASH_INFORMATION.
I tried recompiling OpenSwan on the RHEL / CentOS 6 box using
USE_WEAKSTUFF?=true, with no impact, I have the same symptoms.
Anyway, here's the gdb output from the crash. Am I out of luck or do I
have any options for troubleshooting this further? I would greatly
appreciate any help you folks can provide. Thank you.
[root at localhost ccpp-2014-07-08-00:43:27-5095]# gdb
/usr/libexec/ipsec/pluto coredump
GNU gdb (GDB) Fedora 7.6.50.20130731-16.fc20
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
..
Reading symbols from /usr/libexec/ipsec/pluto...Reading symbols from
/usr/lib/debug/usr/libexec/ipsec/pluto.debug...done.
done.
[New LWP 5095]
[New LWP 5098]
[New LWP 5100]
[New LWP 5099]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/libexec/ipsec/pluto --config
/etc/ipsec.conf --nofork'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 oakley_alg_makedb (ai=<optimized out>, base=0x7f26367e26c8
<oakley_am_sadb+360>, maxtrans=maxtrans at entry=2)
at /usr/src/debug/libreswan-3.8/programs/pluto/spdb_struct.c:308
308 gsp->parentSA = TRUE;
Missing separate debuginfos, use: debuginfo-install
audit-libs-2.3.2-1.fc20.x86_64 cyrus-sasl-lib-2.1.26-14.fc20.x86_64
keyutils-libs-1.5.8-1.fc20.x86_64 krb5-libs-1.11.3-33.fc20.x86_64
ldns-1.6.16-6.fc20.x86_64 libcom_err-1.42.8-3.fc20.x86_64
libevent-2.0.21-3.fc20.x86_64 libidn-1.28-2.fc20.x86_64
libssh2-1.4.3-8.fc20.x86_64 nss-mdns-0.10-13.fc20.x86_64
nss-softokn-3.15.2-2.fc20.x86_64
nss-softokn-freebl-3.15.2-2.fc20.x86_64
openssl-libs-1.0.1e-30.fc20.x86_64 pcre-8.33-2.fc20.1.x86_64
python-libs-2.7.5-9.fc20.x86_64 sqlite-3.8.1-2.fc20.x86_64
systemd-libs-208-9.fc20.x86_64 zlib-1.2.8-3.fc20.x86_64
(gdb) where
#0 oakley_alg_makedb (ai=<optimized out>, base=0x7f26367e26c8
<oakley_am_sadb+360>, maxtrans=maxtrans at entry=2)
at /usr/src/debug/libreswan-3.8/programs/pluto/spdb_struct.c:308
#1 0x00007f263653687c in init_am_st_oakley
(st=st at entry=0x7f2636a645c0, policy=policy at entry=1376452709) at
/usr/src/debug/libreswan-3.8/programs/pluto/spdb_v1_struct.c:1528
#2 0x00007f2636545d55 in aggr_outI1 (whack_sock=25, c=0x7f2636a60eb0,
predecessor=0x0, policy=1376452709, try=1,
importance=pcim_demand_crypto, uctx=0x0)
at /usr/src/debug/libreswan-3.8/programs/pluto/ikev1_aggr.c:1163
#3 0x00007f26364eaa46 in initiate_a_connection (c=<optimized out>,
arg=arg at entry=0x7fffe558e650) at
/usr/src/debug/libreswan-3.8/programs/pluto/initiate.c:267
#4 0x00007f26364ec8a5 in initiate_connection (name=0x7fffe5590108
"nm-conn1", whackfd=24, moredebug=0,
importance=importance at entry=pcim_demand_crypto)
at /usr/src/debug/libreswan-3.8/programs/pluto/initiate.c:299
#5 0x00007f2636527102 in whack_process (whackfd=whackfd at entry=23,
msg=...) at /usr/src/debug/libreswan-3.8/programs/pluto/rcv_whack.c:527
#6 0x00007f2636527cd6 in whack_handle (whackctlfd=<optimized out>) at
/usr/src/debug/libreswan-3.8/programs/pluto/rcv_whack.c:659
#7 0x00007f26364f85f8 in call_server () at
/usr/src/debug/libreswan-3.8/programs/pluto/server.c:764
#8 0x00007f26364e1d95 in main (argc=<optimized out>, argv=<optimized
out>) at /usr/src/debug/libreswan-3.8/programs/pluto/plutomain.c:1355
(gdb)
More information about the Swan-dev
mailing list