[Swan-dev] pluto crashes with signal 11 when ike=des

Ben Lentz ben.lentz at gmail.com
Thu Jul 10 03:53:47 EEST 2014


> try:
>
>     remote_peer_type=cisco
>     esp=aes-sha1;modp1024
>
> Paul

Hey Paul,
Thanks so much for your continued help with this. Unfortunately, I 
continue to struggle. I found what I believe is an acceptable phase 2 
proposal in 3des-sha1, discovered by reviewing the debug logs from a 
successful tunnel connection from vpnc.

I've tried migrating the configs into two different boxes: a RHEL 6.4 
system running openswan-2.6.32-19.el6_3 and a Fedora 20 Live USB running 
libreswan-3.6-1.fc20. The RHEL box crashes pluto with a signal 11 
(again! - even though I think we have an acceptable proposal), and the 
Fedora 20 box doesn't die but complains of a duplicate packet during quick 
mode. Oddly enough, I end up with an updated /etc/resolv.conf but no IP 
alias and no routes added.

RHEL logs (this is /var/log/secure and /var/log/messages together so the 
ipsec messages and daemon crash are shown together timing-wise):

Jul  9 20:15:04 bentz pluto[18134]: "conn" #1: XAUTH: Successfully 
Authenticated
Jul  9 20:15:04 bentz pluto[18134]: "conn" #1: transition from state 
STATE_XAUTH_I0 to state STATE_XAUTH_I1
Jul  9 20:15:04 bentz pluto[18134]: "conn" #1: STATE_XAUTH_I1: XAUTH 
client - awaiting CFG_set
Jul  9 20:15:04 bentz pluto[18134]: "conn" #1: modecfg: Sending IP 
request (MODECFG_I1)
Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: received mode cfg reply
Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: setting client address to 
192.168.0.79/32
Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: setting ip source address 
to 192.168.0.79/32
Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: Received IP4 NETMASK 
255.255.255.0
Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: Received DNS 10.0.0.20, 
len=10
Jul  9 20:15:05 bentz pluto[18134]: | Cisco DNS info: 10.0.0.20, len=10
Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: Received DNS 10.0.0.240, 
len=10
Jul  9 20:15:05 bentz pluto[18134]: | Cisco DNS info: 10.0.0.20 
10.0.0.240, len=21
Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: transition from state 
STATE_MODE_CFG_I1 to state STATE_MAIN_I4
Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: STATE_MAIN_I4: ISAKMP SA 
established
Jul  9 20:15:05 bentz pluto[18134]: "conn" #2: initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+AGGRESSIVE {using isakmp#1 
msgid:d45f73bf proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jul  9 20:15:05 bentz ipsec__plutorun: /usr/libexec/ipsec/_plutorun: 
line 250: 18134 Segmentation fault      /usr/libexec/ipsec/pluto 
--nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d 
--use-netkey --uniqueids --nat_traversal --virtual_private oe=off
Jul  9 20:15:05 bentz ipsec__plutorun: !pluto failure!:  exited with 
error status 139 (signal 11)
Jul  9 20:15:05 bentz ipsec__plutorun: restarting IPsec after pause...
Jul  9 20:15:15 bentz ipsec_setup: Stopping Openswan IPsec...
Jul  9 20:15:15 bentz ipsec_setup: Removing orphaned 
/var/run/pluto/pluto.pid:
Jul  9 20:15:15 bentz ipsec_setup: ...Openswan IPsec stopped
Jul  9 20:15:15 bentz ipsec_setup: Starting Openswan IPsec 
U2.6.32/K2.6.32-358.el6.x86_64...
Jul  9 20:15:15 bentz ipsec_setup: Using NETKEY(XFRM) stack
Jul  9 20:15:15 bentz ipsec_setup: /usr/libexec/ipsec/addconn Non-fips 
mode set in /proc/sys/crypto/fips_enabled
Jul  9 20:15:15 bentz ipsec__plutorun: Starting Pluto subsystem...
Jul  9 20:15:15 bentz ipsec_setup: ...Openswan IPsec started
Jul  9 20:15:15 bentz ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jul  9 20:15:15 bentz pluto: adjusting ipsec.d to /etc/ipsec.d
Jul  9 20:15:15 bentz ipsec__plutorun: /usr/libexec/ipsec/addconn 
Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul  9 20:15:15 bentz ipsec__plutorun: /usr/libexec/ipsec/addconn 
Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul  9 20:15:15 bentz ipsec__plutorun: /usr/libexec/ipsec/addconn 
Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul  9 20:15:16 bentz pluto[18353]: nss directory plutomain: /etc/ipsec.d
Jul  9 20:15:16 bentz pluto[18353]: NSS Initialized
Jul  9 20:15:16 bentz pluto[18353]: Non-fips mode set in 
/proc/sys/crypto/fips_enabled
Jul  9 20:15:16 bentz pluto[18353]: Starting Pluto (Openswan Version 
2.6.32; Vendor ID OEhyLdACecfa) pid:18353

Here's the Fedora journalctl -f output:

Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: XAUTH: Successfully 
Authenticated
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: transition from state 
STATE_XAUTH_I0 to state STATE_XAUTH_I1
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: STATE_XAUTH_I1: XAUTH 
client - awaiting CFG_set
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: modecfg: Sending IP 
request (MODECFG_I1)
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: received mode cfg reply
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received IPv4 address: 
192.168.0.38/32
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: setting ip source 
address to 192.168.0.38/32
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received IP4 NETMASK 
255.255.255.0
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received DNS 10.0.0.20
Jul 09 20:37:26 localhost pluto[2804]: | ModeCFG DNS info: 10.0.0.20, len=10
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received DNS 10.0.0.240
Jul 09 20:37:26 localhost pluto[2804]: | ModeCFG DNS info: 10.0.0.20 
10.0.0.240, len=21
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received Cisco ModeCFG 
Domain: conn.com
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received Domain: conn.com
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: transition from state 
STATE_MODE_CFG_I1 to state STATE_MAIN_I4
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: STATE_MAIN_I4: ISAKMP 
SA established
Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+UP+XAUTH+MODECFGPULL+AGGRESSIVE+IKE_FRAG {using 
isakmp#1 msgid:2886c6de proposal=3DES(3)_192-SHA1(2)_1...fsgroup=no-pfs}
Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: up-client output: 
updating resolvconf
Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: up-client output: 
Current resolv.conf is generated by Libreswan, and backup resolv.conf 
already exists, so doing nothing
Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: up-client command 
exited with status 1
Jul 09 20:37:34 localhost pluto[2804]: "conn" #2: discarding duplicate 
packet; already STATE_QUICK_I1
Jul 09 20:37:36 localhost pluto[2804]: "conn" #2: discarding duplicate 
packet; already STATE_QUICK_I1
Jul 09 20:37:44 localhost pluto[2804]: "conn" #2: discarding duplicate 
packet; already STATE_QUICK_I1
Jul 09 20:37:52 localhost pluto[2804]: "conn" #1: ignoring Delete SA 
payload: PROTO_IPSEC_ESP SA(0x8603a62d) not found (maybe expired)
Jul 09 20:37:52 localhost pluto[2804]: "conn" #1: received and ignored 
empty informational notification payload
Jul 09 20:37:52 localhost pluto[2804]: "conn" #1: received Delete SA 
payload: deleting ISAKMP State #1
Jul 09 20:37:52 localhost pluto[2804]: packet from 198.185.66.15:4500: 
received and ignored empty informational notification payload

I read that leftxauthserver means rekey=no, so I did add that but it 
didn't seem to make a difference (it just doesn't 'try' as hard).

My config is (scrubbed):

conn conn
     auto=start
     authby=secret
     left=%defaultroute
     leftid=@vpnusers
     leftxauthclient=yes
     leftmodecfgclient=yes
     leftxauthusername=blentz
     right=1.2.3.4
     rightxauthserver=yes
     rightmodecfgserver=yes
     modecfgpull=yes
     ike=3des-md5;modp1536
     esp=3des-sha1
     rekey=no
     remote_peer_type=cisco
     aggrmode=yes
     pfs=no
     ikev2=no
     sareftrack=no

esp=3des-sha1 appears to have gotten me around the NO_PROPOSAL_CHOSEN 
problem but I didn't get a whole lot further. It feels like I'm 98% 
there but this last 2% is kicking my butt.

I saw there was a release today, I might try pulling that down onto the 
Fedora 20 Live USB system to see if there's something in there that's 
fixed that I could benefit from.

Any more ideas?
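To make the two pluto excerpts above quicker to triage, here is an added Python example (not from the post and not Openswan/Libreswan code) that parses pluto's per-SA messages, keeps the last state and Quick Mode proposal for each SA, counts the "discarding duplicate packet" retransmits, and flags the _plutorun crash line. The sample log is constructed from the post's excerpts with each message on one line, as syslog and journalctl actually emit them.

```python
import re
from collections import Counter

# Constructed sample modelled on the post's RHEL and Fedora excerpts; the
# post shows these wrapped, but syslog/journal emit one message per line.
SAMPLE_LOG = """\
Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: STATE_MAIN_I4: ISAKMP SA established
Jul  9 20:15:05 bentz pluto[18134]: "conn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL {using isakmp#1 msgid:d45f73bf proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jul  9 20:15:05 bentz ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)
Jul 09 20:37:34 localhost pluto[2804]: "conn" #2: discarding duplicate packet; already STATE_QUICK_I1
Jul 09 20:37:36 localhost pluto[2804]: "conn" #2: discarding duplicate packet; already STATE_QUICK_I1
Jul 09 20:37:44 localhost pluto[2804]: "conn" #2: discarding duplicate packet; already STATE_QUICK_I1
"""

# pluto prefixes SA-specific messages with "conn-name" #sa-number:
SA_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")
PROPOSAL_RE = re.compile(r"initiating Quick Mode .*proposal=(\S+)")
DUPLICATE_RE = re.compile(r"discarding duplicate packet; already (\S+)")
CRASH_RE = re.compile(r"!pluto failure!:.*\(signal (\d+)\)")

def parse_pluto_log(text):
    """Per-SA last state, Quick Mode proposal, duplicate-packet count, crash signal."""
    report = {"state": {}, "proposal": {}, "duplicates": Counter(), "crash_signal": None}
    for line in text.splitlines():
        crash = CRASH_RE.search(line)
        if crash:  # emitted by _plutorun, not by pluto, so no SA prefix
            report["crash_signal"] = int(crash.group(1))
            continue
        m = SA_RE.search(line)
        if not m:
            continue
        key, msg = (m.group("conn"), int(m.group("sa"))), m.group("msg")
        if t := TRANSITION_RE.match(msg):
            report["state"][key] = t.group(2)
        elif p := PROPOSAL_RE.match(msg):
            report["proposal"][key] = p.group(1)
        elif d := DUPLICATE_RE.match(msg):
            report["state"][key] = d.group(1)  # state pluto says it is still in
            report["duplicates"][key] += 1
    return report

def diagnose(report):
    """Map the parsed report onto the two failure modes seen in the post."""
    findings = []
    if report["crash_signal"] is not None:
        findings.append(f"pluto exited on signal {report['crash_signal']}: collect a core file/backtrace")
    for key, n in report["duplicates"].items():
        if n >= 3 and report["state"].get(key) == "STATE_QUICK_I1":
            findings.append(f"{key[0]} #{key[1]} stuck in STATE_QUICK_I1 after {n} duplicates: "
                            "Quick Mode reply never accepted")
    return findings
```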
