[Swan-dev] pluto crashes with signal 11 when ike=des
Ben Lentz
ben.lentz at gmail.com
Thu Jul 10 04:31:24 EEST 2014
On 7/9/14, 8:53 PM, Ben Lentz wrote:
>
>> try:
>>
>> remote_peer_type=cisco
>> esp=aes-sha1;modp1024
>>
>> Paul
>
> Hey Paul,
> Thanks so much for your continued help with this. Unfortunately, I
> continue to struggle. I found what I believe is an acceptable phase 2
> proposal in 3des-sha1, discovered by reviewing the debug logs from a
> successful tunnel connection from vpnc.
>
> I've tried migrating the configs into two different boxes; a RHEL 6.4
> system running openswan-2.6.32-19.el6_3 and a Fedora 20 Live USB
> running libreswan-3.6-1.fc20. The RHEL box crashes pluto with a signal
> 11 (again! - even though I think we have an acceptable proposal) and
> the Fedora 20 box doesn't die, complains of a duplicate packet during
> quick mode. Oddly enough I end up with an updated /etc/resolv.conf but
> no IP alias and no routes added.
>
> RHEL logs (this is /var/log/secure and /var/log/messages together so
> the ipsec messages and daemon crash are shown together timing-wise):
>
> Jul 9 20:15:04 bentz pluto[18134]: "conn" #1: XAUTH: Successfully
> Authenticated
> Jul 9 20:15:04 bentz pluto[18134]: "conn" #1: transition from state
> STATE_XAUTH_I0 to state STATE_XAUTH_I1
> Jul 9 20:15:04 bentz pluto[18134]: "conn" #1: STATE_XAUTH_I1: XAUTH
> client - awaiting CFG_set
> Jul 9 20:15:04 bentz pluto[18134]: "conn" #1: modecfg: Sending IP
> request (MODECFG_I1)
> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: received mode cfg reply
> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: setting client address
> to 192.168.0.79/32
> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: setting ip source
> address to 192.168.0.79/32
> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: Received IP4 NETMASK
> 255.255.255.0
> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: Received DNS 10.0.0.20,
> len=10
> Jul 9 20:15:05 bentz pluto[18134]: | Cisco DNS info: 10.0.0.20, len=10
> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: Received DNS
> 10.0.0.240, len=10
> Jul 9 20:15:05 bentz pluto[18134]: | Cisco DNS info: 10.0.0.20
> 10.0.0.240, len=21
> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: transition from state
> STATE_MODE_CFG_I1 to state STATE_MAIN_I4
> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: STATE_MAIN_I4: ISAKMP
> SA established
> Jul 9 20:15:05 bentz pluto[18134]: "conn" #2: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+AGGRESSIVE {using isakmp#1
> msgid:d45f73bf proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
> Jul 9 20:15:05 bentz ipsec__plutorun: /usr/libexec/ipsec/_plutorun:
> line 250: 18134 Segmentation fault /usr/libexec/ipsec/pluto
> --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d
> --use-netkey --uniqueids --nat_traversal --virtual_private oe=off
> Jul 9 20:15:05 bentz ipsec__plutorun: !pluto failure!: exited with
> error status 139 (signal 11)
> Jul 9 20:15:05 bentz ipsec__plutorun: restarting IPsec after pause...
> Jul 9 20:15:15 bentz ipsec_setup: Stopping Openswan IPsec...
> Jul 9 20:15:15 bentz ipsec_setup: Removing orphaned
> /var/run/pluto/pluto.pid:
> Jul 9 20:15:15 bentz ipsec_setup: ...Openswan IPsec stopped
> Jul 9 20:15:15 bentz ipsec_setup: Starting Openswan IPsec
> U2.6.32/K2.6.32-358.el6.x86_64...
> Jul 9 20:15:15 bentz ipsec_setup: Using NETKEY(XFRM) stack
> Jul 9 20:15:15 bentz ipsec_setup: /usr/libexec/ipsec/addconn Non-fips
> mode set in /proc/sys/crypto/fips_enabled
> Jul 9 20:15:15 bentz ipsec__plutorun: Starting Pluto subsystem...
> Jul 9 20:15:15 bentz ipsec_setup: ...Openswan IPsec started
> Jul 9 20:15:15 bentz ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
> Jul 9 20:15:15 bentz pluto: adjusting ipsec.d to /etc/ipsec.d
> Jul 9 20:15:15 bentz ipsec__plutorun: /usr/libexec/ipsec/addconn
> Non-fips mode set in /proc/sys/crypto/fips_enabled
> Jul 9 20:15:15 bentz ipsec__plutorun: /usr/libexec/ipsec/addconn
> Non-fips mode set in /proc/sys/crypto/fips_enabled
> Jul 9 20:15:15 bentz ipsec__plutorun: /usr/libexec/ipsec/addconn
> Non-fips mode set in /proc/sys/crypto/fips_enabled
> Jul 9 20:15:16 bentz pluto[18353]: nss directory plutomain: /etc/ipsec.d
> Jul 9 20:15:16 bentz pluto[18353]: NSS Initialized
> Jul 9 20:15:16 bentz pluto[18353]: Non-fips mode set in
> /proc/sys/crypto/fips_enabled
> Jul 9 20:15:16 bentz pluto[18353]: Starting Pluto (Openswan Version
> 2.6.32; Vendor ID OEhyLdACecfa) pid:18353
>
> Here's the Fedora journalctl -f output:
>
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: XAUTH: Successfully
> Authenticated
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: transition from
> state STATE_XAUTH_I0 to state STATE_XAUTH_I1
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: STATE_XAUTH_I1:
> XAUTH client - awaiting CFG_set
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: modecfg: Sending IP
> request (MODECFG_I1)
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: received mode cfg reply
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received IPv4
> address: 192.168.0.38/32
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: setting ip source
> address to 192.168.0.38/32
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received IP4 NETMASK
> 255.255.255.0
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received DNS 10.0.0.20
> Jul 09 20:37:26 localhost pluto[2804]: | ModeCFG DNS info: 10.0.0.20,
> len=10
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received DNS 10.0.0.240
> Jul 09 20:37:26 localhost pluto[2804]: | ModeCFG DNS info: 10.0.0.20
> 10.0.0.240, len=21
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received Cisco
> ModeCFG Domain: conn.com
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received Domain:
> conn.com
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: transition from
> state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: STATE_MAIN_I4:
> ISAKMP SA established
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: initiating Quick
> Mode PSK+ENCRYPT+TUNNEL+UP+XAUTH+MODECFGPULL+AGGRESSIVE+IKE_FRAG
> {using isakmp#1 msgid:2886c6de
> proposal=3DES(3)_192-SHA1(2)_1...fsgroup=no-pfs}
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: up-client output:
> updating resolvconf
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: up-client output:
> Current resolv.conf is generated by Libreswan, and backup resolv.conf
> already exists, so doing nothing
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: up-client command
> exited with status 1
> Jul 09 20:37:34 localhost pluto[2804]: "conn" #2: discarding duplicate
> packet; already STATE_QUICK_I1
> Jul 09 20:37:36 localhost pluto[2804]: "conn" #2: discarding duplicate
> packet; already STATE_QUICK_I1
> Jul 09 20:37:44 localhost pluto[2804]: "conn" #2: discarding duplicate
> packet; already STATE_QUICK_I1
> Jul 09 20:37:52 localhost pluto[2804]: "conn" #1: ignoring Delete SA
> payload: PROTO_IPSEC_ESP SA(0x8603a62d) not found (maybe expired)
> Jul 09 20:37:52 localhost pluto[2804]: "conn" #1: received and ignored
> empty informational notification payload
> Jul 09 20:37:52 localhost pluto[2804]: "conn" #1: received Delete SA
> payload: deleting ISAKMP State #1
> Jul 09 20:37:52 localhost pluto[2804]: packet from 198.185.66.15:4500:
> received and ignored empty informational notification payload
>
> I read that leftxauthserver means rekey=no, so I did add that but it
> didn't seem to make a difference (it just doesn't 'try' as hard).
>
> My config is (scrubbed):
>
> conn conn
> auto=start
> authby=secret
> left=%defaultroute
> leftid=@vpnusers
> leftxauthclient=yes
> leftmodecfgclient=yes
> leftxauthusername=blentz
> right=1.2.3.4
> rightxauthserver=yes
> rightmodecfgserver=yes
> modecfgpull=yes
> ike=3des-md5;modp1536
> esp=3des-sha1
> rekey=no
> remote_peer_type=cisco
> aggrmode=yes
> pfs=no
> ikev2=no
> sareftrack=no
>
> esp=3des-sha1 appears to have gotten me around the NO_PROPOSAL_CHOSEN
> problem but I didn't get a whole lot further. It feels like I'm 98%
> there but this last 2% is kicking my butt.
>
> I saw there was a release today, I might try pulling that down onto
> the Fedora 20 Live USB system to see if there's something in there
> that's fixed that I could benefit from.
>
> Any more ideas?
I pulled down all the latest software for my RHEL 6Server box:
$ rpm -q ldns unbound-libs libreswan libreswan-kmod
ldns-1.6.16-2.el6.x86_64
unbound-libs-1.4.21-1.el6.x86_64
libreswan-3.9-1.el6.x86_64
libreswan-kmod-3.5-1.el6.x86_64
... and with the above configuration I can start ipsec and I actually
don't get any errors at all! However I never get any new interfaces,
interface aliases, or routes still... just a running daemon and a munged
/etc/resolv.conf file. I must be missing something huge here.
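For triaging logs like the two excerpts quoted above, here is an added Python helper; it is not code from this thread or from the Openswan/Libreswan projects, and the `TunnelReport`/`triage` names are my own. It scans pluto syslog or journal lines for the messages that appear in the thread and reports how far the XAUTH/ModeCFG client got and what stopped it: a pluto crash right after "initiating Quick Mode", a non-zero up-client exit, duplicate packets discarded while still in STATE_QUICK_I1, or the peer deleting the ISAKMP SA. The two sample logs are constructed, unwrapped copies of the thread's excerpts.

```python
"""Triage helper for Openswan/Libreswan pluto log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: trimmed, unwrapped copies of the two excerpts in the thread
# (the Fedora quick-mode line is shortened because the original is truncated).
SAMPLE_RHEL = """\
Jul 9 20:15:04 bentz pluto[18134]: "conn" #1: XAUTH: Successfully Authenticated
Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: setting client address to 192.168.0.79/32
Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: STATE_MAIN_I4: ISAKMP SA established
Jul 9 20:15:05 bentz pluto[18134]: "conn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+AGGRESSIVE {using isakmp#1 msgid:d45f73bf proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jul 9 20:15:05 bentz ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
"""
SAMPLE_FEDORA = """\
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: XAUTH: Successfully Authenticated
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received IPv4 address: 192.168.0.38/32
Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: STATE_MAIN_I4: ISAKMP SA established
Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+XAUTH+MODECFGPULL+AGGRESSIVE+IKE_FRAG
Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: up-client command exited with status 1
Jul 09 20:37:34 localhost pluto[2804]: "conn" #2: discarding duplicate packet; already STATE_QUICK_I1
Jul 09 20:37:36 localhost pluto[2804]: "conn" #2: discarding duplicate packet; already STATE_QUICK_I1
Jul 09 20:37:52 localhost pluto[2804]: "conn" #1: received Delete SA payload: deleting ISAKMP State #1
"""


@dataclass
class TunnelReport:
    """What the log says about one XAUTH/ModeCFG client connection."""
    xauth_ok: bool = False
    client_addr: Optional[str] = None       # address handed out by ModeCFG
    isakmp_sa: bool = False                 # phase 1 complete
    quick_mode_started: bool = False
    phase2_proposal: Optional[str] = None   # e.g. 3DES(3)_192-SHA1(2)_160
    ipsec_sa: bool = False                  # "IPsec SA established" seen (phase 2 done)
    crashed: bool = False
    crash_signal: Optional[int] = None
    upclient_status: Optional[int] = None   # exit status of the up-client script
    duplicate_packets: int = 0              # "discarding duplicate packet" count
    peer_deleted_isakmp: bool = False

    def verdict(self) -> str:
        if self.crashed:
            stage = "at quick mode" if self.quick_mode_started and not self.ipsec_sa else "during phase 1"
            return f"pluto crashed with signal {self.crash_signal} {stage}"
        if self.ipsec_sa:
            return "IPsec SA established"
        if self.quick_mode_started:
            reasons = []
            if self.duplicate_packets:
                reasons.append(f"{self.duplicate_packets} duplicate packets discarded "
                               "while still in STATE_QUICK_I1")
            if self.upclient_status not in (None, 0):
                reasons.append(f"up-client script exited with status {self.upclient_status}")
            if self.peer_deleted_isakmp:
                reasons.append("peer deleted the ISAKMP SA")
            return "phase 2 never completed: " + ("; ".join(reasons) or "no further quick-mode messages")
        if self.isakmp_sa:
            return "ISAKMP SA established but quick mode never initiated"
        return "phase 1 did not complete"


def triage(log_text: str) -> TunnelReport:
    """Scan pluto/_plutorun lines (syslog or journalctl format) and fill a TunnelReport."""
    r = TunnelReport()
    for line in log_text.splitlines():
        if "XAUTH: Successfully Authenticated" in line:
            r.xauth_ok = True
        m = re.search(r"(?:setting client address to|Received IPv4 address:) (\S+)", line)
        if m:
            r.client_addr = m.group(1)
        if "ISAKMP SA established" in line:
            r.isakmp_sa = True
        if "initiating Quick Mode" in line:
            r.quick_mode_started = True
            m = re.search(r"proposal=([^\s}]+)", line)
            if m:
                r.phase2_proposal = m.group(1)
        if "IPsec SA established" in line:
            r.ipsec_sa = True
        m = re.search(r"exited with error status \d+ \(signal (\d+)\)", line)
        if m or "Segmentation fault" in line:
            r.crashed = True
            r.crash_signal = int(m.group(1)) if m else 11   # SIGSEGV when only the shell message is seen
        m = re.search(r"up-client command exited with status (\d+)", line)
        if m:
            r.upclient_status = int(m.group(1))
        if "discarding duplicate packet" in line:
            r.duplicate_packets += 1
        if "received Delete SA payload: deleting ISAKMP State" in line:
            r.peer_deleted_isakmp = True
    return r


if __name__ == "__main__":
    for name, text in (("RHEL", SAMPLE_RHEL), ("Fedora", SAMPLE_FEDORA)):
        rep = triage(text)
        print(f"{name}: client={rep.client_addr} proposal={rep.phase2_proposal} -> {rep.verdict()}")
```

Feeding it the real /var/log/secure or journalctl lines separates the two failure modes in the thread at a glance: the RHEL box reports a crash at quick mode, while the Fedora box reports phase 2 never completing despite phase 1 and ModeCFG having succeeded, which is consistent with a modified resolv.conf but no new address or routes.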