[Swan-dev] pluto crashes with signal 11 when ike=des

Ben Lentz ben.lentz at gmail.com
Thu Jul 10 04:31:24 EEST 2014


On 7/9/14, 8:53 PM, Ben Lentz wrote:
>
>> try:
>>
>>     remote_peer_type=cisco
>>     esp=aes-sha1;modp1024
>>
>> Paul
>
> Hey Paul,
> Thanks so much for your continued help with this. Unfortunately, I 
> continue to struggle. I found what I believe is an acceptable phase 2 
> proposal in 3des-sha1, discovered by reviewing the debug logs from a 
> successful tunnel connection from vpnc.
>
> I've tried migrating the configs into two different boxes; a RHEL 6.4 
> system running openswan-2.6.32-19.el6_3 and a Fedora 20 Live USB 
> running libreswan-3.6-1.fc20. The RHEL box crashes pluto with a signal 
> 11 (again! - even though I think we have an acceptable proposal) and 
> the Fedora 20 box doesn't die, but complains of a duplicate packet during 
> quick mode. Oddly enough I end up with an updated /etc/resolv.conf but 
> no IP alias and no routes added.
>
> RHEL logs (this is /var/log/secure and /var/log/messages together so 
> the ipsec messages and daemon crash are shown together timing-wise):
>
> Jul  9 20:15:04 bentz pluto[18134]: "conn" #1: XAUTH: Successfully 
> Authenticated
> Jul  9 20:15:04 bentz pluto[18134]: "conn" #1: transition from state 
> STATE_XAUTH_I0 to state STATE_XAUTH_I1
> Jul  9 20:15:04 bentz pluto[18134]: "conn" #1: STATE_XAUTH_I1: XAUTH 
> client - awaiting CFG_set
> Jul  9 20:15:04 bentz pluto[18134]: "conn" #1: modecfg: Sending IP 
> request (MODECFG_I1)
> Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: received mode cfg reply
> Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: setting client address 
> to 192.168.0.79/32
> Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: setting ip source 
> address to 192.168.0.79/32
> Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: Received IP4 NETMASK 
> 255.255.255.0
> Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: Received DNS 10.0.0.20, 
> len=10
> Jul  9 20:15:05 bentz pluto[18134]: | Cisco DNS info: 10.0.0.20, len=10
> Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: Received DNS 
> 10.0.0.240, len=10
> Jul  9 20:15:05 bentz pluto[18134]: | Cisco DNS info: 10.0.0.20 
> 10.0.0.240, len=21
> Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: transition from state 
> STATE_MODE_CFG_I1 to state STATE_MAIN_I4
> Jul  9 20:15:05 bentz pluto[18134]: "conn" #1: STATE_MAIN_I4: ISAKMP 
> SA established
> Jul  9 20:15:05 bentz pluto[18134]: "conn" #2: initiating Quick Mode 
> PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+AGGRESSIVE {using isakmp#1 
> msgid:d45f73bf proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
> Jul  9 20:15:05 bentz ipsec__plutorun: /usr/libexec/ipsec/_plutorun: 
> line 250: 18134 Segmentation fault      /usr/libexec/ipsec/pluto 
> --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d 
> --use-netkey --uniqueids --nat_traversal --virtual_private oe=off
> Jul  9 20:15:05 bentz ipsec__plutorun: !pluto failure!:  exited with 
> error status 139 (signal 11)
> Jul  9 20:15:05 bentz ipsec__plutorun: restarting IPsec after pause...
> Jul  9 20:15:15 bentz ipsec_setup: Stopping Openswan IPsec...
> Jul  9 20:15:15 bentz ipsec_setup: Removing orphaned 
> /var/run/pluto/pluto.pid:
> Jul  9 20:15:15 bentz ipsec_setup: ...Openswan IPsec stopped
> Jul  9 20:15:15 bentz ipsec_setup: Starting Openswan IPsec 
> U2.6.32/K2.6.32-358.el6.x86_64...
> Jul  9 20:15:15 bentz ipsec_setup: Using NETKEY(XFRM) stack
> Jul  9 20:15:15 bentz ipsec_setup: /usr/libexec/ipsec/addconn Non-fips 
> mode set in /proc/sys/crypto/fips_enabled
> Jul  9 20:15:15 bentz ipsec__plutorun: Starting Pluto subsystem...
> Jul  9 20:15:15 bentz ipsec_setup: ...Openswan IPsec started
> Jul  9 20:15:15 bentz ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
> Jul  9 20:15:15 bentz pluto: adjusting ipsec.d to /etc/ipsec.d
> Jul  9 20:15:15 bentz ipsec__plutorun: /usr/libexec/ipsec/addconn 
> Non-fips mode set in /proc/sys/crypto/fips_enabled
> Jul  9 20:15:15 bentz ipsec__plutorun: /usr/libexec/ipsec/addconn 
> Non-fips mode set in /proc/sys/crypto/fips_enabled
> Jul  9 20:15:15 bentz ipsec__plutorun: /usr/libexec/ipsec/addconn 
> Non-fips mode set in /proc/sys/crypto/fips_enabled
> Jul  9 20:15:16 bentz pluto[18353]: nss directory plutomain: /etc/ipsec.d
> Jul  9 20:15:16 bentz pluto[18353]: NSS Initialized
> Jul  9 20:15:16 bentz pluto[18353]: Non-fips mode set in 
> /proc/sys/crypto/fips_enabled
> Jul  9 20:15:16 bentz pluto[18353]: Starting Pluto (Openswan Version 
> 2.6.32; Vendor ID OEhyLdACecfa) pid:18353
>
> Here's the Fedora journalctl -f output:
>
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: XAUTH: Successfully 
> Authenticated
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: transition from 
> state STATE_XAUTH_I0 to state STATE_XAUTH_I1
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: STATE_XAUTH_I1: 
> XAUTH client - awaiting CFG_set
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: modecfg: Sending IP 
> request (MODECFG_I1)
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: received mode cfg reply
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received IPv4 
> address: 192.168.0.38/32
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: setting ip source 
> address to 192.168.0.38/32
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received IP4 NETMASK 
> 255.255.255.0
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received DNS 10.0.0.20
> Jul 09 20:37:26 localhost pluto[2804]: | ModeCFG DNS info: 10.0.0.20, 
> len=10
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received DNS 10.0.0.240
> Jul 09 20:37:26 localhost pluto[2804]: | ModeCFG DNS info: 10.0.0.20 
> 10.0.0.240, len=21
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received Cisco 
> ModeCFG Domain: conn.com
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received Domain: 
> conn.com
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: transition from 
> state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: STATE_MAIN_I4: 
> ISAKMP SA established
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: initiating Quick 
> Mode PSK+ENCRYPT+TUNNEL+UP+XAUTH+MODECFGPULL+AGGRESSIVE+IKE_FRAG 
> {using isakmp#1 msgid:2886c6de 
> proposal=3DES(3)_192-SHA1(2)_1...fsgroup=no-pfs}
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: up-client output: 
> updating resolvconf
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: up-client output: 
> Current resolv.conf is generated by Libreswan, and backup resolv.conf 
> already exists, so doing nothing
> Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: up-client command 
> exited with status 1
> Jul 09 20:37:34 localhost pluto[2804]: "conn" #2: discarding duplicate 
> packet; already STATE_QUICK_I1
> Jul 09 20:37:36 localhost pluto[2804]: "conn" #2: discarding duplicate 
> packet; already STATE_QUICK_I1
> Jul 09 20:37:44 localhost pluto[2804]: "conn" #2: discarding duplicate 
> packet; already STATE_QUICK_I1
> Jul 09 20:37:52 localhost pluto[2804]: "conn" #1: ignoring Delete SA 
> payload: PROTO_IPSEC_ESP SA(0x8603a62d) not found (maybe expired)
> Jul 09 20:37:52 localhost pluto[2804]: "conn" #1: received and ignored 
> empty informational notification payload
> Jul 09 20:37:52 localhost pluto[2804]: "conn" #1: received Delete SA 
> payload: deleting ISAKMP State #1
> Jul 09 20:37:52 localhost pluto[2804]: packet from 198.185.66.15:4500: 
> received and ignored empty informational notification payload
>
> I read that leftxauthserver means rekey=no, so I did add that but it 
> didn't seem to make a difference (it just doesn't 'try' as hard).
>
> My config is (scrubbed):
>
> conn conn
>     auto=start
>     authby=secret
>     left=%defaultroute
>     leftid=@vpnusers
>     leftxauthclient=yes
>     leftmodecfgclient=yes
>     leftxauthusername=blentz
>     right=1.2.3.4
>     rightxauthserver=yes
>     rightmodecfgserver=yes
>     modecfgpull=yes
>     ike=3des-md5;modp1536
>     esp=3des-sha1
>     rekey=no
>     remote_peer_type=cisco
>     aggrmode=yes
>     pfs=no
>     ikev2=no
>     sareftrack=no
>
> esp=3des-sha1 appears to have gotten me around the NO_PROPOSAL_CHOSEN 
> problem but I didn't get a whole lot further. It feels like I'm 98% 
> there but this last 2% is kicking my butt.
>
> I saw there was a release today, I might try pulling that down onto 
> the Fedora 20 Live USB system to see if there's something in there 
> that's fixed that I could benefit from.
>
> Any more ideas?

I pulled down all the latest software for my RHEL 6Server box:

$ rpm -q ldns unbound-libs libreswan libreswan-kmod
ldns-1.6.16-2.el6.x86_64
unbound-libs-1.4.21-1.el6.x86_64
libreswan-3.9-1.el6.x86_64
libreswan-kmod-3.5-1.el6.x86_64

... and with the above configuration I can start ipsec and I actually 
don't get any errors at all! However, I never get any new interfaces, 
interface aliases, or routes still... just a running daemon and a munged 
/etc/resolv.conf file. I must be missing something huge here.
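The two log excerpts quoted above show the same IKEv1 XAUTH/ModeCFG client reaching STATE_MAIN_I4 (ISAKMP SA established) and then either losing the daemon to a segfault (exit status 139, signal 11) or sitting in STATE_QUICK_I1 discarding duplicate packets until the peer deletes the ISAKMP SA. The script below is an added example, not code from this thread or from Openswan/Libreswan: it walks pluto syslog or journalctl lines once, tracks the last state per SA number, records the Quick Mode proposal that was sent, counts duplicate-packet discards, and spots the `!pluto failure!` line, so that a crash and a stalled Quick Mode can be told apart without reading the whole log. The sample lines are constructed from the shapes seen in the post; hostnames, PIDs, message IDs and the `summarize()` output format are assumptions.

```python
"""Summarise pluto (IKEv1) client-side log lines: state transitions,
daemon crashes and Quick Mode stalls.

Added example, not code from the Swan-dev thread or from libreswan.
The sample lines below are constructed, modelled on the syslog and
journalctl excerpts in the post; hostnames, PIDs and addresses are made up.
"""
import re
from collections import defaultdict

# Constructed sample: client reaches STATE_MAIN_I4, initiates Quick Mode,
# then pluto dies with SIGSEGV (exit status 139, signal 11).
SAMPLE_CRASH_LOG = """\
Jul  9 20:15:05 host pluto[18134]: "conn" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
Jul  9 20:15:05 host pluto[18134]: "conn" #1: STATE_MAIN_I4: ISAKMP SA established
Jul  9 20:15:05 host pluto[18134]: "conn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1 msgid:d45f73bf proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jul  9 20:15:05 host ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)
"""

# Constructed sample: Quick Mode never completes; pluto keeps discarding
# duplicates in STATE_QUICK_I1 until the peer deletes the ISAKMP SA.
SAMPLE_STALL_LOG = """\
Jul 09 20:37:26 host pluto[2804]: "conn" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
Jul 09 20:37:26 host pluto[2804]: "conn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+XAUTH+MODECFGPULL+AGGRESSIVE {using isakmp#1 msgid:2886c6de proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jul 09 20:37:34 host pluto[2804]: "conn" #2: discarding duplicate packet; already STATE_QUICK_I1
Jul 09 20:37:36 host pluto[2804]: "conn" #2: discarding duplicate packet; already STATE_QUICK_I1
Jul 09 20:37:52 host pluto[2804]: "conn" #1: received Delete SA payload: deleting ISAKMP State #1
"""

# '"conn" #N: message' is how pluto prefixes per-SA lines.
STATE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<num>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
QM_RE = re.compile(r'initiating Quick Mode .*proposal=(?P<proposal>\S+) pfsgroup=(?P<pfs>[^\s}]+)')
DUP_RE = re.compile(r'discarding duplicate packet; already (?P<state>STATE_\S+)')
# _plutorun reports the daemon's exit status; 139 = 128 + SIGSEGV(11).
CRASH_RE = re.compile(r'!pluto failure!:\s+exited with error status (?P<status>\d+)(?: \(signal (?P<sig>\d+)\))?')


def parse_line(line):
    """Return (SA number, message) for a per-SA pluto line, else (None, line)."""
    m = STATE_RE.search(line)
    if not m:
        return None, line
    return int(m.group("num")), m.group("msg")


def summarize(log_text):
    """Walk the log once and return per-SA facts plus plain-text diagnoses."""
    last_state = {}                  # SA number -> last state name seen
    quick_mode = {}                  # SA number -> proposal/pfs sent in QM1
    dup_discards = defaultdict(int)  # SA number -> duplicate packets discarded
    crash = None
    isakmp_deleted = []
    for line in log_text.splitlines():
        c = CRASH_RE.search(line)
        if c:
            sig = int(c.group("sig")) if c.group("sig") else None
            crash = {"status": int(c.group("status")), "signal": sig}
            continue
        num, msg = parse_line(line)
        if num is None:
            continue
        t = TRANSITION_RE.search(msg)
        if t:
            last_state[num] = t.group(2)
            continue
        q = QM_RE.search(msg)
        if q:
            quick_mode[num] = {"proposal": q.group("proposal"), "pfs": q.group("pfs")}
            continue
        d = DUP_RE.search(msg)
        if d:
            dup_discards[num] += 1
            last_state[num] = d.group("state")  # pluto tells us its state here
            continue
        if "deleting ISAKMP State" in msg:
            isakmp_deleted.append(num)

    diagnosis = []
    if crash is not None:
        what = f"pluto exited with status {crash['status']}"
        if crash["signal"] is not None:
            what += f" (signal {crash['signal']})"
        after = ", ".join(f"#{n}" for n in sorted(quick_mode)) or "no SA"
        diagnosis.append(f"{what} after Quick Mode was initiated for {after}")
    for num, count in sorted(dup_discards.items()):
        if last_state.get(num) == "STATE_QUICK_I1":
            prop = quick_mode.get(num, {}).get("proposal", "?")
            diagnosis.append(
                f"#{num} stalled in STATE_QUICK_I1: {count} duplicate packet(s) "
                f"discarded and no transition to STATE_QUICK_I2, so no IPsec SA "
                f"was established (proposal {prop})")
    for num in isakmp_deleted:
        diagnosis.append(f"peer deleted ISAKMP SA #{num}")
    if not diagnosis and "STATE_QUICK_I2" in last_state.values():
        diagnosis.append("IPsec SA established")
    return {"last_state": dict(last_state), "quick_mode": quick_mode,
            "dup_discards": dict(dup_discards), "crash": crash,
            "diagnosis": diagnosis}


if __name__ == "__main__":
    for name, text in (("crash", SAMPLE_CRASH_LOG), ("stall", SAMPLE_STALL_LOG)):
        print(name, "->", "; ".join(summarize(text)["diagnosis"]))
```

Feeding a real `/var/log/secure` or `journalctl -u ipsec` capture through `summarize()` separates the two failure modes in the post: a non-empty `crash` entry means the daemon itself died and a backtrace (core file or `gdb` on the pluto binary) is the next step, whereas a `STATE_QUICK_I1` stall with no crash means the peer never completed the Quick Mode exchange, which points back at the Phase 2 parameters (`esp=`, `pfs=`) rather than at pluto.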