[Swan] Frequent Crashing with libreswan 3.10/pluto
Reuben Farrelly
reuben-libreswan at reub.net
Tue Oct 7 05:32:41 EEST 2014
On 07/10/2014 12:07 PM, Paul Wouters wrote:
> On Tue, 7 Oct 2014, Reuben Farrelly wrote:
>
>> I've recently set up an IPSec VPN between a VPS I run and a Cisco IOS
>> router. This seems to function just fine (initiates and passes traffic
>> as designed) however I'm seeing frequent crashes on the libreswan end,
>> which is causing disruptions in connectivity. The frequency of the
>> crashing is usually 1-2 times per day.
>>
>> The Cisco end is an 800 series router running 15.4(3)M which acts as a
>> spoke, initiating connections. The VPS end is acting as a hub and is
>> a Gentoo x86_64 VM running on Linode, who use Xen. I am using the
>> kernel they supply as part of the VPS, which is currently 3.15.4. I
>> am running with libreswan-3.10 and nss-3.17.1 from Gentoo portage.
>>
>> The IPSec connection uses IKEv2 and runs in tunnel mode, and I have
>> separate /32s on each end of the link and only encrypt data between
>> the two endpoints.
>>
>> The libreswan config I have is:
>>
>> conn reub.net
>> type=tunnel
>> left=106.187.48.126
>> leftid=@lightning.reub.net
>> leftsubnet=192.168.6.1/32
>> leftsourceip=192.168.6.1
>> right=%any
>> rightid=@router-2.reub.net
>> rightsubnet=192.168.6.2/32
>> authby=secret
>> ikev2=insist
>> ike=aes256-sha1;modp1536
>> esp=aes128-sha1;modp1536
>> mtu=1438
>> dpddelay=15
>> dpdtimeout=45
>> dpdaction=restart
>> auto=add
>
> Can you try adding ikelifetime=15m and salifetime=30m? It seems like
> the Cisco is giving a message we don't like.
Sure - done.
>> Frequently the libreswan end seems to just die. Pluto crashes out
>> entirely and the VPN goes down.
>>
>> At the time of this the following is logged in the kernel log:
>>
>> Oct 6 14:52:06 lightning kernel: pluto[23223]: segfault at 58 ip
>> 00007f8f85f0c8d0 sp 00007fffb30275b8 error 4 in
>> libnss3.so[7f8f85ebc000+11f000]
>>
>> And in the auth.log the lines preceding this are:
>>
>> Oct 6 14:50:12 lightning pluto[23223]: | V2 microcode entry (R2:
>> process INFORMATIONAL) has unspecified timeout_event
>
> It would be useful to have the full debug log for that with more
> history.
Now set - so waiting for it to fail again. I have set debugging to all
this time too.
There are two other possible issues that are probably unrelated that
I've observed:
1. "ipsec verify" spits out errors and fails with python-3.4:
lightning log # ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.10 (netkey) on 3.15.4-x86_64-linode45
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act
on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/dummy0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/gre0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/gretap0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip6_vti0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip6gre0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip6tnl0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/sit0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/teql0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/tunl0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax Traceback (most recent call last):
File "/usr/libexec/ipsec/verify", line 476, in <module>
main()
File "/usr/libexec/ipsec/verify", line 465, in main
plutocheck()
File "/usr/libexec/ipsec/verify", line 121, in plutocheck
ipsecsecretcheck()
File "/usr/libexec/ipsec/verify", line 374, in ipsecsecretcheck
output = output.decode(prefencoding)
AttributeError: 'str' object has no attribute 'decode'
lightning log #
Seems to be OK with python-2.7 though:
lightning log # python2.7 /usr/libexec/ipsec/verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.10 (netkey) on 3.15.4-x86_64-linode45
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act
on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/dummy0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/gre0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/gretap0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip6_vti0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip6gre0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip6tnl0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/sit0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/teql0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/tunl0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [FAILED]
[OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
ipsec verify: encountered 35 errors - see 'man ipsec_verify' for help
lightning log #
Note the IP command result, particularly.
2. When the link is torn down, the MTU command is failing:
2014-10-06 19:28:06 "reub.net": unroute-client output:
/usr/libexec/ipsec/_updown.netkey: doroute "ip route del 192.168.6.2/32
dev eth0 mtu 1438PLUTO_ADDTIME=0 " failed (Error: argument
"1438PLUTO_ADDTIME=0" is wrong: "mtu" value is invalid)
(the spacing is shown as logged - it seems there may be a space missing
after the MTU value...?)
Thanks,
Reuben
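The `ipsec verify` output quoted in this mail flags the same three sysctls on every interface: ICMP `send_redirects`, ICMP `accept_redirects` and `rp_filter`. With NETKEY/XFRM, redirects can be emitted or honoured for traffic that will be encapsulated, and the reverse-path filter does not know that a packet decapsulated from an ESP SA legitimately arrives on an interface the routing table would not pick for its source. The following is an added example, not libreswan's own code and not something from the original post: a small POSIX sh audit that lists every offending `net.ipv4.conf.*` setting, renders a `sysctl.d` fragment pinning them to 0, and can round-trip that fragment against a constructed copy of the `/proc/sys` tree so it can be tested without root. The tree root argument, the function names and the sample tree are all assumptions of this example; on a real host run the audit against `/proc/sys` and apply the fragment with `sysctl -p`.

```shell
#!/bin/sh
# Added example, not libreswan's own code: audit and fix the NETKEY
# sysctls that `ipsec verify` flagged (send_redirects, accept_redirects,
# rp_filter under net.ipv4.conf.*). Every function takes the sysctl tree
# root as an argument so the logic can be exercised against a constructed
# copy of /proc/sys; on a live host pass /proc/sys and use `sysctl -p`.

IPSEC_KEYS="send_redirects accept_redirects rp_filter"

# Print one "net.ipv4.conf.<if>.<key> = <value>" line per setting that is
# not 0. Prints nothing when the tree already matches what verify wants.
audit_ipsec_sysctls() {
    root="$1"
    for dir in "$root"/net/ipv4/conf/*; do
        [ -d "$dir" ] || continue
        iface=${dir##*/}
        for key in $IPSEC_KEYS; do
            [ -r "$dir/$key" ] || continue
            read -r value < "$dir/$key"
            [ "$value" = "0" ] || echo "net.ipv4.conf.$iface.$key = $value"
        done
    done
}

# Number of offending settings; 0 means the host is clean.
count_bad_sysctls() {
    audit_ipsec_sysctls "$1" | wc -l | tr -d ' '
}

# Emit an /etc/sysctl.d fragment pinning all three keys to 0 for every
# interface present in the tree, including the all/default templates
# (default covers interfaces created later, e.g. new tunnels).
render_sysctl_fragment() {
    root="$1"
    echo "# NETKEY/XFRM: ICMP redirects and rp_filter are not IPsec-aware"
    for dir in "$root"/net/ipv4/conf/*; do
        [ -d "$dir" ] || continue
        iface=${dir##*/}
        for key in $IPSEC_KEYS; do
            echo "net.ipv4.conf.$iface.$key = 0"
        done
    done
}

# Write each "a.b.c = v" line of a fragment into the matching file under
# the tree root. This mimics `sysctl -p FRAGMENT` closely enough to test
# the round trip offline; on a real host use sysctl -p itself.
apply_sysctl_fragment() {
    root="$1"; fragment="$2"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=$(echo "${line%%=*}" | tr -d ' ' | tr . /)
        value=$(echo "${line#*=}" | tr -d ' ')
        echo "$value" > "$root/$key"
    done < "$fragment"
}

# Constructed sample tree reproducing the state in the ipsec verify output
# above: every interface has rp_filter and both redirect knobs enabled.
make_sample_sysctl_tree() {
    root="$1"
    for iface in all default eth0 lo; do
        mkdir -p "$root/net/ipv4/conf/$iface"
        for key in $IPSEC_KEYS; do
            echo 1 > "$root/net/ipv4/conf/$iface/$key"
        done
    done
}

# Usage: sh ipsec-sysctl-audit.sh /proc/sys    (lists offending settings)
[ $# -eq 0 ] || audit_ipsec_sysctls "$1"
```

Two caveats for the setup in this thread. `ipsec verify` also reports "checking IP forwarding [FAILED]"; forwarding is only needed when the host routes for a subnet behind it, and with a /32 on each end of this tunnel the endpoint is the host itself, so that check can be ignored here. And `rp_filter` is sometimes set to loose mode (2) instead of 0 on multi-homed hosts; verify still flags any non-zero value, so if loose mode is wanted the warning has to be accepted knowingly rather than treated as a fault.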