[Swan] Pluto core observed on openswan-2.6.32-37.el6.x86_64

Paul Wouters paul at nohats.ca
Sun May 19 14:52:35 UTC 2019


You keep saying openswan, and not libreswan?

Libreswan is a continuation of openswan as a result of a lawsuit back in 2012. Openswan has been more or less abandoned since then. And its FIPS mode wouldn’t pass today’s FIPS requirements.

The backtrace is missing symbols and you should install the openswan-debuginfo package to get symbol names.

If you run an up to date RHEL6 or CentOS6, you would have been upgraded to libreswan years ago.

We can’t really help you with 7-year-old software that is tainted by a lawsuit. Please retry with the proper libreswan package. If you still have issues with that, we are happy to help here on this list.

Paul 

Sent from mobile device

> On May 19, 2019, at 08:43, Madhan Raj <madhanrajrm at gmail.com> wrote:
> 
> Hi All,
> 
> This is my /etc/ipsec.conf file.
> [root@msd policy]# cat /etc/ipsec.conf
> 
> # Openswan IKE daemon configuration file
> #
> # Generated during Platform Install
> #
> # We will place user config files in /etc/ipsec.d/conf ending in .conf
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
>         # For Red Hat Enterprise Linux, leave protostack=netkey
>         protostack=netkey
>         # plutodebug=crypt control controlmore pfkey dpd
>         plutodebug=all
>         klipsdebug=all
>         nat_traversal=yes
>         virtual_private=
>         oe=off
>         # Enable this if you see failed to find any available worker
>         nhelpers=0
>         plutorestartoncrash=yes
>         # NSS DB Storage
>         plutoopts="--ipsecdir /usr/local/platform/.security/ipsec"
>         # Pluto core file if it cores...
>         dumpdir=/var/log/active/core
>         # For redirecting pluto logs, use plutostderrlog=directory of our choice
> 
> conn block
> 
>         auto=ignore
> 
> conn private
> 
>         auto=ignore
> 
> conn private-or-clear
> 
>         auto=ignore
> 
> conn clear-or-private
> 
>         auto=ignore
> 
> conn clear
> 
>         auto=ignore
> 
> conn packetdefault
> 
>         auto=ignore
> 
> # Place all our user configurations (.conf) files below
> #include /etc/ipsec.d/conf/*.conf
> include /etc/ipsec.d/conf/1015323275.conf
> 
> and the corresponding conf file /etc/ipsec.d/conf/1015323275.conf:
> [root@msd policy]# cat /etc/ipsec.d/conf/1015323275.conf
> conn 1015323275_x509
>         left=10.76.214.247
>         leftcert=ipsec-db
>         leftrsasigkey=%cert
>         leftprotoport=tcp/0
>         leftid="C=IN, O=i, OU=ind, CN=msd, ST=TN, L=ipsec"
>         right=10.78.171.146
>         rightcert=ucbu-aricent-vm31.cisco.com
>         rightrsasigkey=%cert
>         rightprotoport=tcp/0
>         rightid=""
>         type=transport
>         auth=esp
>         authby=rsasig
>         keyexchange=ike
>         keyingtries=%forever
>         rekey=yes
>         ike=aes256-sha2_256-modp1024
>         esp=aes256-sha2_256
>         ikelifetime=3600s
>         salifetime=3600s
>         pfs=no
>         auto=start
> 
> Core Backtrace :- 
> 
> Loaded symbols for /usr/lib64/libfreeblpriv3.so
> Reading symbols from /usr/lib64/libnssdbm3.so...(no debugging symbols found)...done.
> Loaded symbols for /usr/lib64/libnssdbm3.so
> Core was generated by `/usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /'.
> Program terminated with signal 6, Aborted.
> #0  0x00007fe93cde8495 in raise () from /lib64/libc.so.6
> (gdb) bt
> #0  0x00007fe93cde8495 in raise () from /lib64/libc.so.6
> #1  0x00007fe93cde9c75 in abort () from /lib64/libc.so.6
> #2  0x00007fe93eca58f1 in ?? ()
> #3  0x00007fe93eca5944 in passert_fail ()
> #4  0x00007fe93eca938f in ?? ()
> #5  0x00007fe93ec9aa2b in ?? ()
> #6  0x00007fe93ec9aacf in ?? ()
> #7  0x00007fe93ec9ae9a in ?? ()
> #8  0x00007fe93eca9bc8 in ?? ()
> #9  0x00007fe93ecdde3a in ?? ()
> #10 0x00007fe93ecacd5f in ?? ()
> #11 0x00007fe93ecaab7c in main ()
> (gdb) 
> 
> 
> ipsec startup command outputs:- 
> [root@msd policy]# ipsec auto --add 1015323275_x509
> [root@msd policy]# ipsec auto --up 1015323275_x509
> 117 "1015323275_x509" #5051: STATE_QUICK_I1: initiate
> 004 "1015323275_x509" #5051: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x52b4320a <0x4d1320b1 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=none DPD=none}
> [root@msd policy]#
> 
> Pluto cores after the connection has been established for a few minutes or hours.
> 
> NOTE: openswan is in FIPS mode.
> 
> Am I missing something here ??
> 
> Thanks,
> Madhan
> 
> 
> 