[Openswan Users] Pluto crash problem

Andy Gay andy at andynet.net
Mon Aug 14 05:06:41 EDT 2006


On Mon, 2006-08-14 at 14:49 +0800, Shinping Chen wrote:
> Hi all,
> 
> I use Openswan 2.4.4 on Debian Linux with kernel 2.6.13,
> but when I use the ipsec verify command
> I get these messages.
> 
> # ipsec verify
>  Checking your system to see if IPsec got installed and started
> correctly: 
>  Version check and ipsec on-path                                 [OK]
>  Linux Openswan U2.4.4/K2.6.13(netkey)
>  Checking for IPsec support in kernel                            [OK]
>  Checking for RSA private key (/etc/ipsec.secrets)               [OK] 
> Checking that pluto is running
>  [FAILED]
> whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl"
> failed (146 Connection refused)
>  Checking for 'ip' command
> [FAILED]

You need to install the iproute package.
I don't think that's causing this problem, but without it you'll have
other problems later.

> Checking for 'iptables' command                                 [OK] 
> Checking for 'setkey' command for NETKEY IPsec stack support
> [FAILED]
> Opportunistic Encryption Support
> [DISABLED]
> 
> I checked /var/log/auth.log and found these logs
> (It's quite a long message)
> 
> Aug 13 17:48:01 localhost ipsec__plutorun: Starting Pluto subsystem...
> Aug 13 17:48:03 localhost pluto[918]: Starting Pluto (Openswan Version
> 2.4.4 X.509-1.5.4 PL
> UTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e) 
> Aug 13 17:48:04 localhost pluto[918]: Setting NAT-Traversal port-4500
> floating to off
> Aug 13 17:48:04 localhost pluto[918]:    port floating activation
> criteria nat_t=0/port_fload=1
> Aug 13 17:48:04 localhost pluto[918]:   including NAT-Traversal patch
> (Version 0.6c) [disabled]
>> In Fedora Core 4, I got the same log message; I think that isn't a problem

Correct.

> 
> Aug 13 17:48:05 localhost pluto[918]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Aug 13 17:48:05 localhost pluto[918]: starting up 1 cryptographic
> helpers 
> Aug 13 17:48:05 localhost pluto[918]: started helper pid=923 (fd:6)
> Aug 13 17:48:05 localhost pluto[918]: Using Linux 2.6 IPsec interface
> code on 2.6.13.5

Did you compile this kernel yourself?

> Aug 13 17:48:05 localhost pluto[918]: ASSERTION FAILED at
> kernel_alg.c:264: buflen>0 

This is the problem. It may indicate that some crypto algorithms are not
available in the kernel. If you compiled the kernel yourself, check that
the options for des, aes, md5 and sha are all enabled. If you compiled
them as modules, make sure the modules are loaded before you start
Openswan.

You could also try a more recent Openswan. 2.4.6 is the latest. The
startup scripts should take care of module loading; that may work better
in more recent versions.

You also need to check that all the necessary IPsec options are enabled in
the kernel config. As you're using Debian, I'd recommend you try
installing a current Debian kernel package.
 

> Aug 13 17:48:05 localhost pluto[918]: %myid = (none)
> Aug 13 17:48:05 localhost pluto[918]: debug none
>> I guess the problem is here, but I don't know how to solve this problem
> 
> Aug 13 17:48:05 localhost pluto[918]:
> Aug 13 17:48:06 localhost pluto[918]:
> Aug 13 17:48:06 localhost pluto[918]: algorithm IKE encrypt: id=5,
> name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> Aug 13 17:48:06 localhost pluto[918]: algorithm IKE encrypt: id=7,
> name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 
> Aug 13 17:48:07 localhost pluto[918]: algorithm IKE hash: id=1,
> name=OAKLEY_MD5, hashsize=16
> Aug 13 17:48:07 localhost pluto[918]: algorithm IKE hash: id=2,
> name=OAKLEY_SHA1, hashsize=20
> Aug 13 17:48:07 localhost pluto[918]: algorithm IKE dh group: id=2,
> name=OAKLEY_GROUP_MODP1024, bits=1024 
> Aug 13 17:48:07 localhost pluto[918]: algorithm IKE dh group: id=5,
> name=OAKLEY_GROUP_MODP1536, bits=1536
> Aug 13 17:48:07 localhost pluto[918]: algorithm IKE dh group: id=14,
> name=OAKLEY_GROUP_MODP2048, bits=2048
> Aug 13 17:48:07 localhost pluto[918]: algorithm IKE dh group: id=15,
> name=OAKLEY_GROUP_MODP3072, bits=3072
> Aug 13 17:48:07 localhost pluto[918]: algorithm IKE dh group: id=16,
> name=OAKLEY_GROUP_MODP4096, bits=4096
> Aug 13 17:48:07 localhost pluto[918]: algorithm IKE dh group: id=17,
> name=OAKLEY_GROUP_MODP6144, bits=6144 
> Aug 13 17:48:07 localhost pluto[918]: algorithm IKE dh group: id=18,
> name=OAKLEY_GROUP_MODP8192, bits=8192
> Aug 13 17:48:08 localhost pluto[918]:
> Aug 13 17:48:08 localhost pluto[918]: stats db_ops.c: {curr_cnt,
> total_cnt, maxsz} :context 
> ={0,0,0} trans={0,0,0} attrs={0,0,0}
> Aug 13 17:48:08 localhost pluto[918]:
> Aug 13 17:48:08 localhost last message repeated 2 times
> Aug 13 17:48:22 localhost ipsec__plutorun: Restarting Pluto
> subsystem...
> 
> so Pluto can't start successfully
> 
> 
> Thanks for your help
> -- 
> Shinping Chen 
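
Added example (not part of the original post and not Openswan code): a shell check for the point made in the reply above, that the assertion may mean crypto algorithms are not available in the kernel. It lists which required algorithms a /proc/crypto-style file does not register; the kernel algorithm names chosen for "des, aes, md5 and sha" and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report kernel crypto algorithms that are missing from a
# /proc/crypto-style listing before Openswan is started.

# Assumption: kernel crypto API names standing in for the reply's
# "des, aes, md5 and sha".
REQUIRED_ALGS="des des3_ede aes md5 sha1"

# registered_algs FILE: print each registered algorithm name once.
registered_algs() {
    awk -F: '$1 ~ /^name[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }' "$1" | sort -u
}

# missing_algs FILE: print the required names FILE does not register.
# Names are compared exactly, so "cbc(aes)" does not count as "aes".
missing_algs() {
    have=$(registered_algs "$1")
    missing=""
    for alg in $REQUIRED_ALGS; do
        printf '%s\n' "$have" | grep -qxF "$alg" || missing="$missing $alg"
    done
    printf '%s' "${missing# }"
}

# write_sample FILE: constructed listing (not from the poster's machine)
# in which des3_ede and sha1 are absent, e.g. modules not yet loaded.
write_sample() {
    cat > "$1" <<'EOF'
name         : md5
module       : kernel
type         : digest

name         : des
module       : des
type         : cipher

name         : aes
module       : aes_i586
type         : cipher
EOF
}

# With no argument, check the constructed sample; otherwise check the
# given file, normally /proc/crypto on the IPsec gateway.
list=${1:-}
if [ -z "$list" ]; then
    list=$(mktemp) && write_sample "$list"
fi
echo "missing kernel algorithms: $(missing_algs "$list")"
```

On the gateway, pass /proc/crypto as the argument; any name it reports is one to enable in the kernel config or load as a module before starting Openswan.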


