[Openswan Users] More bizarre ipsec problems; service ipsec stop hangs; random hosts offline; /var/log/secure going nuts...

Greg Scott GregScott at Infrasupport.com
Mon Jul 19 13:38:34 EDT 2010


Here is a third customer with a bizarre set of ipsec problems.  Both
sites are running Openswan 2.6.25 on either Fedora 12 or 13.   The left
side is named Audubon, right side named MN.

First problem - the interfaces are bridged on both sides.  Given
hindsight, maybe this wasn't such a good idea.  Anyway, device br0 in MN
has both a public and private IP Address.  If the public IP Address is
first, then ipsec seems to come up normally.  Well, maybe.  The MN site
had a power failure last night and they turned everything on today.  My
phone rang a while ago.  Looking at /var/log/messages, I saw dozens of
messages flying out every second like this:

Jul 19 11:34:44 audubon-fw1 pluto[1885]: "mn-hq" #198978: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #182609 {using isakmp#115214 msgid:77f84cf2 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jul 19 11:34:44 audubon-fw1 pluto[1885]: "mn-hq" #182608: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jul 19 11:34:44 audubon-fw1 pluto[1885]: "mn-hq" #182608: starting keying attempt 13 of an unlimited number
Jul 19 11:34:44 audubon-fw1 pluto[1885]: "mn-hq" #198979: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #182608 {using isakmp#115214 msgid:01145cae proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jul 19 11:34:44 audubon-fw1 pluto[1885]: "mn-hq" #182607: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jul 19 11:34:44 audubon-fw1 pluto[1885]: "mn-hq" #182607: starting keying attempt 13 of an unlimited number
Jul 19 11:34:44 audubon-fw1 pluto[1885]: "mn-hq" #198980: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #182607 {using isakmp#115214 msgid:bee017dd proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}

Good thing I intervened when I did - take a look at how big
/var/log/secure has grown on both sides:

[root at audubon-fw1 ~]# ls -al /var/log/secure
-rw-------. 1 root root 110850999 Jul 19 12:17 /var/log/secure

and

[root at MN-fw1 firewall-scripts]# ls -al /var/log/secure
-rw-------. 1 root root 5203737 Jul 19 12:17 /var/log/secure
[root at MN-fw1 firewall-scripts]#

Trying to restart ipsec at the audubon site hung.  This time I captured
some output and did date commands each time so you can see the hang.  I
eventually got it to shut down by killing some processes by hand.

[root at audubon-fw1 ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
^[[A^[[A
^C
[root at audubon-fw1 ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
^C
[root at audubon-fw1 ~]# date
Mon Jul 19 11:36:14 CDT 2010
[root at audubon-fw1 ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
^C
[root at audubon-fw1 ~]# date
Mon Jul 19 11:37:01 CDT 2010
[root at audubon-fw1 ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
^C
[root at audubon-fw1 ~]# date
Mon Jul 19 11:38:05 CDT 2010
[root at audubon-fw1 ~]# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...
^C
[root at audubon-fw1 ~]# sh -v /etc/rc.d/init.d/ipsec stop
#!/bin/sh
# IPsec startup and shutdown script
#
### BEGIN INIT INFO
# Provides:          openswan
# Required-Start:    $network $syslog $named
# Required-Stop:     $syslog
# Default-Start:
# Default-Stop:      0 1 6
# Short-Description: Start Openswan IPsec at boot time
# Description:       Enable automatic key management for IPsec (KLIPS and NETKEY)
### END INIT INFO
#
# Copyright (C) 1998, 1999, 2001  Henry Spencer.
# Copyright (C) 2002              Michael Richardson <mcr at freeswan.org>
# Copyright (C) 2006              Michael Richardson <mcr at xelerance.com>
# Copyright (C) 2008              Michael Richardson <mcr at sandelman.ca>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
#
# ipsec         init.d script for starting and stopping
#               the IPsec security subsystem (KLIPS and Pluto).
#
# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
# and is also accessible as "ipsec setup" (the preferred route for human
# invocation).
#
# The startup and shutdown times are a difficult compromise (in particular,
# it is almost impossible to reconcile them with the insanely early/late
# times of NFS filesystem startup/shutdown).  Startup is after startup of
# syslog and pcmcia support; shutdown is just before shutdown of syslog.
#
# chkconfig: - 47 76
# description: IPsec provides encrypted and authenticated communications; \
# KLIPS is the kernel half of it, Pluto is the user-level management daemon.

prog='ipsec setup'              # for messages

# where the private directory and the config files are
IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/libexec/ipsec}"
IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
IPSEC_CONFS="${IPSEC_CONFS-/etc}"

if [ `id -u` -ne 0 ]
    then
        echo "permission denied (must be superuser)" |
              logger -s -p daemon.error -t ipsec_setup 2>&1
        exit 4
fi
id -u

if test " $IPSEC_DIR" = " "     # if we were not called by the ipsec command
then
    # we must establish a suitable PATH ourselves
    PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
    export PATH

    IPSEC_DIR="$IPSEC_LIBDIR"
    export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
fi

# misc setup
umask 022

mkdir -p /var/run/pluto

RETVAL=0

start() {

    test -x $IPSEC_SBINDIR/ipsec || exit 5
    test -f /etc/ipsec.conf || exit 6

    # Pick up IPsec configuration (until we have done this, successfully, we
    # do not know where errors should go, hence the explicit "daemon.error"s.)
    # Note the "--export", which exports the variables created.
    variables=`ipsec addconn /etc/ipsec.conf --varprefix IPSEC --configsetup`
    eval $variables
    if [ $? != 0 ]
    then
         echo "Failed to parse config setup portion of ipsec.conf"
         exit $?
    fi

    IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
    export IPSEC_confreadsection

    IPSECsyslog=${IPSECsyslog-daemon.error}
    export IPSECsyslog

    # remove for: @cygwin_END@
    (
    ipsec _realsetup start
    RETVAL=$?
    ) 2>&1 | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
    return $RETVAL
}


stop() {
    IPSECsyslog=${IPSECsyslog-daemon.error}
    export IPSECsyslog
    (
    ipsec _realsetup stop
    RETVAL=$?
    ) 2>&1 | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
    return $RETVAL
}

restart() {
    stop
    start
}

condrestart() {
    test -x $IPSEC_SBINDIR/ipsec || exit 5
    ipsec _realsetup status || exit 0
    restart
}

status() {
    test -x $IPSEC_SBINDIR/ipsec || exit 5
    ipsec _realsetup status
    RETVAL=$?
    return $RETVAL
}

version() {
    ipsec version
    RETVAL=$?
    return $RETVAL
}


# do it
case "$1" in
    start|--start)
         start
         ;;
    stop|--stop)
         stop
         ;;
    restart|--restart)
         restart
         ;;
    reload|force-reload)
         restart
         ;;
    condrestart|try-restart)
         condrestart
         ;;
    status|--status)
         status
         ;;
    version)
         version
         ;;
    *)
         echo $"Usage: $prog {start|stop|restart|reload|force-reload|condrestart|try-restart|status|version}"
         RETVAL=2
esac

ipsec_setup: Stopping Openswan IPsec...
^C
[root at audubon-fw1 ~]# date
Mon Jul 19 11:39:28 CDT 2010
[root at audubon-fw1 ~]# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...
^C
[root at audubon-fw1 ~]# ps ax | grep ipsec
 1878 ?        S      0:00 /bin/sh /usr/libexec/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive  --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private oe=off --crlcheckinterval 0 --ocspuri  --nhelpers 0 --dump  --opts  --stderrlog --wait no --pre  --post  --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
 1879 ?        S      0:00 logger -s -p daemon.error -t ipsec__plutorun
 1882 ?        S      0:00 /bin/sh /usr/libexec/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive  --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private oe=off --crlcheckinterval 0 --ocspuri  --nhelpers 0 --dump  --opts  --stderrlog --wait no --pre  --post  --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
 1883 ?        S      0:00 /bin/sh /usr/libexec/ipsec/_plutoload --wait no --post
 1885 ?        R     91:59 /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --virtual_private oe=off --nhelpers 0
 4949 pts/0    S+     0:00 grep ipsec
[root at audubon-fw1 ~]# date
Mon Jul 19 11:40:21 CDT 2010
[root at audubon-fw1 ~]#
[root at audubon-fw1 ~]# kill -9 1878
[root at audubon-fw1 ~]# kill -9 1879
[root at audubon-fw1 ~]# kill -9 1882
[root at audubon-fw1 ~]# kill -9 1883
-bash: kill: (1883) - No such process
[root at audubon-fw1 ~]# kill -9 1885
[root at audubon-fw1 ~]# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Removing orphaned /var/run/pluto/pluto.pid:
[root at audubon-fw1 ~]#

But I'm not out of the woods yet.  After restarting ipsec on both sides,
Audubon can see some hosts on the MN side, but not all.  The Audubon LAN
is 10.0.0/24 and the MN LAN is 192.168.0/24.  Host 10.0.0.50 at the
Audubon site could ping MN host 192.168.0.52, but not the MN server at
192.168.0.1.   After restarting ipsec at the Audubon site again, now
Audubon can ping everything in the MN site.

But we're still not out of the woods.   Interface br0 has 2 IP Addresses
- a public and a private one.  Problem is, ipsec seems to only work when the
public IP Address is first in the list.  But this breaks dhcpd, which
wants the private IP Address first in the list.

Extremely frustrating - this has all worked reasonably well for years and
now every tunnel I build with the new version is unstable.  What broke?

Thanks

- Greg Scott
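The rekey storm in the pluto excerpt above (dozens of Quick Mode give-ups per second, keying attempt counters climbing, /var/log/secure growing past 100 MB) is the kind of condition worth alerting on before the disk fills. As an added example, not from the post or from Openswan, here is a small Python parser for that 2.6-era pluto log format; SAMPLE_LOG is the post's lines joined back onto one line each plus one constructed quiet line, and storm_threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Shape of a pluto syslog line as quoted in the post (Openswan 2.6.x).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
ATTEMPT_RE = re.compile(r'starting keying attempt (\d+) of')
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (\S+)\.')

# Constructed sample: the post's lines plus one constructed quiet line at
# 11:35:10 that must not be flagged.
SAMPLE_LOG = """\
Jul 19 11:34:44 audubon-fw1 pluto[1885]: "mn-hq" #198978: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #182609 {using isakmp#115214 msgid:77f84cf2 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jul 19 11:34:44 audubon-fw1 pluto[1885]: "mn-hq" #182608: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jul 19 11:34:44 audubon-fw1 pluto[1885]: "mn-hq" #182608: starting keying attempt 13 of an unlimited number
Jul 19 11:34:44 audubon-fw1 pluto[1885]: "mn-hq" #198979: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #182608 {using isakmp#115214 msgid:01145cae proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jul 19 11:34:44 audubon-fw1 pluto[1885]: "mn-hq" #182607: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jul 19 11:34:44 audubon-fw1 pluto[1885]: "mn-hq" #182607: starting keying attempt 13 of an unlimited number
Jul 19 11:34:44 audubon-fw1 pluto[1885]: "mn-hq" #198980: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #182607 {using isakmp#115214 msgid:bee017dd proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jul 19 11:35:10 audubon-fw1 pluto[1885]: "mn-hq" #198990: starting keying attempt 1 of an unlimited number
"""


def analyze(log_text, storm_threshold=2):
    """Summarise Quick Mode failures per connection; storm_threshold (assumed
    tuning knob) is how many retransmission give-ups for one connection in one
    second count as a rekey storm. The post saw dozens; the excerpt has two."""
    max_attempt = {}          # conn -> highest "keying attempt N" seen
    giveups = Counter()       # (conn, second) -> retransmission give-ups
    stuck_state = Counter()   # (conn, IKE state) -> give-ups in that state
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # not a pluto line; ignore
        conn, ts, msg = m['conn'], m['ts'], m['msg']
        a = ATTEMPT_RE.search(msg)
        if a:
            max_attempt[conn] = max(max_attempt.get(conn, 0), int(a.group(1)))
        r = RETRANS_RE.search(msg)
        if r:
            giveups[(conn, ts)] += 1
            stuck_state[(conn, r.group(2))] += 1
    storms = sorted(k for k, n in giveups.items() if n >= storm_threshold)
    return {'max_attempt': max_attempt, 'giveups': giveups,
            'stuck_state': stuck_state, 'storms': storms}


if __name__ == '__main__':
    print(analyze(SAMPLE_LOG)['storms'], analyze(SAMPLE_LOG)['max_attempt'])
```

Pointing it at a live file (`tail -F /var/log/secure`) and alerting on a non-empty storms list catches the "perhaps peer likes no proposal" loop long before the log reaches the sizes shown above.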
