<html><body><div style="color:#000; background-color:#fff; font-family:bookman old style, new york, times, serif;font-size:10pt"><div style="font-family: 'bookman old style', 'new york', times, serif; font-size: 10pt; "><span>Thanks Paul. That works. However, I see another issue. If I connect two linux boxes it works fine. Simiarly if I connect two windows boxes, it works fine. However, if I try to connect to a windows 2K8 box to a linux box, it does not work. Phase 1 and phase 2 SAs are both successfully established. But, when I telnet to windows box, the ESP packet reaches the windows box but there is not reply back. If I replace sha256 with sha1, it all works fine.</span></div><div style="font-family: 'bookman old style', 'new york', times, serif; font-size: 10pt; "><span><br></span></div><div style="font-family: 'bookman old style', 'new york', times, serif; font-size: 10pt; "><span>commands on windows to setup main mode and quick
mode:</span></div><div style="font-family: 'bookman old style', 'new york', times, serif; font-size: 10pt; "><span><br></span></div><div><span><font size="2"><div>C:\Users\Administrator>netsh advfirewall mainmode add rule name="test" endpoint1=10.1.3.18 endpoint2=any enable=yes profile=any type=static auth1=computerpsk auth1psk=secret mmsecmethods=dhgroup2:aes128-sha256</div><div><br></div><div><div>C:\Users\Administrator>netsh advfirewall consec add rule name="test" endpoint1=10.1.3.18 endpoint2=any action=requireinrequireout mode=transport enable=yes profile=any type=static protocol=tcp interfacetype=any auth1=computerpsk auth1psk=secret qmpfs=dhgroup2 qmsecmethods=esp:sha256-aes128 port1=any port2=23</div></div></font></span></div><div style="font-family: 'bookman old style', 'new york', times, serif; font-size: 10pt; "><span><br></span></div><div style="font-family: 'bookman old style', 'new york', times, serif; font-size: 10pt; ">On
linux, ipsec.conf:-</div><div><div><font size="2">conn test</font></div><div><font size="2"> type=transport</font></div><div><font size="2"> right=10.1.3.18</font></div><div><font size="2"> rightprotoport=tcp/any</font></div><div><font size="2"> left=10.1.2.48</font></div><div><font size="2"> leftprotoport=tcp/23</font></div><div><font size="2"> pfs=yes</font></div><div><font size="2"> phase2=esp</font></div><div><font size="2"> phase2alg=aes128-sha2_256;modp1024</font></div><div><font size="2"> ike=aes128-sha2_256;modp1024</font></div><div><font size="2"> authby=secret</font></div><div><font size="2"> auto=add</font></div></div><div style="font-family: 'bookman
old style', 'new york', times, serif; font-size: 10pt; "><span><br></span></div><div style="font-family: 'bookman old style', 'new york', times, serif; font-size: 10pt; "><span>Output of ipsec auto --up test</span></div><div style="font-family: 'bookman old style', 'new york', times, serif; font-size: 10pt; "><span><br></span></div><div><span><div><font size="2">104 "test" #1: STATE_MAIN_I1: initiate</font></div><div><font size="2">003 "test" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]</font></div><div><font size="2">003 "test" #1: received Vendor ID payload [RFC 3947] method set to=109 </font></div><div><font size="2">003 "test" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109</font></div><div><font size="2">003 "test" #1: ignoring Vendor ID payload [FRAGMENTATION]</font></div><div><font size="2">003 "test" #1: ignoring Vendor ID payload [MS-Negotiation Discovery
Capable]</font></div><div><font size="2">003 "test" #1: ignoring Vendor ID payload [IKE CGA version 1]</font></div><div><font size="2">106 "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2</font></div><div><font size="2">003 "test" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</font></div><div><font size="2">108 "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3</font></div><div><font size="2">004 "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=OAKLEY_SHA2_256 group=modp1024}</font></div><div><font size="2">117 "test" #2: STATE_QUICK_I1: initiate</font></div><div><font size="2">003 "test" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=26808dab</font></div><div><font size="2">004 "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xd7189d14 <0xf75f4f17 xfrm=AES_128-HMAC_SHA2_256 NATOA=none NATD=none
DPD=none}</font></div><div><font size="2">104 "test" #1: STATE_MAIN_I1: initiate</font></div><div><font size="2">003 "test" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]</font></div><div><font size="2">003 "test" #1: received Vendor ID payload [RFC 3947] method set to=109 </font></div><div><font size="2">003 "test" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109</font></div><div><font size="2">003 "test" #1: ignoring Vendor ID payload [FRAGMENTATION]</font></div><div><font size="2">003 "test" #1: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]</font></div><div><font size="2">003 "test" #1: ignoring Vendor ID payload [IKE CGA version 1]</font></div><div><font size="2">106 "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2</font></div><div><font size="2">003 "test" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</font></div><div><font
size="2">108 "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3</font></div><div><font size="2">004 "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=OAKLEY_SHA2_256 group=modp1024}</font></div><div><font size="2">117 "test" #2: STATE_QUICK_I1: initiate</font></div><div><font size="2">003 "test" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=bb7a6e24</font></div><div><font size="2">004 "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x0bbe8772 <0x4a76db0b xfrm=AES_128-HMAC_SHA2_256 NATOA=none NATD=none DPD=none}</font></div><div style="font-family: 'bookman old style', 'new york', times, serif; font-size: 10pt; "><br></div></span></div><div><font size="2">Is this a known issue? Is there any solution for this?</font></div><div style="font-family: 'bookman old style', 'new york', times, serif; font-size: 10pt; "> </div><div
style="font-family: 'bookman old style', 'new york', times, serif; font-size: 10pt; "><b><em> </em></b></div> <div style="font-size: 10pt; font-family: 'bookman old style', 'new york', times, serif; "> <div style="font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; "> <div dir="ltr"> <font size="2" face="Arial"> <hr size="1"> <b><span style="font-weight: bold;">Sent:</span></b> Thursday, February 2, 2012 8:18 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Openswan Users] pluto segfaults when using SHA2 256 hash<br> </font> </div> <br>
On Wed, 1 Feb 2012, Abhinav Bhagwat wrote:<br><br>> Hi when I use sha2 hash to connect using openswan 2.6.37 the pluto daemon<br>> seg faults with a message <br><br>> Am I missing something here or this is a bug?<br><br>It's a fixed bug, but we haven't had a release yet to fix it.<br><br>If you recompile with USE_EXTRACRYPTO=true set it will work properly.<br>Otherwise, see:<br><br>http://git.openswan.org/cgi-bin/cgit/openswan/commit/?id=33aea96b36ff282f64bc9cc2a69f89ffa908826c<br>http://git.openswan.org/cgi-bin/cgit/openswan/commit/?id=d9c6bad2e2ab5bdafc07cb948c8af85711076f67<br>http://git.openswan.org/cgi-bin/cgit/openswan/commit/?id=3203cd13660e0e5f09c83fb4343cf784a42c6192<br><br>We will try to get a release out next week.<br><br>Paul<br><br><br> </div> </div> </div></body></html>