<div dir="ltr"><div>I am also seeing the following in ipsec.log now:<br><br>"test" #1: ERROR: asynchronous network error report on bond0.3 (sport=500) for message to 192.168.165.74 port 500, complainant 192.168.165.74: No route to host [errno 113, origin ICMP type 3 code 10 (not authenticated)]<br>
<br><br></div>Alan<br><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Aug 19, 2014 at 1:40 PM, Alan Chester <span dir="ltr"><<a href="mailto:amcheste@gmail.com" target="_blank">amcheste@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Hello,<br><br></div>I am currently seeing an issue with pluto core dumping when using IKEv2. I am using openswan version 2.6.41. <br>
<br></div>Here is my current setup; please let me know if I have something configured incorrectly:<br>
<br><br><div><div># /etc/ipsec.conf - Openswan IPsec configuration file<br>#<br># Manual: ipsec.conf.5<br>#<br># Please place your own config files in /etc/ipsec.d/ ending in .conf<br><br>version 2.0 # conforms to second version of ipsec.conf specification<br>
<br># basic configuration<br>config setup<br> # Debug-logging controls: "none" for (almost) none, "all" for lots.<br> # klipsdebug=none<br> # plutodebug="control parsing"<br>
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey<br> protostack=netkey<br> nat_traversal=yes<br> virtual_private=<br> oe=off<br> plutostderrlog=/var/log/ipsec.log<br>
dumpdir=/var/TKLC/core<br> plutorestartoncrash=no<br> # Enable this if you see "failed to find any available worker"<br> # nhelpers=0<br><br>#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.<br>
include /etc/ipsec.d/*.conf<br><br><br></div><div>Box A:<br>From test.conf:<br>conn test<br> left=192.168.165.70<br> pfs=yes<br> keylife=15m<br> ikev2=yes<br> authby=secret<br> right=192.168.165.74<br> auto=start<br>
type=tunnel<br> ike=aes128-sha1;modp2048<br> phase2alg=aes128-sha1<br><br></div><div>Box B:<br></div><div>From test.conf:<br>conn test<br> left=192.168.165.74<br> pfs=yes<br> keylife=15m<br> ikev2=yes<br> authby=secret<br>
right=192.168.165.70<br> auto=start<br> type=tunnel<br> ike=aes128-sha1;modp2048<br> phase2alg=aes128-sha1<br><br></div><div>The connection will successfully come up and function for a while but eventually pluto will core dump. I notice the failure faster the lower my keylife is.<br>
</div><div><br clear="all"></div><div><div>I noticed the following in /var/log/messages:<br>Aug 17 04:18:20 localhost ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-431.17.1.el6prerel7.0.0.0.0_86.7.0.x86_64...<br>Aug 17 04:18:20 localhost ipsec_setup: Using NETKEY(XFRM) stack<br>
Aug 17 04:18:20 localhost kernel: padlock: VIA PadLock not detected.<br>Aug 17 04:18:20 localhost kernel: padlock: VIA PadLock Hash Engine not detected.<br>Aug 17 04:18:20 localhost kernel: padlock: VIA PadLock not detected.<br>
Aug 17 04:18:20 localhost ipsec_setup: ...Openswan IPsec started<br>Aug 17 04:18:20 localhost pluto: adjusting ipsec.d to /etc/ipsec.d<br>Aug 17 04:18:21 localhost ipsec__plutorun: 002 added connection description "test"<br>
Aug 17 04:18:21 localhost ipsec__plutorun: 133 "test" #1: STATE_PARENT_I1: initiate<br>Aug 17 04:27:06 localhost rsyslogd: -- MARK --<br>Aug 17 04:42:06 localhost rsyslogd: -- MARK --<br>Aug 17 04:57:06 localhost rsyslogd: -- MARK --<br>
Aug 17 05:12:06 localhost rsyslogd: -- MARK --<br>Aug 17 05:14:25 localhost kernel: pluto[5829]: segfault at 0 ip 00007f87e7f0e676 sp 00007fffdb0aa3c0 error 4 in pluto[7f87e7ea3000+fd000]<br>Aug 17 05:14:25 localhost ipsec__plutorun: /usr/libexec/ipsec/_plutorun: line 250: 5829 Segmentation fault /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --virtual_private oe=off --stderrlog 2>> /var/log/ipsec.log<br>
Aug 17 05:14:25 localhost ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)<br>Aug 17 05:14:25 localhost ipsec__plutorun: restarting IPsec after pause...<br>Aug 17 05:14:35 localhost ipsec_setup: Stopping Openswan IPsec...<br>
Aug 17 05:14:35 localhost ipsec_setup: Removing orphaned /var/run/pluto/pluto.pid:<br>Aug 17 05:14:35 localhost ipsec_setup: ...Openswan IPsec stopped<br><br></div><div>The following is from /var/log/ipsec:<br>...<br>"test" #1: initiating v2 parent SA<br>
"test" #1: transition from state STATE_IKEv2_START to state STATE_PARENT_I1<br>"test" #1: STATE_PARENT_I1: sent v2I1, expected v2R1<br>"test" #2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2<br>
"test" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp2048}<br>| found connection: test<br>"test" #3: transition from state STATE_IKEv2_START to state STATE_PARENT_R1<br>
"test" #3: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp2048}<br>"test" #3: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.168.165.70'<br>
| CHILD SA proposals received<br>"test" #3: PAUL: this is where we have to check the TSi/TSr<br>| printing contents struct traffic_selector<br>| ts_type: IKEv2_TS_IPV4_ADDR_RANGE<br>| ipprotoid: 0<br>| startport: 0<br>
| endport: 65535<br>| ip low: 192.168.165.74<br>| ip high: 192.168.165.74<br>| printing contents struct traffic_selector<br>| ts_type: IKEv2_TS_IPV4_ADDR_RANGE<br>| ipprotoid: 0<br>| startport: 0<br>| endport: 65535<br>
| ip low: 192.168.165.70<br>| ip high: 192.168.165.70<br>"test" #4: transition from state STATE_PARENT_R1 to state STATE_PARENT_R2<br>"test" #4: negotiated tunnel [192.168.165.74,192.168.165.74:0-65535 0] -> [192.168.165.70,192.168.165.70:0-65535 0]<br>
"test" #4: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP=>0x14aeeb9a <0x36b9246b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<br>| releasing whack for #4 (sock=-1)<br>| releasing whack for #3 (sock=-1)<br>
"test" #5: initiating Main Mode<br>pluto_crypto_helper: helper (2) is normal exiting<br>...<br><br></div><div>The following backtrace was created from the core file:<br><br></div><div>Core file created at UTC: 1408373805.<br>
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<br>[New Thread 5708]<br>[Thread debugging using libthread_db enabled]<br>
Core was generated by `/usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /'.<br>Program terminated with signal 11, Segmentation fault.<br>#0 0x00007fd4bd53e311 in oakley_alg_makedb (ai=<value optimized out>, base=0x7fd4bd7c8620, maxtrans=-1) at /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_struct.c:191<br>
191 /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_struct.c: No such file or directory.<br> in /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_struct.c<br>
<br>Thread 1 (Thread 0x7fd4bd4cb700 (LWP 5708)):<br>#0 0x00007fd4bd53e311 in oakley_alg_makedb (ai=<value optimized out>, base=0x7fd4bd7c8620, maxtrans=-1) at /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_struct.c:191<br>
hash = <value optimized out><br> auth = 0x7fd4bdd5a3d0<br> grp = <value optimized out><br> enc = <value optimized out><br> enc_keylen = <value optimized out><br>
new_auth = <value optimized out><br> trans = 0x7fd4bdd5a3a0<br> prop = 0x7fd4bdd5a380<br> cprop = 0x7fd4bdd5c540<br> gsp = <value optimized out><br> emp_sp = 0x7fd4bdd5a350<br>
ike_info = <value optimized out><br> ealg = 7<br> halg = 2<br> modp = <value optimized out><br> eklen = <value optimized out><br> last_modp = <value optimized out><br>
wrong_modp = <value optimized out><br> enc_desc = <value optimized out><br> transcnt = <value optimized out><br> i = <value optimized out><br>#1 0x00007fd4bd5418cf in out_sa (outs=0x7fff24fcdb08, sadb=0x7fd4bd7c8620, st=0x7fd4bdd5d420, oakley_mode=1, aggressive_mode=<value optimized out>, np=13 '\r') at /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_v1_struct.c:259<br>
sa_pbs = {container = 0x7fff24fce76c, desc = 0x7fff24fcdb08, name = 0x7fff24fce750 "\257\264\017Q\372\312R\306", start = 0x0, cur = 0x53f2142d <Address 0x53f2142d out of bounds>, roof = 0x0, lenfld = 0x7fd4bd7e27a0 "", lenfld_desc = 0x7fd4bd7c33d0}<br>
pcn = <value optimized out><br> ret = 0<br> ah_spi_generated = 0<br> esp_spi_generated = 0<br> ipcomp_cpi_generated = 0<br> revised_sadb = <value optimized out><br>#2 0x00007fd4bd515243 in main_outI1 (whack_sock=<value optimized out>, c=0x7fd4bdd56f60, predecessor=0x0, policy=<value optimized out>, try=140551688890300, importance=<value optimized out>) at /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/ikev1_main.c:192<br>
sa_start = 0x7fd4bd7d27bc "$"<br> np = 13<br> st = 0x7fd4bdd5d420<br>#3 0x00007fd4bd50a98b in handle_next_timer_event () at /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/timer.c:584<br>
c = <value optimized out><br> newest = <value optimized out><br> ev = 0x7fd4bdd5c990<br> tm = 1408373805<br> type = 5<br> st = 0x7fd4bdd5ca90<br>#4 0x00007fd4bd50ad7a in handle_timer_event () at /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/timer.c:435<br>
tm = <value optimized out><br> ev = <value optimized out><br> type = 5<br>#5 0x00007fd4bd5088e1 in call_server () at /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/server.c:806<br>
readfds = {__osfds_bits = {0 <repeats 128 times>}}<br> writefds = {__osfds_bits = {0 <repeats 128 times>}}<br> ndes = <value optimized out><br> ifp = <value optimized out><br>
#6 0x00007fd4bd50567a in main (argc=12, argv=0x7fff24fcf488) at /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/plutomain.c:1110<br> fork_desired = <value optimized out><br> lockfd = -1119045976<br>
ocspuri = 0x0<br> nhelpers = -1<br> coredir = <value optimized out><br> oco = 0x7fd4bd7d22a0<br> nat_traversal = 1<br> nat_t_spf = 1<br> keep_alive = 0<br> force_keepalive = 0<br>
virtual_private = 0x7fff24fd0c56 "oe=off"<br><br></div><div>Is there something wrong with my configuration? I am just passing ICMP traffic. I do not notice this area with IKEv1.<span class="HOEnZb"><font color="#888888"><br>
<br><br></font></span></div><span class="HOEnZb"><font color="#888888"><div>Alan<br>
</div><br></font></span></div></div></div>
</blockquote></div><br><br clear="all"><br>-- <br>Alan Chester
</div>