[Openswan dev] fairly bogus conn causes openswan-2.0.0 (and sfs-1.9x) assertion failed

Paul Wouters paul at xtdnet.nl
Fri Jan 23 15:13:49 CET 2004


It's hard to barf, since it stops right away, but here is the conn and the logs:

conn robertjc-paul
        left=80.126.230.84
        leftnexthop=195.190.244.80
        leftsubnet=10.20.30.0/24
        right=194.109.161.130
        rightsubnet=10.10.20.0/24
        auto=start
        authby=secret
        pfs=no
        auth=esp
        keyingtries=1

Note that this is probably a relic of a conn definition. This machine also does pptp,
so it has an ether to the ADSL modem:

10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1

Which obviously interferes with the rightsubnet above. I believe I might have changed
the above route to a mask of /24 in the past when trying to use this conn with nat-t.

Anyway, the ASSERTION in ipsec_doi should probably be handled a bit better.

Paul


Jan 23 07:02:41 nsavax ipsec__plutorun: Restarting Pluto subsystem...
Jan 23 07:02:41 nsavax pluto[11476]: Starting Pluto (FreeS/WAN Version openswan-2.0.0 X.509-1.4.8 PLUTO_USES_KEYRR)
Jan 23 07:02:41 nsavax pluto[11476]: Using KLIPS IPsec interface code
Jan 23 07:02:41 nsavax pluto[11476]: Changing to directory '/etc/ipsec.d/cacerts'
Jan 23 07:02:41 nsavax pluto[11476]:   Warning: empty directory
Jan 23 07:02:41 nsavax pluto[11476]: Changing to directory '/etc/ipsec.d/crls'
Jan 23 07:02:41 nsavax pluto[11476]:   Warning: empty directory
Jan 23 07:02:41 nsavax pluto[11476]: added connection description "amsterdam-ottawa"
Jan 23 07:02:41 nsavax pluto[11476]: added connection description "robertjc-paul"
Jan 23 07:02:42 nsavax pluto[11476]: added connection description "amsterdam-edinborough"
Jan 23 07:02:42 nsavax pluto[11476]: added connection description "amsterdam-bagheera"
Jan 23 07:02:43 nsavax pluto[11476]: added connection description "amsterdam-toronto"
Jan 23 07:02:43 nsavax pluto[11476]: added connection description "peace-extrude"
Jan 23 07:02:43 nsavax pluto[11476]: listening for IKE messages
Jan 23 07:02:43 nsavax pluto[11476]: adding interface ipsec1/ppp0 80.126.230.84
Jan 23 07:02:43 nsavax pluto[11476]: adding interface ipsec0/eth0 193.110.157.30
Jan 23 07:02:43 nsavax pluto[11476]: loading secrets from "/etc/ipsec.secrets"
Jan 23 07:02:44 nsavax pluto[11476]: "amsterdam-ottawa" #1: initiating Main Mode
Jan 23 07:02:44 nsavax pluto[11476]: "robertjc-paul" #2: initiating Main Mode
Jan 23 07:02:44 nsavax pluto[11476]: "amsterdam-edinborough" #3: initiating Main Mode
Jan 23 07:02:44 nsavax pluto[11476]: "amsterdam-bagheera" #4: initiating Main Mode
Jan 23 07:02:44 nsavax pluto[11476]: "amsterdam-bagheera" #4: ERROR: asynchronous network error report on ppp0 for message to 194.109.240.22 port 500, complainant 194.109.240.22: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jan 23 07:02:45 nsavax pluto[11476]: "amsterdam-toronto" #5: initiating Main Mode
Jan 23 07:02:45 nsavax pluto[11476]: "peace-extrude" #6: initiating Main Mode
Jan 23 07:02:45 nsavax pluto[11476]: "amsterdam-edinborough" #3: Peer ID is ID_IPV4_ADDR: '81.2.117.203'
Jan 23 07:02:45 nsavax pluto[11476]: "amsterdam-edinborough" #3: ISAKMP SA established
Jan 23 07:02:45 nsavax pluto[11476]: "amsterdam-edinborough" #7: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3}
Jan 23 07:02:45 nsavax pluto[11476]: "peace-extrude" #6: Peer ID is ID_IPV4_ADDR: '213.136.9.110'
Jan 23 07:02:45 nsavax pluto[11476]: "peace-extrude" #6: ISAKMP SA established
Jan 23 07:02:45 nsavax pluto[11476]: "peace-extrude" #8: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#6}
Jan 23 07:02:45 nsavax pluto[11476]: "peace-extrude" #9: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#6}
Jan 23 07:02:45 nsavax pluto[11476]: "amsterdam-edinborough" #7: sent QI2, IPsec SA established {ESP=>0x5170466f <0xc52d6cc2}
Jan 23 07:02:45 nsavax pluto[11476]: "peace-extrude" #8: sent QI2, IPsec SA established {ESP=>0x44f8cffb <0xc52d6cc3}
Jan 23 07:02:45 nsavax pluto[11476]: "peace-extrude" #9: sent QI2, IPsec SA established {ESP=>0x44f8cffc <0xc52d6cc4}
Jan 23 07:02:48 nsavax pluto[11476]: "peace-extrude" #6: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x44f8b1ad) not found (maybe expired)
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #2: Peer ID is ID_IPV4_ADDR: '194.109.161.130'
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #2: ISAKMP SA established
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#2}
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: ASSERTION FAILED at ipsec_doi.c:1998: (st)->st_new_iv_len < sizeof((st)->st_new_iv)
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: interface ipsec0/eth0 193.110.157.30
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: interface ipsec1/ppp0 80.126.230.84
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: %myid = (none)
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: debug none
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10:
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-bagheera": 193.110.157.16/28===80.126.230.84---195.190.244.80...194.109.240.22[@bagheera.xs4all.nl]===192.168.0.0/24; prospective erouted; eroute owner: #0
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-bagheera":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-bagheera":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 28,24; interface: ppp0;
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-bagheera":   newest ISAKMP SA: #0; newest IPsec SA: #0;
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-edinborough": 193.110.157.16/28===80.126.230.84---195.190.244.80...81.2.117.203; erouted; eroute owner: #7
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-edinborough":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-edinborough":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 28,32; interface: ppp0;
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-edinborough":   newest ISAKMP SA: #3; newest IPsec SA: #7;
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-ottawa": 193.110.157.16/28===80.126.230.84---195.190.244.80...205.150.200.134===205.150.200.160/28; prospective erouted; eroute owner: #0
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-ottawa":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-ottawa":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 28,28; interface: ppp0;
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-ottawa":   newest ISAKMP SA: #0; newest IPsec SA: #0;
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-toronto": 193.110.157.30/32===80.126.230.84[@amsterdam.xelerance.com]---195.190.244.80...24.141.217.143[@toronto.xelerance.com]===159.18.124.249/32; prospective erouted; eroute owner: #0
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-toronto":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-toronto":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: ppp0;
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "amsterdam-toronto":   newest ISAKMP SA: #0; newest IPsec SA: #0;
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "peace-extrude": 193.110.157.16/28===80.126.230.84---195.190.244.80...213.136.9.110===0.0.0.0/0; erouted; eroute owner: #9
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "peace-extrude":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "peace-extrude":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 0,28; interface: ppp0;
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "peace-extrude":   newest ISAKMP SA: #6; newest IPsec SA: #9;
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "robertjc-paul": 10.20.30.0/24===80.126.230.84---195.190.244.80...194.109.161.130===10.10.20.0/24; prospective erouted; eroute owner: #0
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "robertjc-paul":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "robertjc-paul":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: ppp0;
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: "robertjc-paul":   newest ISAKMP SA: #2; newest IPsec SA: #0;
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10:
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #4: "amsterdam-bagheera" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 6s
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #4: pending Phase 2 for "amsterdam-bagheera" replacing #0
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #7: "amsterdam-edinborough" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28142s; newest IPSEC; eroute owner
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #7: "amsterdam-edinborough" esp.5170466f at 81.2.117.203 esp.c52d6cc2 at 80.126.230.84 tun.1002 at 81.2.117.203 tun.1001 at 80.126.230.84
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #3: "amsterdam-edinborough" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3018s; newest ISAKMP
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #1: "amsterdam-ottawa" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 6s
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #1: pending Phase 2 for "amsterdam-ottawa" replacing #0
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #5: "amsterdam-toronto" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 7s
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #5: pending Phase 2 for "amsterdam-toronto" replacing #0
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #9: "peace-extrude" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27795s; newest IPSEC; eroute owner
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #9: "peace-extrude" esp.44f8cffc at 213.136.9.110 esp.c52d6cc4 at 80.126.230.84 tun.1006 at 213.136.9.110 tun.1005 at 80.126.230.84
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #8: "peace-extrude" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27958s
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #8: "peace-extrude" esp.44f8cffb at 213.136.9.110 esp.c52d6cc3 at 80.126.230.84 tun.1004 at 213.136.9.110 tun.1003 at 80.126.230.84
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #6: "peace-extrude" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2834s; newest ISAKMP
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #10: "robertjc-paul" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_SO_DISCARD in 0s
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #2: "robertjc-paul" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2955s; newest ISAKMP
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10: #2: pending Phase 2 for "robertjc-paul" replacing #0
Jan 23 07:02:48 nsavax pluto[11476]: "robertjc-paul" #10:
Jan 23 07:02:50 nsavax ipsec__plutorun: Starting Pluto subsystem...
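
The clash described in the post, a local route on a non-tunnel device covering the conn's remote subnet, can be checked before Pluto loads the conn. The following is an added example, not part of the original post and not Openswan code; the function names are hypothetical, `left` is assumed to be the local side (80.126.230.84 is on ppp0 in the logs), and tunnel devices are assumed to be named `ipsec*` as with KLIPS.

```python
import ipaddress

# Constructed input: the conn and the single route line quoted in the post.
CONN_TEXT = """\
conn robertjc-paul
        left=80.126.230.84
        leftsubnet=10.20.30.0/24
        right=194.109.161.130
        rightsubnet=10.10.20.0/24
"""
ROUTE_TEXT = "10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1\n"

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None  # keys under "config setup" belong to no conn
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def parse_routes(text):
    """Return [(network, iface)] from `route -n` style rows."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
            iface = f[7]
        except (ValueError, IndexError):
            continue  # header or malformed row
        if net.prefixlen > 0:  # the default route overlaps everything; skip it
            routes.append((net, iface))
    return routes

def find_conflicts(conn_text, route_text, local="left", tunnel_prefix="ipsec"):
    """Routes on non-tunnel devices that overlap a conn's remote subnet."""
    remote_key = ("right" if local == "left" else "left") + "subnet"
    routes = [r for r in parse_routes(route_text) if not r[1].startswith(tunnel_prefix)]
    hits = []
    for name, opts in parse_conns(conn_text).items():
        if remote_key in opts:
            subnet = ipaddress.ip_network(opts[remote_key], strict=False)
            hits += [(name, remote_key, str(subnet), str(net), dev) for net, dev in routes
                     if net.version == subnet.version and subnet.overlaps(net)]
    return hits
```

On the post's data this reports the eth1 route 10.0.0.0/8 against rightsubnet 10.10.20.0/24; with the route narrowed to a /24 mask, as the post says was done in the past, it reports nothing.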



