[Openswan dev] XAUTH Code for "Domain"

Michael H. Warfield mhw at WittsEnd.com
Tue Jul 5 19:59:31 EDT 2011


On Tue, 2011-07-05 at 19:39 -0400, Paul Wouters wrote: 
> On Tue, 5 Jul 2011, Michael H. Warfield wrote:
> 
> >> Is this past the authentication step? Can you trust that message?
> >
> > Yes, it's post auth.  We're all the way into the first couple of
> > quick-mode steps setting up the SA for ESP when it fails.

> Oki.

> >> Also, what other alternatives do we have then to keep on trying? If this
> >> is a misconfiguration on the remote end, we're better left trying and
> >> perhaps they will fix their end.
> >
> > I don't see we have any alternatives unless we want to try and implement
> > heuristics

> that's why we just keep trying the same thing, and hope the other "gets fixed".

> > in what to try and that wouldn't make sense.  Seems like it's
> > a misconfiguration on our end but, for the life of me, I can't see what it
> > is.
> >
> > There's something broken in the phase 2 transaction I'm not
> > understanding.  I see vpnc is negotiating a phase 2 of AES w/ 256 and
> > SHA1 without a problem and that's in our proposition list.  I now have 1
> > ASA that works with us and 3 that refuse to cooperate with the same
> > configurations and all 4 work with vpnc.
> 
> Make sure you have the right modp. Sometimes Cisco does not like some phase1
> thing, but will only silently fail later on. Perhaps you need modp1024 or modp1536
> instead of modp2048?

Been using modp1024 and that's what vpnc settles on.  But, isn't modp
just phase1 for the initial IKE key exchanges?

If it is both phase1 and phase 2, we've got another problem.  As soon as
I list more than one proposal in the phase2alg= param that has modp
parameters the libraries are hurling stack smashing hunks at me...

With:

phase2alg=aes256-sha1;modp1024,aes256-md5;modp1024,aes192-sha1;modp1024,aes192-md5;modp1024,aes128-sha1;modp1024

[root at canyon ipsec.d]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec... 
ipsec_setup: Starting Openswan IPsec U2.6.34/K2.6.35.13-92.fc14.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root at canyon ipsec.d]# *** stack smashing detected ***: /usr/libexec/ipsec/pluto terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fe95e7b0127]
/lib64/libc.so.6(__fortify_fail+0x0)[0x7fe95e7b00f0]
/usr/libexec/ipsec/pluto(+0x85032)[0x7fe95ff3b032]
/usr/libexec/ipsec/pluto(+0x8511c)[0x7fe95ff3b11c]
/usr/libexec/ipsec/pluto(+0x860e7)[0x7fe95ff3c0e7]
/usr/libexec/ipsec/pluto(+0x1af4d)[0x7fe95fed0f4d]
/usr/libexec/ipsec/pluto(+0x572b6)[0x7fe95ff0d2b6]
/usr/libexec/ipsec/pluto(+0x57d21)[0x7fe95ff0dd21]
/usr/libexec/ipsec/pluto(+0x2d4ea)[0x7fe95fee34ea]
/usr/libexec/ipsec/pluto(main+0x708)[0x7fe95fee00d8]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7fe95e6d4e5d]
/usr/libexec/ipsec/pluto(+0x18499)[0x7fe95fece499]
======= Memory map: ========

Yeah, I know...  All that cruft is in the libnss stuff.  Don't get me
started.  I'm giving THAT the Scarlett O'Hara treatment (Gone With The
Wind) and saying I'll worry about THAT tomorrow.

If I don't specify any modp params to phase2 I can load'm up.  But...
Maybe it's not doing anything and not telling me?

I can rebuild without the nss stuff and cut that out of the confusion
factor as well.

> Paul

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
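As an added illustration (not code from this thread or from Openswan), a small Python lint for the phase2alg= syntax quoted above: it parses each proposal, reports mixed DH groups, flags the multiple-modp case the thread says crashes pluto, and compares against the phase 1 group. The grammar, the phase1_group parameter and the warning texts are the example's own assumptions.

```python
import re

# Constructed sample: the phase2alg= value quoted in the thread.
SAMPLE = ("aes256-sha1;modp1024,aes256-md5;modp1024,aes192-sha1;modp1024,"
          "aes192-md5;modp1024,aes128-sha1;modp1024")

# Assumed grammar (hypothetical checker, not Openswan's own parser):
# "<enc>-<auth>" with an optional ";modpNNNN" DH group, comma-separated.
_PROPOSAL_RE = re.compile(r"^([a-z0-9_]+)-([a-z0-9_]+)(?:;(modp\d+))?$")


def parse_phase2alg(value):
    """Split a phase2alg= value into (enc, auth, group) tuples; group is None
    when the proposal carries no modp suffix. Raises ValueError on bad syntax
    so a typo is caught before the daemon ever sees the string."""
    proposals = []
    for raw in value.split(","):
        token = raw.strip()
        m = _PROPOSAL_RE.match(token)
        if m is None:
            raise ValueError("malformed phase2 proposal: %r" % token)
        proposals.append(m.groups())
    return proposals


def lint_phase2alg(value, phase1_group=None):
    """Return warnings worth reading before restarting ipsec.

    phase1_group (assumed known to the caller, e.g. from ike=) is only used
    to report phase 2 proposals whose modp group differs from it."""
    proposals = parse_phase2alg(value)
    groups = {g for (_, _, g) in proposals}
    warnings = []
    if len(groups) > 1:
        warnings.append("proposals disagree on the DH group: %s"
                        % sorted(str(g) for g in groups))
    with_group = [p for p in proposals if p[2] is not None]
    if len(with_group) > 1:
        warnings.append("%d proposals carry a modp group; the thread reports "
                        "pluto aborting with 'stack smashing detected' on "
                        "such a value" % len(with_group))
    if phase1_group is not None:
        for enc, auth, g in proposals:
            if g is not None and g != phase1_group:
                warnings.append("%s-%s uses %s but phase 1 uses %s"
                                % (enc, auth, g, phase1_group))
    return warnings


if __name__ == "__main__":
    for w in lint_phase2alg(SAMPLE, phase1_group="modp1024"):
        print("warning:", w)
```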