[Openswan dev] [Openswan Users] Troubleshooting pluto crash - NSS related (fwd)

Avesh Agarwal avagarwa at redhat.com
Fri Jul 22 09:16:44 EDT 2011


Hello Paul,

On 07/21/2011 07:54 PM, Paul Wouters wrote:
>
> Is there a good reason for asserting on obtaining an NSS free slot? It 
> seems this is should just be a "not available try again later" error?
>
The main reason is that if returned slot is NULL, it is not possible to 
proceed. Ideally this should never happen, because no further exchange 
can be carried out if returned slot is always NULL afterwards.

> Though to properly do that, calc_ke() would need a non-void return and
> its return value should be checked.
Yes. But it seems the caller of calc_ke, pluto_do_crypto_op returns void 
too. So changing this may require substantial changes.

>
> Paul
>
> ---------- Forwarded message ----------
> Date: Thu, 21 Jul 2011 12:39:27 -0700
> From: Kevin Keane <subscription at kkeane.com>
> Cc: "users at openswan.org" <users at openswan.org>
> Subject: Re: [Openswan Users] Troubleshooting pluto crash - NSS related
>
> Here it is. Note: remoteip and localip are actual IP addresses mangled 
> for confidentiality. localFQDN and remoteFQDN are actual valid FQDNs.
>
> (I hope this wraps correctly)
>
> Jul 21 19:08:17 mymachine pluto[31333]: |
> Jul 21 19:08:17 mymachine pluto[31333]: | *received 481 bytes from 
> remoteip:500 on eth0 (port=500)
> Jul 21 19:08:17 mymachine pluto[31333]: |   c4 ff e2 bc  42 ac a8 b5  
> 00 00 00 00  00 00 00 00
> ... 29 lines deleted
> Jul 21 19:08:17 mymachine pluto[31333]: |   12
> Jul 21 19:08:17 mymachine pluto[31333]: | **parse ISAKMP Message:
> Jul 21 19:08:17 mymachine pluto[31333]: |    initiator cookie:
> Jul 21 19:08:17 mymachine pluto[31333]: |   c4 ff e2 bc  42 ac a8 b5
> Jul 21 19:08:17 mymachine pluto[31333]: |    responder cookie:
> Jul 21 19:08:17 mymachine pluto[31333]: |   00 00 00 00  00 00 00 00
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_SA
> Jul 21 19:08:17 mymachine pluto[31333]: |    ISAKMP version: ISAKMP 
> Version 1.0 (rfc2407)
> Jul 21 19:08:17 mymachine pluto[31333]: |    exchange type: 
> ISAKMP_XCHG_AGGR
> Jul 21 19:08:17 mymachine pluto[31333]: |    flags: none
> Jul 21 19:08:17 mymachine pluto[31333]: |    message ID:  00 00 00 00
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 481
> Jul 21 19:08:17 mymachine pluto[31333]: |  processing version=1.0 
> packet with exchange type=ISAKMP_XCHG_AGGR (4)
> Jul 21 19:08:17 mymachine pluto[31333]: | got payload 
> 0x2(ISAKMP_NEXT_SA) needed: 0x432 opt: 0x102000
> Jul 21 19:08:17 mymachine pluto[31333]: | ***parse ISAKMP Security 
> Association Payload:
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_KE
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 52
> Jul 21 19:08:17 mymachine pluto[31333]: |    DOI: ISAKMP_DOI_IPSEC
> Jul 21 19:08:17 mymachine pluto[31333]: | got payload 
> 0x10(ISAKMP_NEXT_KE) needed: 0x430 opt: 0x102000
> Jul 21 19:08:17 mymachine pluto[31333]: | ***parse ISAKMP Key Exchange 
> Payload:
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_NONCE
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 196
> Jul 21 19:08:17 mymachine pluto[31333]: | got payload 
> 0x400(ISAKMP_NEXT_NONCE) needed: 0x420 opt: 0x102000
> Jul 21 19:08:17 mymachine pluto[31333]: | ***parse ISAKMP Nonce Payload:
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_ID
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 24
> Jul 21 19:08:17 mymachine pluto[31333]: | got payload 
> 0x20(ISAKMP_NEXT_ID) needed: 0x20 opt: 0x102000
> Jul 21 19:08:17 mymachine pluto[31333]: | ***parse ISAKMP 
> Identification Payload:
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_VID
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 33
> Jul 21 19:08:17 mymachine pluto[31333]: |    ID type: ID_FQDN
> Jul 21 19:08:17 mymachine pluto[31333]: |    DOI specific A: 0
> Jul 21 19:08:17 mymachine pluto[31333]: |    DOI specific B: 0
> Jul 21 19:08:17 mymachine pluto[31333]: |      obj:   69 6e 74 72  61 
> 6e 65 74  2e 6e 63 74  65 63 68 63
> Jul 21 19:08:17 mymachine pluto[31333]: |      obj:   65 6e 74 65  72 
> 2e 63 6f  6d 0d 00 00  0c 40 4b f4
> Jul 21 19:08:17 mymachine pluto[31333]: |      obj:   39
> Jul 21 19:08:17 mymachine pluto[31333]: | got payload 
> 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
> Jul 21 19:08:17 mymachine pluto[31333]: | ***parse ISAKMP Vendor ID 
> Payload:
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_VID
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 12
> Jul 21 19:08:17 mymachine pluto[31333]: | got payload 
> 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
> Jul 21 19:08:17 mymachine pluto[31333]: | ***parse ISAKMP Vendor ID 
> Payload:
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_VID
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 12
> Jul 21 19:08:17 mymachine pluto[31333]: | got payload 
> 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
> Jul 21 19:08:17 mymachine pluto[31333]: | ***parse ISAKMP Vendor ID 
> Payload:
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_VID
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 20
> Jul 21 19:08:17 mymachine pluto[31333]: | got payload 
> 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
> Jul 21 19:08:17 mymachine pluto[31333]: | ***parse ISAKMP Vendor ID 
> Payload:
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_VID
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 20
> Jul 21 19:08:17 mymachine pluto[31333]: | got payload 
> 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
> Jul 21 19:08:17 mymachine pluto[31333]: | ***parse ISAKMP Vendor ID 
> Payload:
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_VID
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 20
> Jul 21 19:08:17 mymachine pluto[31333]: | got payload 
> 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
> Jul 21 19:08:17 mymachine pluto[31333]: | ***parse ISAKMP Vendor ID 
> Payload:
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_VID
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 20
> Jul 21 19:08:17 mymachine pluto[31333]: | got payload 
> 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
> Jul 21 19:08:17 mymachine pluto[31333]: | ***parse ISAKMP Vendor ID 
> Payload:
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_VID
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 12
> Jul 21 19:08:17 mymachine pluto[31333]: | got payload 
> 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
> Jul 21 19:08:17 mymachine pluto[31333]: | ***parse ISAKMP Vendor ID 
> Payload:
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_VID
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 20
> Jul 21 19:08:17 mymachine pluto[31333]: | got payload 
> 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
> Jul 21 19:08:17 mymachine pluto[31333]: | ***parse ISAKMP Vendor ID 
> Payload:
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_NONE
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 12
> Jul 21 19:08:17 mymachine pluto[31333]: packet from remoteip:500: 
> ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
> Jul 21 19:08:17 mymachine pluto[31333]: packet from remoteip:500: 
> ignoring unknown Vendor ID payload [<S/N>]
> Jul 21 19:08:17 mymachine pluto[31333]: packet from remoteip:500: 
> received Vendor ID payload [RFC 3947] meth=109, but port floating is off
> Jul 21 19:08:17 mymachine pluto[31333]: packet from remoteip:500: 
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, 
> but port floating is off
> Jul 21 19:08:17 mymachine pluto[31333]: packet from remoteip:500: 
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, 
> but port floating is off
> Jul 21 19:08:17 mymachine pluto[31333]: packet from remoteip:500: 
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Jul 21 19:08:17 mymachine pluto[31333]: packet from remoteip:500: 
> ignoring Vendor ID payload [Sonicwall 2 (3.1.0.12-86s?)]
> Jul 21 19:08:17 mymachine pluto[31333]: packet from remoteip:500: 
> received Vendor ID payload [Dead Peer Detection]
> Jul 21 19:08:17 mymachine pluto[31333]: packet from remoteip:500: 
> received Vendor ID payload [XAUTH]
> Jul 21 19:08:17 mymachine pluto[31333]: | find_host_connection2 called 
> from aggr_inI1_outR1_common, me=localip:500 him=remoteip:500 policy=none
> Jul 21 19:08:17 mymachine pluto[31333]: | find_host_pair: comparing to 
> localip:500 remoteip:500
> Jul 21 19:08:17 mymachine pluto[31333]: | find_host_pair_conn 
> (find_host_connection2): localip:500 remoteip:500 -> hp:homeoffice
> Jul 21 19:08:17 mymachine pluto[31333]: | find_host_connection returns 
> homeoffice
> Jul 21 19:08:17 mymachine pluto[31333]: | creating state object #1 at 
> 0x7f182c384080
> Jul 21 19:08:17 mymachine pluto[31333]: "homeoffice" #1: Aggressive 
> mode peer ID is ID_FQDN: '@remoteFQDN'
> Jul 21 19:08:17 mymachine pluto[31333]: | refine_connection: starting 
> with homeoffice
> Jul 21 19:08:17 mymachine pluto[31333]: | started looking for secret 
> for @localFQDN->@remoteFQDN of kind PPK_PSK
> Jul 21 19:08:17 mymachine pluto[31333]: | actually looking for secret 
> for @localFQDN->@remoteFQDN of kind PPK_PSK
> Jul 21 19:08:17 mymachine pluto[31333]: | line 1: key type 
> PPK_PSK(@localFQDN) to type PPK_PSK
> Jul 21 19:08:17 mymachine pluto[31333]: | 1: compared key @remoteFQDN 
> to @localFQDN / @remoteFQDN -> 4
> Jul 21 19:08:17 mymachine pluto[31333]: | 2: compared key @localFQDN 
> to @localFQDN / @remoteFQDN -> 12
> Jul 21 19:08:17 mymachine pluto[31333]: | line 1: match=12
> Jul 21 19:08:17 mymachine pluto[31333]: | best_match 0>12 
> best=0x7f182c374630 (line=1)
> Jul 21 19:08:17 mymachine pluto[31333]: | concluding with 
> best_match=12 best=0x7f182c374630 (lineno=1)
> Jul 21 19:08:17 mymachine pluto[31333]: |    match_id a=@remoteFQDN
> Jul 21 19:08:17 mymachine pluto[31333]: |             b=@remoteFQDN
> Jul 21 19:08:17 mymachine pluto[31333]: |    results  matched
> Jul 21 19:08:17 mymachine pluto[31333]: |   trusted_ca called with 
> a=(empty) b=(empty)
> Jul 21 19:08:17 mymachine pluto[31333]: | refine_connection: checking 
> homeoffice against homeoffice, best=(none) with 
> match=1(id=1/ca=1/reqca=1)
> Jul 21 19:08:17 mymachine pluto[31333]: | refine_connection: checked 
> homeoffice against homeoffice, now for see if best
> Jul 21 19:08:17 mymachine pluto[31333]: | started looking for secret 
> for @localFQDN->@remoteFQDN of kind PPK_PSK
> Jul 21 19:08:17 mymachine pluto[31333]: | actually looking for secret 
> for @localFQDN->@remoteFQDN of kind PPK_PSK
> Jul 21 19:08:17 mymachine pluto[31333]: | line 1: key type 
> PPK_PSK(@localFQDN) to type PPK_PSK
> Jul 21 19:08:17 mymachine pluto[31333]: | 1: compared key @remoteFQDN 
> to @localFQDN / @remoteFQDN -> 4
> Jul 21 19:08:17 mymachine pluto[31333]: | 2: compared key @localFQDN 
> to @localFQDN / @remoteFQDN -> 12
> Jul 21 19:08:17 mymachine pluto[31333]: | line 1: match=12
> Jul 21 19:08:17 mymachine pluto[31333]: | best_match 0>12 
> best=0x7f182c374630 (line=1)
> Jul 21 19:08:17 mymachine pluto[31333]: | concluding with 
> best_match=12 best=0x7f182c374630 (lineno=1)
> Jul 21 19:08:17 mymachine pluto[31333]: | offered CA: '%none'
> Jul 21 19:08:17 mymachine pluto[31333]: | processing connection 
> homeoffice
> Jul 21 19:08:17 mymachine pluto[31333]: | NSS: sha1 init start
> Jul 21 19:08:17 mymachine pluto[31333]: | NSS: sha1 final end
> Jul 21 19:08:17 mymachine pluto[31333]: | ICOOKIE:  c4 ff e2 bc  42 ac 
> a8 b5
> Jul 21 19:08:17 mymachine pluto[31333]: | RCOOKIE:  82 aa 0a d4  90 41 
> d9 40
> Jul 21 19:08:17 mymachine pluto[31333]: | state hash entry 14
> Jul 21 19:08:17 mymachine pluto[31333]: | inserting state object #1 on 
> chain 14
> Jul 21 19:08:17 mymachine pluto[31333]: | inserting event 
> EVENT_SO_DISCARD, timeout in 0 seconds for #1
> Jul 21 19:08:17 mymachine pluto[31333]: | event added at head of queue
> Jul 21 19:08:17 mymachine pluto[31333]: "homeoffice" #1: responding to 
> Aggressive Mode, state #1, connection "homeoffice" from remoteip
> Jul 21 19:08:17 mymachine pluto[31333]: | ****parse IPsec DOI SIT:
> Jul 21 19:08:17 mymachine pluto[31333]: |    IPsec DOI SIT: 
> SIT_IDENTITY_ONLY
> Jul 21 19:08:17 mymachine pluto[31333]: | ****parse ISAKMP Proposal 
> Payload:
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_NONE
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 40
> Jul 21 19:08:17 mymachine pluto[31333]: |    proposal number: 1
> Jul 21 19:08:17 mymachine pluto[31333]: |    protocol ID: PROTO_ISAKMP
> Jul 21 19:08:17 mymachine pluto[31333]: |    SPI size: 0
> Jul 21 19:08:17 mymachine pluto[31333]: |    number of transforms: 1
> Jul 21 19:08:17 mymachine pluto[31333]: | *****parse ISAKMP Transform 
> Payload (ISAKMP):
> Jul 21 19:08:17 mymachine pluto[31333]: |    next payload type: 
> ISAKMP_NEXT_NONE
> Jul 21 19:08:17 mymachine pluto[31333]: |    length: 32
> Jul 21 19:08:17 mymachine pluto[31333]: |    transform number: 1
> Jul 21 19:08:17 mymachine pluto[31333]: |    transform ID: KEY_IKE
> Jul 21 19:08:17 mymachine pluto[31333]: | ******parse ISAKMP Oakley 
> attribute:
> Jul 21 19:08:17 mymachine pluto[31333]: |    af+type: 
> OAKLEY_ENCRYPTION_ALGORITHM
> Jul 21 19:08:17 mymachine pluto[31333]: |    length/value: 5
> Jul 21 19:08:17 mymachine pluto[31333]: |    [5 is OAKLEY_3DES_CBC]
> Jul 21 19:08:17 mymachine pluto[31333]: | 
> ike_alg_enc_ok(ealg=5,key_len=0): blocksize=8, keyminlen=192, 
> keydeflen=192, keymaxlen=192, ret=1
> Jul 21 19:08:17 mymachine pluto[31333]: | ******parse ISAKMP Oakley 
> attribute:
> Jul 21 19:08:17 mymachine pluto[31333]: |    af+type: 
> OAKLEY_HASH_ALGORITHM
> Jul 21 19:08:17 mymachine pluto[31333]: |    length/value: 2
> Jul 21 19:08:17 mymachine pluto[31333]: |    [2 is OAKLEY_SHA1]
> Jul 21 19:08:17 mymachine pluto[31333]: | ******parse ISAKMP Oakley 
> attribute:
> Jul 21 19:08:17 mymachine pluto[31333]: |    af+type: 
> OAKLEY_GROUP_DESCRIPTION
> Jul 21 19:08:17 mymachine pluto[31333]: |    length/value: 5
> Jul 21 19:08:17 mymachine pluto[31333]: |    [5 is OAKLEY_GROUP_MODP1536]
> Jul 21 19:08:17 mymachine pluto[31333]: | ******parse ISAKMP Oakley 
> attribute:
> Jul 21 19:08:17 mymachine pluto[31333]: |    af+type: 
> OAKLEY_AUTHENTICATION_METHOD
> Jul 21 19:08:17 mymachine pluto[31333]: |    length/value: 1
> Jul 21 19:08:17 mymachine pluto[31333]: |    [1 is OAKLEY_PRESHARED_KEY]
> Jul 21 19:08:17 mymachine pluto[31333]: | started looking for secret 
> for @localFQDN->@remoteFQDN of kind PPK_PSK
> Jul 21 19:08:17 mymachine pluto[31333]: | actually looking for secret 
> for @localFQDN->@remoteFQDN of kind PPK_PSK
> Jul 21 19:08:17 mymachine pluto[31333]: | line 1: key type 
> PPK_PSK(@localFQDN) to type PPK_PSK
> Jul 21 19:08:17 mymachine pluto[31333]: | 1: compared key @remoteFQDN 
> to @localFQDN / @remoteFQDN -> 4
> Jul 21 19:08:17 mymachine pluto[31333]: | 2: compared key @localFQDN 
> to @localFQDN / @remoteFQDN -> 12
> Jul 21 19:08:17 mymachine pluto[31333]: | line 1: match=12
> Jul 21 19:08:17 mymachine pluto[31333]: | best_match 0>12 
> best=0x7f182c374630 (line=1)
> Jul 21 19:08:17 mymachine pluto[31333]: | concluding with 
> best_match=12 best=0x7f182c374630 (lineno=1)
> Jul 21 19:08:17 mymachine pluto[31333]: | ******parse ISAKMP Oakley 
> attribute:
> Jul 21 19:08:17 mymachine pluto[31333]: |    af+type: OAKLEY_LIFE_TYPE
> Jul 21 19:08:17 mymachine pluto[31333]: |    length/value: 1
> Jul 21 19:08:17 mymachine pluto[31333]: |    [1 is OAKLEY_LIFE_SECONDS]
> Jul 21 19:08:17 mymachine pluto[31333]: | ******parse ISAKMP Oakley 
> attribute:
> Jul 21 19:08:17 mymachine pluto[31333]: |    af+type: 
> OAKLEY_LIFE_DURATION
> Jul 21 19:08:17 mymachine pluto[31333]: |    length/value: 28800
> Jul 21 19:08:17 mymachine pluto[31333]: | Oakley Transform 1 accepted
> Jul 21 19:08:17 mymachine pluto[31333]: | DH public value received:
> Jul 21 19:08:17 mymachine pluto[31333]: |   ca 68 f8 08  85 9a ca 02  
> b0 c5 92 48  70 07 5e c8
> Jul 21 19:08:17 mymachine pluto[31333]: |   17 5f 73 3d  88 78 d1 b4  
> 83 ad db 68  c8 3f e4 ea
> Jul 21 19:08:17 mymachine pluto[31333]: |   ee e6 09 1a  1c 42 ca 0e  
> fd 4d 05 19  c5 31 9e db
> Jul 21 19:08:17 mymachine pluto[31333]: |   a9 b4 07 39  18 ec c2 63  
> 19 d8 a5 1f  ef ef b5 01
> Jul 21 19:08:17 mymachine pluto[31333]: |   f5 fe ba a7  50 ae 8d 13  
> 44 aa bb 07  68 de ff c1
> Jul 21 19:08:17 mymachine pluto[31333]: |   e6 fe af c3  c4 48 16 1e  
> da d5 33 d2  0a 9c a6 d9
> Jul 21 19:08:17 mymachine pluto[31333]: |   63 08 e4 7f  68 fe ea da  
> 8a 71 71 a4  69 6a cb 17
> Jul 21 19:08:17 mymachine pluto[31333]: |   1f d9 4f e7  c3 bd 13 f8  
> 43 a1 cd 8e  32 46 28 f4
> Jul 21 19:08:17 mymachine pluto[31333]: |   47 a8 0d d7  92 50 64 cd  
> f5 b7 05 3a  f3 b7 56 23
> Jul 21 19:08:17 mymachine pluto[31333]: |   03 a0 00 62  34 a3 fd 70  
> 6d 6f 6a 40  c9 b2 da 9f
> Jul 21 19:08:17 mymachine pluto[31333]: |   b4 82 d4 2d  ee 38 97 6e  
> 75 ea 65 95  3a 44 b6 d3
> Jul 21 19:08:17 mymachine pluto[31333]: |   80 d6 7c 65  d7 c5 c3 c1  
> ee c8 e9 81  f3 fc dd 55
> Jul 21 19:08:17 mymachine pluto[31333]: | helper -1 doing 
> build_kenonce op id: 0
> Jul 21 19:08:18 mymachine pluto[31333]: packet from remoteip:500: NSS: 
> slot for DH key gen is NULL
> Jul 21 19:08:29 mymachine ipsec__plutorun: Restarting Pluto subsystem...
>
> Kevin Keane
> The NetTech
> http://www.4nettech.com
>
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Thursday, July 21, 2011 6:58 AM
> To: Kevin Keane
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Troubleshooting pluto crash - NSS related
>
> On Thu, 21 Jul 2011, Kevin Keane wrote:
>
>> I'm trying to get openswan to establish an IPSec connection to my 
>> Sonicwall firewall. It works fine with a shared secret, but I can't 
>> get openswan to work with certificates. I'm using CentOS 5.6, with 
>> openswan 2.6.21-5.el5_6.4
>>
>> This version of Openswan uses NSS for certificate management. 
>> Unfortunately, as soon as I add my client certificate to the NSS 
>> database, pluto crashes with an error "NSS: slot for DH key gen is 
>> NULL" when the peer first tries to connect.
>>
>> This seems to be strictly related to the certificate database, not to 
>> the actual connection configuration. It happens even if I leave my 
>> tunnel configured for shared secret. I can resolve the problem simply 
>> by deleting the three certificate DB files and restarting openswan; a 
>> new, empty, certificate database does not trigger this problem.
>>
>> Any ideas how to solve this would be appreciated!
>
> Can you do this with plutodebug=all and post it to the list?
>
> Paul
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


-- 
Thanks and Regards
Avesh



More information about the Dev mailing list