[Openswan dev] DPD action restart creates segfault in Roadwarrior connection

Nrupen Chudasma nrupen at gmail.com
Wed Mar 28 08:39:28 EDT 2012 

Hi,

I am using openswan 2.6.24. I have configured one connection at VPN gateway
where many road warriors can connect the tunnel from different IPs.
Below is my configuration.

version 2.0      # conforms to second version of ipsec.conf specification

config setup
        nat_traversal=yes
        oe=off
        protostack=netkey


conn ng
        right=%any
        rightsubnet="vhost:%v:0.0.0.0/0"
        left=10.103.6.71
        leftsubnet=10.1.1.0/255.255.255.0
        leftnexthop=10.103.6.1
        auto=add
        x_rightdynamic=yes
        authby=secret
        compress=no
        failureshunt=drop
        dpddelay=15
        dpdtimeout=60
        dpdaction=restart
        pfs=yes

ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,aes192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-md5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,aes128-md5-modp2048,aes192-md5-modp2048,aes256-md5-modp2048,aes128-sha1-modp2048,aes192-sha1-modp2048,aes256-sha1-modp2048,3des-md5-modp2048,3des-sha1-modp2048

esp=aes128-md5,aes192-md5,aes256-md5,aes128-sha1,aes192-sha1,aes256-sha1,3des-md5,3des-sha1


I have kept dpdaction=restart. After successfully establishing the
connection, I plug out the road-warrior from network. So when DPD is hit at
my VPN gateway, the dpdaction restart is called.
I get the segfault at this place.
The problem is 100% re creatable.

Find the /var/log/messages for this.

Mar 28 18:03:44 netgenie daemon.err ipsec__plutorun: 003 NAT-Traversal:
Trying new style NAT-T
Mar 28 18:03:44 netgenie daemon.err ipsec__plutorun: 003 NAT-Traversal:
ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Mar 28 18:03:44 netgenie daemon.err ipsec__plutorun: 003 NAT-Traversal:
Trying old style NAT-T
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from
10.103.6.93:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from
10.103.6.93:4500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from
10.103.6.93:4500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from
10.103.6.93:4500: received Vendor ID payload [RFC 3947] method set to=109
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from
10.103.6.93:4500: received Vendor ID payload [Dead Peer Detection]
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
#1: responding to Main Mode from unknown peer 10.103.6.93
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
#1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
#1: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
#1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
#1: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
#1: Main mode peer ID is ID_IPV4_ADDR: '10.1.2.11'
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
#1: switched from "ng" to "ng"
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#1: deleting connection "ng" instance with peer 10.103.6.93
{isakmp=#0/ipsec=#0}
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#1: Dead Peer Detection (RFC 3706): enabled
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#1: the peer proposed: 10.1.1.0/24:0/0 -> 10.1.2.11/32:0/0
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#2: responding to Quick Mode proposal {msgid:341f6228}
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#2:     us: 10.1.1.0/24===10.103.6.71<10.103.6.71>[+S=C]---10.103.6.1
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#2:   them: 10.103.6.93[10.1.2.11,+S=C]
Mar 28 18:03:53 netgenie authpriv.debug pluto[19074]: | NAT-OA: 32 tunnel:
0
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 28 18:03:54 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#2: Dead Peer Detection (RFC 3706): enabled
Mar 28 18:03:54 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 28 18:03:54 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xd9d12c60
<0xf1bb6bc0 xfrm=AES_128-HMAC_MD5 NATOA=none NATD=10.103.6.93:4500DPD=enabled}
Mar 28 18:04:42 netgenie authpriv.warn pluto[19074]: ERROR: asynchronous
network error report on eth2.2 (sport=4500) for message to 10.103.6.93 port
4500, complainant 10.103.6.71: No route to host [errno 148, origin ICMP
type 3 code 1 (not authenticated)]
Mar 28 18:04:57 netgenie authpriv.warn pluto[19074]: ERROR: asynchronous
network error report on eth2.2 (sport=4500) for message to 10.103.6.93 port
4500, complainant 10.103.6.71: No route to host [errno 148, origin ICMP
type 3 code 1 (not authenticated)]
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#1: DPD: No response from peer - declaring peer dead
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#1: DPD: Restarting Connection
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: rekeying
state (STATE_QUICK_R2)
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: rekeying
state (STATE_QUICK_R2)
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR:
netlink response for Del SA esp.d9d12c60 at 10.103.6.93 included errno 3: No
such process
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR:
netlink response for Del SA esp.f1bb6bc0 at 10.103.6.71 included errno 3: No
such process
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
#1: deleting connection "ng" instance with peer 10.103.6.93
{isakmp=#1/ipsec=#2}
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: deleting
state (STATE_QUICK_R2)
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR:
netlink response for Del SA esp.d9d12c60 at 10.103.6.93 included errno 3: No
such process
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR:
netlink response for Del SA esp.f1bb6bc0 at 10.103.6.71 included errno 3: No
such process
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #1: deleting
state (STATE_MAIN_R3)
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: DPD: Restarting all
connections that share this peer
Mar 28 18:05:09 netgenie daemon.err ipsec__plutorun: Segmentation fault
Mar 28 18:05:09 netgenie daemon.err ipsec__plutorun: !pluto failure!:
exited with error status 139 (signal 11)
Mar 28 18:05:09 netgenie daemon.err ipsec__plutorun: restarting IPsec after
pause...
Mar 28 18:05:09 netgenie authpriv.warn pluto[19079]: pluto_crypto_helper:
helper (0) is  normal exiting


Regards,
Nrupen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openswan.org/pipermail/dev/attachments/20120328/fe35b27f/attachment.html>

More information about the Dev mailing list