[Openswan dev] DPD action restart creates segfault in Roadwarrior connection

Ruchir Thakkar ruchir.thakkar at gmail.com
Wed Mar 28 13:57:28 EDT 2012


Hi Nrupen,

Do not keep dpdaction "restart" in a connection definition where the peer IP
is a wildcard.

Regards,
Ruchir.
On Mar 28, 2012 8:39 AM, "Nrupen Chudasma" <nrupen at gmail.com> wrote:

> Hi,
>
> I am using openswan 2.6.24. I have configured one connection at VPN
> gateway where many road warriors can connect the tunnel from different IPs.
> Below is my configuration.
>
> version 2.0      # conforms to second version of ipsec.conf specification
>
> config setup
>         nat_traversal=yes
>         oe=off
>         protostack=netkey
>
>
> conn ng
>         right=%any
>         rightsubnet="vhost:%v:0.0.0.0/0"
>         left=10.103.6.71
>         leftsubnet=10.1.1.0/255.255.255.0
>         leftnexthop=10.103.6.1
>         auto=add
>         x_rightdynamic=yes
>         authby=secret
>         compress=no
>         failureshunt=drop
>         dpddelay=15
>         dpdtimeout=60
>         dpdaction=restart
>         pfs=yes
>
> ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,aes192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-md5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,aes128-md5-modp2048,aes192-md5-modp2048,aes256-md5-modp2048,aes128-sha1-modp2048,aes192-sha1-modp2048,aes256-sha1-modp2048,3des-md5-modp2048,3des-sha1-modp2048
>
> esp=aes128-md5,aes192-md5,aes256-md5,aes128-sha1,aes192-sha1,aes256-sha1,3des-md5,3des-sha1
>
>
> I have kept dpdaction=restart. After the connection is established
> successfully, I unplug the road warrior from the network. So when DPD
> triggers at my VPN gateway, the dpdaction restart is called.
> I get the segfault at this point.
> The problem is 100% re-creatable.
>
> Find the /var/log/messages for this.
>
> Mar 28 18:03:44 netgenie daemon.err ipsec__plutorun: 003 NAT-Traversal:
> Trying new style NAT-T
> Mar 28 18:03:44 netgenie daemon.err ipsec__plutorun: 003 NAT-Traversal:
> ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
> Mar 28 18:03:44 netgenie daemon.err ipsec__plutorun: 003 NAT-Traversal:
> Trying old style NAT-T
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from
> 10.103.6.93:4500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from
> 10.103.6.93:4500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from
> 10.103.6.93:4500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] method set to=108
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from
> 10.103.6.93:4500: received Vendor ID payload [RFC 3947] method set to=109
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from
> 10.103.6.93:4500: received Vendor ID payload [Dead Peer Detection]
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
> #1: responding to Main Mode from unknown peer 10.103.6.93
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
> #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
> #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
> #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
> #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
> #1: Main mode peer ID is ID_IPV4_ADDR: '10.1.2.11'
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93
> #1: switched from "ng" to "ng"
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #1: deleting connection "ng" instance with peer 10.103.6.93
> {isakmp=#0/ipsec=#0}
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #1: Dead Peer Detection (RFC 3706): enabled
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #1: the peer proposed: 10.1.1.0/24:0/0 -> 10.1.2.11/32:0/0
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #2: responding to Quick Mode proposal {msgid:341f6228}
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #2:     us: 10.1.1.0/24===10.103.6.71<10.103.6.71>[+S=C]---10.103.6.1
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #2:   them: 10.103.6.93[10.1.2.11,+S=C]
> Mar 28 18:03:53 netgenie authpriv.debug pluto[19074]: | NAT-OA: 32 tunnel:
> 0
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Mar 28 18:03:54 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #2: Dead Peer Detection (RFC 3706): enabled
> Mar 28 18:03:54 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Mar 28 18:03:54 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xd9d12c60
> <0xf1bb6bc0 xfrm=AES_128-HMAC_MD5 NATOA=none NATD=10.103.6.93:4500DPD=enabled}
> Mar 28 18:04:42 netgenie authpriv.warn pluto[19074]: ERROR: asynchronous
> network error report on eth2.2 (sport=4500) for message to 10.103.6.93 port
> 4500, complainant 10.103.6.71: No route to host [errno 148, origin ICMP
> type 3 code 1 (not authenticated)]
> Mar 28 18:04:57 netgenie authpriv.warn pluto[19074]: ERROR: asynchronous
> network error report on eth2.2 (sport=4500) for message to 10.103.6.93 port
> 4500, complainant 10.103.6.71: No route to host [errno 148, origin ICMP
> type 3 code 1 (not authenticated)]
> Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #1: DPD: No response from peer - declaring peer dead
> Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #1: DPD: Restarting Connection
> Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: rekeying
> state (STATE_QUICK_R2)
> Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: rekeying
> state (STATE_QUICK_R2)
> Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR:
> netlink response for Del SA esp.d9d12c60 at 10.103.6.93 included errno 3: No
> such process
> Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR:
> netlink response for Del SA esp.f1bb6bc0 at 10.103.6.71 included errno 3: No
> such process
> Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93
> #1: deleting connection "ng" instance with peer 10.103.6.93
> {isakmp=#1/ipsec=#2}
> Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: deleting
> state (STATE_QUICK_R2)
> Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR:
> netlink response for Del SA esp.d9d12c60 at 10.103.6.93 included errno 3: No
> such process
> Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR:
> netlink response for Del SA esp.f1bb6bc0 at 10.103.6.71 included errno 3: No
> such process
> Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #1: deleting
> state (STATE_MAIN_R3)
> Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: DPD: Restarting all
> connections that share this peer
> Mar 28 18:05:09 netgenie daemon.err ipsec__plutorun: Segmentation fault
> Mar 28 18:05:09 netgenie daemon.err ipsec__plutorun: !pluto failure!:
> exited with error status 139 (signal 11)
> Mar 28 18:05:09 netgenie daemon.err ipsec__plutorun: restarting IPsec
> after pause...
> Mar 28 18:05:09 netgenie authpriv.warn pluto[19079]: pluto_crypto_helper:
> helper (0) is  normal exiting
>
>
> Regards,
> Nrupen
>
> _______________________________________________
> Dev mailing list
> Dev at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/dev
>
>
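The advice above (never pair dpdaction=restart with a wildcard peer) is easy to forget once a gateway has many conn sections, so here is a small checker, added to this thread as an example rather than taken from the Openswan project, that parses an ipsec.conf-style text and reports every conn section whose effective settings combine dpdaction=restart with right=%any or left=%any. It assumes only the `config setup`, `conn %default` and `conn <name>` section forms, resolves `also=` one level deep, and treats keys as case-insensitive as ipsec.conf does; the sample configuration embedded below is constructed, modelled on the one quoted in the thread.

```python
"""Flag conn sections that combine dpdaction=restart with a wildcard peer.

Added example for the Openswan dev thread on DPD restart segfaults; this is
not Openswan code. Assumptions: section headers start in column 0, keys are
indented, values may be double-quoted, `also=` is resolved one level.
"""
import re
import sys

# Constructed sample, modelled on the configuration quoted in the thread,
# plus two extra conns so the checker has something to leave alone.
SAMPLE_CONF = """\
version 2.0      # conforms to second version of ipsec.conf specification

config setup
        nat_traversal=yes
        oe=off
        protostack=netkey

conn %default
        dpddelay=15
        dpdtimeout=60

conn ng
        right=%any
        rightsubnet="vhost:%v:0.0.0.0/0"
        left=10.103.6.71
        leftsubnet=10.1.1.0/255.255.255.0
        auto=add
        authby=secret
        dpdaction=restart

conn site2site
        right=192.0.2.10
        left=10.103.6.71
        dpdaction=restart

conn rw-safe
        right=%any
        left=10.103.6.71
        dpdaction=clear
"""

# Peer specifications that match "any" address rather than one fixed host.
WILDCARD_PEERS = {"%any", "%any6"}

_SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
_KV_RE = re.compile(r"^\s+([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored as 'config setup'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        m = _SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            current = name if kind == "conn" else f"config {name}"
            sections[current] = {}
            continue
        m = _KV_RE.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2).strip().strip('"')
            sections[current][key] = value
    return sections


def effective_conn(sections, name):
    """Merge conn %default, then also= sections, then the conn's own keys (which win)."""
    merged = dict(sections.get("%default", {}))
    own = sections.get(name, {})
    for other in own.get("also", "").split():
        merged.update(sections.get(other, {}))
    merged.update(own)
    return merged


def find_unsafe_dpd_restart(text):
    """Return [(conn_name, [wildcard sides])] for every conn with dpdaction=restart and a %any peer."""
    sections = parse_ipsec_conf(text)
    findings = []
    for name in sections:
        if name.startswith("config ") or name == "%default":
            continue
        conn = effective_conn(sections, name)
        if conn.get("dpdaction", "").lower() != "restart":
            continue
        sides = [s for s in ("left", "right") if conn.get(s, "") in WILDCARD_PEERS]
        if sides:
            findings.append((name, sides))
    return findings


if __name__ == "__main__":
    # Usage: python check_dpd.py [/etc/ipsec.conf]; with no argument the sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for name, sides in find_unsafe_dpd_restart(text):
        print(f"conn {name}: dpdaction=restart with wildcard peer on {', '.join(sides)}")
```

Run against the sample it reports only `conn ng`; `site2site` has a fixed peer and `rw-safe` uses dpdaction=clear, the action that is safe for road-warrior definitions because the gateway has no fixed address to reconnect to.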