Hi,<br><br>I am using Openswan 2.6.24. I have configured one connection at the VPN gateway where many road warriors can connect the tunnel from different IPs.<br>Below is my configuration.<br><br>version 2.0 # conforms to second version of ipsec.conf specification<br>
<br>config setup<br> nat_traversal=yes<br> oe=off<br> protostack=netkey<br><br><br>conn ng<br> right=%any<br> rightsubnet="vhost:%v:0.0.0.0/0"<br>
 left=10.103.6.71<br> leftsubnet=10.1.1.0/255.255.255.0<br> leftnexthop=10.103.6.1<br> auto=add<br> x_rightdynamic=yes<br> authby=secret<br>
compress=no<br> failureshunt=drop<br> dpddelay=15<br> dpdtimeout=60<br> dpdaction=restart<br> pfs=yes<br> ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,aes192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-md5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,aes128-md5-modp2048,aes192-md5-modp2048,aes256-md5-modp2048,aes128-sha1-modp2048,aes192-sha1-modp2048,aes256-sha1-modp2048,3des-md5-modp2048,3des-sha1-modp2048<br>
 esp=aes128-md5,aes192-md5,aes256-md5,aes128-sha1,aes192-sha1,aes256-sha1,3des-md5,3des-sha1<br><br><br>I have kept dpdaction=restart. After successfully establishing the connection, I unplug the road warrior from the network. So when DPD is hit at my VPN gateway, the dpdaction restart is called.<br>
I get the segfault at this place.<br>The problem is 100% re-creatable.<br><br>Find the /var/log/messages for this.<br><br>Mar 28 18:03:44 netgenie daemon.err ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T<br>Mar 28 18:03:44 netgenie daemon.err ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)<br>
Mar 28 18:03:44 netgenie daemon.err ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T<br>Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from 10.103.6.93:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<br>
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from 10.103.6.93:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 <br>Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from 10.103.6.93:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108 <br>
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from 10.103.6.93:4500: received Vendor ID payload [RFC 3947] method set to=109 <br>Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from 10.103.6.93:4500: received Vendor ID payload [Dead Peer Detection]<br>
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: responding to Main Mode from unknown peer 10.103.6.93<br>Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed<br>
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: STATE_MAIN_R2: sent MR2, expecting MI3<br>
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: Main mode peer ID is ID_IPV4_ADDR: '10.1.2.11'<br>Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: switched from "ng" to "ng"<br>
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: deleting connection "ng" instance with peer 10.103.6.93 {isakmp=#0/ipsec=#0}<br>Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}<br>Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: Dead Peer Detection (RFC 3706): enabled<br>
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: the peer proposed: 10.1.1.0/24:0/0 -> 10.1.2.11/32:0/0<br>
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: responding to Quick Mode proposal {msgid:341f6228}<br>Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: us: 10.1.1.0/24===10.103.6.71<10.103.6.71>[+S=C]---10.103.6.1<br>
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: them: 10.103.6.93[10.1.2.11,+S=C]<br>Mar 28 18:03:53 netgenie authpriv.debug pluto[19074]: | NAT-OA: 32 tunnel: 0 <br>Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>Mar 28 18:03:54 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: Dead Peer Detection (RFC 3706): enabled<br>
Mar 28 18:03:54 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Mar 28 18:03:54 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xd9d12c60 <0xf1bb6bc0 xfrm=AES_128-HMAC_MD5 NATOA=none NATD=10.103.6.93:4500 DPD=enabled}<br>
Mar 28 18:04:42 netgenie authpriv.warn pluto[19074]: ERROR: asynchronous network error report on eth2.2 (sport=4500) for message to 10.103.6.93 port 4500, complainant 10.103.6.71: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]<br>
Mar 28 18:04:57 netgenie authpriv.warn pluto[19074]: ERROR: asynchronous network error report on eth2.2 (sport=4500) for message to 10.103.6.93 port 4500, complainant 10.103.6.71: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]<br>
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: DPD: No response from peer - declaring peer dead<br>Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: DPD: Restarting Connection<br>
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: rekeying state (STATE_QUICK_R2)<br>Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: rekeying state (STATE_QUICK_R2)<br>Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR: netlink response for Del SA esp.d9d12c60@10.103.6.93 included errno 3: No such process<br>
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR: netlink response for Del SA esp.f1bb6bc0@10.103.6.71 included errno 3: No such process<br>Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: deleting connection "ng" instance with peer 10.103.6.93 {isakmp=#1/ipsec=#2}<br>
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: deleting state (STATE_QUICK_R2)<br>Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR: netlink response for Del SA esp.d9d12c60@10.103.6.93 included errno 3: No such process<br>
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR: netlink response for Del SA esp.f1bb6bc0@10.103.6.71 included errno 3: No such process<br>Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #1: deleting state (STATE_MAIN_R3)<br>
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: DPD: Restarting all connections that share this peer<br>Mar 28 18:05:09 netgenie daemon.err ipsec__plutorun: Segmentation fault<br>Mar 28 18:05:09 netgenie daemon.err ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)<br>
Mar 28 18:05:09 netgenie daemon.err ipsec__plutorun: restarting IPsec after pause...<br>Mar 28 18:05:09 netgenie authpriv.warn pluto[19079]: pluto_crypto_helper: helper (0) is normal exiting <br><br><br>Regards,<br>Nrupen<br>
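
Added example, not part of the original post and not Openswan code: a small Python detector that correlates a `DPD: Restarting Connection` message with the `!pluto failure!` line that follows it, run over lines excerpted from the log above. The function name `find_dpd_crashes`, the 5-second window and the record fields are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Lines excerpted from the log in the post above (link markup removed).
SAMPLE_LOG = """\
Mar 28 18:03:54 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: Dead Peer Detection (RFC 3706): enabled
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: DPD: No response from peer - declaring peer dead
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: DPD: Restarting Connection
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: DPD: Restarting all connections that share this peer
Mar 28 18:05:09 netgenie daemon.err ipsec__plutorun: Segmentation fault
Mar 28 18:05:09 netgenie daemon.err ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
""".splitlines()

TS = r'(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)'
# Per-connection DPD restart: "<conn>"[instance] <peer> #<state>: DPD: Restarting Connection
DPD_RE = re.compile(
    TS + r' .*pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: '
    r'DPD: Restarting Connection')
# Wrapper script reporting that the pluto daemon died on a signal
CRASH_RE = re.compile(
    TS + r' .*ipsec__plutorun: !pluto failure!: exited with error status '
    r'\d+ \(signal (?P<sig>\d+)\)')

def _when(ts):
    # Syslog timestamps carry no year; a fixed leap year keeps Feb 29 parseable.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")

def find_dpd_crashes(lines, window_s=5):
    """One record per pluto crash that follows a DPD restart within window_s seconds."""
    hits, last_dpd = [], None
    for line in lines:
        m = DPD_RE.search(line)
        if m:
            last_dpd = (_when(m["ts"]), m["conn"], m["peer"])
            continue
        m = CRASH_RE.search(line)
        if m and last_dpd:
            delta = _when(m["ts"]) - last_dpd[0]
            if timedelta(0) <= delta <= timedelta(seconds=window_s):
                hits.append({"time": m["ts"], "conn": last_dpd[1],
                             "peer": last_dpd[2], "signal": int(m["sig"])})
            last_dpd = None  # a crash ends the correlation window either way
    return hits

if __name__ == "__main__":
    for hit in find_dpd_crashes(SAMPLE_LOG):
        print(hit)
```

Each hit names the connection and the peer whose disappearance preceded the daemon crash, which is the pairing to alert on because a pluto restart drops every tunnel on the gateway.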