[Openswan Users] Problem with start/stop of ipsec 2.1.1

matt-openswan at kindjal.net
Mon Apr 26 14:43:53 CEST 2004


Alex,

This is related to openswan-2.1.1's pluto daemon segfaulting when
reading a crl.pem file.  Get 2.1.2rc3, and patch x509.c thusly:

# --- cut
--- openswan-2.1.2rc3/programs/pluto/x509.c.orig        2004-04-26 09:39:27.000000000 -0500
+++ openswan-2.1.2rc3/programs/pluto/x509.c     2004-04-26 09:40:57.000000000 -0500
@@ -1767,7 +1767,7 @@
                if (load_coded_file(filename, NULL, "crl", &blob, &pgp))
                {
                    chunk_t crl_uri;
-                   crl_uri.len = 7 + sizeof(CRL_PATH) + strlen(filename);
+                   crl_uri.len = 8 + strlen(CRL_PATH) + strlen(filename);
                    crl_uri.ptr = alloc_bytes(crl_uri.len + 1, "crl uri");

                    /* build CRL file URI */
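Review bot: The constant 8 on the new crl_uri.len line is a magic number with no comment, and the code that writes into crl_uri.ptr is below the visible context, so the length cannot be checked against the bytes actually copied. Derive the value from the pieces being concatenated (the length of the URI prefix literal plus any separator), or add a comment stating what the 8 covers, so the allocation and the copy cannot drift apart again. Note also that if CRL_PATH expands to a string literal, sizeof(CRL_PATH) already counts the terminating NUL and 7 + sizeof(CRL_PATH) equals 8 + strlen(CRL_PATH); the switch to strlen() only changes the result when CRL_PATH is a pointer or a function call, which is worth saying in the change description. Since alloc_bytes() is given crl_uri.len + 1, state whether len is meant to include the terminator.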
# --- cut

Now pluto won't die, and the init script won't fail to clean itself up.

Matt


Alexander Samad alex at samad.com.au wrote:

> Fri Mar 26 20:07:55 CET 2004
> 
> Hi
> 
> I have taken 2.1.1 and compiled and installed it on a debian testing
> with 2.6.4 (with some netfilter patches).
> 
> I originally used the freeswan 2.04-1 (Debian package), worked fine but
> no NAT-T.
> 
> So I have 
> 
> make programs
> make install
> 
> updated my ipsec.conf
> 
> but when I do a /etc/init.d/ipsec stop I get this
> 
> ipsec_setup: Stopping Openswan IPsec...
> ipsec_setup: Attempt to shut Pluto down failed!  Trying kill:
> ipsec_setup: /usr/local/lib/ipsec/_realsetup: line 1: kill: (5577) - No
> such process
> 
> 
> and when I do a ps I still see pluto running around in the background, I
> have tried to kill it off, but to no avail till I do something like
> 
> ps axuw | awk '/[p]luto/ {print $2}' | xargs kill
> 
> Note before I do this I can still run ipsec auto --status and sometimes
> I get an empty but running status (ie interfaces but no conn's) and
> other times it replies that pluto isn't running
> 
> Does this happen to anyone else?
> 
> Any ideas where I should look to resolve this?
> 
> Alex

