[Openswan Users] ASSERTION FAILED using Openswan 2.3.0DR5
Axel Mueller
axel.mueller at avanux.de
Tue Dec 28 18:44:02 CET 2004
For some months I was running a combination of Openswan 2.10 using
kernel 2.6.4 on the client side and kernel 2.4.22 on the server side.
It was using X.509-based authentication, which I got running thanks to
Nate Carlson's HowTo.
Yesterday I switched to kernel 2.6.10 for client and server, using the
configuration (certificates, config files, etc.) that had worked well so far:
# ipsec version
Linux Openswan U2.3.0dr5/K2.6.10 (netkey)
Openswan startup on server side looks good:
Dec 28 15:14:33 gate ipsec_setup: Starting Openswan IPsec U2.1.4/K2.6.10...
Dec 28 15:14:33 gate ipsec_setup: KLIPS ipsec0 on eth2
192.168.70.1/255.255.255.0 broadcast 192.168.70.255
Dec 28 15:14:33 gate ipsec__plutorun: Starting Pluto subsystem...
Dec 28 15:14:33 gate pluto[17347]: Starting Pluto (Openswan Version
2.1.4 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Dec 28 15:14:33 gate pluto[17347]: including NAT-Traversal patch
(Version 0.6c) [disabled]
Dec 28 15:14:33 gate pluto[17347]: Using Linux 2.6 IPsec interface code
Dec 28 15:14:34 gate ipsec_setup: ...Openswan IPsec started
Dec 28 15:14:34 gate pluto[17347]: Changing to directory
'/etc/ipsec.d/cacerts'
Dec 28 15:14:34 gate pluto[17347]: loaded cacert file 'cacert.pem'
(1249 bytes)
Dec 28 15:14:34 gate pluto[17347]: Changing to directory
'/etc/ipsec.d/crls'
Dec 28 15:14:34 gate pluto[17347]: loaded crl file 'crl.pem' (508 bytes)
Dec 28 15:14:35 gate pluto[17347]: loaded host cert file
'/etc/ipsec.d/certs/mueller-family.dyndns.org.pem' (3659 bytes)
Dec 28 15:14:35 gate pluto[17347]: added connection description
"mueller-family-wlan"
Dec 28 15:14:35 gate pluto[17347]: listening for IKE messages
Dec 28 15:14:35 gate pluto[17347]: adding interface ppp0/ppp0
80.128.172.213
Dec 28 15:14:35 gate pluto[17347]: adding interface eth2/eth2 192.168.70.1
Dec 28 15:14:35 gate pluto[17347]: adding interface eth1/eth1 192.168.69.1
Dec 28 15:14:35 gate pluto[17347]: adding interface eth0/eth0 169.254.0.1
Dec 28 15:14:35 gate pluto[17347]: adding interface lo/lo 127.0.0.1
Dec 28 15:14:35 gate pluto[17347]: adding interface lo/lo ::1
Dec 28 15:14:35 gate pluto[17347]: loading secrets from
"/etc/ipsec.secrets"
Dec 28 15:14:35 gate pluto[17347]: loaded private key file
'/etc/ipsec.d/private/mueller-family.dyndns.org.key' (1692 bytes)
When I start up the Openswan client an assertion fails, causing
Openswan to be restarted:
Dec 28 18:16:39 gate pluto[21517]: packet from 192.168.70.5:500:
received Vendor ID payload [Dead Peer Detection]
Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1] 192.168.70.5
#1: responding to Main Mode from unknown peer 192.168.70.5
Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1] 192.168.70.5
#1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1] 192.168.70.5
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1] 192.168.70.5
#1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Hessen,
L=Altenstadt-Lindheim, O=mueller-family, CN=miraculix.mueller-family.de,
E=axel at mueller-family.de'
Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1] 192.168.70.5
#1: crl update for "C=DE, ST=Hessen, L=Altenstadt-Lindheim,
O=mueller-family, CN=CA, E=ca at mueller-family.de" is overdue since Aug 15
11:43:12 UTC 2004
Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#1: deleting connection "mueller-family-wlan" instance with peer
192.168.70.5 {isakmp=#0/ipsec=#0}
Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#1: I am sending my cert
Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#1: sent MR3, ISAKMP SA established
Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: responding to Quick Mode
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: ASSERTION FAILED at ipsec_doi.c:3172: case 12 unexpected
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: interface lo/lo ::1
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: interface lo/lo 127.0.0.1
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: interface eth0/eth0 169.254.0.1
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: interface eth1/eth1 192.168.69.1
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: interface eth2/eth2 192.168.70.1
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: interface ppp0/ppp0 80.128.172.213
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: %myid = (none)
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: debug none
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5 #2
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
keysizemax=0
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2:
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2:
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2:
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan": 0.0.0.0/0===192.168.70.1[C=DE, ST=Hessen,
L=Altenstadt-Lindheim, O=mueller-family, CN=mueller-family.dyndns.org,
E=axel at mueller-family.de]...%virtual===?; unrouted; eroute owner: #0
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan": srcip=unset; dstip=unset
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan": CAs: 'C=DE, ST=Hessen,
L=Altenstadt-Lindheim, O=mueller-family, CN=CA,
E=ca at mueller-family.de'...'%any'
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS;
prio: 0,32; interface: eth2;
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan": newest ISAKMP SA: #0; newest IPsec SA: #0;
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan"[2]: 0.0.0.0/0===192.168.70.1[C=DE, ST=Hessen,
L=Altenstadt-Lindheim, O=mueller-family, CN=mueller-family.dyndns.org,
E=axel at mueller-family.de]...192.168.70.5[C=DE, ST=Hessen,
L=Altenstadt-Lindheim, O=mueller-family, CN=miraculix.mueller-family.de,
E=axel at mueller-family.de]; unrouted; eroute owner: #0
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan"[2]: srcip=unset; dstip=unset
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan"[2]: CAs: 'C=DE, ST=Hessen,
L=Altenstadt-Lindheim, O=mueller-family, CN=CA,
E=ca at mueller-family.de'...'%any'
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan"[2]: ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan"[2]: policy:
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 0,32; interface: eth2;
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan"[2]: newest ISAKMP SA: #1; newest IPsec SA: #0;
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan"[2]: IKE algorithm newest:
3DES_CBC_192-MD5-MODP1536
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2:
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: #2: "mueller-family-wlan"[2] 192.168.70.5 (null) ((null));
EVENT_CRYPTO_FAILED in 299s; lastdpd=-1s(seq in:0 out:0)
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2: #1: "mueller-family-wlan"[2] 192.168.70.5 STATE_MAIN_R3 (sent MR3,
ISAKMP SA established); EVENT_SA_REPLACE in 3329s; newest ISAKMP;
lastdpd=-1s(seq in:0 out:0)
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5
#2:
Dec 28 18:16:40 gate ipsec__plutorun: /usr/local/lib/ipsec/_plutorun:
line 1: 21517 Aborted /usr/local/libexec/ipsec/pluto
--nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d
--uniqueids --virtual_private %v4:192.168.70.0/24
Dec 28 18:16:40 gate ipsec__plutorun: !pluto failure!: exited with
error status 134 (signal 6)
Dec 28 18:16:40 gate ipsec__plutorun: restarting IPsec after pause...
Dec 28 18:16:51 gate kernel: NET: Unregistered protocol family 15
Dec 28 18:16:51 gate ipsec_setup: ...Openswan IPsec stopped
Dec 28 18:16:51 gate ipsec_setup: Stopping Openswan IPsec...
Dec 28 18:16:51 gate ipsec_setup: Removing orphaned /var/run/pluto.pid:
Dec 28 18:16:52 gate kernel: NET: Registered protocol family 15
Dec 28 18:16:53 gate kernel: Initializing IPsec netlink socket
Dec 28 18:16:53 gate ipsec_setup: KLIPS ipsec0 on eth2
192.168.70.1/255.255.255.0 broadcast 192.168.70.255
Dec 28 18:16:53 gate ipsec__plutorun: Restarting Pluto subsystem...
Dec 28 18:16:53 gate ipsec_setup: ...Openswan IPsec started
Dec 28 18:16:53 gate pluto[22217]: Starting Pluto (Openswan Version
2.3.0dr5 X.509-1.5.4 PLUTO_USES_KEYRR)
Dec 28 18:16:53 gate pluto[22217]: Setting port floating to off
Dec 28 18:16:53 gate pluto[22217]: port floating activate 0/1
Dec 28 18:16:53 gate pluto[22217]: including NAT-Traversal patch
(Version 0.6c) [disabled]
Dec 28 18:16:53 gate pluto[22217]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Dec 28 18:16:53 gate pluto[22217]: starting up 1 cryptographic helpers
Dec 28 18:16:53 gate pluto[22217]: started helper pid=22226 (fd:6)
Dec 28 18:16:53 gate pluto[22217]: Using Linux 2.6 IPsec interface code
Dec 28 18:16:54 gate pluto[22217]: Changing to directory
'/etc/ipsec.d/cacerts'
Dec 28 18:16:54 gate pluto[22217]: loaded CA cert file 'cacert.pem'
(1249 bytes)
Dec 28 18:16:54 gate pluto[22217]: Could not change to directory
'/etc/ipsec.d/aacerts'
Dec 28 18:16:54 gate pluto[22217]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Dec 28 18:16:54 gate pluto[22217]: Changing to directory
'/etc/ipsec.d/crls'
Dec 28 18:16:54 gate ipsec_setup: Restarting Openswan IPsec 2.3.0dr5...
Dec 28 18:16:54 gate ipsec_setup: insmod
/lib/modules/2.6.10/kernel/net/key/af_key.ko
Dec 28 18:16:54 gate ipsec_setup: insmod
/lib/modules/2.6.10/kernel/net/ipv4/xfrm4_tunnel.ko
Dec 28 18:16:54 gate ipsec_setup: insmod
/lib/modules/2.6.10/kernel/net/xfrm/xfrm_user.ko
Dec 28 18:16:54 gate pluto[22217]: loaded crl file 'crl.pem' (508 bytes)
Dec 28 18:16:55 gate pluto[22217]: loaded host cert file
'/etc/ipsec.d/certs/mueller-family.dyndns.org.pem' (3659 bytes)
Dec 28 18:16:55 gate pluto[22217]: added connection description
"mueller-family-wlan"
Dec 28 18:16:55 gate pluto[22217]: listening for IKE messages
Dec 28 18:16:55 gate pluto[22217]: adding interface ppp0/ppp0
80.128.172.213
Dec 28 18:16:55 gate pluto[22217]: adding interface eth2/eth2 192.168.70.1
Dec 28 18:16:55 gate pluto[22217]: adding interface eth1/eth1 192.168.69.1
Dec 28 18:16:55 gate pluto[22217]: adding interface eth0/eth0 169.254.0.1
Dec 28 18:16:55 gate pluto[22217]: adding interface lo/lo 127.0.0.1
Dec 28 18:16:55 gate pluto[22217]: adding interface lo/lo ::1
The problem does not seem to relate to the kernel version on the client
side - at least 2.6.9 shows the same behavior.
Any idea?
Axel
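As an added triage example (not part of Axel's post and not Openswan code): a small Python parser that pulls the assertion, the ESP encryption transforms pluto had registered, and the exit status out of pluto/syslog lines like the ones quoted above, rejoined onto single lines because the mail archive wrapped them. It makes visible what a practitioner would check first here: the crash fires in Quick Mode, where ESP transforms are negotiated, the failing `case 12` is not among the ESP encrypt ids pluto listed, and the IANA ESP transform registry assigns id 12 to ESP_AES; exit status 134 is 128 + signal 6 (SIGABRT), so the supervisor's restart loop is the daemon aborting, not a clean stop.

```python
import re
# Constructed sample: pluto/syslog lines taken from the post and rejoined onto
# single lines (the mail archive wrapped them). Only a subset is included.
SAMPLE_LOG = """\
Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5 #2: responding to Quick Mode
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5 #2: ASSERTION FAILED at ipsec_doi.c:3172: case 12 unexpected
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5 #2: algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5 #2: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5 #2: algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 192.168.70.5 #2: algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
Dec 28 18:16:40 gate ipsec__plutorun: !pluto failure!: exited with error status 134 (signal 6)
Dec 28 18:16:40 gate ipsec__plutorun: restarting IPsec after pause...
"""
# IANA "IPsec ESP Transform Identifiers" (IKEv1): id 12 is ESP_AES (RFC 3602).
IANA_ESP_TRANSFORMS = {12: "ESP_AES"}
PEER_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)')
ASSERT_RE = re.compile(r'ASSERTION FAILED at (?P<file>[\w./-]+):(?P<line>\d+): case (?P<case>\d+) unexpected')
ESP_ENC_RE = re.compile(r'algorithm ESP encrypt: id=(?P<id>\d+), name=(?P<name>\w+)')
FAILURE_RE = re.compile(r'!pluto failure!: exited with error status (?P<status>\d+) \(signal (?P<sig>\d+)\)')

def triage(log: str) -> dict:
    """Summarise a pluto abort: which SA/peer hit the assertion, whether the failing
    case value is an ESP encrypt id pluto had registered, and how the daemon exited."""
    report = {"assertion": None, "esp_ids": {}, "exit": None, "restarted": False}
    for line in log.splitlines():
        m = PEER_RE.search(line)
        if m:
            a = ASSERT_RE.search(m.group("msg"))
            if a:
                report["assertion"] = {"conn": m.group("conn"), "peer": m.group("peer"),
                                       "sa": int(m.group("sa")), "file": a.group("file"),
                                       "line": int(a.group("line")), "case": int(a.group("case"))}
            e = ESP_ENC_RE.search(m.group("msg"))
            if e:
                report["esp_ids"][int(e.group("id"))] = e.group("name")
        f = FAILURE_RE.search(line)
        if f:
            status, sig = int(f.group("status")), int(f.group("sig"))
            # 134 == 128 + 6: the shell reports death by SIGABRT, i.e. abort() from passert().
            report["exit"] = {"status": status, "signal": sig, "aborted": sig == 6 and status == 128 + sig}
        if "restarting IPsec after pause" in line:
            report["restarted"] = True
    if report["assertion"]:
        case = report["assertion"]["case"]
        report["case_registered"] = case in report["esp_ids"]  # was this id in pluto's ESP table?
        report["case_iana_name"] = IANA_ESP_TRANSFORMS.get(case, "unknown")
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the full syslog excerpt (with wrapped lines rejoined) and `case_registered` / `case_iana_name` tell you immediately whether the transform that tripped the assertion was one the responder knew about.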