[Openswan Users] Road Warrior Ignored / makes Pluto crash

Craig O'Toole nospam2craig at remex.com.au
Wed Jun 2 20:00:49 CEST 2004





Hi,

I am using a Netgear FVS318 to terminate to freeswan/openswan (I have tried
both). When the ipsec.conf settings explicitly define the right ip address,
everything works really well. If the right address is set to %any then the
result is it consistently gets a segmentation fault at connection or it
gets through to connect and happens at re-keying.

Has anyone else seen this kind of issue? (If it is something
which has been dealt with before, please tell me, however I have looked
around on this list and searched high and low on google with no luck)

I have tried this on both redhat 9 and fedora core 1 with varying similar
results. (RH9 seems to last to re-keying and FC1 drops out almost
immediately.)

I currently use the Netgears with RH7 using the same config (and version 2
of freeswan) without any problems. The issue appeared on testing an
upgraded system. Firmware is up to date on the Netgear (Firmware Version
V2.2 Nov. 3 2003 )

I am stumped and would greatly appreciate any help offered.

Thanks in advance

Craig O'Toole

a.b.c.d = real world address of ipsec machine
a.b.c.f = gateway address for ipsec machine
a.b.c.e = broadcast address ipsec machine outside

192.168.104.0/24===a.b.c.d[@test.remex.com.au]---a.b.c.f...%any[@test1.remex.com.au]===192.168.99.0/24

</var/log/messages>
Jun  2 11:26:09 template ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 1:
16033 Segmentation fault      /usr/libexec/ipsec/pluto --nofork
--secretsfile /etc/ipsec.secrets --policygroupsdir /etc/ipsec.d/policies
--uniqueids
Jun  2 11:26:09 template ipsec__plutorun: !pluto failure!:  exited with
error status 139 (signal 11)
Jun  2 11:26:09 template ipsec__plutorun: restarting IPsec after pause...
Jun  2 11:26:19 template ipsec_setup: Stopping FreeS/WAN IPsec...
Jun  2 11:26:19 template ipsec_setup: Removing orphaned /var/run/pluto.pid:
Jun  2 11:26:19 template kernel: IPSEC EVENT: KLIPS device ipsec0 shut
down.
Jun  2 11:26:19 template kernel:
Jun  2 11:26:19 template kernel:
Jun  2 11:26:19 template kernel: klips_info:pfkey_cleanup: shutting down
PF_KEY domain sockets.
Jun  2 11:26:19 template kernel: klips_info:cleanup_module: ipsec module
unloaded.
Jun  2 11:26:19 template ipsec_setup: ...FreeS/WAN IPsec stopped
Jun  2 11:26:20 template ipsec_setup: Restarting FreeS/WAN IPsec 2.05...
Jun  2 11:26:20 template ipsec_setup: Using
/lib/modules/2.4.22-1.2188.nptl/kernel/net/freeswan/ipsec.o
Jun  2 11:26:20 template kernel: klips_info:ipsec_init: KLIPS startup,
FreeS/WAN IPSec version: 2.05
Jun  2 11:26:20 template ipsec_setup: KLIPS debug `none'
Jun  2 11:26:20 template kernel:
Jun  2 11:26:20 template ipsec_setup: KLIPS ipsec0 on eth0
a.b.c.d/255.255.255.224 broadcast a.b.c.e
Jun  2 11:26:20 template ipsec_setup: ...FreeS/WAN IPsec started

<ipsec auto --status |grep templatetest>
000 "templatetest":
192.168.104.0/24===a.b.c.d[@test.remex.com.au]---a.b.c.f...%any[@test1.remex.com.au]===192.168.99.0/24; unrouted; eroute owner: #0
000 "templatetest":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "templatetest":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24;
interface: eth0;
000 "templatetest":   newest ISAKMP SA: #0; newest IPsec SA: #0;


</etc/ipsec.conf>
conn templatetest
        type=tunnel
        left=a.b.c.d
        leftnexthop=a.b.c.f
        leftsubnet=192.168.104.0/24
        leftid=@test.remex.com.au
        right=%any
        rightsubnet=192.168.99.0/24
        rightid=@test1.remex.com.au
        authby=secret
        esp=3des-sha1-96
        auto=add

</etc/ipsec.secrets>
a.b.c.d 0.0.0.0 : PSK "1234567234567wertyuwertyu"
@test.remex.com.au @test1.remex.com.au "1234567234567wertyuwertyu"

<ipsec barf snippet>
template.remex.com.au
Wed Jun  2 18:59:45 EST 2004
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 2.1.1 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.22-1.2188.nptl (bhcompile at daffy.perf.redhat.com) (gcc
version 3.2.3 20030422 (Red Hat Linux 3.2.3-6)) #1 Wed Apr 21 20:36:05 EDT
2004
+ _________________________ proc/net/ipsec_eroute




