[Openswan Users] pluto aborted

Norbert Wegener nw at sbs.de
Tue Feb 8 16:38:55 CET 2005


I am using openswan-2.2.0-8 on a Suse9.2 system and want to set up an
l2tp/ipsec connection.
This works fine under Suse9.0 with a very old superfreeswan-1.99.8, but
fails on the current system with the following message:

Feb  8 15:00:08 lnxtst ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 
215:  2124 Aborted                 /usr/lib/ipsec/pluto 
--nofork--secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d 
--debug-parsing --debug-control --uniqueids --nat_traversal
Feb  8 15:00:08 lnxtst ipsec__plutorun: !pluto failure!:  exited with 
error status 134 (signal 6)
Feb  8 15:00:08 lnxtst ipsec__plutorun: restarting IPsec after pause...

The l2tp-winxp connection works without problems with a Windows XP client;
Linux clients using the l2tp-linuxnat connection cause the failure.
I can provide the full logs, but that would be a bit much for the list.
Here is the relevant part of the ipsec.conf:

version 2.0

config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        #plutodebug = "parsing crypt emitting control"
        plutodebug=all
        #plutoopts=perpeerlog
        # Use auto= parameters in conn descriptions to control startup actions.
        ### Commented out by freeswan %post
        #plutoload=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
       

# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=3
        # RSA authentication with keys from DNS.
        authby=rsasig
        keylife=8.0h
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        rightupdown="/etc/ipsec.d/ccert/updown-road-central"

conn l2tp-winxp
        # How persistent to be in (re)keying negotiations (0 means very).
        #nw keyingtries=0
        keyingtries=3
        # RSA authentication with keys from DNS.
        authby=rsasig
        keylife=24.0h
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        rightnexthop=213.148.150.201
        rightupdown="/etc/ipsec.d/ccert/updown_srv"
        pfs=no
        right=213.148.150.202
        
rightid="/C=DE/ST=NRW/L=Essen/O=SBS/OU=Relax/CN=lnxvpn/emailAddress=relax at sbs.de"
        rightcert=/etc/ipsec.d/ccert/uebergangsca.cert
        leftca=%same
        left=%any
        leftprotoport=17/1701
        rightprotoport=17/1701
        auto=add



conn l2tp-linuxnat
        # How persistent to be in (re)keying negotiations (0 means very).
        leftsubnet=vhost:%priv
        keyingtries=3
        # RSA authentication with keys from DNS.
        authby=rsasig
        keylife=24.0h
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        rightnexthop=213.148.150.201
        rightupdown="/etc/ipsec.d/ccert/updown_srv"
        pfs=no
        right=213.148.150.202
        
rightid="/C=DE/ST=NRW/L=Essen/O=SBS/OU=Relax/CN=lnxvpn/emailAddress=relax at sbs.de"
        rightcert=/etc/ipsec.d/ccert/uebergangsca.cert
        leftca=%same
        left=%any
        auto=add


Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp":   CAs: 'C=DE, ST=NRW, L=Essen, 
O=SBS, OU=Relax,CN=uebergangs-ca, E=relax at sbs.de'...'C=DE, ST=NRW, 
L=Essen, O=SBS, OU=Relax, CN=uebergangs-ca, E=relax at sbs.de'
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp":   ike_life: 3600s; ipsec_life: 
86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp":   policy: RSASIG+ENCRYPT+TUNNEL; 
prio: 32,32; interface: eth1;
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp":   newest ISAKMP SA: #0; newest 
IPsec SA: #0;
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp":   IKE algorithms wanted: 
5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp":   IKE algorithms found:  
5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp":   ESP algorithms wanted: 3_000-1, 
3_000-2, flags=-strict
Feb  8 16:37:52 lnxtst pluto[16720]: | kernel_alg_esp_enc_ok(3,0): 
alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
Feb  8 16:37:52 lnxtst pluto[16720]: | kernel_alg_esp_enc_ok(3,0): 
alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp":   ESP algorithms loaded: 3_000-1, 
3_000-2, flags=-strict
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp"[2]: 213.148.150.202:4500[C=DE, 
ST=NRW, L=Essen, O=SBS, OU=Relax, CN=lnxvpn, 
E=relax at sbs.de]:17/1701---213.148.150.201...217.85.248.26:14502[O=Siemens-2004, 
CN=Norbert Wegener TCGID=ZZZZZ1EC]:17/1701; unrouted; eroute owner: #0
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp"[2]:   CAs: 'C=DE, ST=NRW, L=Essen, 
O=SBS, OU=Relax, CN=uebergangs-ca, E=relax at sbs.de'...'C=DE, ST=NRW, 
L=Essen, O=SBS, OU=Relax, CN=uebergangs-ca, E=relax at sbs.de'
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp"[2]:   ike_life: 3600s; ipsec_life: 
86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp"[2]:   policy: 
RSASIG+ENCRYPT+TUNNEL; prio: 32,32; interface: eth1;
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp"[2]:   newest ISAKMP SA: #1; newest 
IPsec SA: #0;
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp"[2]:   IKE algorithms wanted: 
5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp"[2]:   IKE algorithms found:  
5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp"[2]:   IKE algorithm newest: 
3DES_CBC_192-MD5-MODP1536
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp"[2]:   ESP algorithms wanted: 
3_000-1, 3_000-2, flags=-strict
Feb  8 16:37:52 lnxtst pluto[16720]: | kernel_alg_esp_enc_ok(3,0): 
alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
Feb  8 16:37:52 lnxtst pluto[16720]: | kernel_alg_esp_enc_ok(3,0): 
alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: "l2tp-winxp"[2]:   ESP algorithms loaded: 
3_000-1, 3_000-2, flags=-strict
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2:
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: #2: "l2tp-linuxnat"[1] 217.85.248.26:14502 
(null) (fail erouted); EVENT_SO_DISCARD in 0s
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2: #1: "l2tp-winxp"[2] 217.85.248.26:14502 
STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 
3330s; newest ISAKMP
Feb  8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1] 
217.85.248.26:14502 #2:
Feb  8 16:37:52 lnxtst ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 
215: 16720 Aborted                 /usr/lib/ipsec/pluto --nofork 
--secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-all 
--uniqueids --nat_traversal --virtual_private 
%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
Feb  8 16:37:52 lnxtst ipsec__plutorun: !pluto failure!:  exited with 
error status 134 (signal 6)
Feb  8 16:37:52 lnxtst ipsec__plutorun: restarting IPsec after pause...
Feb  8 16:38:00 lnxtst kernel: Kernel logging (proc) stopped.
Feb  8 16:38:00 lnxtst kernel: Kernel log daemon terminating.

Any ideas?

Norbert



