[Openswan Users] pluto aborted
Norbert Wegener
nw at sbs.de
Tue Feb 8 16:38:55 CET 2005
I am using openswan-2.2.0-8 on a Suse9.2 system and want to set up an
l2tp/ipsec connection.
This works fine under Suse9.0 and a very old superfreeswan-1.99.8, but
fails on the current system with the following message:
Feb 8 15:00:08 lnxtst ipsec__plutorun: /usr/lib/ipsec/_plutorun: line
215: 2124 Aborted /usr/lib/ipsec/pluto
--nofork--secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d
--debug-parsing --debug-control --uniqueids --nat_traversal
Feb 8 15:00:08 lnxtst ipsec__plutorun: !pluto failure!: exited with
error status 134 (signal 6)
Feb 8 15:00:08 lnxtst ipsec__plutorun: restarting IPsec after pause...
The l2tp-winxp connection with a Windows XP client works without problems;
Linux clients using the l2tp-linuxnat connection cause the failure.
I can provide the full logs, but that would be a bit much for the list.
Here is the relevant part of ipsec.conf:
version 2.0
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
#plutodebug = "parsing crypt emitting control"
plutodebug=all
#plutoopts=perpeerlog
# Use auto= parameters in conn descriptions to control startup actions.
### Commented out by freeswan %post
#plutoload=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=3
# RSA authentication with keys from DNS.
authby=rsasig
keylife=8.0h
leftrsasigkey=%cert
rightrsasigkey=%cert
rightupdown="/etc/ipsec.d/ccert/updown-road-central"
conn l2tp-winxp
# How persistent to be in (re)keying negotiations (0 means very).
#nw keyingtries=0
keyingtries=3
# RSA authentication with keys from DNS.
authby=rsasig
keylife=24.0h
leftrsasigkey=%cert
rightrsasigkey=%cert
rightnexthop=213.148.150.201
rightupdown="/etc/ipsec.d/ccert/updown_srv"
pfs=no
right=213.148.150.202
rightid="/C=DE/ST=NRW/L=Essen/O=SBS/OU=Relax/CN=lnxvpn/emailAddress=relax at sbs.de"
rightcert=/etc/ipsec.d/ccert/uebergangsca.cert
leftca=%same
left=%any
leftprotoport=17/1701
rightprotoport=17/1701
auto=add
conn l2tp-linuxnat
# How persistent to be in (re)keying negotiations (0 means very).
leftsubnet=vhost:%priv
keyingtries=3
# RSA authentication with keys from DNS.
authby=rsasig
keylife=24.0h
leftrsasigkey=%cert
rightrsasigkey=%cert
rightnexthop=213.148.150.201
rightupdown="/etc/ipsec.d/ccert/updown_srv"
pfs=no
right=213.148.150.202
rightid="/C=DE/ST=NRW/L=Essen/O=SBS/OU=Relax/CN=lnxvpn/emailAddress=relax at sbs.de"
rightcert=/etc/ipsec.d/ccert/uebergangsca.cert
leftca=%same
left=%any
auto=add
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp": CAs: 'C=DE, ST=NRW, L=Essen,
O=SBS, OU=Relax,CN=uebergangs-ca, E=relax at sbs.de'...'C=DE, ST=NRW,
L=Essen, O=SBS, OU=Relax, CN=uebergangs-ca, E=relax at sbs.de'
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp": ike_life: 3600s; ipsec_life:
86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp": policy: RSASIG+ENCRYPT+TUNNEL;
prio: 32,32; interface: eth1;
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp": newest ISAKMP SA: #0; newest
IPsec SA: #0;
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp": IKE algorithms wanted:
5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp": IKE algorithms found:
5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp": ESP algorithms wanted: 3_000-1,
3_000-2, flags=-strict
Feb 8 16:37:52 lnxtst pluto[16720]: | kernel_alg_esp_enc_ok(3,0):
alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
Feb 8 16:37:52 lnxtst pluto[16720]: | kernel_alg_esp_enc_ok(3,0):
alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp": ESP algorithms loaded: 3_000-1,
3_000-2, flags=-strict
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp"[2]: 213.148.150.202:4500[C=DE,
ST=NRW, L=Essen, O=SBS, OU=Relax, CN=lnxvpn,
E=relax at sbs.de]:17/1701---213.148.150.201...217.85.248.26:14502[O=Siemens-2004,
CN=Norbert Wegener TCGID=ZZZZZ1EC]:17/1701; unrouted; eroute owner: #0
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp"[2]: CAs: 'C=DE, ST=NRW, L=Essen,
O=SBS, OU=Relax, CN=uebergangs-ca, E=relax at sbs.de'...'C=DE, ST=NRW,
L=Essen, O=SBS, OU=Relax, CN=uebergangs-ca, E=relax at sbs.de'
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp"[2]: ike_life: 3600s; ipsec_life:
86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp"[2]: policy:
RSASIG+ENCRYPT+TUNNEL; prio: 32,32; interface: eth1;
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp"[2]: newest ISAKMP SA: #1; newest
IPsec SA: #0;
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp"[2]: IKE algorithms wanted:
5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp"[2]: IKE algorithms found:
5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp"[2]: IKE algorithm newest:
3DES_CBC_192-MD5-MODP1536
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp"[2]: ESP algorithms wanted:
3_000-1, 3_000-2, flags=-strict
Feb 8 16:37:52 lnxtst pluto[16720]: | kernel_alg_esp_enc_ok(3,0):
alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
Feb 8 16:37:52 lnxtst pluto[16720]: | kernel_alg_esp_enc_ok(3,0):
alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: "l2tp-winxp"[2]: ESP algorithms loaded:
3_000-1, 3_000-2, flags=-strict
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2:
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: #2: "l2tp-linuxnat"[1] 217.85.248.26:14502
(null) (fail erouted); EVENT_SO_DISCARD in 0s
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2: #1: "l2tp-winxp"[2] 217.85.248.26:14502
STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in
3330s; newest ISAKMP
Feb 8 16:37:52 lnxtst pluto[16720]: "l2tp-linuxnat"[1]
217.85.248.26:14502 #2:
Feb 8 16:37:52 lnxtst ipsec__plutorun: /usr/lib/ipsec/_plutorun: line
215: 16720 Aborted /usr/lib/ipsec/pluto --nofork
--secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-all
--uniqueids --nat_traversal --virtual_private
%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
Feb 8 16:37:52 lnxtst ipsec__plutorun: !pluto failure!: exited with
error status 134 (signal 6)
Feb 8 16:37:52 lnxtst ipsec__plutorun: restarting IPsec after pause...
Feb 8 16:38:00 lnxtst kernel: Kernel logging (proc) stopped.
Feb 8 16:38:00 lnxtst kernel: Kernel log daemon terminating.
Any ideas?
Norbert