[Openswan Users] ASSERTION FAILED using Openswan 2.3.0DR5

Axel Mueller axel.mueller at avanux.de
Sat Jan 1 16:34:39 CET 2005


Hi Ken,

Thanks for your support. I built from CVS using the tag you told me. 
Unfortunately it didn't work out much better (another assertion fails - 
this time in demux.c):

Jan  1 16:24:06 gate pluto[6167]: packet from 192.168.70.5:500: received 
Vendor ID payload [Dead Peer Detection]
Jan  1 16:24:06 gate pluto[6167]: "mueller-family-wlan"[1] 192.168.70.5 
#1: responding to Main Mode from unknown peer 192.168.70.5
Jan  1 16:24:06 gate pluto[6167]: "mueller-family-wlan"[1] 192.168.70.5 
#1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[1] 192.168.70.5 
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan  1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[1] 192.168.70.5 
#1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Hessen, 
L=Altenstadt-Lindheim, O=mueller-family, CN=miraculix.mueller-family.de, 
E=axel at mueller-family.de'
Jan  1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[1] 192.168.70.5 
#1: crl update for "C=DE, ST=Hessen, L=Altenstadt-Lindheim, 
O=mueller-family, CN=CA, E=ca at mueller-family.de" is overdue since Aug 15 
11:43:12 UTC 2004
Jan  1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#1: deleting connection "mueller-family-wlan" instance with peer 
192.168.70.5 {isakmp=#0/ipsec=#0}
Jan  1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#1: I am sending my cert
Jan  1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan  1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#1: sent MR3, ISAKMP SA established
Jan  1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: responding to Quick Mode
Jan  1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: ESP transform ESP_AES / auth AUTH_ALGORITHM_HMAC_SHA1 not 
implemented yet
Jan  1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: ERROR: netlink response for Del SA unk0.b281 at 192.168.70.1 included 
errno 3: No such process
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: ASSERTION FAILED at demux.c:1799: STATE_IKE_FLOOR <= from_state && 
from_state <= STATE_IKE_ROOF
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: interface lo/lo ::1
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: interface lo/lo 127.0.0.1
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: interface eth0/eth0 169.254.0.1
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: interface eth1/eth1 192.168.69.1
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: interface eth2/eth2 192.168.70.1
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: interface ppp0/ppp0 80.128.168.176
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: %myid = (none)
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: debug none
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 #2:
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, 
keysizemax=64
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, 
keysizemax=192
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, 
keysizemin=40, keysizemax=448
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, 
keysizemax=0
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, 
keysizemin=128, keysizemax=256
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, 
keysizemin=128, keysizemax=256
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
keysizemin=128, keysizemax=128
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
keysizemin=160, keysizemax=160
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, 
keysizemin=256, keysizemax=256
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 #2:
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, 
keydeflen=128
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, 
keydeflen=192
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 #2:
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} 
trans={0,0,0} attrs={0,0,0}
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 #2:
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 #2:
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: "mueller-family-wlan": 0.0.0.0/0===192.168.70.1[C=DE, ST=Hessen, 
L=Altenstadt-Lindheim, O=mueller-family, CN=mueller-family.dyndns.org, 
E=axel at mueller-family.de]...%virtual===?; unrouted; eroute owner: #0
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: "mueller-family-wlan":     srcip=unset; dstip=unset
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: "mueller-family-wlan":   CAs: 'C=DE, ST=Hessen, 
L=Altenstadt-Lindheim, O=mueller-family, CN=CA, 
E=ca at mueller-family.de'...'%any'
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: "mueller-family-wlan":   ike_life: 3600s; ipsec_life: 28800s; 
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: "mueller-family-wlan":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; 
prio: 0,32; interface: eth2;
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: "mueller-family-wlan":   newest ISAKMP SA: #0; newest IPsec SA: #0;
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: "mueller-family-wlan"[2]: 0.0.0.0/0===192.168.70.1[C=DE, ST=Hessen, 
L=Altenstadt-Lindheim, O=mueller-family, CN=mueller-family.dyndns.org, 
E=axel at mueller-family.de]...192.168.70.5[C=DE, ST=Hessen, 
L=Altenstadt-Lindheim, O=mueller-family, CN=miraculix.mueller-family.de, 
E=axel at mueller-family.de]; unrouted; eroute owner: #0
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: "mueller-family-wlan"[2]:     srcip=unset; dstip=unset
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: "mueller-family-wlan"[2]:   CAs: 'C=DE, ST=Hessen, 
L=Altenstadt-Lindheim, O=mueller-family, CN=CA, 
E=ca at mueller-family.de'...'%any'
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: "mueller-family-wlan"[2]:   ike_life: 3600s; ipsec_life: 28800s; 
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: "mueller-family-wlan"[2]:   policy: 
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 0,32; interface: eth2;
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: "mueller-family-wlan"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: "mueller-family-wlan"[2]:   IKE algorithm newest: 
3DES_CBC_192-MD5-MODP1536
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 #2:
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: #2: "mueller-family-wlan"[2] 192.168.70.5 (null) ((null)); 
EVENT_CRYPTO_FAILED in 290s; lastdpd=-1s(seq in:0 out:0)
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 
#2: #1: "mueller-family-wlan"[2] 192.168.70.5 STATE_MAIN_R3 (sent MR3, 
ISAKMP SA established); EVENT_SA_REPLACE in 3320s; newest ISAKMP; 
lastdpd=-1s(seq in:0 out:0)
Jan  1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 #2:
Jan  1 16:24:17 gate ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: 
line 1:  6167 Aborted                 /usr/local/libexec/ipsec/pluto 
--nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d 
--uniqueids --virtual_private %v4:192.168.70.0/24
Jan  1 16:24:17 gate ipsec__plutorun: !pluto failure!:  exited with 
error status 134 (signal 6)
Jan  1 16:24:17 gate ipsec__plutorun: restarting IPsec after pause...
Jan  1 16:24:28 gate kernel: NET: Unregistered protocol family 15
Jan  1 16:24:28 gate ipsec_setup: ...Openswan IPsec stopped
Jan  1 16:24:29 gate ipsec_setup: Stopping Openswan IPsec...
Jan  1 16:24:29 gate ipsec_setup: Removing orphaned /var/run/pluto.pid:
Jan  1 16:24:29 gate kernel: NET: Registered protocol family 15
Jan  1 16:24:30 gate kernel: Initializing IPsec netlink socket
Jan  1 16:24:30 gate ipsec_setup: KLIPS ipsec0 on eth2 
192.168.70.1/255.255.255.0 broadcast 192.168.70.255
Jan  1 16:24:30 gate ipsec__plutorun: Restarting Pluto subsystem...
Jan  1 16:24:31 gate ipsec_setup: ...Openswan IPsec started
Jan  1 16:24:31 gate pluto[8156]: Starting Pluto (Openswan Version 2.3.0 
X.509-1.5.4 PLUTO_USES_KEYRR)
Jan  1 16:24:31 gate pluto[8156]: Setting port floating to off
Jan  1 16:24:31 gate pluto[8156]: port floating activate 0/1
Jan  1 16:24:31 gate pluto[8156]:   including NAT-Traversal patch 
(Version 0.6c) [disabled]
Jan  1 16:24:31 gate pluto[8156]: ike_alg_register_enc(): Activating 
OAKLEY_AES_CBC: Ok (ret=0)
Jan  1 16:24:31 gate pluto[8156]: starting up 1 cryptographic helpers
Jan  1 16:24:31 gate pluto[8156]: started helper pid=8165 (fd:6)
Jan  1 16:24:31 gate pluto[8156]: Using Linux 2.6 IPsec interface code
Jan  1 16:24:31 gate pluto[8156]: Changing to directory 
'/etc/ipsec.d/cacerts'
Jan  1 16:24:31 gate pluto[8156]:   loaded CA cert file 'cacert.pem' 
(1249 bytes)
Jan  1 16:24:31 gate pluto[8156]: Could not change to directory 
'/etc/ipsec.d/aacerts'
Jan  1 16:24:31 gate pluto[8156]: Changing to directory 
'/etc/ipsec.d/ocspcerts'
Jan  1 16:24:31 gate pluto[8156]: Changing to directory '/etc/ipsec.d/crls'
Jan  1 16:24:31 gate pluto[8156]:   loaded crl file 'crl.pem' (508 bytes)
Jan  1 16:24:31 gate ipsec_setup: Restarting Openswan IPsec 2.3.0...
Jan  1 16:24:31 gate ipsec_setup: insmod 
/lib/modules/2.6.10/kernel/net/key/af_key.ko
Jan  1 16:24:31 gate ipsec_setup: insmod 
/lib/modules/2.6.10/kernel/net/ipv4/xfrm4_tunnel.ko
Jan  1 16:24:31 gate ipsec_setup: insmod 
/lib/modules/2.6.10/kernel/net/xfrm/xfrm_user.ko
Jan  1 16:24:32 gate pluto[8156]:   loaded host cert file 
'/etc/ipsec.d/certs/mueller-family.dyndns.org.pem' (3659 bytes)
Jan  1 16:24:32 gate pluto[8156]: added connection description 
"mueller-family-wlan"
Jan  1 16:24:33 gate pluto[8156]: listening for IKE messages
Jan  1 16:24:33 gate pluto[8156]: adding interface ppp0/ppp0 80.128.168.176
Jan  1 16:24:33 gate pluto[8156]: adding interface eth2/eth2 192.168.70.1
Jan  1 16:24:33 gate pluto[8156]: adding interface eth1/eth1 192.168.69.1
[...]

Let me know if I might try another shot ;-)

Axel



Ken Bantoft wrote:

>
> Hi Axel,
>
> Fixed in CVS...
>
> checkout  -rPRE2_3 for the 2.3.x branch, or wait a day until I post 
> another release.
>
>
>
> Axel Mueller wrote:
>
>> For some months I was running a combination of Openswan 2.10 using 
>> kernel 2.6.4 on client side and kernel 2.4.22 on server side.
>> It was using X.509 based authentication which I got running thanks to 
>> Nate Carlsons HowTo.
>>
>> Yesterday I switched to kernel 2.6.10 for client and server using the 
>> configuration (certificates, config files, etc.) that worked well so 
>> far:
>>
>> # ipsec version
>> Linux Openswan U2.3.0dr5/K2.6.10 (netkey)
>>
>> Openswan startup on server side looks good:
>>
>> Dec 28 15:14:33 gate ipsec_setup: Starting Openswan IPsec 
>> U2.1.4/K2.6.10...
>> Dec 28 15:14:33 gate ipsec_setup: KLIPS ipsec0 on eth2 
>> 192.168.70.1/255.255.255.0 broadcast 192.168.70.255
>> Dec 28 15:14:33 gate ipsec__plutorun: Starting Pluto subsystem...
>> Dec 28 15:14:33 gate pluto[17347]: Starting Pluto (Openswan Version 
>> 2.1.4 X.509-1.4.8-1 PLUTO_USES_KEYRR)
>> Dec 28 15:14:33 gate pluto[17347]:   including NAT-Traversal patch 
>> (Version 0.6c) [disabled]
>> Dec 28 15:14:33 gate pluto[17347]: Using Linux 2.6 IPsec interface code
>> Dec 28 15:14:34 gate ipsec_setup: ...Openswan IPsec started
>> Dec 28 15:14:34 gate pluto[17347]: Changing to directory 
>> '/etc/ipsec.d/cacerts'
>> Dec 28 15:14:34 gate pluto[17347]:   loaded cacert file 'cacert.pem' 
>> (1249 bytes)
>> Dec 28 15:14:34 gate pluto[17347]: Changing to directory 
>> '/etc/ipsec.d/crls'
>> Dec 28 15:14:34 gate pluto[17347]:   loaded crl file 'crl.pem' (508 
>> bytes)
>> Dec 28 15:14:35 gate pluto[17347]:   loaded host cert file 
>> '/etc/ipsec.d/certs/mueller-family.dyndns.org.pem' (3659 bytes)
>> Dec 28 15:14:35 gate pluto[17347]: added connection description 
>> "mueller-family-wlan"
>> Dec 28 15:14:35 gate pluto[17347]: listening for IKE messages
>> Dec 28 15:14:35 gate pluto[17347]: adding interface ppp0/ppp0 
>> 80.128.172.213
>> Dec 28 15:14:35 gate pluto[17347]: adding interface eth2/eth2 
>> 192.168.70.1
>> Dec 28 15:14:35 gate pluto[17347]: adding interface eth1/eth1 
>> 192.168.69.1
>> Dec 28 15:14:35 gate pluto[17347]: adding interface eth0/eth0 
>> 169.254.0.1
>> Dec 28 15:14:35 gate pluto[17347]: adding interface lo/lo 127.0.0.1
>> Dec 28 15:14:35 gate pluto[17347]: adding interface lo/lo ::1
>> Dec 28 15:14:35 gate pluto[17347]: loading secrets from 
>> "/etc/ipsec.secrets"
>> Dec 28 15:14:35 gate pluto[17347]:   loaded private key file 
>> '/etc/ipsec.d/private/mueller-family.dyndns.org.key' (1692 bytes)
>>
>>
>> When I start up the Openswan client an assertion occures causing 
>> Openswan to be restarted:
>>
>> Dec 28 18:16:39 gate pluto[21517]: packet from 192.168.70.5:500: 
>> received Vendor ID payload [Dead Peer Detection]
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1] 
>> 192.168.70.5 #1: responding to Main Mode from unknown peer 192.168.70.5
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1] 
>> 192.168.70.5 #1: transition from state STATE_MAIN_R0 to state 
>> STATE_MAIN_R1
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1] 
>> 192.168.70.5 #1: transition from state STATE_MAIN_R1 to state 
>> STATE_MAIN_R2
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1] 
>> 192.168.70.5 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, 
>> ST=Hessen, L=Altenstadt-Lindheim, O=mueller-family, 
>> CN=miraculix.mueller-family.de, E=axel at mueller-family.de'
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1] 
>> 192.168.70.5 #1: crl update for "C=DE, ST=Hessen, 
>> L=Altenstadt-Lindheim, O=mueller-family, CN=CA, 
>> E=ca at mueller-family.de" is overdue since Aug 15 11:43:12 UTC 2004
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #1: deleting connection "mueller-family-wlan" instance 
>> with peer 192.168.70.5 {isakmp=#0/ipsec=#0}
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #1: I am sending my cert
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #1: transition from state STATE_MAIN_R2 to state 
>> STATE_MAIN_R3
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #1: sent MR3, ISAKMP SA established
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: responding to Quick Mode
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: ASSERTION FAILED at ipsec_doi.c:3172: case 12 
>> unexpected
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: interface lo/lo ::1
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: interface lo/lo 127.0.0.1
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: interface eth0/eth0 169.254.0.1
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: interface eth1/eth1 192.168.69.1
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: interface eth2/eth2 192.168.70.1
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: interface ppp0/ppp0 80.128.172.213
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: %myid = (none)
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: debug none
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, 
>> keysizemin=64, keysizemax=64
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, 
>> keysizemin=192, keysizemax=192
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, 
>> ivlen=8, keysizemin=40, keysizemax=448
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm ESP encrypt: id=11, name=ESP_NULL, 
>> ivlen=0, keysizemin=0, keysizemax=0
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm ESP encrypt: id=252, name=ESP_SERPENT, 
>> ivlen=8, keysizemin=128, keysizemax=256
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm ESP encrypt: id=253, name=ESP_TWOFISH, 
>> ivlen=8, keysizemin=128, keysizemax=256
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm ESP auth attr: id=1, 
>> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm ESP auth attr: id=2, 
>> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm ESP auth attr: id=5, 
>> name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm ESP auth attr: id=251, name=(null), 
>> keysizemin=0, keysizemax=0
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2:
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, 
>> blocksize=16, keydeflen=128
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, 
>> blocksize=8, keydeflen=192
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm IKE dh group: id=2, 
>> name=OAKLEY_GROUP_MODP1024, bits=1024
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm IKE dh group: id=5, 
>> name=OAKLEY_GROUP_MODP1536, bits=1536
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm IKE dh group: id=14, 
>> name=OAKLEY_GROUP_MODP2048, bits=2048
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm IKE dh group: id=15, 
>> name=OAKLEY_GROUP_MODP3072, bits=3072
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm IKE dh group: id=16, 
>> name=OAKLEY_GROUP_MODP4096, bits=4096
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm IKE dh group: id=17, 
>> name=OAKLEY_GROUP_MODP6144, bits=6144
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: algorithm IKE dh group: id=18, 
>> name=OAKLEY_GROUP_MODP8192, bits=8192
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2:
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: stats db_ops.c: {curr_cnt, total_cnt, maxsz} 
>> :context={0,0,0} trans={0,0,0} attrs={0,0,0}
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2:
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: "mueller-family-wlan": 
>> 0.0.0.0/0===192.168.70.1[C=DE, ST=Hessen, L=Altenstadt-Lindheim, 
>> O=mueller-family, CN=mueller-family.dyndns.org, 
>> E=axel at mueller-family.de]...%virtual===?; unrouted; eroute owner: #0
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: "mueller-family-wlan":     srcip=unset; dstip=unset
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: "mueller-family-wlan":   CAs: 'C=DE, ST=Hessen, 
>> L=Altenstadt-Lindheim, O=mueller-family, CN=CA, 
>> E=ca at mueller-family.de'...'%any'
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: "mueller-family-wlan":   ike_life: 3600s; 
>> ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: "mueller-family-wlan":   policy: 
>> RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 0,32; interface: eth2;
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: "mueller-family-wlan":   newest ISAKMP SA: #0; 
>> newest IPsec SA: #0;
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: "mueller-family-wlan"[2]: 
>> 0.0.0.0/0===192.168.70.1[C=DE, ST=Hessen, L=Altenstadt-Lindheim, 
>> O=mueller-family, CN=mueller-family.dyndns.org, 
>> E=axel at mueller-family.de]...192.168.70.5[C=DE, ST=Hessen, 
>> L=Altenstadt-Lindheim, O=mueller-family, 
>> CN=miraculix.mueller-family.de, E=axel at mueller-family.de]; unrouted; 
>> eroute owner: #0
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: "mueller-family-wlan"[2]:     srcip=unset; dstip=unset
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: "mueller-family-wlan"[2]:   CAs: 'C=DE, ST=Hessen, 
>> L=Altenstadt-Lindheim, O=mueller-family, CN=CA, 
>> E=ca at mueller-family.de'...'%any'
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: "mueller-family-wlan"[2]:   ike_life: 3600s; 
>> ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: "mueller-family-wlan"[2]:   policy: 
>> RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 0,32; interface: eth2;
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: "mueller-family-wlan"[2]:   newest ISAKMP SA: #1; 
>> newest IPsec SA: #0;
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: "mueller-family-wlan"[2]:   IKE algorithm newest: 
>> 3DES_CBC_192-MD5-MODP1536
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2:
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: #2: "mueller-family-wlan"[2] 192.168.70.5 (null) 
>> ((null)); EVENT_CRYPTO_FAILED in 299s; lastdpd=-1s(seq in:0 out:0)
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2: #1: "mueller-family-wlan"[2] 192.168.70.5 
>> STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 
>> 3329s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2] 
>> 192.168.70.5 #2:
>> Dec 28 18:16:40 gate ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: 
>> line 1: 21517 Aborted                 /usr/local/libexec/ipsec/pluto 
>> --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d 
>> --uniqueids --virtual_private %v4:192.168.70.0/24
>> Dec 28 18:16:40 gate ipsec__plutorun: !pluto failure!:  exited with 
>> error status 134 (signal 6)
>> Dec 28 18:16:40 gate ipsec__plutorun: restarting IPsec after pause...
>> Dec 28 18:16:51 gate kernel: NET: Unregistered protocol family 15
>> Dec 28 18:16:51 gate ipsec_setup: ...Openswan IPsec stopped
>> Dec 28 18:16:51 gate ipsec_setup: Stopping Openswan IPsec...
>> Dec 28 18:16:51 gate ipsec_setup: Removing orphaned /var/run/pluto.pid:
>> Dec 28 18:16:52 gate kernel: NET: Registered protocol family 15
>> Dec 28 18:16:53 gate kernel: Initializing IPsec netlink socket
>> Dec 28 18:16:53 gate ipsec_setup: KLIPS ipsec0 on eth2 
>> 192.168.70.1/255.255.255.0 broadcast 192.168.70.255
>> Dec 28 18:16:53 gate ipsec__plutorun: Restarting Pluto subsystem...
>> Dec 28 18:16:53 gate ipsec_setup: ...Openswan IPsec started
>> Dec 28 18:16:53 gate pluto[22217]: Starting Pluto (Openswan Version 
>> 2.3.0dr5 X.509-1.5.4 PLUTO_USES_KEYRR)
>> Dec 28 18:16:53 gate pluto[22217]: Setting port floating to off
>> Dec 28 18:16:53 gate pluto[22217]: port floating activate 0/1
>> Dec 28 18:16:53 gate pluto[22217]:   including NAT-Traversal patch 
>> (Version 0.6c) [disabled]
>> Dec 28 18:16:53 gate pluto[22217]: ike_alg_register_enc(): Activating 
>> OAKLEY_AES_CBC: Ok (ret=0)
>> Dec 28 18:16:53 gate pluto[22217]: starting up 1 cryptographic helpers
>> Dec 28 18:16:53 gate pluto[22217]: started helper pid=22226 (fd:6)
>> Dec 28 18:16:53 gate pluto[22217]: Using Linux 2.6 IPsec interface code
>> Dec 28 18:16:54 gate pluto[22217]: Changing to directory 
>> '/etc/ipsec.d/cacerts'
>> Dec 28 18:16:54 gate pluto[22217]:   loaded CA cert file 'cacert.pem' 
>> (1249 bytes)
>> Dec 28 18:16:54 gate pluto[22217]: Could not change to directory 
>> '/etc/ipsec.d/aacerts'
>> Dec 28 18:16:54 gate pluto[22217]: Changing to directory 
>> '/etc/ipsec.d/ocspcerts'
>> Dec 28 18:16:54 gate pluto[22217]: Changing to directory 
>> '/etc/ipsec.d/crls'
>> Dec 28 18:16:54 gate ipsec_setup: Restarting Openswan IPsec 2.3.0dr5...
>> Dec 28 18:16:54 gate ipsec_setup: insmod 
>> /lib/modules/2.6.10/kernel/net/key/af_key.ko
>> Dec 28 18:16:54 gate ipsec_setup: insmod 
>> /lib/modules/2.6.10/kernel/net/ipv4/xfrm4_tunnel.ko
>> Dec 28 18:16:54 gate ipsec_setup: insmod 
>> /lib/modules/2.6.10/kernel/net/xfrm/xfrm_user.ko
>> Dec 28 18:16:54 gate pluto[22217]:   loaded crl file 'crl.pem' (508 
>> bytes)
>> Dec 28 18:16:55 gate pluto[22217]:   loaded host cert file 
>> '/etc/ipsec.d/certs/mueller-family.dyndns.org.pem' (3659 bytes)
>> Dec 28 18:16:55 gate pluto[22217]: added connection description 
>> "mueller-family-wlan"
>> Dec 28 18:16:55 gate pluto[22217]: listening for IKE messages
>> Dec 28 18:16:55 gate pluto[22217]: adding interface ppp0/ppp0 
>> 80.128.172.213
>> Dec 28 18:16:55 gate pluto[22217]: adding interface eth2/eth2 
>> 192.168.70.1
>> Dec 28 18:16:55 gate pluto[22217]: adding interface eth1/eth1 
>> 192.168.69.1
>> Dec 28 18:16:55 gate pluto[22217]: adding interface eth0/eth0 
>> 169.254.0.1
>> Dec 28 18:16:55 gate pluto[22217]: adding interface lo/lo 127.0.0.1
>> Dec 28 18:16:55 gate pluto[22217]: adding interface lo/lo ::1
>>
>> The problem does not seem to relate on the kernel version on the 
>> client side - at least 2.6.9 shows the same behavior.
>> Any idea?
>>
>> Axel
>>
>> _______________________________________________
>> Users mailing list
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>
>
>
>


More information about the Users mailing list