[Openswan Users] ASSERTION FAILED using Openswan 2.3.0DR5
Axel Mueller
axel.mueller at avanux.de
Sat Jan 1 16:34:39 CET 2005
Hi Ken,
Thanks for your support. I built from CVS using the tag you told me.
Unfortunately it didn't work out much better (another assertion fails -
this time in demux.c):
Jan 1 16:24:06 gate pluto[6167]: packet from 192.168.70.5:500: received
Vendor ID payload [Dead Peer Detection]
Jan 1 16:24:06 gate pluto[6167]: "mueller-family-wlan"[1] 192.168.70.5
#1: responding to Main Mode from unknown peer 192.168.70.5
Jan 1 16:24:06 gate pluto[6167]: "mueller-family-wlan"[1] 192.168.70.5
#1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[1] 192.168.70.5
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[1] 192.168.70.5
#1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Hessen,
L=Altenstadt-Lindheim, O=mueller-family, CN=miraculix.mueller-family.de,
E=axel at mueller-family.de'
Jan 1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[1] 192.168.70.5
#1: crl update for "C=DE, ST=Hessen, L=Altenstadt-Lindheim,
O=mueller-family, CN=CA, E=ca at mueller-family.de" is overdue since Aug 15
11:43:12 UTC 2004
Jan 1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#1: deleting connection "mueller-family-wlan" instance with peer
192.168.70.5 {isakmp=#0/ipsec=#0}
Jan 1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#1: I am sending my cert
Jan 1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#1: sent MR3, ISAKMP SA established
Jan 1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: responding to Quick Mode
Jan 1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: ESP transform ESP_AES / auth AUTH_ALGORITHM_HMAC_SHA1 not
implemented yet
Jan 1 16:24:07 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: ERROR: netlink response for Del SA unk0.b281 at 192.168.70.1 included
errno 3: No such process
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: ASSERTION FAILED at demux.c:1799: STATE_IKE_FLOOR <= from_state &&
from_state <= STATE_IKE_ROOF
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: interface lo/lo ::1
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: interface lo/lo 127.0.0.1
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: interface eth0/eth0 169.254.0.1
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: interface eth1/eth1 192.168.69.1
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: interface eth2/eth2 192.168.70.1
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: interface ppp0/ppp0 80.128.168.176
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: %myid = (none)
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: debug none
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 #2:
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 #2:
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 #2:
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 #2:
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 #2:
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan": 0.0.0.0/0===192.168.70.1[C=DE, ST=Hessen,
L=Altenstadt-Lindheim, O=mueller-family, CN=mueller-family.dyndns.org,
E=axel at mueller-family.de]...%virtual===?; unrouted; eroute owner: #0
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan": srcip=unset; dstip=unset
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan": CAs: 'C=DE, ST=Hessen,
L=Altenstadt-Lindheim, O=mueller-family, CN=CA,
E=ca at mueller-family.de'...'%any'
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS;
prio: 0,32; interface: eth2;
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan": newest ISAKMP SA: #0; newest IPsec SA: #0;
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan"[2]: 0.0.0.0/0===192.168.70.1[C=DE, ST=Hessen,
L=Altenstadt-Lindheim, O=mueller-family, CN=mueller-family.dyndns.org,
E=axel at mueller-family.de]...192.168.70.5[C=DE, ST=Hessen,
L=Altenstadt-Lindheim, O=mueller-family, CN=miraculix.mueller-family.de,
E=axel at mueller-family.de]; unrouted; eroute owner: #0
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan"[2]: srcip=unset; dstip=unset
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan"[2]: CAs: 'C=DE, ST=Hessen,
L=Altenstadt-Lindheim, O=mueller-family, CN=CA,
E=ca at mueller-family.de'...'%any'
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan"[2]: ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan"[2]: policy:
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 0,32; interface: eth2;
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan"[2]: newest ISAKMP SA: #1; newest IPsec SA: #0;
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: "mueller-family-wlan"[2]: IKE algorithm newest:
3DES_CBC_192-MD5-MODP1536
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 #2:
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: #2: "mueller-family-wlan"[2] 192.168.70.5 (null) ((null));
EVENT_CRYPTO_FAILED in 290s; lastdpd=-1s(seq in:0 out:0)
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5
#2: #1: "mueller-family-wlan"[2] 192.168.70.5 STATE_MAIN_R3 (sent MR3,
ISAKMP SA established); EVENT_SA_REPLACE in 3320s; newest ISAKMP;
lastdpd=-1s(seq in:0 out:0)
Jan 1 16:24:17 gate pluto[6167]: "mueller-family-wlan"[2] 192.168.70.5 #2:
Jan 1 16:24:17 gate ipsec__plutorun: /usr/local/lib/ipsec/_plutorun:
line 1: 6167 Aborted /usr/local/libexec/ipsec/pluto
--nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d
--uniqueids --virtual_private %v4:192.168.70.0/24
Jan 1 16:24:17 gate ipsec__plutorun: !pluto failure!: exited with
error status 134 (signal 6)
Jan 1 16:24:17 gate ipsec__plutorun: restarting IPsec after pause...
Jan 1 16:24:28 gate kernel: NET: Unregistered protocol family 15
Jan 1 16:24:28 gate ipsec_setup: ...Openswan IPsec stopped
Jan 1 16:24:29 gate ipsec_setup: Stopping Openswan IPsec...
Jan 1 16:24:29 gate ipsec_setup: Removing orphaned /var/run/pluto.pid:
Jan 1 16:24:29 gate kernel: NET: Registered protocol family 15
Jan 1 16:24:30 gate kernel: Initializing IPsec netlink socket
Jan 1 16:24:30 gate ipsec_setup: KLIPS ipsec0 on eth2
192.168.70.1/255.255.255.0 broadcast 192.168.70.255
Jan 1 16:24:30 gate ipsec__plutorun: Restarting Pluto subsystem...
Jan 1 16:24:31 gate ipsec_setup: ...Openswan IPsec started
Jan 1 16:24:31 gate pluto[8156]: Starting Pluto (Openswan Version 2.3.0
X.509-1.5.4 PLUTO_USES_KEYRR)
Jan 1 16:24:31 gate pluto[8156]: Setting port floating to off
Jan 1 16:24:31 gate pluto[8156]: port floating activate 0/1
Jan 1 16:24:31 gate pluto[8156]: including NAT-Traversal patch
(Version 0.6c) [disabled]
Jan 1 16:24:31 gate pluto[8156]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Jan 1 16:24:31 gate pluto[8156]: starting up 1 cryptographic helpers
Jan 1 16:24:31 gate pluto[8156]: started helper pid=8165 (fd:6)
Jan 1 16:24:31 gate pluto[8156]: Using Linux 2.6 IPsec interface code
Jan 1 16:24:31 gate pluto[8156]: Changing to directory
'/etc/ipsec.d/cacerts'
Jan 1 16:24:31 gate pluto[8156]: loaded CA cert file 'cacert.pem'
(1249 bytes)
Jan 1 16:24:31 gate pluto[8156]: Could not change to directory
'/etc/ipsec.d/aacerts'
Jan 1 16:24:31 gate pluto[8156]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Jan 1 16:24:31 gate pluto[8156]: Changing to directory '/etc/ipsec.d/crls'
Jan 1 16:24:31 gate pluto[8156]: loaded crl file 'crl.pem' (508 bytes)
Jan 1 16:24:31 gate ipsec_setup: Restarting Openswan IPsec 2.3.0...
Jan 1 16:24:31 gate ipsec_setup: insmod
/lib/modules/2.6.10/kernel/net/key/af_key.ko
Jan 1 16:24:31 gate ipsec_setup: insmod
/lib/modules/2.6.10/kernel/net/ipv4/xfrm4_tunnel.ko
Jan 1 16:24:31 gate ipsec_setup: insmod
/lib/modules/2.6.10/kernel/net/xfrm/xfrm_user.ko
Jan 1 16:24:32 gate pluto[8156]: loaded host cert file
'/etc/ipsec.d/certs/mueller-family.dyndns.org.pem' (3659 bytes)
Jan 1 16:24:32 gate pluto[8156]: added connection description
"mueller-family-wlan"
Jan 1 16:24:33 gate pluto[8156]: listening for IKE messages
Jan 1 16:24:33 gate pluto[8156]: adding interface ppp0/ppp0 80.128.168.176
Jan 1 16:24:33 gate pluto[8156]: adding interface eth2/eth2 192.168.70.1
Jan 1 16:24:33 gate pluto[8156]: adding interface eth1/eth1 192.168.69.1
[...]
Let me know if I might try another shot ;-)
Axel
Ken Bantoft wrote:
>
> Hi Axel,
>
> Fixed in CVS...
>
> checkout -rPRE2_3 for the 2.3.x branch, or wait a day until I post
> another release.
>
>
>
> Axel Mueller wrote:
>
>> For some months I was running a combination of Openswan 2.10 using
>> kernel 2.6.4 on client side and kernel 2.4.22 on server side.
>> It was using X.509 based authentication which I got running thanks to
>> Nate Carlsons HowTo.
>>
>> Yesterday I switched to kernel 2.6.10 for client and server using the
>> configuration (certificates, config files, etc.) that worked well so
>> far:
>>
>> # ipsec version
>> Linux Openswan U2.3.0dr5/K2.6.10 (netkey)
>>
>> Openswan startup on server side looks good:
>>
>> Dec 28 15:14:33 gate ipsec_setup: Starting Openswan IPsec
>> U2.1.4/K2.6.10...
>> Dec 28 15:14:33 gate ipsec_setup: KLIPS ipsec0 on eth2
>> 192.168.70.1/255.255.255.0 broadcast 192.168.70.255
>> Dec 28 15:14:33 gate ipsec__plutorun: Starting Pluto subsystem...
>> Dec 28 15:14:33 gate pluto[17347]: Starting Pluto (Openswan Version
>> 2.1.4 X.509-1.4.8-1 PLUTO_USES_KEYRR)
>> Dec 28 15:14:33 gate pluto[17347]: including NAT-Traversal patch
>> (Version 0.6c) [disabled]
>> Dec 28 15:14:33 gate pluto[17347]: Using Linux 2.6 IPsec interface code
>> Dec 28 15:14:34 gate ipsec_setup: ...Openswan IPsec started
>> Dec 28 15:14:34 gate pluto[17347]: Changing to directory
>> '/etc/ipsec.d/cacerts'
>> Dec 28 15:14:34 gate pluto[17347]: loaded cacert file 'cacert.pem'
>> (1249 bytes)
>> Dec 28 15:14:34 gate pluto[17347]: Changing to directory
>> '/etc/ipsec.d/crls'
>> Dec 28 15:14:34 gate pluto[17347]: loaded crl file 'crl.pem' (508
>> bytes)
>> Dec 28 15:14:35 gate pluto[17347]: loaded host cert file
>> '/etc/ipsec.d/certs/mueller-family.dyndns.org.pem' (3659 bytes)
>> Dec 28 15:14:35 gate pluto[17347]: added connection description
>> "mueller-family-wlan"
>> Dec 28 15:14:35 gate pluto[17347]: listening for IKE messages
>> Dec 28 15:14:35 gate pluto[17347]: adding interface ppp0/ppp0
>> 80.128.172.213
>> Dec 28 15:14:35 gate pluto[17347]: adding interface eth2/eth2
>> 192.168.70.1
>> Dec 28 15:14:35 gate pluto[17347]: adding interface eth1/eth1
>> 192.168.69.1
>> Dec 28 15:14:35 gate pluto[17347]: adding interface eth0/eth0
>> 169.254.0.1
>> Dec 28 15:14:35 gate pluto[17347]: adding interface lo/lo 127.0.0.1
>> Dec 28 15:14:35 gate pluto[17347]: adding interface lo/lo ::1
>> Dec 28 15:14:35 gate pluto[17347]: loading secrets from
>> "/etc/ipsec.secrets"
>> Dec 28 15:14:35 gate pluto[17347]: loaded private key file
>> '/etc/ipsec.d/private/mueller-family.dyndns.org.key' (1692 bytes)
>>
>>
>> When I start up the Openswan client an assertion occures causing
>> Openswan to be restarted:
>>
>> Dec 28 18:16:39 gate pluto[21517]: packet from 192.168.70.5:500:
>> received Vendor ID payload [Dead Peer Detection]
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1]
>> 192.168.70.5 #1: responding to Main Mode from unknown peer 192.168.70.5
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1]
>> 192.168.70.5 #1: transition from state STATE_MAIN_R0 to state
>> STATE_MAIN_R1
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1]
>> 192.168.70.5 #1: transition from state STATE_MAIN_R1 to state
>> STATE_MAIN_R2
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1]
>> 192.168.70.5 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE,
>> ST=Hessen, L=Altenstadt-Lindheim, O=mueller-family,
>> CN=miraculix.mueller-family.de, E=axel at mueller-family.de'
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1]
>> 192.168.70.5 #1: crl update for "C=DE, ST=Hessen,
>> L=Altenstadt-Lindheim, O=mueller-family, CN=CA,
>> E=ca at mueller-family.de" is overdue since Aug 15 11:43:12 UTC 2004
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #1: deleting connection "mueller-family-wlan" instance
>> with peer 192.168.70.5 {isakmp=#0/ipsec=#0}
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #1: I am sending my cert
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #1: transition from state STATE_MAIN_R2 to state
>> STATE_MAIN_R3
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #1: sent MR3, ISAKMP SA established
>> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: responding to Quick Mode
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: ASSERTION FAILED at ipsec_doi.c:3172: case 12
>> unexpected
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: interface lo/lo ::1
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: interface lo/lo 127.0.0.1
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: interface eth0/eth0 169.254.0.1
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: interface eth1/eth1 192.168.69.1
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: interface eth2/eth2 192.168.70.1
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: interface ppp0/ppp0 80.128.172.213
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: %myid = (none)
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: debug none
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8,
>> keysizemin=64, keysizemax=64
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
>> keysizemin=192, keysizemax=192
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm ESP encrypt: id=7, name=ESP_BLOWFISH,
>> ivlen=8, keysizemin=40, keysizemax=448
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm ESP encrypt: id=11, name=ESP_NULL,
>> ivlen=0, keysizemin=0, keysizemax=0
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm ESP encrypt: id=252, name=ESP_SERPENT,
>> ivlen=8, keysizemin=128, keysizemax=256
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm ESP encrypt: id=253, name=ESP_TWOFISH,
>> ivlen=8, keysizemin=128, keysizemax=256
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm ESP auth attr: id=1,
>> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm ESP auth attr: id=2,
>> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm ESP auth attr: id=5,
>> name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm ESP auth attr: id=251, name=(null),
>> keysizemin=0, keysizemax=0
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2:
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC,
>> blocksize=16, keydeflen=128
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,
>> blocksize=8, keydeflen=192
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm IKE dh group: id=2,
>> name=OAKLEY_GROUP_MODP1024, bits=1024
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm IKE dh group: id=5,
>> name=OAKLEY_GROUP_MODP1536, bits=1536
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm IKE dh group: id=14,
>> name=OAKLEY_GROUP_MODP2048, bits=2048
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm IKE dh group: id=15,
>> name=OAKLEY_GROUP_MODP3072, bits=3072
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm IKE dh group: id=16,
>> name=OAKLEY_GROUP_MODP4096, bits=4096
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm IKE dh group: id=17,
>> name=OAKLEY_GROUP_MODP6144, bits=6144
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: algorithm IKE dh group: id=18,
>> name=OAKLEY_GROUP_MODP8192, bits=8192
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2:
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: stats db_ops.c: {curr_cnt, total_cnt, maxsz}
>> :context={0,0,0} trans={0,0,0} attrs={0,0,0}
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2:
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: "mueller-family-wlan":
>> 0.0.0.0/0===192.168.70.1[C=DE, ST=Hessen, L=Altenstadt-Lindheim,
>> O=mueller-family, CN=mueller-family.dyndns.org,
>> E=axel at mueller-family.de]...%virtual===?; unrouted; eroute owner: #0
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: "mueller-family-wlan": srcip=unset; dstip=unset
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: "mueller-family-wlan": CAs: 'C=DE, ST=Hessen,
>> L=Altenstadt-Lindheim, O=mueller-family, CN=CA,
>> E=ca at mueller-family.de'...'%any'
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: "mueller-family-wlan": ike_life: 3600s;
>> ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: "mueller-family-wlan": policy:
>> RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 0,32; interface: eth2;
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: "mueller-family-wlan": newest ISAKMP SA: #0;
>> newest IPsec SA: #0;
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: "mueller-family-wlan"[2]:
>> 0.0.0.0/0===192.168.70.1[C=DE, ST=Hessen, L=Altenstadt-Lindheim,
>> O=mueller-family, CN=mueller-family.dyndns.org,
>> E=axel at mueller-family.de]...192.168.70.5[C=DE, ST=Hessen,
>> L=Altenstadt-Lindheim, O=mueller-family,
>> CN=miraculix.mueller-family.de, E=axel at mueller-family.de]; unrouted;
>> eroute owner: #0
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: "mueller-family-wlan"[2]: srcip=unset; dstip=unset
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: "mueller-family-wlan"[2]: CAs: 'C=DE, ST=Hessen,
>> L=Altenstadt-Lindheim, O=mueller-family, CN=CA,
>> E=ca at mueller-family.de'...'%any'
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: "mueller-family-wlan"[2]: ike_life: 3600s;
>> ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: "mueller-family-wlan"[2]: policy:
>> RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 0,32; interface: eth2;
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: "mueller-family-wlan"[2]: newest ISAKMP SA: #1;
>> newest IPsec SA: #0;
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: "mueller-family-wlan"[2]: IKE algorithm newest:
>> 3DES_CBC_192-MD5-MODP1536
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2:
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: #2: "mueller-family-wlan"[2] 192.168.70.5 (null)
>> ((null)); EVENT_CRYPTO_FAILED in 299s; lastdpd=-1s(seq in:0 out:0)
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2: #1: "mueller-family-wlan"[2] 192.168.70.5
>> STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in
>> 3329s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
>> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
>> 192.168.70.5 #2:
>> Dec 28 18:16:40 gate ipsec__plutorun: /usr/local/lib/ipsec/_plutorun:
>> line 1: 21517 Aborted /usr/local/libexec/ipsec/pluto
>> --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d
>> --uniqueids --virtual_private %v4:192.168.70.0/24
>> Dec 28 18:16:40 gate ipsec__plutorun: !pluto failure!: exited with
>> error status 134 (signal 6)
>> Dec 28 18:16:40 gate ipsec__plutorun: restarting IPsec after pause...
>> Dec 28 18:16:51 gate kernel: NET: Unregistered protocol family 15
>> Dec 28 18:16:51 gate ipsec_setup: ...Openswan IPsec stopped
>> Dec 28 18:16:51 gate ipsec_setup: Stopping Openswan IPsec...
>> Dec 28 18:16:51 gate ipsec_setup: Removing orphaned /var/run/pluto.pid:
>> Dec 28 18:16:52 gate kernel: NET: Registered protocol family 15
>> Dec 28 18:16:53 gate kernel: Initializing IPsec netlink socket
>> Dec 28 18:16:53 gate ipsec_setup: KLIPS ipsec0 on eth2
>> 192.168.70.1/255.255.255.0 broadcast 192.168.70.255
>> Dec 28 18:16:53 gate ipsec__plutorun: Restarting Pluto subsystem...
>> Dec 28 18:16:53 gate ipsec_setup: ...Openswan IPsec started
>> Dec 28 18:16:53 gate pluto[22217]: Starting Pluto (Openswan Version
>> 2.3.0dr5 X.509-1.5.4 PLUTO_USES_KEYRR)
>> Dec 28 18:16:53 gate pluto[22217]: Setting port floating to off
>> Dec 28 18:16:53 gate pluto[22217]: port floating activate 0/1
>> Dec 28 18:16:53 gate pluto[22217]: including NAT-Traversal patch
>> (Version 0.6c) [disabled]
>> Dec 28 18:16:53 gate pluto[22217]: ike_alg_register_enc(): Activating
>> OAKLEY_AES_CBC: Ok (ret=0)
>> Dec 28 18:16:53 gate pluto[22217]: starting up 1 cryptographic helpers
>> Dec 28 18:16:53 gate pluto[22217]: started helper pid=22226 (fd:6)
>> Dec 28 18:16:53 gate pluto[22217]: Using Linux 2.6 IPsec interface code
>> Dec 28 18:16:54 gate pluto[22217]: Changing to directory
>> '/etc/ipsec.d/cacerts'
>> Dec 28 18:16:54 gate pluto[22217]: loaded CA cert file 'cacert.pem'
>> (1249 bytes)
>> Dec 28 18:16:54 gate pluto[22217]: Could not change to directory
>> '/etc/ipsec.d/aacerts'
>> Dec 28 18:16:54 gate pluto[22217]: Changing to directory
>> '/etc/ipsec.d/ocspcerts'
>> Dec 28 18:16:54 gate pluto[22217]: Changing to directory
>> '/etc/ipsec.d/crls'
>> Dec 28 18:16:54 gate ipsec_setup: Restarting Openswan IPsec 2.3.0dr5...
>> Dec 28 18:16:54 gate ipsec_setup: insmod
>> /lib/modules/2.6.10/kernel/net/key/af_key.ko
>> Dec 28 18:16:54 gate ipsec_setup: insmod
>> /lib/modules/2.6.10/kernel/net/ipv4/xfrm4_tunnel.ko
>> Dec 28 18:16:54 gate ipsec_setup: insmod
>> /lib/modules/2.6.10/kernel/net/xfrm/xfrm_user.ko
>> Dec 28 18:16:54 gate pluto[22217]: loaded crl file 'crl.pem' (508
>> bytes)
>> Dec 28 18:16:55 gate pluto[22217]: loaded host cert file
>> '/etc/ipsec.d/certs/mueller-family.dyndns.org.pem' (3659 bytes)
>> Dec 28 18:16:55 gate pluto[22217]: added connection description
>> "mueller-family-wlan"
>> Dec 28 18:16:55 gate pluto[22217]: listening for IKE messages
>> Dec 28 18:16:55 gate pluto[22217]: adding interface ppp0/ppp0
>> 80.128.172.213
>> Dec 28 18:16:55 gate pluto[22217]: adding interface eth2/eth2
>> 192.168.70.1
>> Dec 28 18:16:55 gate pluto[22217]: adding interface eth1/eth1
>> 192.168.69.1
>> Dec 28 18:16:55 gate pluto[22217]: adding interface eth0/eth0
>> 169.254.0.1
>> Dec 28 18:16:55 gate pluto[22217]: adding interface lo/lo 127.0.0.1
>> Dec 28 18:16:55 gate pluto[22217]: adding interface lo/lo ::1
>>
>> The problem does not seem to relate on the kernel version on the
>> client side - at least 2.6.9 shows the same behavior.
>> Any idea?
>>
>> Axel
>>
>> _______________________________________________
>> Users mailing list
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>
>
>
>
More information about the Users
mailing list