[Openswan Users] Unable to handle kernel paging request on INVALID_ID_INFORMATION

frank frank-openswan at magnusint.com
Mon Mar 7 21:40:12 CET 2005


Hi,
 
I have been trying to set up OpenSwan without success so far. I have two questions:
 
- Is the configuration below correct?
- What causes the kernel crash on gw1?
 
Let me give some background info on the problem:
 
I'm running OpenSwan 2.3.0 (both sides) on the following configuration:
 
                  ---------------------------                     -------------------------------                          ------------------------------
                 | gw1 OpenWRT,OpenSwan2.3.0 |     INTERNET      | ADSL Router                   |                        | twingo Fedora3,OpenSwan2.3.0 |
10.69.0.0/24 <-> | 10.69.0.1 // 192.168.0.22 | <-> 0.0.0.0/0 <-> | 81.101.102.103 // 192.168.2.1 | <-> 192.168.2.0/24 <-> | 192.168.2.101                |
                  ---------------------------                     -------------------------------                          ------------------------------
 
Twingo is running Fedora Core 3 with latest updates installed:
 
[root@twingo ~]# uname -a
Linux twingo.example.net 2.6.10-1.770_FC3 #1 Thu Feb 24 14:00:06 EST 2005 i686 i686 i386 GNU/Linux
 
Twingo is behind an ADSL router which is configured
with a fixed IP number 81.101.102.103. The ADSL router is
configured to use ip number 192.168.2.101 as its DMZ host
which means all traffic on the external IP number is
forwarded to twingo. The machine is configured with a
Shorewall firewall which allows the necessary traffic on
the external interface (eth0).
 
GW1 is running OpenWRT, a pre-compiled kernel with NAT-T patch:
 
root@gw1:~# uname -a
Linux gw1 2.4.20 #1 Tue Mar 1 00:34:53 CET 2005 mips unknown
 
GW1 is behind a proxy server on IP number 192.168.0.22. The
proxy server is connected to the internet; however, the ISP
frequently changes the external IP number. GW1 is configured
with a Shorewall firewall which allows the necessary
traffic on the external interface (vlan1).
 
With this setup Twingo is configured to accept VPN
connections from %any IP number. GW1 is initiating the
connection. On startup of IPSec on GW1 the dialog below takes
place. The ISAKMP SA is established, however shortly after
GW1 crashes on an invalid kernel paging request. Most likely
this happens just after twingo sends the message
INVALID_ID_INFORMATION.
 
What happens here? I'm out of options...
 
Below are the configuration files of both systems as well as the log
dialog for both systems. Furthermore I attached barfs of
both systems. This will produce some errors on gw1 because
not all commands that barf calls are supported on OpenWRT.
If I need to provide additional info let me know.
 
Any help is appreciated!
 
regards
Frank
 

=================================================
ipsec.conf on Twingo
=================================================
# config twingo.example.net
 
# RSA 512 bits   twingo.example.net   Sat Mar  5 06:56:14 2005
# leftrsasigkey=0sAQNe8KZWy0hiE4cSVuhsNB+fnbPk1d8a7Xf6b8gsq2w/Zt95OitajQSkyR8g9oplXCScQ8K4xjZHi5UlK+jcjAZx
 
# RSA 512 bits   gw1.example.net   Sat Mar  5 06:56:28 2005
# leftrsasigkey=0sAQNbxdNOzPC8u28yRFPrWG/XSkybC+gnc1zpayWW/zIiGgHKs3II7Cix9ekOR9sRdUC6xheDMUwvPKKGXJcFWCml
 
version 2.0
 
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        klipsdebug=none
        plutodebug=none
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24
 
conn %default
        keyingtries=0
        ikelifetime=3h
        compress=no
        disablearrivalcheck=no
        authby=rsasig
        leftid=@twingo.example.net
 
conn net84-net
        leftsubnet=192.168.2.0/24
        also=net84
 
conn net84
        left=%defaultroute
        leftrsasigkey=0sAQNe8KZWy0hiE4cSVuhsNB+fnbPk1d8a7Xf6b8gsq2w/Zt95OitajQSkyR8g9oplXCScQ8K4xjZHi5UlK+jcjAZx
        right=%any
        rightid=@gw1.example.net
        rightrsasigkey=0sAQNbxdNOzPC8u28yRFPrWG/XSkybC+gnc1zpayWW/zIiGgHKs3II7Cix9ekOR9sRdUC6xheDMUwvPKKGXJcFWCml
        rightsubnet=10.69.0.0/24
        auto=add
        pfs=no
 
include /etc/ipsec.d/examples/no_oe.conf
 
=================================================
Log file on fixed IP gateway
=================================================
Mar  7 14:34:44 twingo ipsec__plutorun: Starting Pluto subsystem...
Mar  7 14:34:44 twingo pluto[17533]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Mar  7 14:34:44 twingo pluto[17533]: Setting port floating to on
Mar  7 14:34:44 twingo pluto[17533]: port floating activate 1/1
Mar  7 14:34:44 twingo pluto[17533]:   including NAT-Traversal patch (Version 0.6c)
Mar  7 14:34:44 twingo pluto[17533]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar  7 14:34:44 twingo pluto[17533]: starting up 1 cryptographic helpers
Mar  7 14:34:44 twingo pluto[17533]: started helper pid=17539 (fd:6)
Mar  7 14:34:44 twingo pluto[17533]: Using Linux 2.6 IPsec interface code
Mar  7 14:34:45 twingo pluto[17533]: Changing to directory '/etc/ipsec.d/cacerts'
Mar  7 14:34:45 twingo pluto[17533]:   loaded CA cert file 'cacert.pem' (1285 bytes)
Mar  7 14:34:45 twingo pluto[17533]: Could not change to directory '/etc/ipsec.d/aacerts'
Mar  7 14:34:45 twingo pluto[17533]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Mar  7 14:34:45 twingo pluto[17533]: Changing to directory '/etc/ipsec.d/crls'
Mar  7 14:34:46 twingo pluto[17533]:   loaded crl file 'crl.pem' (520 bytes)
Mar  7 14:34:46 twingo pluto[17533]: added connection description "net84"
Mar  7 14:34:47 twingo pluto[17533]: added connection description "net84-net"
Mar  7 14:34:47 twingo pluto[17533]: listening for IKE messages
Mar  7 14:34:47 twingo pluto[17533]: adding interface eth0/eth0 192.168.2.101
Mar  7 14:34:47 twingo pluto[17533]: adding interface eth0/eth0 192.168.2.101:4500
Mar  7 14:34:47 twingo pluto[17533]: adding interface lo/lo 127.0.0.1
Mar  7 14:34:47 twingo pluto[17533]: adding interface lo/lo 127.0.0.1:4500
Mar  7 14:34:47 twingo pluto[17533]: adding interface lo/lo ::1
Mar  7 14:34:47 twingo pluto[17533]: loading secrets from "/etc/ipsec.secrets"
Mar  7 14:35:40 twingo pluto[17533]: packet from 203.210.219.44:500: received Vendor ID payload [Dead Peer Detection]
Mar  7 14:35:40 twingo pluto[17533]: packet from 203.210.219.44:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Mar  7 14:35:40 twingo pluto[17533]: packet from 203.210.219.44:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
Mar  7 14:35:40 twingo pluto[17533]: packet from 203.210.219.44:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar  7 14:35:40 twingo pluto[17533]: "net84"[1] 203.210.219.44 #1: responding to Main Mode from unknown peer 203.210.219.44
Mar  7 14:35:40 twingo pluto[17533]: "net84"[1] 203.210.219.44 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar  7 14:35:40 twingo pluto[17533]: "net84"[1] 203.210.219.44 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Mar  7 14:35:40 twingo pluto[17533]: "net84"[1] 203.210.219.44 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar  7 14:35:41 twingo pluto[17533]: "net84"[1] 203.210.219.44 #1: Main mode peer ID is ID_FQDN: '@gw1.example.net'
Mar  7 14:35:41 twingo pluto[17533]: "net84"[1] 203.210.219.44 #1: I did not send a certificate because I do not have one.
Mar  7 14:35:41 twingo pluto[17533]: "net84"[1] 203.210.219.44 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar  7 14:35:41 twingo pluto[17533]: | NAT-T: new mapping 203.210.219.44:500/2174)
Mar  7 14:35:41 twingo pluto[17533]: "net84"[1] 203.210.219.44:2174 #1: sent MR3, ISAKMP SA established
Mar  7 14:35:41 twingo pluto[17533]: "net84-net"[1] 203.210.219.44:2174 #2: responding to Quick Mode
Mar  7 14:35:42 twingo pluto[17533]: "net84-net"[1] 203.210.219.44:2174 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar  7 14:35:42 twingo pluto[17533]: "net84"[1] 203.210.219.44:2174 #1: cannot respond to IPsec SA request because no connection is known for 192.168.2.0/24===192.168.2.101:4500[@twingo.example.net]...203.210.219.44:2174[@gw1.example.net]===192.168.0.22/32
Mar  7 14:35:42 twingo pluto[17533]: "net84"[1] 203.210.219.44:2174 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.210.219.44:2174
 
=================================================
ipsec.conf on gw1
=================================================
# config gw1.example.net
 
# RSA 512 bits   twingo.example.net   Sat Mar  5 06:56:14 2005
# leftrsasigkey=0sAQNe8KZWy0hiE4cSVuhsNB+fnbPk1d8a7Xf6b8gsq2w/Zt95OitajQSkyR8g9oplXCScQ8K4xjZHi5UlK+jcjAZx
 
# RSA 512 bits   gw1.example.net   Sat Mar  5 06:56:28 2005
# leftrsasigkey=0sAQNbxdNOzPC8u28yRFPrWG/XSkybC+gnc1zpayWW/zIiGgHKs3II7Cix9ekOR9sRdUC6xheDMUwvPKKGXJcFWCml
 
version 2.0
 
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        klipsdebug=none
        plutodebug=none
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.69.0.0/24
 
conn %default
        keyingtries=0
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftid=@gw1.example.net
 
conn net31-net
        leftsubnet=10.69.0.0/24
        also=net31
 
conn net31
        left=%defaultroute
        leftrsasigkey=0sAQNbxdNOzPC8u28yRFPrWG/XSkybC+gnc1zpayWW/zIiGgHKs3II7Cix9ekOR9sRdUC6xheDMUwvPKKGXJcFWCml
        right=81.101.102.103
        rightid=@twingo.example.net
        rightrsasigkey=0sAQNe8KZWy0hiE4cSVuhsNB+fnbPk1d8a7Xf6b8gsq2w/Zt95OitajQSkyR8g9oplXCScQ8K4xjZHi5UlK+jcjAZx
        rightsubnet=192.168.2.0/24
        auto=start
        pfs=no
 
include /etc/ipsec.d/examples/no_oe.conf
 
=================================================
Log file on dynamic IP gateway
=================================================
Mar  7 13:34:49 (none) kern.warn pluto[14656]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Mar  7 13:34:49 (none) kern.warn pluto[14656]: Setting port floating to on
Mar  7 13:34:49 (none) kern.warn pluto[14656]: port floating activate 1/1
Mar  7 13:34:49 (none) kern.warn pluto[14656]:   including NAT-Traversal patch (Version 0.6c)
Mar  7 13:34:49 (none) kern.warn pluto[14656]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar  7 13:34:49 (none) kern.warn pluto[14656]: starting up 1 cryptographic helpers
Mar  7 13:34:49 (none) kern.warn pluto[14656]: started helper pid=14664 (fd:6)
Mar  7 13:34:49 (none) kern.warn pluto[14656]: Changing to directory '/etc/ipsec.d/cacerts'
Mar  7 13:34:49 (none) kern.warn pluto[14656]: Could not change to directory '/etc/ipsec.d/aacerts'
Mar  7 13:34:49 (none) kern.warn pluto[14656]: Changing to directory '/etc/ipsec.d/ocspcerts'
Mar  7 13:34:49 (none) kern.warn pluto[14656]: Changing to directory '/etc/ipsec.d/crls'
Mar  7 13:34:49 (none) kern.warn pluto[14656]:   Warning: empty directory
Mar  7 13:34:56 (none) kern.warn pluto[14656]: added connection description "net31"
Mar  7 13:34:59 (none) kern.warn pluto[14656]: added connection description "net31-net"
Mar  7 13:34:59 (none) kern.warn pluto[14656]: listening for IKE messages
Mar  7 13:34:59 (none) kern.warn pluto[14656]: adding interface ipsec0/vlan1 192.168.0.22
Mar  7 13:34:59 (none) kern.warn pluto[14656]: adding interface ipsec0/vlan1 192.168.0.22:4500
Mar  7 13:34:59 (none) kern.warn pluto[14656]: loading secrets from "/etc/ipsec.secrets"
Mar  7 13:35:00 (none) kern.warn pluto[14656]: "net31": prepare-host output: /usr/lib/ipsec/_updown: `route del -net 192.168.2.0 \011\011\011\011\011netmask 255.255.255.0 2>&1' failed (route: SIOC[ADD|DEL]RT: No such process)
Mar  7 13:35:00 (none) kern.warn pluto[14656]: "net31": prepare-host command exited with status 1
Mar  7 13:35:02 (none) kern.warn pluto[14656]: "net31" #1: initiating Main Mode
Mar  7 13:35:02 (none) kern.debug pluto[14656]: | no IKE algorithms for this connection
Mar  7 13:35:02 (none) kern.warn pluto[14656]: "net31" #1: received Vendor ID payload [Dead Peer Detection]
Mar  7 13:35:02 (none) kern.warn pluto[14656]: "net31" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Mar  7 13:35:02 (none) kern.warn pluto[14656]: "net31" #1: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
Mar  7 13:35:03 (none) kern.warn pluto[14656]: "net31" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar  7 13:35:03 (none) kern.warn pluto[14656]: "net31" #1: I did not send a certificate because I do not have one.
Mar  7 13:35:03 (none) kern.warn pluto[14656]: "net31" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Mar  7 13:35:03 (none) kern.warn pluto[14656]: "net31" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar  7 13:35:04 (none) kern.warn pluto[14656]: "net31" #1: Main mode peer ID is ID_FQDN: '@twingo.example.net'
Mar  7 13:35:04 (none) kern.warn pluto[14656]: "net31" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar  7 13:35:04 (none) kern.warn pluto[14656]: "net31" #1: ISAKMP SA established
Mar  7 13:35:04 (none) kern.warn pluto[14656]: "net31-net" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1}
Mar  7 13:35:04 (none) kern.warn pluto[14656]: "net31" #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1}
Mar  7 13:35:05 (none) kern.alert kernel: Unable to handle kernel paging request at virtual address 3a644924, epc == c01599c8, ra == c01599d4
Mar  7 13:35:05 (none) kern.warn kernel: Oops in fault.c::do_page_fault, line 192:
Mar  7 13:35:05 (none) kern.warn kernel: $0 : 00000000 00000002 3a644924 08000000 0000001b 00000000 00000001 00000000
Mar  7 13:35:05 (none) kern.warn kernel: $8 : 00000000 00000000 00000000 00000000 80581cac fffffffa 0000000a ffffffff
Mar  7 13:35:05 (none) kern.warn kernel: $16: 00000000 00000363 80980910 80980880 00000003 00000000 00000001 00000000
Mar  7 13:35:05 (none) kern.warn kernel: $24: 00000002 00000001                   80580000 80581d08 c01830e4 c01599d4
Mar  7 13:35:05 (none) kern.warn kernel: Hi : 00000000
Mar  7 13:35:05 (none) kern.warn kernel: Lo : 00000800
Mar  7 13:35:05 (none) kern.warn kernel: epc  : c01599c8    Not tainted
Mar  7 13:35:05 (none) kern.warn kernel: Status: 1000fc03
Mar  7 13:35:05 (none) kern.warn kernel: Cause : 00000008
Mar  7 13:35:05 (none) kern.warn kernel: Process pluto (pid: 14656, stackpage=80580000)
Mar  7 13:35:05 (none) kern.warn kernel: Stack:    00000000 00000000 00000000 00000000 805f4400 80581e18 00000002
Mar  7 13:35:05 (none) kern.warn kernel:  8002b3d8 80a3e800 80581e18 00000002 80581e88 80a3e800 80980880 00000002
Mar  7 13:35:05 (none) kern.warn kernel:  80581e88 80581e08 805f4400 00000000 7fff72b0 00000002 c0147adc 000000b8
Mar  7 13:35:05 (none) kern.warn kernel:  800c7b3c 80581d88 800c5648 00000040 8012f13c 80b39ec0 80581e88 80b39ec0
Mar  7 13:35:05 (none) kern.warn kernel:  800c7a9c 80980880 80980890 00000000 00000000 00000000 809808a8 809808c0
Mar  7 13:35:05 (none) kern.warn kernel:  00000000 ...
Mar  7 13:35:05 (none) kern.warn kernel: Call Trace:   [<8002b3d8>] [<c0147adc>] [<800c7b3c>] [<800c5648>] [<8012f13c>]
Mar  7 13:35:05 (none) kern.warn kernel:  [<800c7a9c>] [<800c5648>] [<8002b390>] [<c013ff9c>] [<c013fe74>] [<800213f0>]
Mar  7 13:35:05 (none) kern.warn kernel:  [<800c2b34>] [<800c2af8>] [<800c1a24>] [<800c1e9c>] [<800c1c74>] [<800465d0>]
Mar  7 13:35:05 (none) kern.warn kernel:  [<80034b48>] [<800082e4>] [<800082e4>]
Mar  7 13:35:05 (none) kern.warn kernel:
Mar  7 13:35:05 (none) kern.warn kernel: Code: 00021080  005e1021  8c420000 <8c420000> 0040f809  02402021  3c05c018  8ca55960  10400011

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gw1.barf
Type: application/octet-stream
Size: 24456 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20050307/adfcb557/gw1-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twingo.barf
Type: application/octet-stream
Size: 64540 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20050307/adfcb557/twingo-0001.obj
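
The following is an added example, not part of the original post and not Openswan code: it reads the client subnets out of twingo's "no connection is known for" log line and compares them with the leftsubnet/rightsubnet pairs of the conn sections posted for both gateways. The function names, the "host" placeholder for a side without a subnet, and the exact-match comparison are assumptions made for illustration; pluto's own connection matching is more involved.

```python
import re

# Constructed input: conn sections from the two posted ipsec.conf files,
# trimmed to the keys that define each tunnel's client subnets.
GW1_CONF = """
conn net31-net
        leftsubnet=10.69.0.0/24
        also=net31
conn net31
        rightsubnet=192.168.2.0/24
"""
TWINGO_CONF = """
conn net84-net
        leftsubnet=192.168.2.0/24
        also=net84
conn net84
        rightsubnet=10.69.0.0/24
"""
# Selector part of twingo's "no connection is known for" log line.
REFUSED = ("192.168.2.0/24===192.168.2.101:4500[@twingo.example.net]..."
           "203.210.219.44:2174[@gw1.example.net]===192.168.0.22/32")

def selectors(conf):
    """Map conn name -> (leftsubnet, rightsubnet); 'host' if a side has none."""
    conns, cur = {}, None
    for line in conf.splitlines():
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            cur[key] = val
    def merged(name):  # simplified also= handling: include the named section
        own = dict(conns[name])
        base = own.pop("also", None)
        return {**merged(base), **own} if base in conns else own
    return {n: (merged(n).get("leftsubnet", "host"),
                merged(n).get("rightsubnet", "host")) for n in conns}

def refused_pair(spec):
    """Client subnets from 'net===host[id]...host[id]===net' (logger's view)."""
    ours, theirs = spec.split("...")
    return (ours.split("===")[0] if "===" in ours else "host",
            theirs.split("===")[-1] if "===" in theirs else "host")

def unmatched(initiator_conf, responder_conf):
    """Initiator conns whose mirrored subnet pair no responder conn defines."""
    known = set(selectors(responder_conf).values())
    return [n for n, (left, right) in selectors(initiator_conf).items()
            if (right, left) not in known]
```
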

