[Openswan Users]
"can not start crypto helper: failed to find any available worker",
what's going wrong?
Thorsten Günther
thorsten.guenther at basconsult.de
Thu May 19 16:44:58 CEST 2005
Hello everyone,

I'm using OpenSWAN 2.3.1 on two FC3 boxes with kernel 2.6.11-1.14_FC3.
Multiple tunnels between two VPN gateways are configured. Dynamic IP
addresses are used on both ends, therefore I have configured two connections
for each tunnel: one for incoming from an unknown peer (the other side is
restarting the connection) and one for outgoing to the dyndns address of the
other side (my side is restarting the connection). Unfortunately only four of
my seven tunnels are starting automatically (it doesn't matter which side is
currently initiating the tunnels); all the others are complaining with "can
not start crypto helper: failed to find any available worker" (see attached
"/var/log/secure"). The curious thing is that the connection can be started
with "ipsec auto --up ..." but is not started automatically. I've tested this
with various configurations (RSA keys, certificates); nothing helped.

Can anybody tell me what I'm doing wrong?

Thanks for help.

regards
Thorsten

(in this config are only three tunnels, this makes no difference [only two
are working])

/etc/ipsec.conf (my side = left):

# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn %default
    dpddelay=30
    dpdtimeout=10
    dpdaction=clear
    authby=rsasig
    left=%defaultroute
    keyingtries=0

# Add connections here
conn bc-vpntest
    also=left_rsa
    left=%defaultroute
    also=right_rsa
    right=vpnbascon1. ...
    auto=start

conn bcnet-vpntestnet
    also=left_rsa
    left=%defaultroute
    also=right_rsa
    right=vpnbascon1. ...
    leftsubnet=192.168.111.0/24
    rightsubnet=192.168.101.0/24
    auto=start

conn neknet-vpntestnet
    also=left_rsa
    left=%defaultroute
    also=right_rsa
    right=vpnbascon1. ...
    leftsubnet=10.143.126.0/24
    rightsubnet=192.168.101.0/24
    auto=start

# incoming
conn vpntest-bc
    also=left_rsa
    left=%defaultroute
    also=right_rsa
    right=%any
    keyingtries=1
    auto=add

conn vpntestnet-bcnet
    also=left_rsa
    left=%defaultroute
    also=right_rsa
    right=%any
    keyingtries=1
    leftsubnet=192.168.111.0/24
    rightsubnet=192.168.101.0/24
    auto=add

conn vpntestnet-neknet
    also=left_rsa
    left=%defaultroute
    also=right_rsa
    right=%any
    keyingtries=1
    leftsubnet=10.143.126.0/24
    rightsubnet=192.168.101.0/24
    auto=add

conn left_rsa
    leftid=@router.bascon.local
    # RSA 2192 bits router02.bascon.local Thu May 19 11:06:37 2005
    leftrsasigkey=0sAQNzQdu...

conn right_rsa
    rightid=@router.vpntest.local
    # RSA 2192 bits router.vpntest.local Thu May 19 11:07:52 2005
    rightrsasigkey=0sAQPUN...

#Disable Opportunistic Encryption
include /etc/ipsec.d/includes/no_oe.conf

/etc/ipsec.conf (other side = right):

# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn %default
    dpddelay=30
    dpdtimeout=10
    dpdaction=clear
    authby=rsasig
    right=%defaultroute
    keyingtries=0

# Add connections here
conn vpntest-bc
    also=right_rsa
    right=%defaultroute
    also=left_rsa
    left=vpnbascon.dnsalias.org
    auto=start

conn vpntestnet-bcnet
    also=right_rsa
    right=%defaultroute
    also=left_rsa
    left=vpnbascon.dnsalias.org
    leftsubnet=192.168.111.0/24
    rightsubnet=192.168.101.0/24
    auto=start

conn vpntestnet-neknet
    also=right_rsa
    right=%defaultroute
    also=left_rsa
    left=vpnbascon.dnsalias.org
    leftsubnet=10.143.126.0/24
    rightsubnet=192.168.101.0/24
    auto=start

# incoming
conn bc-vpntest
    also=right_rsa
    right=%defaultroute
    also=left_rsa
    left=%any
    keyingtries=1
    auto=add

conn bcnet-vpntestnet
    also=right_rsa
    right=%defaultroute
    also=left_rsa
    left=%any
    keyingtries=1
    leftsubnet=192.168.111.0/24
    rightsubnet=192.168.101.0/24
    auto=add

conn neknet-vpntestnet
    also=right_rsa
    right=%defaultroute
    also=left_rsa
    left=%any
    keyingtries=1
    leftsubnet=10.143.126.0/24
    rightsubnet=192.168.101.0/24
    auto=add

conn left_rsa
    leftid=@router.bascon.local
    # RSA 2192 bits router02.bascon.local Thu May 19 11:06:37 2005
    leftrsasigkey=0sAQNz...

conn right_rsa
    rightid=@router.vpntest.local
    # RSA 2192 bits router.vpntest.local Thu May 19 11:07:52 2005
    rightrsasigkey=0sAQPU...

#Disable Opportunistic Encryption
include /etc/ipsec.d/includes/no_oe.conf

/var/log/secure:

May 19 15:03:41 router02 pluto[11378]: added connection description "vpntest-bc"
May 19 15:03:42 router02 pluto[11378]: added connection description "vpntestnet-neknet"
May 19 15:03:42 router02 pluto[11378]: added connection description "vpntestnet-bcnet"
May 19 15:03:42 router02 pluto[11378]: added connection description "bcnet-vpntestnet"
May 19 15:03:43 router02 pluto[11378]: added connection description "neknet-vpntestnet"
May 19 15:03:43 router02 pluto[11378]: added connection description "bc-vpntest"
May 19 15:03:43 router02 pluto[11378]: listening for IKE messages
May 19 15:03:43 router02 pluto[11378]: adding interface ppp0/ppp0 194.97.121.181:500
May 19 15:03:43 router02 pluto[11378]: adding interface eth8/eth8 10.99.99.98:500
May 19 15:03:43 router02 pluto[11378]: adding interface eth4/eth4 46.149.38.11:500
May 19 15:03:43 router02 pluto[11378]: adding interface eth3/eth3 130.143.127.125:500
May 19 15:03:43 router02 pluto[11378]: adding interface eth2/eth2 10.106.1.25:500
May 19 15:03:43 router02 pluto[11378]: adding interface eth1/eth1 10.143.126.241:500
May 19 15:03:43 router02 pluto[11378]: adding interface eth0/eth0 192.168.111.253:500
May 19 15:03:43 router02 pluto[11378]: adding interface lo/lo 127.0.0.1:500
May 19 15:03:43 router02 pluto[11378]: adding interface lo/lo ::1:500
May 19 15:03:43 router02 pluto[11378]: loading secrets from "/etc/ipsec.secrets"
May 19 15:03:44 router02 pluto[11378]: "bcnet-vpntestnet" #1: initiating Main Mode
May 19 15:03:44 router02 pluto[11378]: "bcnet-vpntestnet" #1: received Vendor ID payload [Openswan (this version) 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
May 19 15:03:44 router02 pluto[11378]: "bcnet-vpntestnet" #1: received Vendor ID payload [Dead Peer Detection]
May 19 15:03:44 router02 pluto[11378]: "bcnet-vpntestnet" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 19 15:03:44 router02 pluto[11378]: "bcnet-vpntestnet" #1: I did not send a certificate because I do not have one.
May 19 15:03:44 router02 pluto[11378]: "bcnet-vpntestnet" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 19 15:03:45 router02 pluto[11378]: "bcnet-vpntestnet" #1: Main mode peer ID is ID_FQDN: '@router.vpntest.local'
May 19 15:03:45 router02 pluto[11378]: "bcnet-vpntestnet" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 19 15:03:45 router02 pluto[11378]: "bcnet-vpntestnet" #1: ISAKMP SA established
May 19 15:03:45 router02 pluto[11378]: "bcnet-vpntestnet" #1: Dead Peer Detection (RFC 3706): enabled
May 19 15:03:45 router02 pluto[11378]: "bc-vpntest" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 19 15:03:45 router02 pluto[11378]: "neknet-vpntestnet" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 19 15:03:45 router02 pluto[11378]: "bcnet-vpntestnet" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 19 15:03:45 router02 pluto[11378]: "bcnet-vpntestnet" #4: can not start crypto helper: failed to find any available worker
May 19 15:03:45 router02 pluto[11378]: "bc-vpntest" #2: Dead Peer Detection (RFC 3706): enabled
May 19 15:03:45 router02 pluto[11378]: "bc-vpntest" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 19 15:03:45 router02 pluto[11378]: "bc-vpntest" #2: sent QI2, IPsec SA established {ESP=>0x93d254df <0x325fe527 xfrm=AES_0-HMAC_SHA1 DPD}
May 19 15:03:45 router02 pluto[11378]: "neknet-vpntestnet" #3: Dead Peer Detection (RFC 3706): enabled
May 19 15:03:45 router02 pluto[11378]: "neknet-vpntestnet" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 19 15:03:45 router02 pluto[11378]: "neknet-vpntestnet" #3: sent QI2, IPsec SA established {ESP=>0x03797434 <0xcd73d21f xfrm=AES_0-HMAC_SHA1 DPD}
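
Added example (not part of the original post and not Openswan code): a Python sketch that correlates pluto's per-state serial numbers (#N) in a log like the one above and reports which Quick Mode negotiations reached an IPsec SA and which were dropped with the crypto helper error. The sample lines are constructed from the excerpt above with wrapped lines rejoined; the function and variable names are this example's own.

```python
import re

# Constructed sample: lines from the /var/log/secure excerpt above, unwrapped.
SAMPLE_LOG = """\
May 19 15:03:45 router02 pluto[11378]: "bcnet-vpntestnet" #1: ISAKMP SA established
May 19 15:03:45 router02 pluto[11378]: "bc-vpntest" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 19 15:03:45 router02 pluto[11378]: "neknet-vpntestnet" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 19 15:03:45 router02 pluto[11378]: "bcnet-vpntestnet" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 19 15:03:45 router02 pluto[11378]: "bcnet-vpntestnet" #4: can not start crypto helper: failed to find any available worker
May 19 15:03:45 router02 pluto[11378]: "bc-vpntest" #2: sent QI2, IPsec SA established {ESP=>0x93d254df <0x325fe527 xfrm=AES_0-HMAC_SHA1 DPD}
May 19 15:03:45 router02 pluto[11378]: "neknet-vpntestnet" #3: sent QI2, IPsec SA established {ESP=>0x03797434 <0xcd73d21f xfrm=AES_0-HMAC_SHA1 DPD}
"""

# State-bound pluto messages look like: pluto[pid]: "conn-name" #<serial>: <message>
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<serial>\d+): (?P<msg>.*)$')

def quick_mode_outcomes(log_text):
    """Map (conn, serial) -> 'pending' | 'helper-failed' | 'established' for Quick Mode states."""
    states = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a state-bound message (e.g. "adding interface ...")
        key = (m["conn"], int(m["serial"]))
        msg = m["msg"]
        if msg.startswith("initiating Quick Mode"):
            states[key] = "pending"
        elif key in states and "can not start crypto helper" in msg:
            states[key] = "helper-failed"
        elif key in states and "IPsec SA established" in msg:
            states[key] = "established"
    return states

def tunnels_not_up(log_text):
    """Connections that initiated Quick Mode but have no state with an IPsec SA (retries counted)."""
    outcomes = quick_mode_outcomes(log_text)
    up = {conn for (conn, _), result in outcomes.items() if result == "established"}
    return list(dict.fromkeys(conn for (conn, _) in outcomes if conn not in up))

if __name__ == "__main__":
    for (conn, serial), result in quick_mode_outcomes(SAMPLE_LOG).items():
        print(f"{conn} #{serial}: {result}")
    print("not up:", tunnels_not_up(SAMPLE_LOG))
```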