[Openswan Users] pluto dying

Albert Siersema appie at friendly.net
Thu Nov 3 10:31:31 CET 2005


Hi there,

I've come across a serious problem with a site running Linux kernel 2.4.31 and OpenS/WAN 2.3.1.
It's not entirely clear what causes pluto to crash but it does.
This site has openswan<->openswan tunnels as well as tunnels with a Symantec appliance and a Cisco 837.
All tunnels are running
 auth=esp
 pfs=yes
with either shared secrets or rsasig's (no x509).

At some point in time an ASSERT is logged; pluto keeps running for a while after that
but logs a lot more, and with apparently double tunnel names, i.e.
"CSITE-REMOTE1" #5365: "CSITE-REMOTE3"
instead of only CSITE-REMOTE1: ...

Is this a known issue?
Does the "KE has 127 byte DH public value; 128 required" indicate something going awry?
Upgrading to the latest stable openswan means quite some time patching & compiling
stuff, testing, testing, testing and upgrading plus extra downtime. Crashing pluto's
ain't nice either, but it would be nice to know for sure it has been fixed in later
versions of openswan/pluto.

========= log excerpts follow ===========

Nov  2 20:04:51 ribox pluto[20588]: packet from 111.2.3.4:500: ignoring nknown Vendor ID payload [526170746f7220506f77657256706e20536572766572205b56372e305d]
Nov  2 20:04:51 ribox pluto[20588]: "CSITE-REMOTE1" #5365: responding to Main Mode
Nov  2 20:04:51 ribox pluto[20588]: "CSITE-REMOTE1" #5365: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov  2 20:04:51 ribox pluto[20588]: "CSITE-REMOTE1" #5365: KE has 127 byte DH public value; 128 required
Nov  2 20:04:51 ribox pluto[20588]: "CSITE-REMOTE1" #5365: sending notification INVALID_KEY_INFORMATION to 111.2.3.4:500
Nov  2 20:04:51 ribox pluto[20588]: "CSITE-REMOTE1" #5365: failed to build notification for spisize=0
Nov  2 20:04:56 ribox pluto[20588]: "CSITE-REMOTE1" #5365: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R1
Nov  2 20:05:03 ribox pluto[20588]: "CSITE-REMOTE1" #5365: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R1
Nov  2 20:05:12 ribox pluto[20588]: "CSITE-REMOTE2" #5362: received Delete SA payload: deleting ISAKMP State #5362
Nov  2 20:05:12 ribox pluto[20588]: packet from 555.6.7.8:500: received and ignored informational message
Nov  2 20:05:21 ribox pluto[20588]: "CSITE-REMOTE1" #5365: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R1
Nov  2 20:05:44 ribox last message repeated 2 times

-----

Nov  2 20:05:52 ribox pluto[20588]: "CSITE-REMOTE2" #5367: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #5363 {using isakmp#5366}
Nov  2 20:05:52 ribox pluto[20588]: "CSITE-REMOTE2" #5368: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#5366}
Nov  2 20:05:52 ribox pluto[20588]: "CSITE-REMOTE2" #5366: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Nov  2 20:05:52 ribox pluto[20588]: "CSITE-REMOTE2" #5366: received and ignored informational message
Nov  2 20:05:52 ribox pluto[20588]: "CSITE-REMOTE2" #5366: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Nov  2 20:05:52 ribox pluto[20588]: "CSITE-REMOTE2" #5366: received and ignored informational message
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: max number of retransmissions (2) reached STATE_MAIN_R1
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: ASSERTION FAILED at state.c:316: st->st_suspended_md->st == st
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: interface ipsec0/eth1 123.4.5.6
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: %myid = (none)
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: debug none
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365:
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365:
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365:
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,60,36} trans={0,60,72} attrs={0,60,48}
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365:
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: "CSITE-REMOTE3": 10.10.0.0/16===123.4.5.6[@CSITE,S-C]...124.5.6.7[@REMOTE3]===10.11.0.0/16; erouted; eroute owner: #4682
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: "CSITE-REMOTE3":     srcip=unset; dstip=unset
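A log triage sketch for the three symptoms described in this message (the short KE payload, the failed assertion, and a second connection name appearing under another state's prefix), grouped by pluto state number. This is an added example, not part of the original post or of Openswan; the function names and the report layout are assumptions, and the sample lines are abridged from the excerpt above.

```python
import re
from collections import defaultdict

# Sample lines abridged from the log excerpt in the post above.
SAMPLE = '''\
Nov  2 20:04:51 ribox pluto[20588]: "CSITE-REMOTE1" #5365: KE has 127 byte DH public value; 128 required
Nov  2 20:05:12 ribox pluto[20588]: "CSITE-REMOTE2" #5362: received Delete SA payload: deleting ISAKMP State #5362
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: max number of retransmissions (2) reached STATE_MAIN_R1
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: ASSERTION FAILED at state.c:316: st->st_suspended_md->st == st
Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: "CSITE-REMOTE3":     srcip=unset; dstip=unset
'''

# syslog prefix, then pluto's own '"conn" #state: message' prefix
LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ pluto\[(?P<pid>\d+)\]: '
                  r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
KE = re.compile(r'KE has (\d+) byte DH public value; (\d+) required')
ASSERT = re.compile(r'ASSERTION FAILED at (\S+?):(\d+): (.*)')
NESTED = re.compile(r'^"([^"]+)":')

def triage(text):
    """Collect the symptoms from the post, keyed by (pid, state number)."""
    states = defaultdict(lambda: {"conn": None, "ke_short": [],
                                  "asserts": [], "other_conn": []})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a per-state pluto line
        rec = states[(int(m["pid"]), int(m["state"]))]
        rec["conn"] = m["conn"]
        msg = m["msg"]
        if (k := KE.search(msg)):
            rec["ke_short"].append((m["ts"], int(k[1]), int(k[2])))
        elif (a := ASSERT.search(msg)):
            rec["asserts"].append((m["ts"], a[1], int(a[2]), a[3]))
        elif (n := NESTED.match(msg)) and n[1] != m["conn"]:
            # A different connection name inside the message: the
            # "double tunnel names" pattern described in the post.
            rec["other_conn"].append((m["ts"], n[1]))
    # Keep only states that show at least one symptom.
    return {k: v for k, v in states.items()
            if v["ke_short"] or v["asserts"] or v["other_conn"]}

def ke_and_assert(report):
    """States that logged both a KE length rejection and an assertion failure."""
    return sorted(k for k, v in report.items() if v["ke_short"] and v["asserts"])

if __name__ == "__main__":
    for key, rec in triage(SAMPLE).items():
        print(key, rec)
```

Run over a full day's log, `ke_and_assert()` shows whether every assertion failure shares a state number with an earlier KE length rejection, which is the correlation the excerpt suggests for state #5365.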

