[Openswan Users] pluto dying

Paul Wouters paul at xelerance.com
Fri Nov 4 02:37:21 CET 2005


On Thu, 3 Nov 2005, Albert Siersema wrote:

> I've come across a serious problem with a site running Linux kernel 2.4.31 and OpenS/WAN 2.3.1.
> It's not entirely clear what causes pluto to crash but it does.
> This site has openswan<->openswan tunnels as well as tunnels with a symantec appliance and a cisco 837.
> All tunnels are running
>  auth=esp
>  pfs=yes
> with either shared secrets or rsasig's (no x509).
>
> At some point in time an ASSERT is logged, pluto keeps running for a while after that
> but logs a lot more and with apparently double tunnel names, i.e.

Pluto restarts after encountering an assertion failure. It does not keep
running.

> "CSITE-REMOTE1" #5365: "CSITE-REMOTE3"
> instead of only CSITE-REMOTE1: ...

If those connections are similar (eg the same phase 1 but different phase 2)
then pluto can pick the 'wrong' name, since it cannot distinguish the
incoming connection until phase 2 starts. It then 'switches' name to the
right one. So this is normal behaviour.

> Does the "KE has 127 byte DH public value; 128 required" indicate something going awry ?

I guess. Could you find out which connection/device this is happening to,
and see what the connection parameters for that connection was?

From the code:

 * Check and accept DH public value (Gi or Gr) from peer's message.
 * According to RFC2409 "The Internet key exchange (IKE)" 5:
 *  The Diffie-Hellman public value passed in a KE payload, in either
 *  a phase 1 or phase 2 exchange, MUST be the length of the negotiated
 *  Diffie-Hellman group enforced, if necessary, by pre-pending the
 *  value with zeros.

Apparently, your device is not doing this correctly.

Maybe a possible workaround for this is to specify a different DH group, eg:

        ike=3des-sha1-modp1024,3des-sha1-modp1536

But I guess it won't make a difference.

>
> Nov  2 20:04:51 ribox pluto[20588]: packet from 111.2.3.4:500: ignoring nknown Vendor ID payload [526170746f7220506f77657256706e20536572766572205b56372e305d]

I would be interested to know what vendorid that device is sending us. Could
you perhaps uncover that from the device's logs? And what kind of device is
this? Do you have a brand, type and firmware version?

> Nov  2 20:06:01 ribox pluto[20588]: "CSITE-REMOTE1" #5365: ASSERTION FAILED at state.c:316: st->st_suspended_md->st == st

This one has been fixed in the upcoming 2.4.2. Please try 2.4.2rc1

Paul
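As an added illustration (not from this thread or the Openswan source), the RFC 2409 section 5 length rule Paul quotes, written out as a conforming sender-side encoding beside the receiver-side check that produces the "KE has 127 byte DH public value; 128 required" message; the group table and the non-conforming `minimal_encoding` helper are constructed for the example.

```python
# Constructed example: RFC 2409 section 5 requires the DH public value in a
# KE payload to be exactly the length of the negotiated group, with leading
# zeros kept. Group sizes are the MODP modulus lengths in bytes (assumed
# table for this example; group 2 is modp1024, the case in the log).
MODP_GROUP_BYTES = {
    1: 96,    # modp768
    2: 128,   # modp1024
    5: 192,   # modp1536
    14: 256,  # modp2048
}


def encode_ke_value(public_value: int, group_id: int) -> bytes:
    """Conforming sender: fixed-width big-endian encoding, zeros pre-pended."""
    length = MODP_GROUP_BYTES[group_id]
    if public_value < 0 or public_value.bit_length() > length * 8:
        raise ValueError("public value does not fit the negotiated group")
    return public_value.to_bytes(length, "big")


def minimal_encoding(public_value: int) -> bytes:
    """Non-conforming sender: drops leading zero bytes, so a value whose top
    byte happens to be zero arrives one byte short (127 instead of 128)."""
    return public_value.to_bytes((public_value.bit_length() + 7) // 8, "big")


def check_ke_value(ke_payload: bytes, group_id: int) -> tuple:
    """Receiver-side check: (accepted, message). The message mirrors the
    wording of the pluto log line quoted in the thread."""
    required = MODP_GROUP_BYTES[group_id]
    if len(ke_payload) != required:
        return (False,
                f"KE has {len(ke_payload)} byte DH public value; "
                f"{required} required")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed value with a zero top byte in a 128-byte field.
    gi = 1 << 1010
    print(check_ke_value(encode_ke_value(gi, 2), 2))
    print(check_ke_value(minimal_encoding(gi), 2))
```

Roughly one public value in 256 has a zero top byte, which fits a peer whose tunnels mostly work but trip this check now and then.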

