[Openswan Users] Pluto dumps core with natted client
Paul Wouters
paul at xelerance.com
Tue May 9 19:03:07 CEST 2006
On Tue, 9 May 2006, Stefan Denker wrote:

> So, here is the local connection definition:
> conn conntest
>     left=%any
>     leftsubnet=vhost:%no,%priv
>     right=%defaultroute

You cannot use both %any and %defaultroute. If this is the client side
behind NAT, use its local IP for left. If this is the server side,
then use left=itspublicIP

>
> from /var/log/auth.log:
>
> pluto[20056]: "conntest"[1] $remote_public_ip #1: transition from state (null) to state STATE_MAIN_R1
> pluto[20056]: "conntest"[1] $remote_public_ip #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
> pluto[20056]: "conntest"[1] $remote_public_ip #1: WARNING: compute_dh_shared(): for OAKLEY_GROUP_MODP1536 took 220392 usec

Wow, this machine has some serious hardware issues. What is it? :)

> pluto[20056]: "conntest"[2] $remote_public_ip:4500 #2: ASSERTION FAILED at kernel.c:2037: st->st_esp.keymat_len == (key_len + ei->authkeylen)

openswan-2.2.x has known crashers. Please upgrade.

> * Are there any known incompatibilities with the grsecurity-Kernel-patch?
> Would it make sense to try again without it?

Not for this. This is a userland problem, not a kernel issue.

> * Are there known issues when connecting different versions of
> openswan?

openswan 2.2.x has known issues. Upgrade to 2.4.5.

> * Anything I could do to diagnose this problem any further? Or should I
> just update Openswan and try again?

yes

Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155