[Openswan Users] Pluto dumps core with natted client

Paul Wouters paul at xelerance.com
Tue May 9 19:03:07 CEST 2006

On Tue, 9 May 2006, Stefan Denker wrote:

> So, here is the local connection definition:
> conn conntest
>         left=%any
>         leftsubnet=vhost:%no,%priv
>         right=%defaultroute

You cannot use both %any and %defaultroute. If this is the client side
behind nat, use its local IP for left. If this is the server side,
then use left=itspublicIP

> from /var/log/auth.log:
> pluto[20056]: "conntest"[1] $remote_public_ip #1: transition from state (null) to state STATE_MAIN_R1
> pluto[20056]: "conntest"[1] $remote_public_ip #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
> pluto[20056]: "conntest"[1] $remote_public_ip #1: WARNING: compute_dh_shared(): for OAKLEY_GROUP_MODP1536 took 220392 usec

Wow, this machine has some serious hardware issues. What is it? :)

> pluto[20056]: "conntest"[2] $remote_public_ip:4500 #2: ASSERTION FAILED at kernel.c:2037: st->st_esp.keymat_len == (key_len + ei->authkeylen)

openswan-2.2.x has known crashers. Please upgrade.

> * Are there any known incompabilities to the grsecurity-Kernel-patch?
>   Would it make sense to try again without it?

Not for this. This is a userland problem, not a kernel issue.

> * Are there known issues when connecting different versions of
>   openswan?

openswan 2.2.x has known issues. upgrade to 2.4.5.

> * Anything i could do to dignose this problem any further? Or should I
>   just update Openswan and try again?


Building and integrating Virtual Private Networks with Openswan:

More information about the Users mailing list