[Openswan Users] Openswan and Nortel Interop Problem

Peter McGill petermcgill at goco.net
Thu Sep 28 14:07:31 EDT 2006



>> /var/log/syslog:Sep 24 19:27:16 sheridan ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 1:  1686 Segmentation fault
>> /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids
>> /var/log/syslog:Sep 24 19:27:16 sheridan ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)
>> /var/log/syslog:Sep 24 19:27:16 sheridan ipsec__plutorun: restarting IPsec after pause...
>
> Can you enable dumpdir=/tmp and get us a gdb trace of the core file generated in /tmp/ after the crash?

I've set dumpdir=/tmp in the conf, I'll get a trace on the next crash.

>> /var/log/secure:Sep 28 06:15:46 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1199: STATE_QUICK_I2: sent QI2,
>> IPsec SA established {ESP=>0x0003121c <0x9c70c33b xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
>>
>> /var/log/secure:Sep 28 06:15:52 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1196: max number of 
>> retransmissions
>> (2) reached STATE_QUICK_I1
>
> It looks like multiple rekeys are happening at the same time. Perhaps both ends are rekeying, and the initiator/responder
> swap places, and one configuration is more strict than the other in what it accepts?
>
>> /var/log/secure:Sep 28 06:26:21 sheridan pluto[28014]: "sunoco-172-16-19-net-to-london-office-net" #1201: IPsec Transform 
>> [ESP_AES
>> (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
>
> Did you specify something with md5 on the ike= or esp= line? Perhaps leave that out?

Yes, the settings we've agreed on were 3des-md5-modp1024, however it seems obvious that the nortel switch has more enabled.
Some of the other options were not working for us, so we agreed to disable everything but 3des-md5-modp1024, but it seems that
some of them have been turned on again on the nortel. I get these errors when the nortel tries to renew, but when openswan renews
it's ok. I've sent a message to the admin of the nortel switch, so that we can get our confs in sync again.

>> /var/log/secure:Sep 28 06:27:28 sheridan pluto[28014]: packet from 199.212.129.226:500: received and ignored informational 
>> message
>>
>> /var/log/secure:Sep 28 06:27:34 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1202: initiating Quick Mode
>> PSK+ENCRYPT+TUNNEL+PFS+UP to replace #1200 {using isakmp#1144}
>>
>> /var/log/syslog:Sep 28 06:27:34 sheridan ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 1: 28014 Segmentation fault
>> /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids
>> /var/log/syslog:Sep 28 06:27:34 sheridan ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)
>> /var/log/syslog:Sep 28 06:27:34 sheridan ipsec__plutorun: restarting IPsec after pause...
>
> Of course, we shouldn't crash on that.
>
> Paul

Thanks.

Peter 
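As an added illustration, not part of this thread or of Openswan itself, the Python snippet below triages pluto log lines of the kind quoted above: it correlates the `_plutorun` "signal 11" exit with the Quick Mode rekey that was in flight, and tallies strict-flag transform refusals and retransmission timeouts per connection. The sample lines are constructed from the excerpts in this message.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the /var/log/secure and /var/log/syslog
# excerpts quoted in this thread (not a real capture).
SAMPLE_LOG = """\
Sep 28 06:15:46 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1199: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0003121c <0x9c70c33b xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
Sep 28 06:15:52 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1196: max number of retransmissions (2) reached STATE_QUICK_I1
Sep 28 06:26:21 sheridan pluto[28014]: "sunoco-172-16-19-net-to-london-office-net" #1201: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
Sep 28 06:27:34 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1202: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #1200 {using isakmp#1144}
Sep 28 06:27:34 sheridan ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)
Sep 28 06:27:34 sheridan ipsec__plutorun: restarting IPsec after pause...
"""

# pluto prefixes per-connection messages with the conn name and state number
CONN_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)')
# _plutorun reports the daemon's exit status and the fatal signal
CRASH_RE = re.compile(r'exited with error status (?P<status>\d+) \(signal (?P<sig>\d+)\)')
# peer proposal rejected because it is not on the local esp= line
STRICT_RE = re.compile(r'IPsec Transform \[(?P<transform>[^\]]+)\] refused due to strict flag')
QM_RE = re.compile(r'initiating Quick Mode .* to replace #(?P<old>\d+)')

def triage(log_text):
    """Return crashes (with the rekey in flight), refused transforms and retransmit counts."""
    findings = {"refused_transforms": [], "crashes": [], "retransmit_conns": Counter()}
    last_quick_mode = None  # (conn, state) of the most recent Quick Mode initiation
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conn, msg = m.group("conn"), m.group("msg")
            s = STRICT_RE.search(msg)
            if s:
                findings["refused_transforms"].append((conn, s.group("transform")))
            if "max number of retransmissions" in msg:
                findings["retransmit_conns"][conn] += 1
            if QM_RE.search(msg):
                last_quick_mode = (conn, int(m.group("state")))
            continue
        c = CRASH_RE.search(line)
        if c:
            # attribute the crash to whichever rekey pluto had just started
            findings["crashes"].append({"signal": int(c.group("sig")),
                                        "status": int(c.group("status")),
                                        "during": last_quick_mode})
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```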
