[Openswan Users] openswan configuration needs help
Jean Marc Le Fevre
jm.lefevre at etatcritik.dyndns.org
Thu Apr 19 17:28:43 EDT 2007
Hello,
I've installed the 2.4.7 version and still the same problem.
I guess the main error is:
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: ASSERTION FAILED at
kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
my kernel is kernel-default-2.6.18 rpm package from a opensuse 10.2
thanks
here are the new logs:
Apr 19 23:17:02 Zpro pluto[23031]: packet from 82.XX.XX.XX:500:
received Vendor ID payload [RFC 3947] method set to=110
Apr 19 23:17:02 Zpro pluto[23031]: packet from 82.XX.XX.XX:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=109, but
already using method 110
Apr 19 23:17:02 Zpro pluto[23031]: packet from 82.XX.XX.XX:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107,
but already using method 110
Apr 19 23:17:02 Zpro pluto[23031]: packet from 82.XX.XX.XX:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
meth=106, but already using method 110
Apr 19 23:17:02 Zpro pluto[23031]: "L2TP-PSK" #1: responding to Main
Mode
Apr 19 23:17:02 Zpro pluto[23031]: "L2TP-PSK" #1: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 19 23:17:02 Zpro pluto[23031]: "L2TP-PSK" #1: STATE_MAIN_R1: sent
MR1, expecting MI2
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: ignoring Vendor ID
payload [KAME/racoon]
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: NAT-Traversal:
Result using RFC 3947 (NAT-Traversal): i am NATed
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: STATE_MAIN_R2: sent
MR2, expecting MI3
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: Main mode peer ID
is ID_IPV4_ADDR: '82.XX.XX.XX'
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: I did not send a
certificate because I do not have one.
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 19 23:17:03 Zpro pluto[23031]: | NAT-T: new mapping 82.XX.XX.XX:
500/4500)
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: ignoring
informational payload, type IPSEC_INITIAL_CONTACT
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: received and
ignored informational message
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: NAT-Traversal:
received 2 NAT-OA. ignored because peer is not NATed
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: responding to Quick
Mode {msgid:c15eebb0}
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: ASSERTION FAILED at
kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: interface lo/lo
127.0.0.1
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: interface lo/lo
127.0.0.1
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: interface eth0/eth0
10.91.130.61
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: interface eth0/eth0
10.91.130.61
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: %myid = (none)
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: debug none
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128,
keysizemax=256
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128,
keysizemax=256
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP auth
attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP auth
attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160,
keysizemax=160
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP auth
attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256,
keysizemax=256
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP auth
attr: id=251, name=(null), keysizemin=0, keysizemax=0
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE
encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE
encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE hash:
id=1, name=OAKLEY_MD5, hashsize=16
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE hash:
id=2, name=OAKLEY_SHA1, hashsize=20
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh
group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh
group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh
group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh
group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh
group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh
group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh
group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: stats db_ops.c:
{curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs=
{0,0,0}
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":
10.91.130.0/24===10.91.130.61:17/%any---10.91.130.2...82.XX.XX.XX:
17/49178; unrouted; eroute owner: #0
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":
srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":
ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz:
100%; keyingtries: 3
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":
policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,24; interface: eth0;
encap: esp;
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":
newest ISAKMP SA: #1; newest IPsec SA: #0;
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK": IKE
algorithm newest: 3DES_CBC_192-SHA1-MODP1024
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: #2: "L2TP-PSK":4500
STATE_QUICK_R0 (expecting QI1); EVENT_SO_DISCARD in 0s; nodpd
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: #1: "L2TP-PSK":4500
STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in
3599s; newest ISAKMP; nodpd
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
Apr 19 23:17:04 Zpro ipsec__plutorun: /usr/local/lib/ipsec/_plutorun:
line 237: 23031 Aborted (core dumped) /usr/local/
libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --
ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --
nhelpers 0
Apr 19 23:17:04 Zpro ipsec__plutorun: !pluto failure!: exited with
error status 134 (signal 6)
Le 18 avr. 07 à 20:36, Paul Wouters a écrit :
> On Wed, 18 Apr 2007, Jean Marc Le Fevre wrote:
>
>> dumpdir=/tmp
>
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R1:
>> sent MR1,
>> expecting MI2
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: ignoring Vendor
>> ID payload
>> [KAME/racoon]
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: NAT-Traversal:
>> Result using
>> 3: i am NATed
>
> So NAT'ed....
>
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from
>> state
>> STATE_MAIN_R1 to state STATE_MAIN_R2
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R2:
>> sent MR2,
>> expecting MI3
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: Main mode peer
>> ID is
>> ID_IPV4_ADDR: 'IPFIXE'
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: I did not send a
>> certificate
>> because I do not have one.
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from
>> state
>> STATE_MAIN_R2 to state STATE_MAIN_R3
>> Apr 18 18:04:16 Zpro pluto[11600]: | NAT-T: new mapping IPFIXE:
>> 500/4500)
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R3:
>> sent MR3,
>> ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>> cipher=oakley_3des_cbc_192
>> prf=oakley_sha group=modp1024}
>> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: NAT-Traversal:
>> received 2
>> NAT-OA. ignored because peer is not NATed
>
> Not NAT'ed??
>
>> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: responding to
>> Quick Mode
>> {msgid:99321c1d}
>> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: ASSERTION FAILED at
>> kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
>
> Run gdb on the core in /tmp, and please give us some more information.
>
> Which version of openswan is this? If it is pre 2.4.7, please
> upgrade and try
> again.
>
>> newest ISAKMP; nodpd
>> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2:
>> Apr 18 18:04:17 Zpro ipsec__plutorun: /usr/lib/ipsec/_plutorun:
>> line 217:
>> 11600 Aborted (core dumped) /usr/lib/ipsec/pluto --
>> nofork
>> --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto
>> --uniqueids --nat_traversal --nhelpers 0
>> Apr 18 18:04:17 Zpro ipsec__plutorun: !pluto failure!: exited
>> with error
>> status 134 (signal 6)
>> Apr 18 18:04:17 Zpro ipsec__plutorun: restarting IPsec after pause...
>
> Same for this one.
>
> you might also want to try not using rightprotoport=17/%any, but
> 17/1701 and
> do a test with Windows XP (not OSX)
>
> Paul
> -
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?
> n=283155
>
>
>
>
>
!DSPAM:4627df1050706707317446!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20070419/6ce267ae/attachment-0001.html
More information about the Users
mailing list