[Openswan Users] openswan configuration needs help

Jean Marc Le Fevre jm.lefevre at etatcritik.dyndns.org
Thu Apr 19 17:28:43 EDT 2007


Hello,

I've installed the 2.4.7 version and still have the same problem.

I guess the main error is:
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: ASSERTION FAILED at kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE

My kernel is the kernel-default-2.6.18 rpm package from openSUSE 10.2.

Thanks

Here are the new logs:

Apr 19 23:17:02 Zpro pluto[23031]: packet from 82.XX.XX.XX:500: received Vendor ID payload [RFC 3947] method set to=110
Apr 19 23:17:02 Zpro pluto[23031]: packet from 82.XX.XX.XX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=109, but already using method 110
Apr 19 23:17:02 Zpro pluto[23031]: packet from 82.XX.XX.XX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Apr 19 23:17:02 Zpro pluto[23031]: packet from 82.XX.XX.XX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Apr 19 23:17:02 Zpro pluto[23031]: "L2TP-PSK" #1: responding to Main Mode
Apr 19 23:17:02 Zpro pluto[23031]: "L2TP-PSK" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 19 23:17:02 Zpro pluto[23031]: "L2TP-PSK" #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: ignoring Vendor ID payload [KAME/racoon]
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: Main mode peer ID is ID_IPV4_ADDR: '82.XX.XX.XX'
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: I did not send a certificate because I do not have one.
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 19 23:17:03 Zpro pluto[23031]: | NAT-T: new mapping 82.XX.XX.XX:500/4500)
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: received and ignored informational message
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: responding to Quick Mode {msgid:c15eebb0}
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: ASSERTION FAILED at kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: interface lo/lo 127.0.0.1
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: interface lo/lo 127.0.0.1
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: interface eth0/eth0 10.91.130.61
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: interface eth0/eth0 10.91.130.61
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: %myid = (none)
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: debug none
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK": 10.91.130.0/24===10.91.130.61:17/%any---10.91.130.2...82.XX.XX.XX:17/49178; unrouted; eroute owner: #0
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,24; interface: eth0; encap: esp;
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":   newest ISAKMP SA: #1; newest IPsec SA: #0;
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: #2: "L2TP-PSK":4500 STATE_QUICK_R0 (expecting QI1); EVENT_SO_DISCARD in 0s; nodpd
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: #1: "L2TP-PSK":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3599s; newest ISAKMP; nodpd
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
Apr 19 23:17:04 Zpro ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 237: 23031 Aborted                 (core dumped) /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --nhelpers 0
Apr 19 23:17:04 Zpro ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)



On 18 Apr 07, at 20:36, Paul Wouters wrote:

> On Wed, 18 Apr 2007, Jean Marc Le Fevre wrote:
>
>>        dumpdir=/tmp
>
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R1:  
>> sent MR1,
>> expecting MI2
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: ignoring Vendor  
>> ID payload
>> [KAME/racoon]
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: NAT-Traversal:  
>> Result using
>> 3: i am NATed
>
> So NAT'ed....
>
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from  
>> state
>> STATE_MAIN_R1 to state STATE_MAIN_R2
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R2:  
>> sent MR2,
>> expecting MI3
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: Main mode peer  
>> ID is
>> ID_IPV4_ADDR: 'IPFIXE'
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: I did not send a  
>> certificate
>> because I do not have one.
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from  
>> state
>> STATE_MAIN_R2 to state STATE_MAIN_R3
>> Apr 18 18:04:16 Zpro pluto[11600]: | NAT-T: new mapping IPFIXE: 
>> 500/4500)
>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R3:  
>> sent MR3,
>> ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY  
>> cipher=oakley_3des_cbc_192
>> prf=oakley_sha group=modp1024}
>> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: NAT-Traversal:  
>> received 2
>> NAT-OA. ignored because peer is not NATed
>
> Not NAT'ed??
>
>> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: responding to  
>> Quick Mode
>> {msgid:99321c1d}
>> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: ASSERTION FAILED at
>> kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
>
> Run gdb on the core in /tmp, and please give us some more information.
>
> Which version of openswan is this? If it is pre 2.4.7, please  
> upgrade and try
> again.
>
>> newest ISAKMP; nodpd
>> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2:
>> Apr 18 18:04:17 Zpro ipsec__plutorun: /usr/lib/ipsec/_plutorun:  
>> line 217:
>> 11600 Aborted                 (core dumped) /usr/lib/ipsec/pluto -- 
>> nofork
>> --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto
>> --uniqueids --nat_traversal --nhelpers 0
>> Apr 18 18:04:17 Zpro ipsec__plutorun: !pluto failure!:  exited  
>> with error
>> status 134 (signal 6)
>> Apr 18 18:04:17 Zpro ipsec__plutorun: restarting IPsec after pause...
>
> Same for this one.
>
> you might also want to try not using rightprotoport=17/%any, but  
> 17/1701 and
> do a test with Windows XP (not OSX)
>
> Paul
> -
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
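
A triage pass over pluto log records like the ones in this thread, as an added example that is not part of the original messages or of Openswan: it extracts the last IKE state per SA, the NAT-Traversal verdicts, the failed assertion with the message that preceded it, and the exit status. The regular expressions are assumptions fitted to the log lines shown here, and the function and field names are hypothetical.

```python
import re
from pprint import pprint

# Constructed sample: records copied from the log in this thread, mail wrapping removed.
SAMPLE = """\
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: responding to Quick Mode {msgid:c15eebb0}
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: ASSERTION FAILED at kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
Apr 19 23:17:04 Zpro ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)
"""

REC = re.compile(r'^\w{3} +\d+ [\d:]{8} \S+ ([\w-]+)(?:\[\d+\])?: (.*)$')  # syslog prefix
SA = re.compile(r'^"([^"]+)" #(\d+): (.*)$')                # "conn" #sa-number: message
CHECKS = {
    "state": re.compile(r'transition from state \S+ to state (\S+)'),
    "nat": re.compile(r'NAT-Traversal: (.*)'),
    "assertion": re.compile(r'ASSERTION FAILED at ([\w.]+):(\d+): (.*)'),
}
EXIT = re.compile(r'exited with error status (\d+) \(signal (\d+)\)')

def triage(text):
    """Summarise a pluto run: last IKE state per SA, NAT-T verdicts, crash cause."""
    rep = {"last_state": {}, "nat": [], "assertion": None, "exit": None}
    previous = {}                      # SA number -> most recent message for that SA
    for line in text.splitlines():
        rec = REC.match(line)
        if not rec:
            continue                   # wrapped continuation or non-syslog line
        prog, msg = rec.groups()
        if (x := EXIT.search(msg)) and prog == "ipsec__plutorun":
            rep["exit"] = {"status": int(x[1]), "signal": int(x[2])}
        sa = SA.match(msg) if prog == "pluto" else None
        if not sa:
            continue
        num, body = int(sa[2]), sa[3]
        if m := CHECKS["state"].search(body):
            rep["last_state"][num] = m[1]
        elif m := CHECKS["nat"].match(body):
            rep["nat"].append((num, m[1]))
        elif (m := CHECKS["assertion"].match(body)) and rep["assertion"] is None:
            rep["assertion"] = {"sa": num, "file": m[1], "line": int(m[2]),
                                "expr": m[3], "after": previous.get(num)}
        previous[num] = body
    return rep

if __name__ == "__main__":
    pprint(triage(SAMPLE))
```

Only the first assertion is kept, because the status dump pluto prints after it repeats the same SA prefix on every line.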


