[Openswan Users] openswan configuration needs help
Jean Marc Le Fevre
jm.lefevre at etatcritik.dyndns.org
Fri Apr 20 06:42:57 EDT 2007
Hello all,
I made a lot of tests this morning, and I found that if I change the
connection parameter right=FIXED-IP to right=%any and change the
ipsec.secrets file accordingly, I don't get the pluto crash anymore. I can't
understand why, but that is the fact.
I still have the core dump file, and if anyone needs to investigate,
please contact me.
Now I have to set up the authentication and read a lot of docs
about it :)
Thanks to everyone
On 19 Apr 07, at 23:28, Jean Marc Le Fevre wrote:
> Hello,
>
> I've installed the 2.4.7 version and still the same problem.
>
> I guess the main error is:
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: ASSERTION FAILED
> at kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
>
> my kernel is the kernel-default-2.6.18 rpm package from an openSUSE 10.2
>
> thanks
>
> here are the new logs:
>
> Apr 19 23:17:02 Zpro pluto[23031]: packet from 82.XX.XX.XX:500:
> received Vendor ID payload [RFC 3947] method set to=110
> Apr 19 23:17:02 Zpro pluto[23031]: packet from 82.XX.XX.XX:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=109,
> but already using method 110
> Apr 19 23:17:02 Zpro pluto[23031]: packet from 82.XX.XX.XX:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> meth=107, but already using method 110
> Apr 19 23:17:02 Zpro pluto[23031]: packet from 82.XX.XX.XX:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> meth=106, but already using method 110
> Apr 19 23:17:02 Zpro pluto[23031]: "L2TP-PSK" #1: responding to
> Main Mode
> Apr 19 23:17:02 Zpro pluto[23031]: "L2TP-PSK" #1: transition from
> state STATE_MAIN_R0 to state STATE_MAIN_R1
> Apr 19 23:17:02 Zpro pluto[23031]: "L2TP-PSK" #1: STATE_MAIN_R1:
> sent MR1, expecting MI2
> Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: ignoring Vendor
> ID payload [KAME/racoon]
> Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: NAT-Traversal:
> Result using RFC 3947 (NAT-Traversal): i am NATed
> Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: transition from
> state STATE_MAIN_R1 to state STATE_MAIN_R2
> Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: STATE_MAIN_R2:
> sent MR2, expecting MI3
> Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: Main mode peer ID
> is ID_IPV4_ADDR: '82.XX.XX.XX'
> Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: I did not send a
> certificate because I do not have one.
> Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: transition from
> state STATE_MAIN_R2 to state STATE_MAIN_R3
> Apr 19 23:17:03 Zpro pluto[23031]: | NAT-T: new mapping 82.XX.XX.XX:
> 500/4500)
> Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: STATE_MAIN_R3:
> sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: ignoring
> informational payload, type IPSEC_INITIAL_CONTACT
> Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: received and
> ignored informational message
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: NAT-Traversal:
> received 2 NAT-OA. ignored because peer is not NATed
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: responding to
> Quick Mode {msgid:c15eebb0}
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: ASSERTION FAILED
> at kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: interface lo/lo
> 127.0.0.1
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: interface lo/lo
> 127.0.0.1
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: interface eth0/
> eth0 10.91.130.61
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: interface eth0/
> eth0 10.91.130.61
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: %myid = (none)
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: debug none
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
> encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
> encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
> encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
> keysizemax=448
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
> encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
> encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
> encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128,
> keysizemax=256
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
> encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128,
> keysizemax=256
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
> auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128,
> keysizemax=128
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
> auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160,
> keysizemax=160
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
> auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256,
> keysizemax=256
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm ESP
> auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE
> encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE
> encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE
> hash: id=1, name=OAKLEY_MD5, hashsize=16
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE
> hash: id=2, name=OAKLEY_SHA1, hashsize=20
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh
> group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh
> group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh
> group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh
> group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh
> group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh
> group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: algorithm IKE dh
> group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: stats db_ops.c:
> {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs=
> {0,0,0}
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":
> 10.91.130.0/24===10.91.130.61:17/%any---10.91.130.2...82.XX.XX.XX:
> 17/49178; unrouted; eroute owner: #0
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":
> srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":
> ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 3
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":
> policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,24; interface: eth0;
> encap: esp;
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK":
> newest ISAKMP SA: #1; newest IPsec SA: #0;
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: "L2TP-PSK": IKE
> algorithm newest: 3DES_CBC_192-SHA1-MODP1024
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: #2: "L2TP-PSK":
> 4500 STATE_QUICK_R0 (expecting QI1); EVENT_SO_DISCARD in 0s; nodpd
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: #1: "L2TP-PSK":
> 4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
> EVENT_SA_EXPIRE in 3599s; newest ISAKMP; nodpd
> Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2:
> Apr 19 23:17:04 Zpro ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 237: 23031 Aborted (core dumped) /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --nhelpers 0
> Apr 19 23:17:04 Zpro ipsec__plutorun: !pluto failure!: exited with error status 134 (signal 6)
>
>
>
> On 18 Apr 07, at 20:36, Paul Wouters wrote:
>
>> On Wed, 18 Apr 2007, Jean Marc Le Fevre wrote:
>>
>>> dumpdir=/tmp
>>
>>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R1:
>>> sent MR1,
>>> expecting MI2
>>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: ignoring Vendor
>>> ID payload
>>> [KAME/racoon]
>>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: NAT-Traversal:
>>> Result using
>>> 3: i am NATed
>>
>> So NAT'ed....
>>
>>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from
>>> state
>>> STATE_MAIN_R1 to state STATE_MAIN_R2
>>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R2:
>>> sent MR2,
>>> expecting MI3
>>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: Main mode peer
>>> ID is
>>> ID_IPV4_ADDR: 'IPFIXE'
>>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: I did not send
>>> a certificate
>>> because I do not have one.
>>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from
>>> state
>>> STATE_MAIN_R2 to state STATE_MAIN_R3
>>> Apr 18 18:04:16 Zpro pluto[11600]: | NAT-T: new mapping IPFIXE:
>>> 500/4500)
>>> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R3:
>>> sent MR3,
>>> ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>>> cipher=oakley_3des_cbc_192
>>> prf=oakley_sha group=modp1024}
>>> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: NAT-Traversal:
>>> received 2
>>> NAT-OA. ignored because peer is not NATed
>>
>> Not NAT'ed??
>>
>>> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: responding to
>>> Quick Mode
>>> {msgid:99321c1d}
>>> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: ASSERTION
>>> FAILED at
>>> kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
>>
>> Run gdb on the core in /tmp, and please give us some more
>> information.
>>
>> Which version of openswan is this? If it is pre 2.4.7, please
>> upgrade and try
>> again.
>>
>>> newest ISAKMP; nodpd
>>> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2:
>>> Apr 18 18:04:17 Zpro ipsec__plutorun: /usr/lib/ipsec/_plutorun:
>>> line 217:
>>> 11600 Aborted (core dumped) /usr/lib/ipsec/pluto
>>> --nofork
>>> --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto
>>> --uniqueids --nat_traversal --nhelpers 0
>>> Apr 18 18:04:17 Zpro ipsec__plutorun: !pluto failure!: exited
>>> with error
>>> status 134 (signal 6)
>>> Apr 18 18:04:17 Zpro ipsec__plutorun: restarting IPsec after
>>> pause...
>>
>> Same for this one.
>>
>> you might also want to try not using rightprotoport=17/%any, but
>> 17/1701 and
>> do a test with Windows XP (not OSX)
>>
>> Paul
>> -
>> Building and integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
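Added here as an example, not code from the thread or from Openswan: a small Python checker that runs over log lines modelled on the pluto output quoted above and pulls out what Paul's reply looks at, namely the NAT-T verdicts from phase 1 and phase 2 on the same connection, the failed assertion together with what that SA was last doing, and the daemon exit decoded from the _plutorun status. The sample log, the regexes and the function name are my own constructions.

```python
import re

# Constructed sample, modelled on the pluto lines quoted in this thread (same host, PID, conn name).
SAMPLE_LOG = """\
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Apr 19 23:17:03 Zpro pluto[23031]: "L2TP-PSK" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: responding to Quick Mode {msgid:c15eebb0}
Apr 19 23:17:04 Zpro pluto[23031]: "L2TP-PSK" #2: ASSERTION FAILED at kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
Apr 19 23:17:04 Zpro ipsec__plutorun: !pluto failure!: exited with error status 134 (signal 6)
"""

# syslog prefix followed by pluto's own '"conn" #sa: message' form
PLUTO = re.compile(r'^\w{3} +\d+ [\d:]{8} \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
NAT_RESULT = re.compile(r"NAT-Traversal: Result using .*: (?P<v>.*)$")  # phase 1 NAT-T verdict
NAT_OA = re.compile(r"NAT-OA\. ignored because (?P<v>.*)$")            # phase 2 NAT-T verdict
ASSERT = re.compile(r"ASSERTION FAILED at (?P<where>\S+): (?P<expr>.*)$")
EXIT = re.compile(r"!pluto failure!: exited with error status (?P<status>\d+)")


def analyze(log_text):
    """Return (kind, conn, detail) findings from pluto syslog text."""
    findings = []
    last_msg = {}      # (conn, sa) -> most recent non-fatal message on that SA
    nat_verdicts = {}  # conn -> [(sa, verdict text)] across both IKE phases
    for line in log_text.splitlines():
        m = PLUTO.match(line)
        if not m:
            e = EXIT.search(line)  # _plutorun reports the shell exit status
            if e:
                status = int(e.group("status"))  # 134 = 128 + SIGABRT (6)
                findings.append(("daemon_exit", None, "status %d, signal %s"
                                 % (status, status - 128 if status > 128 else None)))
            continue
        conn, sa, msg = m.group("conn"), int(m.group("sa")), m.group("msg")
        for pat in (NAT_RESULT, NAT_OA):
            n = pat.search(msg)
            if n:
                nat_verdicts.setdefault(conn, []).append((sa, n.group("v")))
        a = ASSERT.search(msg)
        if a:  # report the failed check together with what the SA was doing
            ctx = last_msg.get((conn, sa), "(no earlier message on this SA)")
            findings.append(("assertion", conn, "%s [%s] while SA #%d was: %s"
                             % (a.group("where"), a.group("expr"), sa, ctx)))
        else:
            last_msg[(conn, sa)] = msg
    for conn, verdicts in nat_verdicts.items():
        if len({v for _, v in verdicts}) > 1:  # phase 1 and phase 2 disagree
            findings.append(("nat_t_verdicts_differ", conn,
                             "; ".join("#%d: %s" % v for v in verdicts)))
    return findings
```

Feed it the output of `grep pluto /var/log/messages` (or the equivalent syslog file) to get the same three findings from a real crash; the differing-verdicts rule is a prompt to compare the two phases, as Paul does, not proof of a bug by itself.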