[Openswan Users] Routing problem and pluto crash
Gwyn Connor
gwyn.connor at googlemail.com
Tue Apr 7 08:14:39 EDT 2009
Thanks, I upgraded both systems to the latest Openswan version (2.6.21
and 2.4.14) as suggested. Pluto always crashes with the same assertion
failure when I try to establish a connection. It makes no difference
anymore if I use right=%any or right=IP in the conf.
Should I file a bug report?
Gwyn
HOST1:
Apr 7 13:01:29 backup kernel: NET: Registered protocol family 15
Apr 7 13:01:29 backup ipsec_setup: Starting Openswan IPsec
U2.6.21/K2.6.27.7-9-default...
Apr 7 13:01:29 backup ipsec_setup: Using NETKEY(XFRM) stack
Apr 7 13:01:29 backup kernel: tunnel6: Unknown symbol inet6_del_protocol
Apr 7 13:01:29 backup kernel: tunnel6: Unknown symbol inet6_add_protocol
Apr 7 13:01:29 backup kernel: tunnel6: Unknown symbol icmpv6_send
Apr 7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol
xfrm6_tunnel_register
Apr 7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol xfrm6_rcv_spi
Apr 7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol
xfrm6_tunnel_deregister
Apr 7 13:01:29 backup kernel: ipcomp6: Unknown symbol xfrm6_rcv
Apr 7 13:01:29 backup kernel: ipcomp6: Unknown symbol
xfrm6_tunnel_alloc_spi
Apr 7 13:01:29 backup kernel: ipcomp6: Unknown symbol inet6_del_protocol
Apr 7 13:01:29 backup kernel: ipcomp6: Unknown symbol xfrm6_find_1stfragopt
Apr 7 13:01:29 backup kernel: ipcomp6: Unknown symbol
xfrm6_tunnel_spi_lookup
Apr 7 13:01:29 backup kernel: ipcomp6: Unknown symbol inet6_add_protocol
Apr 7 13:01:29 backup kernel: tunnel6: Unknown symbol inet6_del_protocol
Apr 7 13:01:29 backup kernel: tunnel6: Unknown symbol inet6_add_protocol
Apr 7 13:01:29 backup kernel: tunnel6: Unknown symbol icmpv6_send
Apr 7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol
xfrm6_tunnel_register
Apr 7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol xfrm6_rcv_spi
Apr 7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol
xfrm6_tunnel_deregister
Apr 7 13:01:29 backup kernel: xfrm6_mode_tunnel: Unknown symbol
xfrm6_prepare_output
Apr 7 13:01:29 backup kernel: xfrm6_mode_beet: Unknown symbol
xfrm6_prepare_output
Apr 7 13:01:29 backup kernel: esp6: Unknown symbol xfrm6_rcv
Apr 7 13:01:29 backup kernel: esp6: Unknown symbol inet6_del_protocol
Apr 7 13:01:29 backup kernel: esp6: Unknown symbol xfrm6_find_1stfragopt
Apr 7 13:01:29 backup ipsec_setup: multiple ip addresses, using
141.3.151.44 on eth0
Apr 7 13:01:30 backup ipsec__plutorun: Starting Pluto subsystem...
Apr 7 13:01:30 backup kernel: esp6: Unknown symbol inet6_add_protocol
Apr 7 13:01:30 backup kernel: ah6: Unknown symbol xfrm6_rcv
Apr 7 13:01:30 backup kernel: ah6: Unknown symbol inet6_del_protocol
Apr 7 13:01:30 backup kernel: ah6: Unknown symbol xfrm6_find_1stfragopt
Apr 7 13:01:30 backup kernel: ah6: Unknown symbol inet6_add_protocol
Apr 7 13:01:30 backup kernel: Initializing XFRM netlink socket
Apr 7 13:01:30 backup ipsec_setup: ...Openswan IPsec started
Apr 7 13:01:30 backup ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Apr 7 13:01:30 backup pluto: adjusting ipsec.d to /etc/ipsec.d
Apr 7 13:01:30 backup pluto[6560]: Starting Pluto (Openswan Version
2.6.21; Vendor ID OE~q\177kZNr}Wk) pid:6560
Apr 7 13:01:30 backup pluto[6560]: Setting NAT-Traversal port-4500
floating to on
Apr 7 13:01:30 backup pluto[6560]: port floating activation criteria
nat_t=1/port_float=1
Apr 7 13:01:30 backup pluto[6560]: including NAT-Traversal patch
(Version 0.6c)
Apr 7 13:01:30 backup pluto[6560]: using /dev/urandom as source of
random entropy
Apr 7 13:01:30 backup pluto[6560]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr 7 13:01:30 backup pluto[6560]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr 7 13:01:30 backup pluto[6560]: ike_alg_register_enc(): Activating
OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr 7 13:01:30 backup pluto[6560]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_512: Ok (ret=0)
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_256: Ok (ret=0)
Apr 7 13:01:31 backup pluto[6560]: starting up 1 cryptographic helpers
Apr 7 13:01:31 backup pluto[6560]: started helper pid=6567 (fd:7)
Apr 7 13:01:31 backup pluto[6560]: Using Linux 2.6 IPsec interface code
on 2.6.27.7-9-default (experimental code)
Apr 7 13:01:31 backup pluto[6567]: using /dev/urandom as source of
random entropy
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
<NULL>: Ok (ret=0)
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Apr 7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
already exists
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Apr 7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
already exists
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Apr 7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
already exists
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Apr 7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
already exists
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Apr 7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
already exists
Apr 7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Apr 7 13:01:32 backup pluto[6560]: Changed path to directory
'/etc/ipsec.d/cacerts'
Apr 7 13:01:32 backup pluto[6560]: loaded CA cert file 'cacert.pem'
(1257 bytes)
Apr 7 13:01:32 backup pluto[6560]: Changed path to directory
'/etc/ipsec.d/aacerts'
Apr 7 13:01:32 backup pluto[6560]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Apr 7 13:01:32 backup pluto[6560]: Changing to directory
'/etc/ipsec.d/crls'
Apr 7 13:01:32 backup pluto[6560]: Warning: empty directory
Apr 7 13:01:32 backup pluto[6560]: loading certificate from
/etc/ipsec.d/certs/testvpn.crt
Apr 7 13:01:32 backup pluto[6560]: loaded host cert file
'/etc/ipsec.d/certs/testvpn.crt' (1066 bytes)
Apr 7 13:01:32 backup pluto[6560]: added connection description "testvpn"
Apr 7 13:01:32 backup ipsec__plutorun: 002 loading certificate from
/etc/ipsec.d/certs/testvpn.crt
Apr 7 13:01:32 backup ipsec__plutorun: 002 loaded host cert file
'/etc/ipsec.d/certs/testvpn.crt' (1066 bytes)
Apr 7 13:01:32 backup ipsec__plutorun: 002 added connection description
"testvpn"
Apr 7 13:01:32 backup pluto[6560]: listening for IKE messages
Apr 7 13:01:32 backup pluto[6560]: adding interface eth0/eth0 10.0.1.1:500
Apr 7 13:01:32 backup pluto[6560]: adding interface eth0/eth0 10.0.1.1:4500
Apr 7 13:01:32 backup pluto[6560]: adding interface eth0/eth0
141.3.151.44:500
Apr 7 13:01:32 backup pluto[6560]: adding interface eth0/eth0
141.3.151.44:4500
Apr 7 13:01:32 backup pluto[6560]: adding interface lo/lo 127.0.0.2:500
Apr 7 13:01:32 backup pluto[6560]: adding interface lo/lo 127.0.0.2:4500
Apr 7 13:01:32 backup pluto[6560]: adding interface lo/lo 127.0.0.1:500
Apr 7 13:01:32 backup pluto[6560]: adding interface lo/lo 127.0.0.1:4500
Apr 7 13:01:32 backup pluto[6560]: loading secrets from
"/etc/ipsec.secrets"
Apr 7 13:01:32 backup pluto[6560]: loaded private key file
'/etc/ipsec.d/private/testvpn.key' (963 bytes)
Apr 7 13:01:32 backup pluto[6560]: loaded private key for keyid:
PPK_RSA:AwEAAa9+Q
Apr 7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
ignoring unknown Vendor ID payload [4f455a526b5f4c686e534e63]
Apr 7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
received Vendor ID payload [Dead Peer Detection]
Apr 7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
received Vendor ID payload [RFC 3947] method set to=109
Apr 7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already using method 109
Apr 7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already using method 109
Apr 7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but already using method 109
Apr 7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #1: responding to Main Mode
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #1: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #1: STATE_MAIN_R1: sent
MR1, expecting MI2
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #1: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #1: STATE_MAIN_R2: sent
MR2, expecting MI3
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=DE, ST=BW, O=test, CN=Server test, E=vpn at example.org'
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #1: no crl from issuer
"C=DE, ST=BW, L=KA, O=test, CN=test Root CA, E=certs at example.org" found
(strict=no)
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #1: I am sending my cert
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #1: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #1: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #1: the peer proposed:
10.0.1.0/24:0/0 -> 10.0.2.0/24:0/0
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: responding to Quick
Mode proposal {msgid:47a43346}
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: us:
10.0.1.0/24===141.3.151.44[C=DE, ST=BW, O=test, CN=test VPN,
E=vpn at example.org,+S=C]
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: them:
129.13.72.2<129.13.72.2>[C=DE, ST=BW, O=test, CN=Server test,
E=vpn at example.org,+S=C]===10.0.2.0/24
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: ASSERTION FAILED at
/root/vpn/openswan-2.6.21/programs/pluto/kernel.c:2177: c->kind ==
CK_PERMANENT || c->kind == CK_INSTANCE
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: using kernel
interface: netkey
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: interface lo/lo 127.0.0.1
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: interface lo/lo 127.0.0.1
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: interface lo/lo 127.0.0.2
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: interface lo/lo 127.0.0.2
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: interface eth0/eth0
141.3.151.44
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: interface eth0/eth0
141.3.151.44
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: interface eth0/eth0
10.0.1.1
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: interface eth0/eth0
10.0.1.1
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: %myid = (none)
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: debug none
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2:
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: virtual_private (%priv):
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: - allowed 0 subnets:
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: - disallowed 0 subnets:
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: WARNING: Either
virtual_private= was not specified, or there was a syntax
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: error in that
line. 'left/rightsubnet=%priv' will not work!
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2:
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
Apr 7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
Apr 7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
Apr 7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
Apr 7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
Apr 7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
Apr 7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
Apr 7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
Apr 7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256,
keysizemax=256
Apr 7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
Apr 7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
Apr 7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
attr: id=251, name=(null), keysizemin=0, keysizemax=0
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2:
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
id=0, name=(null), blocksize=16, keydeflen=131
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE hash:
id=1, name=OAKLEY_MD5, hashsize=16
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE hash:
id=2, name=OAKLEY_SHA1, hashsize=20
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE hash:
id=4, name=OAKLEY_SHA2_256, hashsize=32
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE hash:
id=6, name=OAKLEY_SHA2_512, hashsize=64
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2:
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: stats db_ops:
{curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2:
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":
10.0.1.0/24===141.3.151.44[C=DE, ST=BW, O=test, CN=test VPN,
E=vpn at example.org,+S=C]...129.13.72.2<129.13.72.2>[C=DE, ST=BW, O=test,
CN=Server test, E=vpn at example.org,+S=C]===10.0.2.0/24; unrouted; eroute
owner: #0
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":
myip=10.0.1.1; hisip=10.0.2.1; mycert=/etc/ipsec.d/certs/testvpn.crt;
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn": CAs:
'C=DE, ST=BW, L=KA, O=test, CN=test Root CA, E=certs at example.org'...'%any'
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn": ike_life:
3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 0
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn": policy:
RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW; prio: 24,24; interface: eth0;
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn": newest
ISAKMP SA: #1; newest IPsec SA: #0;
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn": IKE
algorithm newest: 3DES_CBC_192-MD5-MODP1536
Apr 7 13:01:38 backup pluto[6560]: "testvpn" #2:
Apr 7 13:01:39 backup pluto[6560]: "testvpn" #2: #2: "testvpn":500
STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 296s;
lastdpd=-1s(seq in:0 out:0); idle; import:not set
Apr 7 13:01:39 backup pluto[6560]: "testvpn" #2: #1: "testvpn":500
STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in
3326s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
Apr 7 13:01:39 backup pluto[6560]: "testvpn" #2:
Apr 7 13:01:39 backup pluto[6560]: "testvpn" #2: ABORT at
/root/vpn/openswan-2.6.21/programs/pluto/log.c:632
Apr 7 13:01:39 backup pluto[6560]: "testvpn" #2: ABORT at
/root/vpn/openswan-2.6.21/programs/pluto/log.c:632
Apr 7 13:01:39 backup ipsec__plutorun: /usr/local/lib/ipsec/_plutorun:
line 232: 6560 Aborted /usr/local/libexec/ipsec/pluto
--nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d
--use-netkey --uniqueids --nat_traversal
Apr 7 13:01:39 backup ipsec__plutorun: !pluto failure!: exited with
error status 134 (signal 6)
Apr 7 13:01:39 backup ipsec__plutorun: restarting IPsec after pause...
Apr 7 13:01:49 backup ipsec_setup: Stopping Openswan IPsec...
Apr 7 13:01:49 backup ipsec_setup: Removing orphaned
/var/run/pluto/pluto.pid:
Apr 7 13:01:49 backup kernel: NET: Unregistered protocol family 15
Apr 7 13:01:49 backup ipsec_setup: ...Openswan IPsec stopped
HOST2:
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: initiating Main Mode
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: ignoring unknown
Vendor ID payload [4f457e717f6b5a4e727d576b]
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: received Vendor ID
payload [Dead Peer Detection]
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: received Vendor ID
payload [RFC 3947] method set to=109
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: STATE_MAIN_I2: sent
MI2, expecting MR2
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: I am sending my cert
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: I am sending a
certificate request
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: STATE_MAIN_I3: sent
MI3, expecting MR3
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: IKEv2 Vendor ID
payload received but not supported in this version
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: received Vendor ID
payload [CAN-IKEv2]
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=DE, ST=BW, O=test, CN=test VPN, E=vpn at example.org'
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: no crl from issuer
"C=DE, ST=BW, L=KA, O=test, CN=test Root CA, E=certs at example.org" found
(strict=no)
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #1: STATE_MAIN_I4: ISAKMP
SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1536}
Apr 7 13:01:35 test2 pluto[30427]: "testvpn" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> On Mon, 6 Apr 2009, Gwyn Connor wrote:
>
>> Subject: [Openswan Users] Routing problem and pluto crash
>
>> HOST1 (Openswan 2.6.16 with NETKEY, Kernel 2.6.27.7):
>
> Upgrade to 2.6.21.
>
>> HOST2 (Openswan 2.4.7 with NETKEY, Kernel 2.6.27.19):
>
> Upgrade to 2.4.14.
>
>> Could all this be related to right=%any in my configuration on HOST1?
>
> That's fine as long as HOST2 initiates the connection and you have
> rekey=no
> on HOST1.
>
>> I also tried setting the actual IP address there, but this made pluto
>> crash due to an ASSERTION failure:
>>
>> Apr 5 23:18:08 backup pluto[31127]: "testvpn" #2: responding to Quick
>> Mode proposal {msgid:a949675c}
>> Apr 5 23:18:08 backup pluto[31127]: "testvpn" #2: us:
>> 10.0.1.0/24===141.3.151.44[C=DE, ST=BW, O=test AG, CN=test VPN,
>> E=vpn at example.org]
>> Apr 5 23:18:08 backup pluto[31127]: "testvpn" #2: them:
>> 129.13.72.2<129.13.72.2>[C=DE, ST=BW, O=test, CN=Server test,
>> E=vpn at example.org]===10.0.2.0/24
>> Apr 5 23:18:09 backup pluto[31127]: "testvpn" #2: ASSERTION FAILED at
>> /usr/src/packages/BUILD/openswan-2.6.16/programs/pluto/kernel.c:2157:
>> c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
>
>> Any ideas how I can fix it to make the VPN work?
>
> Upgrade. Then let us know if you still have problems.
>
> Paul
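
The crash evidence in this thread, reduced to what a bug report needs (an added example, not part of the original post or of Openswan's code): the script re-joins the wrapped log lines, extracts each pluto ASSERTION FAILED record, and builds a signature from the source file name and the failed expression, so the 2.6.16 and 2.6.21 failures compare as the same check. The sample is excerpted from the logs in this thread; the function names are made up for this example.

```python
import os
import re

# Excerpt of the HOST1 log above plus the 2.6.16 lines from the quoted mail
# (quote markers stripped), keeping the mail archive's line wrapping.
SAMPLE = '''\
Apr 5 23:18:08 backup pluto[31127]: "testvpn" #2: responding to Quick
Mode proposal {msgid:a949675c}
Apr 5 23:18:09 backup pluto[31127]: "testvpn" #2: ASSERTION FAILED at
/usr/src/packages/BUILD/openswan-2.6.16/programs/pluto/kernel.c:2157:
c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: responding to Quick
Mode proposal {msgid:47a43346}
Apr 7 13:01:35 backup pluto[6560]: "testvpn" #2: ASSERTION FAILED at
/root/vpn/openswan-2.6.21/programs/pluto/kernel.c:2177: c->kind ==
CK_PERMANENT || c->kind == CK_INSTANCE
Apr 7 13:01:39 backup pluto[6560]: "testvpn" #2: ABORT at
/root/vpn/openswan-2.6.21/programs/pluto/log.c:632
Apr 7 13:01:39 backup ipsec__plutorun: !pluto failure!: exited with
error status 134 (signal 6)
'''

RECORD = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
                    r'(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
ASSERTION = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): ASSERTION FAILED at '
                       r'(?P<path>\S+):(?P<line>\d+): (?P<expr>.+)$')
EXIT = re.compile(r'exited with error status (\d+) \(signal (\d+)\)')


def unwrap(text):
    """Re-join wrapped lines: anything that does not start with a syslog
    timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line
    return records


def crash_report(text):
    """Return (assertions, exits). Each assertion carries a signature that
    ignores build path and line number, so the same failed check in two
    Openswan builds compares equal."""
    assertions, exits, last_msg = [], [], {}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        msg = m['msg']
        a = ASSERTION.match(msg) if m['prog'] == 'pluto' else None
        if a:
            expr = ' '.join(a['expr'].split())
            assertions.append({
                'when': m['ts'], 'pid': m['pid'], 'conn': a['conn'],
                'sa': int(a['sa']), 'source': a['path'], 'line': int(a['line']),
                'signature': (os.path.basename(a['path']), expr),
                'preceded_by': last_msg.get(m['pid']),  # last pluto message, same pid
            })
        e = EXIT.search(msg)
        if e:
            exits.append({'when': m['ts'], 'status': int(e[1]), 'signal': int(e[2])})
        if m['prog'] == 'pluto':
            last_msg[m['pid']] = msg
    return assertions, exits
```
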