[Openswan Users] cert problem with new 2.6.21 version

Jorge Santos jorge.santos at idw.pt
Tue Apr 7 12:56:53 EDT 2009


users-request at openswan.org wrote:
> 
> Today's Topics:
> 
>    1. Re: Routing problem and pluto crash (Gwyn Connor)
>    2. cert problem with new 2.6.21 version (weirauch at checkmobile.de)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Tue, 07 Apr 2009 14:14:39 +0200
> From: Gwyn Connor <gwyn.connor at googlemail.com>
> Subject: Re: [Openswan Users] Routing problem and pluto crash
> To: Paul Wouters <paul at xelerance.com>
> Cc: users at openswan.org
> Message-ID: <49DB43AF.3080803 at googlemail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Thanks, I upgraded both systems to the latest Openswan version (2.6.21
> and 2.4.14) as suggested. Pluto always crashes with the same assertion
> failure when I try to establish a connection. It makes no difference
> anymore if I use right=%any or right=IP in the conf.
> 
> Should I file a bug report?
> 
> Gwyn
> 
> 
> HOST1:
> 
> Apr  7 13:01:29 backup kernel: NET: Registered protocol family 15
> Apr  7 13:01:29 backup ipsec_setup: Starting Openswan IPsec
> U2.6.21/K2.6.27.7-9-default...
> Apr  7 13:01:29 backup ipsec_setup: Using NETKEY(XFRM) stack
> Apr  7 13:01:29 backup kernel: tunnel6: Unknown symbol inet6_del_protocol
> Apr  7 13:01:29 backup kernel: tunnel6: Unknown symbol inet6_add_protocol
> Apr  7 13:01:29 backup kernel: tunnel6: Unknown symbol icmpv6_send
> Apr  7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol
> xfrm6_tunnel_register
> Apr  7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol xfrm6_rcv_spi
> Apr  7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol
> xfrm6_tunnel_deregister
> Apr  7 13:01:29 backup kernel: ipcomp6: Unknown symbol xfrm6_rcv
> Apr  7 13:01:29 backup kernel: ipcomp6: Unknown symbol
> xfrm6_tunnel_alloc_spi
> Apr  7 13:01:29 backup kernel: ipcomp6: Unknown symbol inet6_del_protocol
> Apr  7 13:01:29 backup kernel: ipcomp6: Unknown symbol xfrm6_find_1stfragopt
> Apr  7 13:01:29 backup kernel: ipcomp6: Unknown symbol
> xfrm6_tunnel_spi_lookup
> Apr  7 13:01:29 backup kernel: ipcomp6: Unknown symbol inet6_add_protocol
> Apr  7 13:01:29 backup kernel: tunnel6: Unknown symbol inet6_del_protocol
> Apr  7 13:01:29 backup kernel: tunnel6: Unknown symbol inet6_add_protocol
> Apr  7 13:01:29 backup kernel: tunnel6: Unknown symbol icmpv6_send
> Apr  7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol
> xfrm6_tunnel_register
> Apr  7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol xfrm6_rcv_spi
> Apr  7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol
> xfrm6_tunnel_deregister
> Apr  7 13:01:29 backup kernel: xfrm6_mode_tunnel: Unknown symbol
> xfrm6_prepare_output
> Apr  7 13:01:29 backup kernel: xfrm6_mode_beet: Unknown symbol
> xfrm6_prepare_output
> Apr  7 13:01:29 backup kernel: esp6: Unknown symbol xfrm6_rcv
> Apr  7 13:01:29 backup kernel: esp6: Unknown symbol inet6_del_protocol
> Apr  7 13:01:29 backup kernel: esp6: Unknown symbol xfrm6_find_1stfragopt
> Apr  7 13:01:29 backup ipsec_setup: multiple ip addresses, using 
> 141.3.151.44 on eth0
> Apr  7 13:01:30 backup ipsec__plutorun: Starting Pluto subsystem...
> Apr  7 13:01:30 backup kernel: esp6: Unknown symbol inet6_add_protocol
> Apr  7 13:01:30 backup kernel: ah6: Unknown symbol xfrm6_rcv
> Apr  7 13:01:30 backup kernel: ah6: Unknown symbol inet6_del_protocol
> Apr  7 13:01:30 backup kernel: ah6: Unknown symbol xfrm6_find_1stfragopt
> Apr  7 13:01:30 backup kernel: ah6: Unknown symbol inet6_add_protocol
> Apr  7 13:01:30 backup kernel: Initializing XFRM netlink socket
> Apr  7 13:01:30 backup ipsec_setup: ...Openswan IPsec started
> Apr  7 13:01:30 backup ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
> Apr  7 13:01:30 backup pluto: adjusting ipsec.d to /etc/ipsec.d
> Apr  7 13:01:30 backup pluto[6560]: Starting Pluto (Openswan Version
> 2.6.21; Vendor ID OE~q\177kZNr}Wk) pid:6560
> Apr  7 13:01:30 backup pluto[6560]: Setting NAT-Traversal port-4500
> floating to on
> Apr  7 13:01:30 backup pluto[6560]:    port floating activation criteria
> nat_t=1/port_float=1
> Apr  7 13:01:30 backup pluto[6560]:    including NAT-Traversal patch
> (Version 0.6c)
> Apr  7 13:01:30 backup pluto[6560]: using /dev/urandom as source of
> random entropy
> Apr  7 13:01:30 backup pluto[6560]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Apr  7 13:01:30 backup pluto[6560]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Apr  7 13:01:30 backup pluto[6560]: ike_alg_register_enc(): Activating
> OAKLEY_SERPENT_CBC: Ok (ret=0)
> Apr  7 13:01:30 backup pluto[6560]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
> OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_512: Ok (ret=0)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_256: Ok (ret=0)
> Apr  7 13:01:31 backup pluto[6560]: starting up 1 cryptographic helpers
> Apr  7 13:01:31 backup pluto[6560]: started helper pid=6567 (fd:7)
> Apr  7 13:01:31 backup pluto[6560]: Using Linux 2.6 IPsec interface code
> on 2.6.27.7-9-default (experimental code)
> Apr  7 13:01:31 backup pluto[6567]: using /dev/urandom as source of
> random entropy
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names 
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
> <NULL>: Ok (ret=0)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names 
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
> already exists
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names 
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
> already exists
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names 
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
> already exists
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names 
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
> already exists
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names 
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
> already exists
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Apr  7 13:01:32 backup pluto[6560]: Changed path to directory
> '/etc/ipsec.d/cacerts'
> Apr  7 13:01:32 backup pluto[6560]:   loaded CA cert file 'cacert.pem'
> (1257 bytes)
> Apr  7 13:01:32 backup pluto[6560]: Changed path to directory
> '/etc/ipsec.d/aacerts'
> Apr  7 13:01:32 backup pluto[6560]: Changed path to directory
> '/etc/ipsec.d/ocspcerts'
> Apr  7 13:01:32 backup pluto[6560]: Changing to directory
> '/etc/ipsec.d/crls'
> Apr  7 13:01:32 backup pluto[6560]:   Warning: empty directory
> Apr  7 13:01:32 backup pluto[6560]: loading certificate from
> /etc/ipsec.d/certs/testvpn.crt
> Apr  7 13:01:32 backup pluto[6560]:   loaded host cert file
> '/etc/ipsec.d/certs/testvpn.crt' (1066 bytes)
> Apr  7 13:01:32 backup pluto[6560]: added connection description "testvpn"
> Apr  7 13:01:32 backup ipsec__plutorun: 002 loading certificate from
> /etc/ipsec.d/certs/testvpn.crt
> Apr  7 13:01:32 backup ipsec__plutorun: 002   loaded host cert file
> '/etc/ipsec.d/certs/testvpn.crt' (1066 bytes)
> Apr  7 13:01:32 backup ipsec__plutorun: 002 added connection description
> "testvpn"
> Apr  7 13:01:32 backup pluto[6560]: listening for IKE messages
> Apr  7 13:01:32 backup pluto[6560]: adding interface eth0/eth0 10.0.1.1:500
> Apr  7 13:01:32 backup pluto[6560]: adding interface eth0/eth0 10.0.1.1:4500
> Apr  7 13:01:32 backup pluto[6560]: adding interface eth0/eth0
> 141.3.151.44:500
> Apr  7 13:01:32 backup pluto[6560]: adding interface eth0/eth0
> 141.3.151.44:4500
> Apr  7 13:01:32 backup pluto[6560]: adding interface lo/lo 127.0.0.2:500
> Apr  7 13:01:32 backup pluto[6560]: adding interface lo/lo 127.0.0.2:4500
> Apr  7 13:01:32 backup pluto[6560]: adding interface lo/lo 127.0.0.1:500
> Apr  7 13:01:32 backup pluto[6560]: adding interface lo/lo 127.0.0.1:4500
> Apr  7 13:01:32 backup pluto[6560]: loading secrets from
> "/etc/ipsec.secrets"
> Apr  7 13:01:32 backup pluto[6560]:   loaded private key file
> '/etc/ipsec.d/private/testvpn.key' (963 bytes)
> Apr  7 13:01:32 backup pluto[6560]: loaded private key for keyid:
> PPK_RSA:AwEAAa9+Q
> Apr  7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
> ignoring unknown Vendor ID payload [4f455a526b5f4c686e534e63]
> Apr  7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
> received Vendor ID payload [Dead Peer Detection]
> Apr  7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
> received Vendor ID payload [RFC 3947] method set to=109
> Apr  7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
> already using method 109
> Apr  7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
> already using method 109
> Apr  7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
> but already using method 109
> Apr  7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: responding to Main Mode
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: transition from state
> STATE_MAIN_R0 to state STATE_MAIN_R1
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: STATE_MAIN_R1: sent
> MR1, expecting MI2
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: NAT-Traversal: Result
> using RFC 3947 (NAT-Traversal): no NAT detected
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: STATE_MAIN_R2: sent
> MR2, expecting MI3
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: Main mode peer ID is
> ID_DER_ASN1_DN: 'C=DE, ST=BW, O=test, CN=Server test, E=vpn at example.org'
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: no crl from issuer
> "C=DE, ST=BW, L=KA, O=test, CN=test Root CA, E=certs at example.org" found
> (strict=no)
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: I am sending my cert
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: transition from state
> STATE_MAIN_R2 to state STATE_MAIN_R3
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: STATE_MAIN_R3: sent
> MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
> cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: the peer proposed:
> 10.0.1.0/24:0/0 -> 10.0.2.0/24:0/0
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: responding to Quick
> Mode proposal {msgid:47a43346}
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2:     us:
> 10.0.1.0/24===141.3.151.44[C=DE, ST=BW, O=test, CN=test VPN,
> E=vpn at example.org,+S=C]
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2:   them:
> 129.13.72.2<129.13.72.2>[C=DE, ST=BW, O=test, CN=Server test,
> E=vpn at example.org,+S=C]===10.0.2.0/24
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: ASSERTION FAILED at
> /root/vpn/openswan-2.6.21/programs/pluto/kernel.c:2177: c->kind ==
> CK_PERMANENT || c->kind == CK_INSTANCE
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: using kernel
> interface: netkey
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface lo/lo 127.0.0.1
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface lo/lo 127.0.0.1
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface lo/lo 127.0.0.2
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface lo/lo 127.0.0.2
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface eth0/eth0
> 141.3.151.44
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface eth0/eth0
> 141.3.151.44
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface eth0/eth0
> 10.0.1.1
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface eth0/eth0
> 10.0.1.1
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: %myid = (none)
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: debug none
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: 
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: virtual_private (%priv):
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: - allowed 0 subnets:
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: - disallowed 0 subnets:
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: WARNING: Either
> virtual_private= was not specified, or there was a syntax
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2:          error in that
> line. 'left/rightsubnet=%priv' will not work!
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: 
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
> attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
> attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
> attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256,
> keysizemax=256
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
> attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
> attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
> attr: id=251, name=(null), keysizemin=0, keysizemax=0
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: 
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
> id=0, name=(null), blocksize=16, keydeflen=131
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
> id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
> id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
> id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
> id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
> id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
> id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE hash:
> id=1, name=OAKLEY_MD5, hashsize=16
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE hash:
> id=2, name=OAKLEY_SHA1, hashsize=20
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE hash:
> id=4, name=OAKLEY_SHA2_256, hashsize=32
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE hash:
> id=6, name=OAKLEY_SHA2_512, hashsize=64
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
> group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
> group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
> group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
> group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
> group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
> group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
> group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: 
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: stats db_ops:
> {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: 
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":
> 10.0.1.0/24===141.3.151.44[C=DE, ST=BW, O=test, CN=test VPN,
> E=vpn at example.org,+S=C]...129.13.72.2<129.13.72.2>[C=DE, ST=BW, O=test,
> CN=Server test, E=vpn at example.org,+S=C]===10.0.2.0/24; unrouted; eroute
> owner: #0
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":    
> myip=10.0.1.1; hisip=10.0.2.1; mycert=/etc/ipsec.d/certs/testvpn.crt;
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":   CAs:
> 'C=DE, ST=BW, L=KA, O=test, CN=test Root CA, E=certs at example.org'...'%any'
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":   ike_life:
> 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%;
> keyingtries: 0
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":   policy:
> RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW; prio: 24,24; interface: eth0;
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":   newest
> ISAKMP SA: #1; newest IPsec SA: #0;
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":   IKE
> algorithm newest: 3DES_CBC_192-MD5-MODP1536
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: 
> Apr  7 13:01:39 backup pluto[6560]: "testvpn" #2: #2: "testvpn":500
> STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 296s;
> lastdpd=-1s(seq in:0 out:0); idle; import:not set
> Apr  7 13:01:39 backup pluto[6560]: "testvpn" #2: #1: "testvpn":500
> STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in
> 3326s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
> Apr  7 13:01:39 backup pluto[6560]: "testvpn" #2: 
> Apr  7 13:01:39 backup pluto[6560]: "testvpn" #2: ABORT at
> /root/vpn/openswan-2.6.21/programs/pluto/log.c:632
> Apr  7 13:01:39 backup pluto[6560]: "testvpn" #2: ABORT at
> /root/vpn/openswan-2.6.21/programs/pluto/log.c:632
> Apr  7 13:01:39 backup ipsec__plutorun: /usr/local/lib/ipsec/_plutorun:
> line 232:  6560 Aborted                 /usr/local/libexec/ipsec/pluto
> --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d
> --use-netkey --uniqueids --nat_traversal
> Apr  7 13:01:39 backup ipsec__plutorun: !pluto failure!:  exited with
> error status 134 (signal 6)
> Apr  7 13:01:39 backup ipsec__plutorun: restarting IPsec after pause...
> Apr  7 13:01:49 backup ipsec_setup: Stopping Openswan IPsec...
> Apr  7 13:01:49 backup ipsec_setup: Removing orphaned
> /var/run/pluto/pluto.pid:
> Apr  7 13:01:49 backup kernel: NET: Unregistered protocol family 15
> Apr  7 13:01:49 backup ipsec_setup: ...Openswan IPsec stopped
> 
> 
> HOST2:
> 
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: initiating Main Mode
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: ignoring unknown
> Vendor ID payload [4f457e717f6b5a4e727d576b]
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: received Vendor ID
> payload [Dead Peer Detection]
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: received Vendor ID
> payload [RFC 3947] method set to=109
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: enabling possible
> NAT-traversal with method RFC 3947 (NAT-Traversal)
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: STATE_MAIN_I2: sent
> MI2, expecting MR2
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: NAT-Traversal: Result
> using RFC 3947 (NAT-Traversal): no NAT detected
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: I am sending my cert
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: I am sending a
> certificate request
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: STATE_MAIN_I3: sent
> MI3, expecting MR3
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: IKEv2 Vendor ID
> payload received but not supported in this version
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: received Vendor ID
> payload [CAN-IKEv2]
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: Main mode peer ID is
> ID_DER_ASN1_DN: 'C=DE, ST=BW, O=test, CN=test VPN, E=vpn at example.org'
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: no crl from issuer
> "C=DE, ST=BW, L=KA, O=test, CN=test Root CA, E=certs at example.org" found
> (strict=no)
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: transition from state
> STATE_MAIN_I3 to state STATE_MAIN_I4
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: STATE_MAIN_I4: ISAKMP
> SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192
> prf=oakley_md5 group=modp1536}
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #2: initiating Quick Mode
> RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> 
> 
>> On Mon, 6 Apr 2009, Gwyn Connor wrote:
>>
>>> Subject: [Openswan Users] Routing problem and pluto crash
>>> HOST1 (Openswan 2.6.16 with NETKEY, Kernel 2.6.27.7):
>> Upgrade to 2.6.21.
>>
>>> HOST2 (Openswan 2.4.7 with NETKEY, Kernel 2.6.27.19):
>> Upgrade to 2.4.14.
>>
>>> Could all this be related to right=%any in my configuration on HOST1?
>> That's fine as long as HOST2 initiates the connection and you have
>> rekey=no
>> on HOST1.
>>
>>> I also tried setting the actual IP address there, but this made pluto
>>> crash due to an ASSERTION failure:
>>>
>>> Apr  5 23:18:08 backup pluto[31127]: "testvpn" #2: responding to Quick
>>> Mode proposal {msgid:a949675c}
>>> Apr  5 23:18:08 backup pluto[31127]: "testvpn" #2:     us:
>>> 10.0.1.0/24===141.3.151.44[C=DE, ST=BW, O=test AG, CN=test VPN,
>>> E=vpn at example.org]
>>> Apr  5 23:18:08 backup pluto[31127]: "testvpn" #2:   them:
>>> 129.13.72.2<129.13.72.2>[C=DE, ST=BW, O=test, CN=Server test,
>>> E=vpn at example.org]===10.0.2.0/24
>>> Apr  5 23:18:09 backup pluto[31127]: "testvpn" #2: ASSERTION FAILED at
>>> /usr/src/packages/BUILD/openswan-2.6.16/programs/pluto/kernel.c:2157:
>>> c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
>>> Any ideas how I can fix it to make the VPN work?
>> Upgrade. Then let us know if you still have problems.
>>
>> Paul
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Tue, 7 Apr 2009 16:05:15 +0200
> From: weirauch at checkmobile.de
> Subject: [Openswan Users] cert problem with new 2.6.21 version
> To: Users at openswan.org
> Message-ID:
> 	<OFA7A80789.9ECFF5D6-ONC1257591.004C64AF-C1257591.004D6293 at checkmobile.de>
> 	
> Content-Type: text/plain; charset="US-ASCII"
> 
> hi all,
> I am not getting a CERT connection from my mac to my openswan linux box 
> (trying since 3 months, various connection variants every once in a while 
> - even read the great book from paul wouters and ken bantoft - but still 
> not getting it to work :-(((
> so every hint / help is warmly and greatly welcomed...
> 
> Openswan IPsec U2.6.21/K2.6.25.20-0.1
> 
> from the same mac book i have no problem to connect to my netgear router - 
> so what is wrong on my openswan side??
> 
> /var/log/messages:
> ===============
> Apr  7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: 
> responding to Main Mode from unknown peer 85.XXX.XXX.146
> Apr  7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: 
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Apr  7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: 
> STATE_MAIN_R1: sent MR1, expecting MI2
> Apr  7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: 
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Apr  7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: 
> STATE_MAIN_R2: sent MR2, expecting MI3
> Apr  7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: Main 
> mode peer ID is ID_DER_ASN1_DN: 'C=XX, ST=XXX, O=XXXX, OU=Head, CN=abc'
> Apr  7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: I am 
> sending my cert
> Apr  7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: 
> unable to locate my private key for RSA Signature

It doesn't seem to find the private key file, which should be in 
/etc/ipsec.d/private/. That's the file you should mention in 
/etc/ipsec.secrets.

> Apr  7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: 
> sending encrypted notification AUTHENTICATION_FAILED to 85.XXX.XXX.146:500
> 
> 
> ipsec.conf:
> ========
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
>         plutodebug="none"
>         nat_traversal=yes
>         forwardcontrol=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.229.0/24
>         #       dpdaction=hold
> conn l2tp-X.509
>         #
>         # Configuration for one user with any type of IPsec/L2TP client
>         # including the updated Windows 2000/XP (MS KB Q818043), but
>         # excluding the non-updated Windows 2000/XP.
>         #
>         #
>         # Use a certificate. Disable Perfect Forward Secrecy.
>         #
>         authby=rsasig
>         pfs=no
>         auto=add
>         rekey=no
>         ikelifetime=8h
>         keylife=1h
>         type=transport
>         # ourselves
>         left=87.XXX.XXX.140
>         leftsubnet=192.168.229.0/24
>         #leftrsasigkey=%cert
>         leftcert=/etc/ipsec.d/certs/vpncm_mcert.pem
>         leftprotoport=17/1701
>         # right gateway
>         right=%any
>         rightprotoport=17/%any
>         rightsubnet=vhost:%no,%priv
>         rightcert=/etc/ipsec.d/certs/macpwneu.pem
>         forceencaps=yes
> 
> content of /etc/ipsec.d/certs
> 
> -rw-r--r--  1 root root 1094 Apr  7 15:21 macpwneu.pem
> -rw-r--r--  1 root root 1139 Mar  5 09:50 vpncm_mcert.pem
> 
> and in /etc/ipsec.d/cacerts
> is the ca key with which those two keys were signed.
> all help is welcome.
> thanks a lot
> 
> Philipp 
> 

> 
> ------------------------------
> 
> 
> End of Users Digest, Vol 65, Issue 12
> *************************************


-- 
-----------------------------------------------------------------------
Jorge Santos
Senior Security Consultant - Information Systems Security Business Unit
-----------------------------------------------------------------------
*IDW* - Integration, Development & Warehousing
Av. 5 de Outubro, 293 - 2º Piso
1600-035 Lisboa
Portugal
Tel: +351 21 094 52 00
Fax: +351 21 094 52 01

jorge.santos at idw.pt

http://www.idw.pt/
-----------------------------------------------------------------------
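To make that concrete, here is an added example (mine, not code from the thread or from the Openswan project) that produces the ipsec.secrets entry and checks the key before pluto is restarted. It assumes the private half of the leftcert shown in the config (vpncm_mcert.pem) is stored as /etc/ipsec.d/private/vpncm_mcert.key; that key file name is an assumption, the original post never names it, and all paths are parameters so the functions can be tried against a scratch directory first.

```sh
#!/bin/sh
# Added example, not code from the thread or from Openswan: prepare and
# verify the private key pluto needs for leftcert=.../vpncm_mcert.pem.
# Assumption: the key file name vpncm_mcert.key is invented here; the
# original post does not name it.  All paths are parameters.

# The ipsec.secrets entry Openswan 2.6 expects for a certificate-based
# connection: ": RSA <key file> [\"passphrase\"]".  pluto loads every key
# listed this way and later picks the one whose public part matches the
# certificate, so the file name itself does not matter to pluto.
secrets_line() {
    printf ': RSA %s\n' "$1"
}

# pluto matches key to certificate by public key, not by file name, so
# compare the RSA modulus of both.  Exit 0 on match, 1 on mismatch, 2 if
# a file cannot be read or parsed by openssl.
key_matches_cert() {
    cert="$1"
    key="$2"
    cert_mod=$(openssl x509 -noout -modulus -in "$cert") || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$key") || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# The key must exist and carry no group/other permission bits: pluto runs
# as root and a world-readable key is a credential leak.  Reads the ls
# mode string (characters 5-10 are the group and other bits) so it works
# on GNU and BSD userlands alike.
key_perms_ok() {
    key="$1"
    [ -f "$key" ] || return 1
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Stand-alone use: sh this_script.sh <cert.pem> <key.pem>
# Checks the pair, then prints the line to append to /etc/ipsec.secrets.
# After appending it, run "ipsec auto --rereadsecrets" (or restart ipsec)
# and look for "loaded private key file" in the pluto log.
if [ "$#" -eq 2 ]; then
    key_perms_ok "$2" || { echo "fix permissions: chmod 600 $2" >&2; exit 1; }
    key_matches_cert "$1" "$2" || { echo "$2 is not the key for $1" >&2; exit 1; }
    secrets_line "$2"
fi
```

Run key_matches_cert against the real certificate and key as root before touching pluto. Either no RSA entry in ipsec.secrets or a key that does not belong to the certificate gives the "unable to locate my private key for RSA Signature" line from the log above, because pluto looks the key up by public key. When the entry is right, pluto reports the key at startup or after rereading secrets, exactly as the HOST1 log earlier in this digest shows with "loaded private key file '/etc/ipsec.d/private/testvpn.key'".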


