[Openswan Users] Routing problem and pluto crash

Paul Wouters paul at xelerance.com
Wed Apr 8 13:38:32 EDT 2009


On Tue, 7 Apr 2009, Gwyn Connor wrote:

> Thanks, I upgraded both systems to the latest Openswan version (2.6.21
> and 2.4.14) as suggested. Pluto always crashes with the same assertion
> failure when I try to establish a connection. It makes no difference
> anymore if I use right=%any or right=IP in the conf.
>
> Should I file a bug report?

> Apr  7 13:01:29 backup ipsec_setup: Using NETKEY(XFRM) stack
> Apr  7 13:01:29 backup kernel: tunnel6: Unknown symbol inet6_del_protocol
> Apr  7 13:01:29 backup kernel: tunnel6: Unknown symbol inet6_add_protocol
> Apr  7 13:01:29 backup kernel: tunnel6: Unknown symbol icmpv6_send
> Apr  7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol
> xfrm6_tunnel_register
> Apr  7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol xfrm6_rcv_spi
> Apr  7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol
> xfrm6_tunnel_deregister
> Apr  7 13:01:29 backup kernel: ipcomp6: Unknown symbol xfrm6_rcv
> Apr  7 13:01:29 backup kernel: ipcomp6: Unknown symbol
> xfrm6_tunnel_alloc_spi

This looks like your kernel build is very broken. Try with a distro
kernel before filing a bug report; it is likely an issue specific to your
kernel.

Paul

> Apr  7 13:01:29 backup kernel: ipcomp6: Unknown symbol xfrm6_find_1stfragopt
> Apr  7 13:01:29 backup kernel: ipcomp6: Unknown symbol
> xfrm6_tunnel_spi_lookup
> Apr  7 13:01:29 backup kernel: ipcomp6: Unknown symbol inet6_add_protocol
> Apr  7 13:01:29 backup kernel: tunnel6: Unknown symbol inet6_del_protocol
> Apr  7 13:01:29 backup kernel: tunnel6: Unknown symbol inet6_add_protocol
> Apr  7 13:01:29 backup kernel: tunnel6: Unknown symbol icmpv6_send
> Apr  7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol
> xfrm6_tunnel_register
> Apr  7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol xfrm6_rcv_spi
> Apr  7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol
> xfrm6_tunnel_deregister
> Apr  7 13:01:29 backup kernel: xfrm6_mode_tunnel: Unknown symbol
> xfrm6_prepare_output
> Apr  7 13:01:29 backup kernel: xfrm6_mode_beet: Unknown symbol
> xfrm6_prepare_output
> Apr  7 13:01:29 backup kernel: esp6: Unknown symbol xfrm6_rcv
> Apr  7 13:01:29 backup kernel: esp6: Unknown symbol inet6_del_protocol
> Apr  7 13:01:29 backup kernel: esp6: Unknown symbol xfrm6_find_1stfragopt
> Apr  7 13:01:29 backup ipsec_setup: multiple ip addresses, using
> 141.3.151.44 on eth0
> Apr  7 13:01:30 backup ipsec__plutorun: Starting Pluto subsystem...
> Apr  7 13:01:30 backup kernel: esp6: Unknown symbol inet6_add_protocol
> Apr  7 13:01:30 backup kernel: ah6: Unknown symbol xfrm6_rcv
> Apr  7 13:01:30 backup kernel: ah6: Unknown symbol inet6_del_protocol
> Apr  7 13:01:30 backup kernel: ah6: Unknown symbol xfrm6_find_1stfragopt
> Apr  7 13:01:30 backup kernel: ah6: Unknown symbol inet6_add_protocol
> Apr  7 13:01:30 backup kernel: Initializing XFRM netlink socket
> Apr  7 13:01:30 backup ipsec_setup: ...Openswan IPsec started
> Apr  7 13:01:30 backup ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
> Apr  7 13:01:30 backup pluto: adjusting ipsec.d to /etc/ipsec.d
> Apr  7 13:01:30 backup pluto[6560]: Starting Pluto (Openswan Version
> 2.6.21; Vendor ID OE~q\177kZNr}Wk) pid:6560
> Apr  7 13:01:30 backup pluto[6560]: Setting NAT-Traversal port-4500
> floating to on
> Apr  7 13:01:30 backup pluto[6560]:    port floating activation criteria
> nat_t=1/port_float=1
> Apr  7 13:01:30 backup pluto[6560]:    including NAT-Traversal patch
> (Version 0.6c)
> Apr  7 13:01:30 backup pluto[6560]: using /dev/urandom as source of
> random entropy
> Apr  7 13:01:30 backup pluto[6560]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Apr  7 13:01:30 backup pluto[6560]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Apr  7 13:01:30 backup pluto[6560]: ike_alg_register_enc(): Activating
> OAKLEY_SERPENT_CBC: Ok (ret=0)
> Apr  7 13:01:30 backup pluto[6560]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
> OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_512: Ok (ret=0)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_256: Ok (ret=0)
> Apr  7 13:01:31 backup pluto[6560]: starting up 1 cryptographic helpers
> Apr  7 13:01:31 backup pluto[6560]: started helper pid=6567 (fd:7)
> Apr  7 13:01:31 backup pluto[6560]: Using Linux 2.6 IPsec interface code
> on 2.6.27.7-9-default (experimental code)
> Apr  7 13:01:31 backup pluto[6567]: using /dev/urandom as source of
> random entropy
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
> <NULL>: Ok (ret=0)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
> already exists
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
> already exists
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
> already exists
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
> already exists
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_add(): ERROR: Algorithm
> already exists
> Apr  7 13:01:31 backup pluto[6560]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Apr  7 13:01:32 backup pluto[6560]: Changed path to directory
> '/etc/ipsec.d/cacerts'
> Apr  7 13:01:32 backup pluto[6560]:   loaded CA cert file 'cacert.pem'
> (1257 bytes)
> Apr  7 13:01:32 backup pluto[6560]: Changed path to directory
> '/etc/ipsec.d/aacerts'
> Apr  7 13:01:32 backup pluto[6560]: Changed path to directory
> '/etc/ipsec.d/ocspcerts'
> Apr  7 13:01:32 backup pluto[6560]: Changing to directory
> '/etc/ipsec.d/crls'
> Apr  7 13:01:32 backup pluto[6560]:   Warning: empty directory
> Apr  7 13:01:32 backup pluto[6560]: loading certificate from
> /etc/ipsec.d/certs/testvpn.crt
> Apr  7 13:01:32 backup pluto[6560]:   loaded host cert file
> '/etc/ipsec.d/certs/testvpn.crt' (1066 bytes)
> Apr  7 13:01:32 backup pluto[6560]: added connection description "testvpn"
> Apr  7 13:01:32 backup ipsec__plutorun: 002 loading certificate from
> /etc/ipsec.d/certs/testvpn.crt
> Apr  7 13:01:32 backup ipsec__plutorun: 002   loaded host cert file
> '/etc/ipsec.d/certs/testvpn.crt' (1066 bytes)
> Apr  7 13:01:32 backup ipsec__plutorun: 002 added connection description
> "testvpn"
> Apr  7 13:01:32 backup pluto[6560]: listening for IKE messages
> Apr  7 13:01:32 backup pluto[6560]: adding interface eth0/eth0 10.0.1.1:500
> Apr  7 13:01:32 backup pluto[6560]: adding interface eth0/eth0 10.0.1.1:4500
> Apr  7 13:01:32 backup pluto[6560]: adding interface eth0/eth0
> 141.3.151.44:500
> Apr  7 13:01:32 backup pluto[6560]: adding interface eth0/eth0
> 141.3.151.44:4500
> Apr  7 13:01:32 backup pluto[6560]: adding interface lo/lo 127.0.0.2:500
> Apr  7 13:01:32 backup pluto[6560]: adding interface lo/lo 127.0.0.2:4500
> Apr  7 13:01:32 backup pluto[6560]: adding interface lo/lo 127.0.0.1:500
> Apr  7 13:01:32 backup pluto[6560]: adding interface lo/lo 127.0.0.1:4500
> Apr  7 13:01:32 backup pluto[6560]: loading secrets from
> "/etc/ipsec.secrets"
> Apr  7 13:01:32 backup pluto[6560]:   loaded private key file
> '/etc/ipsec.d/private/testvpn.key' (963 bytes)
> Apr  7 13:01:32 backup pluto[6560]: loaded private key for keyid:
> PPK_RSA:AwEAAa9+Q
> Apr  7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
> ignoring unknown Vendor ID payload [4f455a526b5f4c686e534e63]
> Apr  7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
> received Vendor ID payload [Dead Peer Detection]
> Apr  7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
> received Vendor ID payload [RFC 3947] method set to=109
> Apr  7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
> already using method 109
> Apr  7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
> already using method 109
> Apr  7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
> but already using method 109
> Apr  7 13:01:35 backup pluto[6560]: packet from 129.13.72.2:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: responding to Main Mode
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: transition from state
> STATE_MAIN_R0 to state STATE_MAIN_R1
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: STATE_MAIN_R1: sent
> MR1, expecting MI2
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: NAT-Traversal: Result
> using RFC 3947 (NAT-Traversal): no NAT detected
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: STATE_MAIN_R2: sent
> MR2, expecting MI3
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: Main mode peer ID is
> ID_DER_ASN1_DN: 'C=DE, ST=BW, O=test, CN=Server test, E=vpn at example.org'
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: no crl from issuer
> "C=DE, ST=BW, L=KA, O=test, CN=test Root CA, E=certs at example.org" found
> (strict=no)
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: I am sending my cert
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: transition from state
> STATE_MAIN_R2 to state STATE_MAIN_R3
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: STATE_MAIN_R3: sent
> MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
> cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #1: the peer proposed:
> 10.0.1.0/24:0/0 -> 10.0.2.0/24:0/0
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: responding to Quick
> Mode proposal {msgid:47a43346}
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2:     us:
> 10.0.1.0/24===141.3.151.44[C=DE, ST=BW, O=test, CN=test VPN,
> E=vpn at example.org,+S=C]
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2:   them:
> 129.13.72.2<129.13.72.2>[C=DE, ST=BW, O=test, CN=Server test,
> E=vpn at example.org,+S=C]===10.0.2.0/24
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: ASSERTION FAILED at
> /root/vpn/openswan-2.6.21/programs/pluto/kernel.c:2177: c->kind ==
> CK_PERMANENT || c->kind == CK_INSTANCE
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: using kernel
> interface: netkey
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface lo/lo 127.0.0.1
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface lo/lo 127.0.0.1
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface lo/lo 127.0.0.2
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface lo/lo 127.0.0.2
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface eth0/eth0
> 141.3.151.44
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface eth0/eth0
> 141.3.151.44
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface eth0/eth0
> 10.0.1.1
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: interface eth0/eth0
> 10.0.1.1
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: %myid = (none)
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: debug none
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2:
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: virtual_private (%priv):
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: - allowed 0 subnets:
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: - disallowed 0 subnets:
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: WARNING: Either
> virtual_private= was not specified, or there was a syntax
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2:          error in that
> line. 'left/rightsubnet=%priv' will not work!
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2:
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:36 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP encrypt:
> id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
> attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
> attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
> attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256,
> keysizemax=256
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
> attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
> attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
> Apr  7 13:01:37 backup pluto[6560]: "testvpn" #2: algorithm ESP auth
> attr: id=251, name=(null), keysizemin=0, keysizemax=0
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2:
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
> id=0, name=(null), blocksize=16, keydeflen=131
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
> id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
> id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
> id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
> id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
> id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE encrypt:
> id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE hash:
> id=1, name=OAKLEY_MD5, hashsize=16
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE hash:
> id=2, name=OAKLEY_SHA1, hashsize=20
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE hash:
> id=4, name=OAKLEY_SHA2_256, hashsize=32
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE hash:
> id=6, name=OAKLEY_SHA2_512, hashsize=64
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
> group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
> group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
> group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
> group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
> group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
> group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: algorithm IKE dh
> group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2:
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: stats db_ops:
> {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2:
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":
> 10.0.1.0/24===141.3.151.44[C=DE, ST=BW, O=test, CN=test VPN,
> E=vpn at example.org,+S=C]...129.13.72.2<129.13.72.2>[C=DE, ST=BW, O=test,
> CN=Server test, E=vpn at example.org,+S=C]===10.0.2.0/24; unrouted; eroute
> owner: #0
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":
> myip=10.0.1.1; hisip=10.0.2.1; mycert=/etc/ipsec.d/certs/testvpn.crt;
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":   CAs:
> 'C=DE, ST=BW, L=KA, O=test, CN=test Root CA, E=certs at example.org'...'%any'
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":   ike_life:
> 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%;
> keyingtries: 0
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":   policy:
> RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW; prio: 24,24; interface: eth0;
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":   newest
> ISAKMP SA: #1; newest IPsec SA: #0;
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2: "testvpn":   IKE
> algorithm newest: 3DES_CBC_192-MD5-MODP1536
> Apr  7 13:01:38 backup pluto[6560]: "testvpn" #2:
> Apr  7 13:01:39 backup pluto[6560]: "testvpn" #2: #2: "testvpn":500
> STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 296s;
> lastdpd=-1s(seq in:0 out:0); idle; import:not set
> Apr  7 13:01:39 backup pluto[6560]: "testvpn" #2: #1: "testvpn":500
> STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in
> 3326s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
> Apr  7 13:01:39 backup pluto[6560]: "testvpn" #2:
> Apr  7 13:01:39 backup pluto[6560]: "testvpn" #2: ABORT at
> /root/vpn/openswan-2.6.21/programs/pluto/log.c:632
> Apr  7 13:01:39 backup pluto[6560]: "testvpn" #2: ABORT at
> /root/vpn/openswan-2.6.21/programs/pluto/log.c:632
> Apr  7 13:01:39 backup ipsec__plutorun: /usr/local/lib/ipsec/_plutorun:
> line 232:  6560 Aborted                 /usr/local/libexec/ipsec/pluto
> --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d
> --use-netkey --uniqueids --nat_traversal
> Apr  7 13:01:39 backup ipsec__plutorun: !pluto failure!:  exited with
> error status 134 (signal 6)
> Apr  7 13:01:39 backup ipsec__plutorun: restarting IPsec after pause...
> Apr  7 13:01:49 backup ipsec_setup: Stopping Openswan IPsec...
> Apr  7 13:01:49 backup ipsec_setup: Removing orphaned
> /var/run/pluto/pluto.pid:
> Apr  7 13:01:49 backup kernel: NET: Unregistered protocol family 15
> Apr  7 13:01:49 backup ipsec_setup: ...Openswan IPsec stopped
>
>
> HOST2:
>
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: initiating Main Mode
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: ignoring unknown
> Vendor ID payload [4f457e717f6b5a4e727d576b]
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: received Vendor ID
> payload [Dead Peer Detection]
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: received Vendor ID
> payload [RFC 3947] method set to=109
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: enabling possible
> NAT-traversal with method RFC 3947 (NAT-Traversal)
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: STATE_MAIN_I2: sent
> MI2, expecting MR2
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: NAT-Traversal: Result
> using RFC 3947 (NAT-Traversal): no NAT detected
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: I am sending my cert
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: I am sending a
> certificate request
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: STATE_MAIN_I3: sent
> MI3, expecting MR3
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: IKEv2 Vendor ID
> payload received but not supported in this version
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: received Vendor ID
> payload [CAN-IKEv2]
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: Main mode peer ID is
> ID_DER_ASN1_DN: 'C=DE, ST=BW, O=test, CN=test VPN, E=vpn at example.org'
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: no crl from issuer
> "C=DE, ST=BW, L=KA, O=test, CN=test Root CA, E=certs at example.org" found
> (strict=no)
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: transition from state
> STATE_MAIN_I3 to state STATE_MAIN_I4
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #1: STATE_MAIN_I4: ISAKMP
> SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192
> prf=oakley_md5 group=modp1536}
> Apr  7 13:01:35 test2 pluto[30427]: "testvpn" #2: initiating Quick Mode
> RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
>
>
>> On Mon, 6 Apr 2009, Gwyn Connor wrote:
>>
>>> Subject: [Openswan Users] Routing problem and pluto crash
>>
>>> HOST1 (Openswan 2.6.16 with NETKEY, Kernel 2.6.27.7):
>>
>> Upgrade to 2.6.21.
>>
>>> HOST2 (Openswan 2.4.7 with NETKEY, Kernel 2.6.27.19):
>>
>> Upgrade to 2.4.14.
>>
>>> Could all this be related to right=%any in my configuration on HOST1?
>>
>> That's fine as long as HOST2 initiates the connection and you have
>> rekey=no
>> on HOST1.
>>
>>> I also tried setting the actual IP address there, but this made pluto
>>> crash due to an ASSERTION failure:
>>>
>>> Apr  5 23:18:08 backup pluto[31127]: "testvpn" #2: responding to Quick
>>> Mode proposal {msgid:a949675c}
>>> Apr  5 23:18:08 backup pluto[31127]: "testvpn" #2:     us:
>>> 10.0.1.0/24===141.3.151.44[C=DE, ST=BW, O=test AG, CN=test VPN,
>>> E=vpn at example.org]
>>> Apr  5 23:18:08 backup pluto[31127]: "testvpn" #2:   them:
>>> 129.13.72.2<129.13.72.2>[C=DE, ST=BW, O=test, CN=Server test,
>>> E=vpn at example.org]===10.0.2.0/24
>>> Apr  5 23:18:09 backup pluto[31127]: "testvpn" #2: ASSERTION FAILED at
>>> /usr/src/packages/BUILD/openswan-2.6.16/programs/pluto/kernel.c:2157:
>>> c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
>>
>>> Any ideas how I can fix it to make the VPN work?
>>
>> Upgrade. Then let us know if you still have problems.
>>
>> Paul
>
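
A triage sketch for a log like the one quoted in this message, added here as an example and not taken from the thread or from Openswan: it unwraps the mail-quoted, line-wrapped syslog and separates kernel module load failures ("Unknown symbol") from pluto's own assertion and abort records. The function names are hypothetical; the sample is a short excerpt of the quoted log with its quoting and wrapping kept.

```python
import re

# Excerpt of the log quoted above, with its "> " quoting and mail line wraps.
SAMPLE_LOG = r'''
> Apr  7 13:01:29 backup kernel: tunnel6: Unknown symbol inet6_del_protocol
> Apr  7 13:01:29 backup kernel: xfrm6_tunnel: Unknown symbol
> xfrm6_tunnel_register
> Apr  7 13:01:29 backup kernel: ipcomp6: Unknown symbol xfrm6_rcv
> Apr  7 13:01:29 backup kernel: tunnel6: Unknown symbol inet6_del_protocol
> Apr  7 13:01:35 backup pluto[6560]: "testvpn" #2: ASSERTION FAILED at
> /root/vpn/openswan-2.6.21/programs/pluto/kernel.c:2177: c->kind ==
> CK_PERMANENT || c->kind == CK_INSTANCE
> Apr  7 13:01:39 backup pluto[6560]: "testvpn" #2: ABORT at
> /root/vpn/openswan-2.6.21/programs/pluto/log.c:632
> Apr  7 13:01:39 backup ipsec__plutorun: !pluto failure!:  exited with
> error status 134 (signal 6)
'''

QUOTE = re.compile(r"^(?:>\s?)+")                       # one or more mail quote markers
STAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d+\s\d\d:\d\d:\d\d\s")  # syslog timestamp
UNKNOWN = re.compile(r"kernel: (\w+): Unknown symbol (\w+)")
ASSERT = re.compile(r"ASSERTION FAILED at (\S+):(\d+): (.+)$")
ABORT = re.compile(r"ABORT at (\S+):(\d+)")
EXIT = re.compile(r"exited with error status (\d+) \(signal (\d+)\)")


def unwrap(text):
    """Strip quote markers and rejoin records the mail client wrapped.

    A line that does not start with a syslog timestamp is treated as the
    continuation of the previous record.
    """
    records = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).rstrip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def triage(text):
    """Split the log into kernel-side and pluto-side failure evidence."""
    report = {"unresolved": {}, "assertions": [], "aborts": [], "exit": None}
    for rec in unwrap(text):
        m = UNKNOWN.search(rec)
        if m:  # module failed to load: group missing symbols per module
            report["unresolved"].setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = ASSERT.search(rec)
        if m:
            report["assertions"].append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = ABORT.search(rec)
        if m:
            report["aborts"].append((m.group(1), int(m.group(2))))
            continue
        m = EXIT.search(rec)
        if m:
            report["exit"] = (int(m.group(1)), int(m.group(2)))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for module, symbols in sorted(result["unresolved"].items()):
        print(f"kernel module {module}: unresolved {sorted(symbols)}")
    for path, line, expr in result["assertions"]:
        print(f"pluto assertion at {path}:{line}: {expr}")
    print("pluto exit (status, signal):", result["exit"])
```
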

