[Openswan Users] Pluto segfault on openswan-2.6.23

Giovani Moda giovani at mrinformatica.com.br
Fri Oct 2 15:40:31 EDT 2009


Hello again,

After kernel crashes with kernel-2.6.18 (CentOS) and 2.6.23 (FC7) with
openswan-2.6.23 KLIPS, I decided to give Fedora 9 with kernel 2.6.27.25 a
try. I can compile and install openswan-2.6.23 and the KLIPS module, but
when connecting an L2TP/IPsec client (Vista) I get:

/var/log/messages:

Oct  2 12:34:26 inet ipsec__plutorun: /usr/local/lib/ipsec/_plutorun:
line 232:  2286 Segmentation fault      /usr/local/libexec/ipsec/pluto
--nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d
--use-klips --uniqueids --nat_traversal --virtual_private
%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!192.168.0.0/24,%v4:172.16.0.0/12

Oct  2 12:34:26 inet ipsec__plutorun: !pluto failure!:  exited with
error status 139 (signal 11)

/var/log/secure:

Oct  2 12:34:26 inet pluto[2286]: packet from 192.168.1.5:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000006]

Oct  2 12:34:26 inet pluto[2286]: packet from 192.168.1.5:500: received
Vendor ID payload [RFC 3947] method set to=109

Oct  2 12:34:26 inet pluto[2286]: packet from 192.168.1.5:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 109

Oct  2 12:34:26 inet pluto[2286]: packet from 192.168.1.5:500: ignoring
Vendor ID payload [FRAGMENTATION]

Oct  2 12:34:26 inet pluto[2286]: packet from 192.168.1.5:500: ignoring
Vendor ID payload [MS-Negotiation Discovery Capable]

Oct  2 12:34:26 inet pluto[2286]: packet from 192.168.1.5:500: ignoring
Vendor ID payload [Vid-Initial-Contact]

Oct  2 12:34:26 inet pluto[2286]: packet from 192.168.1.5:500: ignoring
Vendor ID payload [IKE CGA version 1]

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1:
responding to Main Mode from unknown peer 192.168.1.5

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1:
OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1:
OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1:
STATE_MAIN_R1: sent MR1, expecting MI2

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1:
STATE_MAIN_R2: sent MR2, expecting MI3

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1: Main
mode peer ID is ID_DER_ASN1_DN: 'C=BR, ST=Sao Paulo, L=Piracicaba,
O=Teste, CN=mr.testdomain.com.br'

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1: I am
sending my cert

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1: new
NAT mapping for #1, was 192.168.1.5:500, now 192.168.1.5:4500

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1: the
peer proposed: 192.168.1.2/32:17/1701 -> 192.168.2.10/32:17/1701

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #1:
NAT-Traversal: received 2 NAT-OA. using first, ignoring others

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #2:
responding to Quick Mode proposal {msgid:01000000}

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #2:
us: 192.168.1.2<192.168.1.2>[+S=C]:17/1701

Oct  2 12:34:26 inet pluto[2286]: "MR-Empresa"[1] 192.168.1.5 #2:
them: 192.168.1.5[C=BR, ST=Sao Paulo, L=Piracicaba, O=Teste,
CN=mr.testdomain.com.br,+S=C]:17/1701===192.168.2.10/32

Oct  2 12:34:26 inet pluto[2289]: pluto_crypto_helper: helper (0) is
normal exiting

Oct  2 12:34:37 inet ipsec__plutorun: Restarting Pluto subsystem...

I've tried kernels 2.6.27.28, 2.6.27.35 and 2.6.27.35 vanilla. The
behavior is always the same. I've searched for this problem and found
similar problems with people using openswan 2.6.20 and 2.6.21, and the
recommendation is always to upgrade to 2.6.22. Unfortunately, it's also
happening with openswan-2.6.23.

Any ideas? Anything I can do to provide you guys with information about
this?

I'm installing FC11 on another box now to test with a newer kernel. I'll
post the results later on.

Thanks,

Giovani