[Openswan Users] Still server crash
Dennis van der Meer
dennisvandermeer at greenchem-adblue.com
Fri Apr 2 10:37:40 EDT 2010
Hi David,
Great, because I am stuck again :-)
I have the following configuration:
VMWare server with 2 network interfaces
eth0: 192.168.2.63 /255.255.255.0
eth1: 10.0.15.1 / 255.255.255.0
My internal lan is 192.168.2.63. I am trying to create a vpn connection
with my XP client
(which runs the VMWare server). My client has ip 192.168.2.60. I use a
PSK to make the
Connection between the XP client and the ipsec vpn server. Right now I
don't have l2tp
setup but I will do that as soon as I have the ipsec connection working.
I know the vpn
connection will not work without l2tp but I should at least get ipsec
going but
according to /var/log/secure it is not working. It is probably a simple
configuration
problem but I have no idea what is wrong.
Roadwarriors can work with PSK, right?
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
192.168.2.0 * 255.255.255.0 U 0 0 0
eth0
192.168.2.0 * 255.255.255.0 U 0 0 0
ipsec0
10.0.15.0 * 255.255.255.0 U 0 0 0
eth1
loopback * 255.0.0.0 U 0 0 0
lo
default 192.168.2.63 0.0.0.0 UG 1 0 0
eth0
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
uniqueids=yes
nat_traversal=no
virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4
:!192.168.2.0/24,%v4:!10.0.2.0/24,%v4:!10.0.7.0/24,%v4:!192.168.100.0/24
protostack=klips
plutodebug="none"
klipsdebug="none"
conn %default
keyingtries=0
disablearrivalcheck=no
authby=secret
dpddelay=60
dpdtimeout=120
dpdaction=clear
conn RoadWarrior
auto=add
left=192.168.2.63
leftsourceip=10.0.15.1
leftsubnet=10.0.15.0/24
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
rightsubnet=vhost:%no,%priv
pfs=no
authby=secret
type=tunnel
keyingtries=5
keyexchange=ike
ipsec.secrets:
%any %any : PSK
"716ce954e871ce7eb193c78624387dbed03cb25c6430adc672cf072d79b1c66c"
#192.168.2.63 %any : PSK
"716ce954e871ce7eb193c78624387dbed03cb25c6430adc672cf072d79b1c66c"
/var/log/secure:
Apr 2 16:28:24 telemetry ipsec__plutorun: Starting Pluto subsystem...
Apr 2 16:28:24 telemetry pluto[3192]: Starting Pluto (Openswan Version
2.6.25; Vendor ID OEC`nT{wo^XH) pid:3192
Apr 2 16:28:24 telemetry pluto[3192]: Setting NAT-Traversal port-4500
floating to off
Apr 2 16:28:24 telemetry pluto[3192]: port floating activation
criteria nat_t=0/port_float=1
Apr 2 16:28:24 telemetry pluto[3192]: NAT-Traversal support
[disabled]
Apr 2 16:28:24 telemetry pluto[3192]: using /dev/urandom as source of
random entropy
Apr 2 16:28:24 telemetry pluto[3192]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr 2 16:28:24 telemetry pluto[3192]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr 2 16:28:24 telemetry pluto[3192]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr 2 16:28:24 telemetry pluto[3192]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 2 16:28:24 telemetry pluto[3192]: ike_alg_register_enc():
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr 2 16:28:24 telemetry pluto[3192]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)
Apr 2 16:28:24 telemetry pluto[3192]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)
Apr 2 16:28:24 telemetry pluto[3192]: starting up 1 cryptographic
helpers
Apr 2 16:28:24 telemetry pluto[3192]: started helper pid=3194 (fd:7)
Apr 2 16:28:24 telemetry pluto[3192]: Using KLIPS IPsec interface code
on 2.6.33-smp
Apr 2 16:28:24 telemetry pluto[3192]: Changed path to directory
'/etc/ipsec.d/cacerts'
Apr 2 16:28:24 telemetry pluto[3192]: Changed path to directory
'/etc/ipsec.d/aacerts'
Apr 2 16:28:24 telemetry pluto[3192]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Apr 2 16:28:24 telemetry pluto[3192]: Changing to directory
'/etc/ipsec.d/crls'
Apr 2 16:28:24 telemetry pluto[3192]: Warning: empty directory
Apr 2 16:28:24 telemetry pluto[3194]: using /dev/urandom as source of
random entropy
Apr 2 16:28:24 telemetry pluto[3192]: added connection description
"RoadWarrior"
Apr 2 16:28:24 telemetry pluto[3192]: listening for IKE messages
Apr 2 16:28:24 telemetry pluto[3192]: adding interface ipsec0/eth0
192.168.2.63:500
Apr 2 16:28:24 telemetry pluto[3192]: loading secrets from
"/etc/ipsec.secrets"
Apr 2 16:28:24 telemetry pluto[3192]: loaded private key for keyid:
PPK_RSA:AQOeDYPHf
Apr 2 16:28:37 telemetry pluto[3192]: packet from 192.168.2.60:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 2 16:28:37 telemetry pluto[3192]: packet from 192.168.2.60:500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 2 16:28:37 telemetry pluto[3192]: packet from 192.168.2.60:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but port floating is off
Apr 2 16:28:37 telemetry pluto[3192]: packet from 192.168.2.60:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 2 16:28:37 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
responding to Main Mode from unknown peer 192.168.2.60
Apr 2 16:28:37 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 2 16:28:37 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Apr 2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Apr 2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
Main mode peer ID is ID_IPV4_ADDR: '192.168.2.60'
Apr 2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Apr 2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
Dead Peer Detection (RFC 3706): not enabled because peer did not
advertise it
Apr 2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
the peer proposed: 192.168.2.63/32:17/1701 -> 192.168.2.60/32:17/0
Apr 2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
cannot respond to IPsec SA request because no connection is known for
192.168.2.63<192.168.2.63>[+S=C]:17/1701...192.168.2.60[+S=C]:17/%any
Apr 2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
sending encrypted notification INVALID_ID_INFORMATION to
192.168.2.60:500
Apr 2 16:28:39 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
the peer proposed: 192.168.2.63/32:17/1701 -> 192.168.2.60/32:17/0
Apr 2 16:28:39 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
cannot respond to IPsec SA request because no connection is known for
192.168.2.63<192.168.2.63>[+S=C]:17/1701...192.168.2.60[+S=C]:17/%any
Apr 2 16:28:39 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
sending encrypted notification INVALID_ID_INFORMATION to
192.168.2.60:500
Apr 2 16:28:41 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
the peer proposed: 192.168.2.63/32:17/1701 -> 192.168.2.60/32:17/0
Apr 2 16:28:41 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
cannot respond to IPsec SA request because no connection is known for
192.168.2.63<192.168.2.63>[+S=C]:17/1701...192.168.2.60[+S=C]:17/%any
Apr 2 16:28:41 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
sending encrypted notification INVALID_ID_INFORMATION to
192.168.2.60:500
Apr 2 16:28:45 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
the peer proposed: 192.168.2.63/32:17/1701 -> 192.168.2.60/32:17/0
Apr 2 16:28:45 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
cannot respond to IPsec SA request because no connection is known for
192.168.2.63<192.168.2.63>[+S=C]:17/1701...192.168.2.60[+S=C]:17/%any
Apr 2 16:28:45 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
sending encrypted notification INVALID_ID_INFORMATION to
192.168.2.60:500
Apr 2 16:28:53 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
the peer proposed: 192.168.2.63/32:17/1701 -> 192.168.2.60/32:17/0
Apr 2 16:28:53 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
cannot respond to IPsec SA request because no connection is known for
192.168.2.63<192.168.2.63>[+S=C]:17/1701...192.168.2.60[+S=C]:17/%any
Apr 2 16:28:53 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
sending encrypted notification INVALID_ID_INFORMATION to
192.168.2.60:500
Apr 2 16:29:09 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
the peer proposed: 192.168.2.63/32:17/1701 -> 192.168.2.60/32:17/0
Apr 2 16:29:09 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
cannot respond to IPsec SA request because no connection is known for
192.168.2.63<192.168.2.63>[+S=C]:17/1701...192.168.2.60[+S=C]:17/%any
Apr 2 16:29:09 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
sending encrypted notification INVALID_ID_INFORMATION to
192.168.2.60:500
Apr 2 16:29:41 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1:
received Delete SA payload: deleting ISAKMP State #1
Apr 2 16:29:41 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60:
deleting connection "RoadWarrior" instance with peer 192.168.2.60
{isakmp=#0/ipsec=#0}
Apr 2 16:29:41 telemetry pluto[3192]: packet from 192.168.2.60:500:
received and ignored informational message
-----Original Message-----
From: David McCullough [mailto:david_mccullough at mcafee.com]
Sent: vrijdag 2 april 2010 14:25
To: Dennis van der Meer
Cc: users at openswan.org
Subject: Re: [Openswan Users] Still server crash
Jivin Dennis van der Meer lays it down ...
> Hi David,
>
> It seems that your suggestion did the trick. I needed a few days to
> build a new kernel.
> For some reason I had a lot of problems with it but it had nothing to
do
> with openswan.
> Now I need to get my roadwarrior setup working, together with l2tp but
I
> am sure it will
> work eventually.
> Thanks for all the help.
Great, we let us know if you hit problems,
Cheers,
Davidm
> -----Original Message-----
> From: David McCullough [mailto:david_mccullough at mcafee.com]
> Sent: dinsdag 30 maart 2010 6:27
> To: Dennis van der Meer
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Still server crash
>
>
> Jivin Dennis van der Meer lays it down ...
> > Hi,
> >
> > Last week I have been trying to see if I can get a stable version of
> KLIPS working but I seem to crash my entire server
> >
> > whenever I try this. I??ve been able to crash my VMWare test system
> but also a production server that is not using VMWare.
> >
> > As soon as I try to make a connection using ipsec from another
> location the whole system crashes. I was able to change
> >
> > the number of screen lines to 60 so I could see a little bit more
(see
> partial info below). Maybe someone can help me track
> >
> > down the problem. So far I have tried a recent GIT build, 2
different
> kernel versions and the latest official openswan version;
> >
> > all have the same problems with the crash.
>
>
> We have been seeing problems with the builtin crypto for openswan. I
> haven't had a chance to look at it yet but the workaround is fairly
> simple.
> We just switch to using the kernel crypto API and not the openswan
> included
> versions of des etc.
>
> Setup for kernel .config as follows (or similar depending on kernel
> version):
>
> CONFIG_KLIPS=y
> #
> # KLIPS options
> #
> CONFIG_KLIPS_ESP=y
> # CONFIG_KLIPS_AH is not set
> CONFIG_KLIPS_AUTH_HMAC_MD5=y
> CONFIG_KLIPS_AUTH_HMAC_SHA1=y
> CONFIG_KLIPS_ALG=y
> CONFIG_KLIPS_ENC_CRYPTOAPI=y
> # CONFIG_KLIPS_ENC_1DES is not set
> # CONFIG_KLIPS_ENC_3DES is not set
> # CONFIG_KLIPS_ENC_AES is not set
> CONFIG_KLIPS_IPCOMP=y
> # CONFIG_KLIPS_OCF is not set
> CONFIG_KLIPS_DEBUG=y
> CONFIG_KLIPS_IF_MAX=4
>
> CONFIG_CRYPTO=y
> #
> # Crypto core or helper
> #
> CONFIG_CRYPTO_ALGAPI=y
> CONFIG_CRYPTO_ALGAPI2=y
> CONFIG_CRYPTO_AEAD2=y
> CONFIG_CRYPTO_BLKCIPHER=y
> CONFIG_CRYPTO_BLKCIPHER2=y
> CONFIG_CRYPTO_HASH=y
> CONFIG_CRYPTO_HASH2=y
> CONFIG_CRYPTO_RNG2=y
> CONFIG_CRYPTO_PCOMP=y
> CONFIG_CRYPTO_MANAGER=y
> CONFIG_CRYPTO_MANAGER2=y
> CONFIG_CRYPTO_WORKQUEUE=y
> CONFIG_CRYPTO_CBC=y
> CONFIG_CRYPTO_ECB=y
> CONFIG_CRYPTO_HMAC=y
> CONFIG_CRYPTO_MD5=y
> CONFIG_CRYPTO_SHA1=y
> CONFIG_CRYPTO_SHA256=y
> CONFIG_CRYPTO_SHA512=y
> CONFIG_CRYPTO_AES=y
> CONFIG_CRYPTO_ARC4=y
> CONFIG_CRYPTO_DES=y
>
> That should see you working I think,
>
> Cheers,
> Davidm
>
>
> > Partial crash info:
> >
> >
> >
> > Code: 00 00 00 23 1f a3 e0 20 1f a3 e0 17 1f a3 e0 13 1f a3 e0 10 1f
> a3 e0 0d 1f
> >
> > a3 e0 04 1f a3 e0 55 53 56 57 8b 6c 24 1c 8b 5c 24 2c (8b) 33 8b 7b
> 04 57 56 57
> >
> > 56 89 e3 8b 74 24 24 8b 7c 24 28 8b 4c
> >
> > EIP: [(e0a31f9c)] .des_ncbc_encrypt_end+0xc/0x1e0 [ipsec] SS:ESP
> 0068:de775af0
> >
> > CR2: 000000006a5a85a4
> >
> > ---[ end trace 33b374d09a6bcf21 ]---
> >
> > Kernel panic ?? not syncing: Fatal exception in interrupt
> >
> > Pid: 2043, comm.: sh Tainted: G D 2.6.33 #4
> >
> > Call Trace:
> >
> > [<c148fd84>] ? printk+0x18/0x1a
> >
> > [<c148fcb2>] panic+0x43/0xfd
> >
> > [<c100d3c3>] oops_end+0x83/0x90
> >
> > [<c101f4be>] no_context+0xbe/0x160
> >
> > [<c101f5af>] __bad_area_nosemaphone+0x4f/0x180
> >
> > [<c104efd2>] ? sched_clock_local+0xd2/0x170
> >
> > [<c1031423>] ? task_tick_fair+0x33/0x110
> >
> > [<c103108b>] ? scheduler_tick+0xeb/0x150
> >
> > [<c101f6f2>] bad_area_nosemaphone+0x12/0x20
> >
> > [<c101fadc>] do_page_fault+0x25c/0x300
> >
> > [<c10559e5>] ? tick_periodic+0x25/0x70
> >
> > [<c1055a49>] ? tick_handle_periodic+0x19/0x90
> >
> > [<c101f880>] ? do_page_fault+0x0/0x300
> >
> > [<c1492ace>] error_code+0x66/0x6c
> >
> > [<c101f880>] ? do_page_fault+0x0/0x300
> >
> > [<e0a31f9c>] ? .des_ncbc_encrypt_end+0xc/0x1e0 [ipsec]
> >
> > [<e0a2f279>] ? _3des_cbc_encrypt+0x49/0x60 [ipsec]
> >
> > [<e0a2f15d>] ? ipsec_alg_esp_encrypt+0x5d/0x130 [ipsec]
> >
> > [<e0a2a5f5>] ? ipsec_rcv_esp_decrypt+0x75/0x110 [ipsec]
> >
> > [<e0a17cc5>] ? ipsec_rcv_decrypt+0x25/0x60 [ipsec]
> >
> > [<e0a19649>] ? ipsec_rsm+0x49/0x2a0 [ipsec]
> >
> > [<e0a1955b>] ? ipsec_rcv_state_new+0x4b/0xb0 [ipsec]
> >
> > [<e0a199d7>] ? ipsec_rcv+0x27/0x90 [ipsec]
> >
> > [<c14065a6>] ? ip_local_deliver_finish+0x86/0x170
> >
> > [<c140671f>] ? ip_local_deliver+0x8f/0xa0
> >
> > [<c1406520>] ? ip_local_deliver_finish+0x0/0x170
> >
> > [<c1405fbb>] ? ip_rcv_finish+0x14b/0x310
> >
> > [<c1405e70>] ? ip_rcv_finish+0x0/0x310
> >
> > [<c14063b5>] ? ip_rcv+0x235/0x290
> >
> > [<c1405e70>] ? ip_rcv_finish+0x0/0x310
> >
> > [<c13af3ec>] ? netif_receive_skb+0x1bc/0x450
> >
> > [<e08304f4>] ? e1000_clean_rx_irq+0x2d4/0x420 [e1000]
> >
> > [<e082fbdd>] ? e1000_clean+0x1cd/0x500 [e1000]
> >
> > [<c106c46e>] ? handle_fasteoi_irq+0x7e/0xc0
> >
> > [<c10053ca>] ? handle_irq+0x1a/0x30
> >
> > [<c13afd2d>] ? net_rx_action+0x7d/0x100
> >
> > [<c103af45>] ? __do_softirq+0x85/0x110
> >
> > [<c1040054>] ? update_process_times+0x54/0x70
> >
> > [<c103affd>] ? do_softirq+0x2d/0x40
> >
> > [<c103b15d>] ? irq_exit+0x2d/0x40
> >
> > [<c1017b17>] ? smp_apic_time_interrupt+0x57/0x90
> >
> > [<c14928a2>] ? apic_timer_interrupt+0x2a/0x30
> >
> > [<c125e0a2>] ? prio_tree_remove+0x32/0xe0
> >
> > [<c1088122>] ? vma_prio_tree_remove+0x72/0xf0
> >
> > [<c10917dd>] ? vma_adjust+0xfd/0x470
> >
> > [<c1091c3a>] ? __split_vma+0xea/0x140
> >
> > [<c1091fbf>] ? split_vma+0x2f/0x40
> >
> > [<c1093596>] ? mprotect_fixup+0x306/0x360
> >
> > [<c109376e>] ? sys_mprotect+0x17e/0x220
> >
> > [<c14924b5>] ? syscall_call+0x7/0xb
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Dennis
> >
> >
>
> > _______________________________________________
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> > Building and Integrating Virtual Private Networks with Openswan:
> >
>
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
> --
> David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
> McAfee - SnapGear http://www.mcafee.com
> http://www.uCdot.org
>
>
--
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com
http://www.uCdot.org
More information about the Users
mailing list