[Openswan Users] Still server crash

Dennis van der Meer dennisvandermeer at greenchem-adblue.com
Fri Apr 2 10:37:40 EDT 2010


Hi David,

Great, because I am stuck again :-)
I have the following configuration:
	VMWare server with 2 network interfaces
	eth0:		192.168.2.63 /255.255.255.0
	eth1:		10.0.15.1 / 255.255.255.0
My internal LAN is 192.168.2.63. I am trying to create a VPN connection with my XP client (which runs the VMWare server). My client has IP 192.168.2.60. I use a PSK to make the connection between the XP client and the IPsec VPN server. Right now I don't have L2TP set up, but I will do that as soon as I have the IPsec connection working. I know the VPN connection will not work without L2TP, but I should at least get IPsec going; according to /var/log/secure it is not working. It is probably a simple configuration problem, but I have no idea what is wrong.
Roadwarriors can work with PSK, right?

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
192.168.2.0     *               255.255.255.0   U     0      0        0 ipsec0
10.0.15.0       *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.2.63    0.0.0.0         UG    1      0        0 eth0

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	uniqueids=yes
	nat_traversal=no
	virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!10.0.2.0/24,%v4:!10.0.7.0/24,%v4:!192.168.100.0/24
	protostack=klips
	plutodebug="none"
	klipsdebug="none"

conn %default
	keyingtries=0
	disablearrivalcheck=no
	authby=secret
	dpddelay=60
	dpdtimeout=120
	dpdaction=clear

conn RoadWarrior
	auto=add
	left=192.168.2.63
	leftsourceip=10.0.15.1
	leftsubnet=10.0.15.0/24
	leftprotoport=17/1701

	right=%any
	rightprotoport=17/%any
	rightsubnet=vhost:%no,%priv
	pfs=no
	authby=secret
	type=tunnel
	keyingtries=5
	keyexchange=ike


ipsec.secrets:

%any %any : PSK "716ce954e871ce7eb193c78624387dbed03cb25c6430adc672cf072d79b1c66c"
#192.168.2.63 %any : PSK "716ce954e871ce7eb193c78624387dbed03cb25c6430adc672cf072d79b1c66c"


/var/log/secure:

Apr  2 16:28:24 telemetry ipsec__plutorun: Starting Pluto subsystem...
Apr  2 16:28:24 telemetry pluto[3192]: Starting Pluto (Openswan Version 2.6.25; Vendor ID OEC`nT{wo^XH) pid:3192
Apr  2 16:28:24 telemetry pluto[3192]: Setting NAT-Traversal port-4500 floating to off
Apr  2 16:28:24 telemetry pluto[3192]:    port floating activation criteria nat_t=0/port_float=1
Apr  2 16:28:24 telemetry pluto[3192]:    NAT-Traversal support [disabled]
Apr  2 16:28:24 telemetry pluto[3192]: using /dev/urandom as source of random entropy
Apr  2 16:28:24 telemetry pluto[3192]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr  2 16:28:24 telemetry pluto[3192]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr  2 16:28:24 telemetry pluto[3192]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr  2 16:28:24 telemetry pluto[3192]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr  2 16:28:24 telemetry pluto[3192]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr  2 16:28:24 telemetry pluto[3192]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Apr  2 16:28:24 telemetry pluto[3192]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Apr  2 16:28:24 telemetry pluto[3192]: starting up 1 cryptographic helpers
Apr  2 16:28:24 telemetry pluto[3192]: started helper pid=3194 (fd:7)
Apr  2 16:28:24 telemetry pluto[3192]: Using KLIPS IPsec interface code on 2.6.33-smp
Apr  2 16:28:24 telemetry pluto[3192]: Changed path to directory '/etc/ipsec.d/cacerts'
Apr  2 16:28:24 telemetry pluto[3192]: Changed path to directory '/etc/ipsec.d/aacerts'
Apr  2 16:28:24 telemetry pluto[3192]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Apr  2 16:28:24 telemetry pluto[3192]: Changing to directory '/etc/ipsec.d/crls'
Apr  2 16:28:24 telemetry pluto[3192]:   Warning: empty directory
Apr  2 16:28:24 telemetry pluto[3194]: using /dev/urandom as source of random entropy
Apr  2 16:28:24 telemetry pluto[3192]: added connection description "RoadWarrior"
Apr  2 16:28:24 telemetry pluto[3192]: listening for IKE messages
Apr  2 16:28:24 telemetry pluto[3192]: adding interface ipsec0/eth0 192.168.2.63:500
Apr  2 16:28:24 telemetry pluto[3192]: loading secrets from "/etc/ipsec.secrets"
Apr  2 16:28:24 telemetry pluto[3192]: loaded private key for keyid: PPK_RSA:AQOeDYPHf
Apr  2 16:28:37 telemetry pluto[3192]: packet from 192.168.2.60:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr  2 16:28:37 telemetry pluto[3192]: packet from 192.168.2.60:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr  2 16:28:37 telemetry pluto[3192]: packet from 192.168.2.60:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Apr  2 16:28:37 telemetry pluto[3192]: packet from 192.168.2.60:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr  2 16:28:37 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: responding to Main Mode from unknown peer 192.168.2.60
Apr  2 16:28:37 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr  2 16:28:37 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr  2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr  2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr  2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.2.60'
Apr  2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr  2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Apr  2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Apr  2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: the peer proposed: 192.168.2.63/32:17/1701 -> 192.168.2.60/32:17/0
Apr  2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: cannot respond to IPsec SA request because no connection is known for 192.168.2.63<192.168.2.63>[+S=C]:17/1701...192.168.2.60[+S=C]:17/%any
Apr  2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.2.60:500
Apr  2 16:28:39 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: the peer proposed: 192.168.2.63/32:17/1701 -> 192.168.2.60/32:17/0
Apr  2 16:28:39 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: cannot respond to IPsec SA request because no connection is known for 192.168.2.63<192.168.2.63>[+S=C]:17/1701...192.168.2.60[+S=C]:17/%any
Apr  2 16:28:39 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.2.60:500
Apr  2 16:28:41 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: the peer proposed: 192.168.2.63/32:17/1701 -> 192.168.2.60/32:17/0
Apr  2 16:28:41 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: cannot respond to IPsec SA request because no connection is known for 192.168.2.63<192.168.2.63>[+S=C]:17/1701...192.168.2.60[+S=C]:17/%any
Apr  2 16:28:41 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.2.60:500
Apr  2 16:28:45 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: the peer proposed: 192.168.2.63/32:17/1701 -> 192.168.2.60/32:17/0
Apr  2 16:28:45 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: cannot respond to IPsec SA request because no connection is known for 192.168.2.63<192.168.2.63>[+S=C]:17/1701...192.168.2.60[+S=C]:17/%any
Apr  2 16:28:45 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.2.60:500
Apr  2 16:28:53 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: the peer proposed: 192.168.2.63/32:17/1701 -> 192.168.2.60/32:17/0
Apr  2 16:28:53 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: cannot respond to IPsec SA request because no connection is known for 192.168.2.63<192.168.2.63>[+S=C]:17/1701...192.168.2.60[+S=C]:17/%any
Apr  2 16:28:53 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.2.60:500
Apr  2 16:29:09 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: the peer proposed: 192.168.2.63/32:17/1701 -> 192.168.2.60/32:17/0
Apr  2 16:29:09 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: cannot respond to IPsec SA request because no connection is known for 192.168.2.63<192.168.2.63>[+S=C]:17/1701...192.168.2.60[+S=C]:17/%any
Apr  2 16:29:09 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.2.60:500
Apr  2 16:29:41 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: received Delete SA payload: deleting ISAKMP State #1
Apr  2 16:29:41 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60: deleting connection "RoadWarrior" instance with peer 192.168.2.60 {isakmp=#0/ipsec=#0}
Apr  2 16:29:41 telemetry pluto[3192]: packet from 192.168.2.60:500: received and ignored informational message

-----Original Message-----
From: David McCullough [mailto:david_mccullough at mcafee.com] 
Sent: vrijdag 2 april 2010 14:25
To: Dennis van der Meer
Cc: users at openswan.org
Subject: Re: [Openswan Users] Still server crash


Jivin Dennis van der Meer lays it down ...
> Hi David,
> 
> It seems that your suggestion did the trick. I needed a few days to
> build a new kernel.
> For some reason I had a lot of problems with it but it had nothing to do
> with openswan.
> Now I need to get my roadwarrior setup working, together with l2tp but I
> am sure it will work eventually.
> Thanks for all the help.

Great, let us know if you hit problems,

Cheers,
Davidm

> -----Original Message-----
> From: David McCullough [mailto:david_mccullough at mcafee.com] 
> Sent: dinsdag 30 maart 2010 6:27
> To: Dennis van der Meer
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Still server crash
> 
> 
> Jivin Dennis van der Meer lays it down ...
> > Hi,
> > 
> > Last week I have been trying to see if I can get a stable version of
> > KLIPS working but I seem to crash my entire server whenever I try this.
> > I've been able to crash my VMWare test system but also a production
> > server that is not using VMWare.
> > 
> > As soon as I try to make a connection using ipsec from another location
> > the whole system crashes. I was able to change the number of screen
> > lines to 60 so I could see a little bit more (see partial info below).
> > Maybe someone can help me track down the problem. So far I have tried a
> > recent GIT build, 2 different kernel versions and the latest official
> > openswan version; all have the same problems with the crash.
> 
> 
> We have been seeing problems with the builtin crypto for openswan.  I
> haven't had a chance to look at it yet but the workaround is fairly
> simple. We just switch to using the kernel crypto API and not the
> openswan included versions of des etc.
> 
> Setup for kernel .config as follows (or similar depending on kernel
> version):
> 
> 	CONFIG_KLIPS=y
> 	#
> 	# KLIPS options
> 	#
> 	CONFIG_KLIPS_ESP=y
> 	# CONFIG_KLIPS_AH is not set
> 	CONFIG_KLIPS_AUTH_HMAC_MD5=y
> 	CONFIG_KLIPS_AUTH_HMAC_SHA1=y
> 	CONFIG_KLIPS_ALG=y
> 	CONFIG_KLIPS_ENC_CRYPTOAPI=y
> 	# CONFIG_KLIPS_ENC_1DES is not set
> 	# CONFIG_KLIPS_ENC_3DES is not set
> 	# CONFIG_KLIPS_ENC_AES is not set
> 	CONFIG_KLIPS_IPCOMP=y
> 	# CONFIG_KLIPS_OCF is not set
> 	CONFIG_KLIPS_DEBUG=y
> 	CONFIG_KLIPS_IF_MAX=4
> 
> 	CONFIG_CRYPTO=y
> 	#
> 	# Crypto core or helper
> 	#
> 	CONFIG_CRYPTO_ALGAPI=y
> 	CONFIG_CRYPTO_ALGAPI2=y
> 	CONFIG_CRYPTO_AEAD2=y
> 	CONFIG_CRYPTO_BLKCIPHER=y
> 	CONFIG_CRYPTO_BLKCIPHER2=y
> 	CONFIG_CRYPTO_HASH=y
> 	CONFIG_CRYPTO_HASH2=y
> 	CONFIG_CRYPTO_RNG2=y
> 	CONFIG_CRYPTO_PCOMP=y
> 	CONFIG_CRYPTO_MANAGER=y
> 	CONFIG_CRYPTO_MANAGER2=y
> 	CONFIG_CRYPTO_WORKQUEUE=y
> 	CONFIG_CRYPTO_CBC=y
> 	CONFIG_CRYPTO_ECB=y
> 	CONFIG_CRYPTO_HMAC=y
> 	CONFIG_CRYPTO_MD5=y
> 	CONFIG_CRYPTO_SHA1=y
> 	CONFIG_CRYPTO_SHA256=y
> 	CONFIG_CRYPTO_SHA512=y
> 	CONFIG_CRYPTO_AES=y
> 	CONFIG_CRYPTO_ARC4=y
> 	CONFIG_CRYPTO_DES=y
> 
> That should see you working I think,
> 
> Cheers,
> Davidm
> 	
> 
> > Partial crash info:
> > 
> > Code: 00 00 00 23 1f a3 e0 20 1f a3 e0 17 1f a3 e0 13 1f a3 e0 10 1f a3 e0 0d 1f a3 e0 04 1f a3 e0 55 53 56 57 8b 6c 24 1c 8b 5c 24 2c (8b) 33 8b 7b 04 57 56 57 56 89 e3 8b 74 24 24 8b 7c 24 28 8b 4c
> > EIP: [(e0a31f9c)] .des_ncbc_encrypt_end+0xc/0x1e0 [ipsec] SS:ESP 0068:de775af0
> > CR2: 000000006a5a85a4
> > ---[ end trace 33b374d09a6bcf21 ]---
> > Kernel panic - not syncing: Fatal exception in interrupt
> > Pid: 2043, comm.: sh Tainted: G     D    2.6.33 #4
> > Call Trace:
> >  [<c148fd84>] ? printk+0x18/0x1a
> >  [<c148fcb2>] panic+0x43/0xfd
> >  [<c100d3c3>] oops_end+0x83/0x90
> >  [<c101f4be>] no_context+0xbe/0x160
> >  [<c101f5af>] __bad_area_nosemaphone+0x4f/0x180
> >  [<c104efd2>] ? sched_clock_local+0xd2/0x170
> >  [<c1031423>] ? task_tick_fair+0x33/0x110
> >  [<c103108b>] ? scheduler_tick+0xeb/0x150
> >  [<c101f6f2>] bad_area_nosemaphone+0x12/0x20
> >  [<c101fadc>] do_page_fault+0x25c/0x300
> >  [<c10559e5>] ? tick_periodic+0x25/0x70
> >  [<c1055a49>] ? tick_handle_periodic+0x19/0x90
> >  [<c101f880>] ? do_page_fault+0x0/0x300
> >  [<c1492ace>] error_code+0x66/0x6c
> >  [<c101f880>] ? do_page_fault+0x0/0x300
> >  [<e0a31f9c>] ? .des_ncbc_encrypt_end+0xc/0x1e0 [ipsec]
> >  [<e0a2f279>] ? _3des_cbc_encrypt+0x49/0x60 [ipsec]
> >  [<e0a2f15d>] ? ipsec_alg_esp_encrypt+0x5d/0x130 [ipsec]
> >  [<e0a2a5f5>] ? ipsec_rcv_esp_decrypt+0x75/0x110 [ipsec]
> >  [<e0a17cc5>] ? ipsec_rcv_decrypt+0x25/0x60 [ipsec]
> >  [<e0a19649>] ? ipsec_rsm+0x49/0x2a0 [ipsec]
> >  [<e0a1955b>] ? ipsec_rcv_state_new+0x4b/0xb0 [ipsec]
> >  [<e0a199d7>] ? ipsec_rcv+0x27/0x90 [ipsec]
> >  [<c14065a6>] ? ip_local_deliver_finish+0x86/0x170
> >  [<c140671f>] ? ip_local_deliver+0x8f/0xa0
> >  [<c1406520>] ? ip_local_deliver_finish+0x0/0x170
> >  [<c1405fbb>] ? ip_rcv_finish+0x14b/0x310
> >  [<c1405e70>] ? ip_rcv_finish+0x0/0x310
> >  [<c14063b5>] ? ip_rcv+0x235/0x290
> >  [<c1405e70>] ? ip_rcv_finish+0x0/0x310
> >  [<c13af3ec>] ? netif_receive_skb+0x1bc/0x450
> >  [<e08304f4>] ? e1000_clean_rx_irq+0x2d4/0x420 [e1000]
> >  [<e082fbdd>] ? e1000_clean+0x1cd/0x500 [e1000]
> >  [<c106c46e>] ? handle_fasteoi_irq+0x7e/0xc0
> >  [<c10053ca>] ? handle_irq+0x1a/0x30
> >  [<c13afd2d>] ? net_rx_action+0x7d/0x100
> >  [<c103af45>] ? __do_softirq+0x85/0x110
> >  [<c1040054>] ? update_process_times+0x54/0x70
> >  [<c103affd>] ? do_softirq+0x2d/0x40
> >  [<c103b15d>] ? irq_exit+0x2d/0x40
> >  [<c1017b17>] ? smp_apic_time_interrupt+0x57/0x90
> >  [<c14928a2>] ? apic_timer_interrupt+0x2a/0x30
> >  [<c125e0a2>] ? prio_tree_remove+0x32/0xe0
> >  [<c1088122>] ? vma_prio_tree_remove+0x72/0xf0
> >  [<c10917dd>] ? vma_adjust+0xfd/0x470
> >  [<c1091c3a>] ? __split_vma+0xea/0x140
> >  [<c1091fbf>] ? split_vma+0x2f/0x40
> >  [<c1093596>] ? mprotect_fixup+0x306/0x360
> >  [<c109376e>] ? sys_mprotect+0x17e/0x220
> >  [<c14924b5>] ? syscall_call+0x7/0xb
> > 
> > Thanks,
> > 
> > Dennis
> > 
> 
> > _______________________________________________
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
> 
> -- 
> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> McAfee - SnapGear      http://www.mcafee.com
> http://www.uCdot.org
> 
> 

-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com
http://www.uCdot.org
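The pluto log above records the whole failure in two places: the client advertises NAT-T while the server has port floating off, and each Quick Mode attempt is rejected with "cannot respond to IPsec SA request because no connection is known" after pluto prints exactly which selectors the peer proposed. The following Python script is an added example, not part of this thread or of Openswan; it parses the conn section of an ipsec.conf and the "the peer proposed" / "Vendor ID" lines of a pluto log, then reports why a proposal does not fit the conn. The matching rules it applies (leftsubnet containment, vhost:%no as the peer's own /32, vhost:%priv as RFC 1918 space, protoport equality with %any and port 0 as wildcards) are a simplified model of pluto's behaviour and are assumptions, not Openswan's actual code. The sample configuration and log lines are constructed from the ones posted above.

```python
import ipaddress
import re

# Constructed sample input: the RoadWarrior conn and three pluto lines from the thread.
SAMPLE_CONF = """\
conn RoadWarrior
    auto=add
    left=192.168.2.63
    leftsourceip=10.0.15.1
    leftsubnet=10.0.15.0/24
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
    type=tunnel
"""

SAMPLE_LOG = [
    "Apr  2 16:28:37 telemetry pluto[3192]: packet from 192.168.2.60:500: "
    "received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off",
    'Apr  2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: '
    "the peer proposed: 192.168.2.63/32:17/1701 -> 192.168.2.60/32:17/0",
    'Apr  2 16:28:38 telemetry pluto[3192]: "RoadWarrior"[1] 192.168.2.60 #1: '
    "cannot respond to IPsec SA request because no connection is known for "
    "192.168.2.63<192.168.2.63>[+S=C]:17/1701...192.168.2.60[+S=C]:17/%any",
]

# "the peer proposed: LOCALNET:PROTO/PORT -> REMOTENET:PROTO/PORT" as pluto prints it.
PROPOSED_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: the peer proposed: '
    r"(?P<lnet>\S+):(?P<lproto>\d+)/(?P<lport>\d+) -> "
    r"(?P<rnet>\S+):(?P<rproto>\d+)/(?P<rport>\d+)"
)
# Client offered a NAT-T vendor ID while this side runs with port floating disabled.
NAT_T_RE = re.compile(
    r"packet from (?P<peer>\S+): received Vendor ID payload "
    r"\[(?P<vid>[^\]]*nat-t[^\]]*)\].*port floating is off"
)
# Assumption: treat vhost:%priv as plain RFC 1918 space (real pluto uses virtual_private).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_conns(text):
    """Parse the 'conn NAME' sections of an ipsec.conf into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def parse_protoport(spec):
    """'17/1701' -> (17, 1701); a '%any' port -> None (wildcard); no spec -> (None, None)."""
    if not spec:
        return None, None
    proto, port = spec.split("/", 1)
    return int(proto), (None if port == "%any" else int(port))


def check_proposal(conn, proposal):
    """Return the reasons a proposed selector pair does not fit the conn (empty list = fits)."""
    reasons = []
    # Local side: the proposed network must lie inside leftsubnet (or equal left/32).
    left_net = ipaddress.ip_network(conn.get("leftsubnet") or conn["left"] + "/32")
    lnet = ipaddress.ip_network(proposal["lnet"])
    if not lnet.subnet_of(left_net):
        reasons.append(f"local selector {lnet} is outside leftsubnet {left_net}")
    # Remote side: vhost:%no = the peer's own address, vhost:%priv = private space behind it.
    rnet = ipaddress.ip_network(proposal["rnet"])
    peer_host = ipaddress.ip_network(proposal["peer"] + "/32")
    rsub = conn.get("rightsubnet", "")
    if rsub.startswith("vhost:"):
        opts = rsub[len("vhost:"):].split(",")
        ok = ("%no" in opts and rnet == peer_host) or \
             ("%priv" in opts and any(rnet.subnet_of(p) for p in PRIVATE_NETS))
    elif rsub:
        ok = rnet.subnet_of(ipaddress.ip_network(rsub))
    else:
        ok = rnet == peer_host
    if not ok:
        reasons.append(f"remote selector {rnet} is not allowed by rightsubnet={rsub or peer_host}")
    # Protocol/port: conn value must equal the proposal unless the conn side is %any.
    for side, key in (("l", "leftprotoport"), ("r", "rightprotoport")):
        proto, port = parse_protoport(conn.get(key))
        pproto, pport = int(proposal[side + "proto"]), int(proposal[side + "port"])
        if proto is not None and proto != pproto:
            reasons.append(f"{key} wants protocol {proto}, peer proposed {pproto}")
        if port is not None and port != pport:
            reasons.append(f"{key} wants port {port}, peer proposed {pport or 'any'}")
    return reasons


def diagnose(conf_text, log_lines):
    """Run both checks over a pluto log and return human-readable findings in log order."""
    conns = parse_conns(conf_text)
    findings = []
    for line in log_lines:
        m = NAT_T_RE.search(line)
        if m:
            findings.append(f"{m['peer']} advertised NAT-T ({m['vid']}) "
                            "but port floating is off (nat_traversal=no)")
        m = PROPOSED_RE.search(line)
        if m:
            p = m.groupdict()
            conn = conns.get(p["conn"])
            if conn is None:
                findings.append(f"proposal names unknown conn {p['conn']}")
            else:
                findings.extend(f"{p['conn']}: {r}" for r in check_proposal(conn, p))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports the NAT-T mismatch and that the client's local selector 192.168.2.63/32 (the server's own eth0 address, as an L2TP client proposes) lies outside the configured leftsubnet 10.0.15.0/24; the remote selector and both protoports fit. The same functions can be pointed at a live /var/log/secure and /etc/ipsec.conf to see which of the three checks a rejected proposal fails.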


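David's workaround for the KLIPS crash is a kernel .config change: keep CONFIG_KLIPS_ENC_CRYPTOAPI=y and leave the KLIPS-internal CONFIG_KLIPS_ENC_1DES/3DES/AES options unset so ESP goes through the kernel crypto API instead of the built-in DES code that appears in the crash trace. The following Python script is an added example, not part of this thread or of Openswan; it parses a kernel .config (including the "# CONFIG_X is not set" convention) and reports every option that deviates from that workaround, which is the check a defender would run before rebuilding a kernel or after booting a new one. The sample .config is constructed with one deliberate deviation; the option list is taken from the quoted message, and reading /proc/config.gz is an assumption about how the running kernel's config is exposed.

```python
import gzip
import re

# Constructed sample .config: like the quoted workaround, except that the KLIPS-internal
# 3DES implementation is still switched on (the deviation we expect to be flagged).
SAMPLE_CONFIG = """\
CONFIG_KLIPS=y
CONFIG_KLIPS_ESP=y
# CONFIG_KLIPS_AH is not set
CONFIG_KLIPS_ALG=y
CONFIG_KLIPS_ENC_CRYPTOAPI=y
# CONFIG_KLIPS_ENC_1DES is not set
CONFIG_KLIPS_ENC_3DES=y
# CONFIG_KLIPS_ENC_AES is not set
CONFIG_CRYPTO=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_AES=y
"""

# The options the quoted workaround cares about; None means "must not be set".
WORKAROUND = {
    "CONFIG_KLIPS_ALG": "y",
    "CONFIG_KLIPS_ENC_CRYPTOAPI": "y",
    "CONFIG_KLIPS_ENC_1DES": None,
    "CONFIG_KLIPS_ENC_3DES": None,
    "CONFIG_KLIPS_ENC_AES": None,
    "CONFIG_CRYPTO": "y",
    "CONFIG_CRYPTO_CBC": "y",
    "CONFIG_CRYPTO_HMAC": "y",
    "CONFIG_CRYPTO_MD5": "y",
    "CONFIG_CRYPTO_SHA1": "y",
    "CONFIG_CRYPTO_DES": "y",
    "CONFIG_CRYPTO_AES": "y",
}

NOT_SET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Map CONFIG_* names to their value ('y', 'm', a string) or None when unset."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = NOT_SET_RE.match(line)
        if m:
            opts[m.group(1)] = None
        elif line.startswith("CONFIG_") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value.strip().strip('"')
    return opts


def kconfig_drift(text, wanted=WORKAROUND):
    """Return {option: (found, wanted)} for every option that differs from the workaround.

    An option missing from the file counts as unset (None), which is what Kconfig means.
    """
    opts = parse_kconfig(text)
    return {k: (opts.get(k), v) for k, v in wanted.items() if opts.get(k) != v}


def read_kconfig_file(path):
    """Read a .config, or /proc/config.gz when the kernel was built with CONFIG_IKCONFIG_PROC
    (an assumption about the environment, not something the thread states)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return fh.read()


if __name__ == "__main__":
    for option, (found, wanted) in kconfig_drift(SAMPLE_CONFIG).items():
        print(f"{option}: found {found!r}, workaround wants {wanted!r}")
```

On the sample it flags only CONFIG_KLIPS_ENC_3DES, which is set to y where the workaround leaves it unset; a kernel that matches the quoted fragment produces an empty result. Pass the output of read_kconfig_file("/boot/config-<version>") or read_kconfig_file("/proc/config.gz") to kconfig_drift to check a real system.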