[Openswan Users] Still server crash

Dennis van der Meer dennisvandermeer at greenchem-adblue.com
Mon Apr 5 08:19:08 EDT 2010


Hi Paul,

The configuration will only be used on my VMWare test system. For
production I will use different
keys. I have made a little bit more progress but still it is not
working. Right now I also have
a L2TP server running (xl2tpd) so when I have ipsec running correctly I
could get started on the
next part.
Since I am now working from a different location the ip information
changed a little.
The server itself still has 10.0.15.1 as its internal address. The
external ip address has become
192.168.95.140. I have an XP client that connects from 192.168.95.104. 
I had to comment the last line in the config file otherwise I will get
the same error like I did
in my previous email. Here is my new config:

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	uniqueids=yes
	nat_traversal=no
	
virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4
:!192.168.2.0/24,%v4:!10.0.2.0/24,%v4:!10.0.7.0/24,%v4:!192.168.100.0/24
	protostack=klips
	plutodebug="none"
	klipsdebug="none"
conn %default
	keyingtries=0
	disablearrivalcheck=no
	authby=secret
	dpddelay=60
	dpdtimeout=120
	dpdaction=clear
conn RoadWarrior
	authby=secret
	pfs=no
	rekey=no
	keyingtries=3
	left=%defaultroute
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
	auto=add
	type=tunnel
#	keyexchange=ike

This is the output from /var/log/secure:

Apr  5 13:56:47 telemetry ipsec__plutorun: Starting Pluto subsystem...
Apr  5 13:56:47 telemetry pluto[2147]: Starting Pluto (Openswan Version
2.6.25; Vendor ID OEC`nT{wo^XH) pid:2147
Apr  5 13:56:47 telemetry pluto[2147]: Setting NAT-Traversal port-4500
floating to off
Apr  5 13:56:47 telemetry pluto[2147]:    port floating activation
criteria nat_t=0/port_float=1
Apr  5 13:56:47 telemetry pluto[2147]:    NAT-Traversal support
[disabled]
Apr  5 13:56:47 telemetry pluto[2147]: using /dev/urandom as source of
random entropy
Apr  5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr  5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr  5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr  5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr  5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc():
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr  5 13:56:47 telemetry pluto[2147]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)
Apr  5 13:56:47 telemetry pluto[2147]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)
Apr  5 13:56:47 telemetry pluto[2147]: starting up 1 cryptographic
helpers
Apr  5 13:56:47 telemetry pluto[2147]: started helper pid=2149 (fd:7)
Apr  5 13:56:47 telemetry pluto[2147]: Using KLIPS IPsec interface code
on 2.6.33-smp
Apr  5 13:56:47 telemetry pluto[2147]: Changed path to directory
'/etc/ipsec.d/cacerts'
Apr  5 13:56:47 telemetry pluto[2147]: Changed path to directory
'/etc/ipsec.d/aacerts'
Apr  5 13:56:47 telemetry pluto[2147]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Apr  5 13:56:47 telemetry pluto[2147]: Changing to directory
'/etc/ipsec.d/crls'
Apr  5 13:56:47 telemetry pluto[2147]:   Warning: empty directory
Apr  5 13:56:47 telemetry pluto[2149]: using /dev/urandom as source of
random entropy
Apr  5 13:56:47 telemetry pluto[2147]: added connection description
"RoadWarrior"
Apr  5 13:56:47 telemetry pluto[2147]: listening for IKE messages
Apr  5 13:56:47 telemetry pluto[2147]: adding interface ipsec0/eth0
192.168.95.140:500
Apr  5 13:56:47 telemetry pluto[2147]: loading secrets from
"/etc/ipsec.secrets"
Apr  5 13:56:47 telemetry pluto[2147]: loaded private key for keyid:
PPK_RSA:AQOeDYPHf
Apr  5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr  5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr  5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but port floating is off
Apr  5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Apr  5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#1: responding to Main Mode from unknown peer 192.168.95.104
Apr  5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr  5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr  5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr  5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr  5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#1: Main mode peer ID is ID_IPV4_ADDR: '192.168.95.104'
Apr  5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr  5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Apr  5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#1: Dead Peer Detection (RFC 3706): not enabled because peer did not
advertise it
Apr  5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#1: the peer proposed: 192.168.95.140/32:17/1701 ->
192.168.95.104/32:17/0
Apr  5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#2: responding to Quick Mode proposal {msgid:0140e494}
Apr  5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#2:     us: 192.168.95.140[+S=C]:17/1701
Apr  5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#2:   them: 192.168.95.104[+S=C]:17/1701
Apr  5 13:56:56 telemetry pluto[2147]: | NAT-OA: 0 tunnel: 1  
Apr  5 13:56:56 telemetry pluto[2147]: ERROR: "RoadWarrior"[1]
192.168.95.104 #2: pfkey write() of K_SADB_ADD message 5 for Add SA
esp.b2b35fa4 at 192.168.95.104 failed. Errno 71: Protocol error
Apr  5 13:56:56 telemetry pluto[2147]: |   02 03 00 03  12 00 00 00  05
00 00 00  63 08 00 00
Apr  5 13:56:56 telemetry pluto[2147]: |   03 00 01 00  b2 b3 5f a4  40
01 02 03  00 00 00 00
Apr  5 13:56:56 telemetry pluto[2147]: |   00 00 00 00  00 00 00 00  03
00 05 00  00 00 00 00
Apr  5 13:56:56 telemetry pluto[2147]: |   02 00 06 a5  c0 a8 5f 8c  00
00 00 00  00 00 00 00
Apr  5 13:56:56 telemetry pluto[2147]: |   03 00 06 00  00 00 00 00  02
00 06 a5  c0 a8 5f 68
Apr  5 13:56:56 telemetry pluto[2147]: |   00 00 00 00  00 00 00 00  03
00 08 00  80 00 00 00
Apr  5 13:56:56 telemetry pluto[2147]: |   dd 6f c5 0d  9b 56 13 9c  12
f1 d4 3e  cf f0 67 e1
Apr  5 13:56:56 telemetry pluto[2147]: |   04 00 09 00  c0 00 00 00  ab
83 a9 3a  4a 64 44 fc
Apr  5 13:56:56 telemetry pluto[2147]: |   88 b5 93 d1  33 58 4e 96  dd
0a cb 66  0d 01 11 c3
Apr  5 13:56:56 telemetry pluto[2147]: | failed to install outgoing SA:
0
Apr  5 13:56:57 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#2: discarding duplicate packet; already STATE_QUICK_R0
Apr  5 13:57:27 telemetry last message repeated 4 times
Apr  5 13:57:42 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
#1: received Delete SA payload: deleting ISAKMP State #1
Apr  5 13:57:42 telemetry pluto[2147]: packet from 192.168.95.104:500:
received and ignored informational message
Apr  5 14:01:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104:
deleting connection "RoadWarrior" instance with peer 192.168.95.104
{isakmp=#0/ipsec=#0}

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: vrijdag 2 april 2010 23:57
To: Dennis van der Meer
Cc: David McCullough; users at openswan.org
Subject: Re: [Openswan Users] Still server crash

On Fri, 2 Apr 2010, Dennis van der Meer wrote:

> # basic configuration
> config setup
> 	uniqueids=yes
> 	nat_traversal=no
>
>
virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4
>
:!192.168.2.0/24,%v4:!10.0.2.0/24,%v4:!10.0.7.0/24,%v4:!192.168.100.0/24
> 	protostack=klips
> 	plutodebug="none"
> 	klipsdebug="none"

That blank line will cause trouble

> conn RoadWarrior
> 	auto=add
> 	left=192.168.2.63
> 	leftsourceip=10.0.15.1
> 	leftsubnet=10.0.15.0/24
> 	leftprotoport=17/1701
>
> 	right=%any
> 	rightprotoport=17/%any
> 	rightsubnet=vhost:%no,%priv
> 	pfs=no
> 	authby=secret
> 	type=tunnel
> 	keyingtries=5
> 	keyexchange=ike

And so will that blanc line.

>
> ipsec.secrets:
>
> %any %any : PSK
> "716ce954e871ce7eb193c78624387dbed03cb25c6430adc672cf072d79b1c66c"

You will have to change this secret in production

> Apr  2 16:28:24 telemetry pluto[3192]:    NAT-Traversal support
> [disabled]

This is due to the blanc line.

Paul


More information about the Users mailing list