[Openswan Users] Still server crash
David McCullough
david_mccullough at mcafee.com
Tue Apr 6 08:41:53 EDT 2010
Jivin Dennis van der Meer lays it down ...
> I don't know if the error is because I have not applied the NAT-T patch
> but if it is then there is
> another problem since the patch cannot be applied to the kernel version
> I am currently using (2.6.33).
The NAT-T patch is no more; as of 2.6.26 it is no longer needed with
current versions of openswan.
> Hopefully someone knows what is going on because I tried to google this
> error and came up with nothing
> relevant.
Not sure on the error, we'll see if someone else can help :-)
Cheers,
Davidm
> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
> Behalf Of Dennis van der Meer
> Sent: Monday 5 April 2010 14:19
> To: Paul Wouters
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Still server crash
>
> Hi Paul,
>
> The configuration will only be used on my VMWare test system. For
> production I will use different
> keys. I have made a little bit more progress but still it is not
> working. Right now I also have
> a L2TP server running (xl2tpd) so when I have ipsec running correctly I
> could get started on the
> next part.
> Since I am now working from a different location the ip information
> changed a little.
> The server itself still has 10.0.15.1 as its internal address. The
> external ip address has become
> 192.168.95.140. I have an XP client that connects from 192.168.95.104.
> I had to comment out the last line in the config file, otherwise I get
> the same error as I did
> in my previous email. Here is my new config:
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
>
> # This file: /usr/local/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
> uniqueids=yes
> nat_traversal=no
>
> virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!10.0.2.0/24,%v4:!10.0.7.0/24,%v4:!192.168.100.0/24
> protostack=klips
> plutodebug="none"
> klipsdebug="none"
> conn %default
> keyingtries=0
> disablearrivalcheck=no
> authby=secret
> dpddelay=60
> dpdtimeout=120
> dpdaction=clear
> conn RoadWarrior
> authby=secret
> pfs=no
> rekey=no
> keyingtries=3
> left=%defaultroute
> leftprotoport=17/1701
> right=%any
> rightprotoport=17/%any
> auto=add
> type=tunnel
> # keyexchange=ike
>
> This is the output from /var/log/secure:
>
> Apr 5 13:56:47 telemetry ipsec__plutorun: Starting Pluto subsystem...
> Apr 5 13:56:47 telemetry pluto[2147]: Starting Pluto (Openswan Version
> 2.6.25; Vendor ID OEC`nT{wo^XH) pid:2147
> Apr 5 13:56:47 telemetry pluto[2147]: Setting NAT-Traversal port-4500
> floating to off
> Apr 5 13:56:47 telemetry pluto[2147]: port floating activation
> criteria nat_t=0/port_float=1
> Apr 5 13:56:47 telemetry pluto[2147]: NAT-Traversal support
> [disabled]
> Apr 5 13:56:47 telemetry pluto[2147]: using /dev/urandom as source of
> random entropy
> Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc():
> Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc():
> Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
> Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
> Apr 5 13:56:47 telemetry pluto[2147]: starting up 1 cryptographic
> helpers
> Apr 5 13:56:47 telemetry pluto[2147]: started helper pid=2149 (fd:7)
> Apr 5 13:56:47 telemetry pluto[2147]: Using KLIPS IPsec interface code
> on 2.6.33-smp
> Apr 5 13:56:47 telemetry pluto[2147]: Changed path to directory
> '/etc/ipsec.d/cacerts'
> Apr 5 13:56:47 telemetry pluto[2147]: Changed path to directory
> '/etc/ipsec.d/aacerts'
> Apr 5 13:56:47 telemetry pluto[2147]: Changed path to directory
> '/etc/ipsec.d/ocspcerts'
> Apr 5 13:56:47 telemetry pluto[2147]: Changing to directory
> '/etc/ipsec.d/crls'
> Apr 5 13:56:47 telemetry pluto[2147]: Warning: empty directory
> Apr 5 13:56:47 telemetry pluto[2149]: using /dev/urandom as source of
> random entropy
> Apr 5 13:56:47 telemetry pluto[2147]: added connection description
> "RoadWarrior"
> Apr 5 13:56:47 telemetry pluto[2147]: listening for IKE messages
> Apr 5 13:56:47 telemetry pluto[2147]: adding interface ipsec0/eth0
> 192.168.95.140:500
> Apr 5 13:56:47 telemetry pluto[2147]: loading secrets from
> "/etc/ipsec.secrets"
> Apr 5 13:56:47 telemetry pluto[2147]: loaded private key for keyid:
> PPK_RSA:AQOeDYPHf
> Apr 5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500:
> ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> Apr 5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500:
> ignoring Vendor ID payload [FRAGMENTATION]
> Apr 5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
> but port floating is off
> Apr 5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500:
> ignoring Vendor ID payload [Vid-Initial-Contact]
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #1: responding to Main Mode from unknown peer 192.168.95.104
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.95.104'
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp2048}
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #1: Dead Peer Detection (RFC 3706): not enabled because peer did not
> advertise it
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #1: the peer proposed: 192.168.95.140/32:17/1701 ->
> 192.168.95.104/32:17/0
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #2: responding to Quick Mode proposal {msgid:0140e494}
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #2: us: 192.168.95.140[+S=C]:17/1701
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #2: them: 192.168.95.104[+S=C]:17/1701
> Apr 5 13:56:56 telemetry pluto[2147]: | NAT-OA: 0 tunnel: 1
> Apr 5 13:56:56 telemetry pluto[2147]: ERROR: "RoadWarrior"[1]
> 192.168.95.104 #2: pfkey write() of K_SADB_ADD message 5 for Add SA
> esp.b2b35fa4 at 192.168.95.104 failed. Errno 71: Protocol error
> Apr 5 13:56:56 telemetry pluto[2147]: | 02 03 00 03 12 00 00 00 05
> 00 00 00 63 08 00 00
> Apr 5 13:56:56 telemetry pluto[2147]: | 03 00 01 00 b2 b3 5f a4 40
> 01 02 03 00 00 00 00
> Apr 5 13:56:56 telemetry pluto[2147]: | 00 00 00 00 00 00 00 00 03
> 00 05 00 00 00 00 00
> Apr 5 13:56:56 telemetry pluto[2147]: | 02 00 06 a5 c0 a8 5f 8c 00
> 00 00 00 00 00 00 00
> Apr 5 13:56:56 telemetry pluto[2147]: | 03 00 06 00 00 00 00 00 02
> 00 06 a5 c0 a8 5f 68
> Apr 5 13:56:56 telemetry pluto[2147]: | 00 00 00 00 00 00 00 00 03
> 00 08 00 80 00 00 00
> Apr 5 13:56:56 telemetry pluto[2147]: | dd 6f c5 0d 9b 56 13 9c 12
> f1 d4 3e cf f0 67 e1
> Apr 5 13:56:56 telemetry pluto[2147]: | 04 00 09 00 c0 00 00 00 ab
> 83 a9 3a 4a 64 44 fc
> Apr 5 13:56:56 telemetry pluto[2147]: | 88 b5 93 d1 33 58 4e 96 dd
> 0a cb 66 0d 01 11 c3
> Apr 5 13:56:56 telemetry pluto[2147]: | failed to install outgoing SA:
> 0
> Apr 5 13:56:57 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #2: discarding duplicate packet; already STATE_QUICK_R0
> Apr 5 13:57:27 telemetry last message repeated 4 times
> Apr 5 13:57:42 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104
> #1: received Delete SA payload: deleting ISAKMP State #1
> Apr 5 13:57:42 telemetry pluto[2147]: packet from 192.168.95.104:500:
> received and ignored informational message
> Apr 5 14:01:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104:
> deleting connection "RoadWarrior" instance with peer 192.168.95.104
> {isakmp=#0/ipsec=#0}
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Friday 2 April 2010 23:57
> To: Dennis van der Meer
> Cc: David McCullough; users at openswan.org
> Subject: Re: [Openswan Users] Still server crash
>
> On Fri, 2 Apr 2010, Dennis van der Meer wrote:
>
> > # basic configuration
> > config setup
> > uniqueids=yes
> > nat_traversal=no
> >
> > virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!10.0.2.0/24,%v4:!10.0.7.0/24,%v4:!192.168.100.0/24
> > protostack=klips
> > plutodebug="none"
> > klipsdebug="none"
>
> That blank line will cause trouble
>
> > conn RoadWarrior
> > auto=add
> > left=192.168.2.63
> > leftsourceip=10.0.15.1
> > leftsubnet=10.0.15.0/24
> > leftprotoport=17/1701
> >
> > right=%any
> > rightprotoport=17/%any
> > rightsubnet=vhost:%no,%priv
> > pfs=no
> > authby=secret
> > type=tunnel
> > keyingtries=5
> > keyexchange=ike
>
> And so will that blank line.
>
> >
> > ipsec.secrets:
> >
> > %any %any : PSK
> > "716ce954e871ce7eb193c78624387dbed03cb25c6430adc672cf072d79b1c66c"
>
> You will have to change this secret in production
>
> > Apr 2 16:28:24 telemetry pluto[3192]: NAT-Traversal support
> > [disabled]
>
> This is due to the blank line.
>
> Paul
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
--
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
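The hex dump pluto logged after the failed `pfkey write()` is the raw PF_KEY v2 message it tried to hand to KLIPS. The following decoder is an added example, not code from the thread or from Openswan; it uses the structure layouts from RFC 2367 (sadb_msg, sadb_ext, sadb_sa, sadb_address, sadb_key) and assumes a little-endian host, with the SPI and sockaddr port in network order as the kernel keeps them. Extension sizes are taken from each extension's own length field, so Openswan's 24-byte sadb_sa is handled without knowing its extra fields. Walking the dump this way lets you check that the message the log summarises (SADB_ADD, ESP, SPI esp.b2b35fa4, peer 192.168.95.104, message 5 from pid 2147) is the one actually written, and that its framing is internally consistent, before looking for the cause of the EPROTO on the kernel side. The session keys in the dump are from the poster's test VM; the decoder reports only their lengths.

```python
import struct
from ipaddress import IPv4Address

# Hex dump of the K_SADB_ADD message that pluto logged right after the
# failed pfkey write() in this thread, reassembled in order from the nine
# "pluto[2147]: | ..." log lines (16 bytes each, 144 bytes in total).
PFKEY_DUMP = bytes.fromhex(
    "02 03 00 03 12 00 00 00 05 00 00 00 63 08 00 00 "
    "03 00 01 00 b2 b3 5f a4 40 01 02 03 00 00 00 00 "
    "00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00 "
    "02 00 06 a5 c0 a8 5f 8c 00 00 00 00 00 00 00 00 "
    "03 00 06 00 00 00 00 00 02 00 06 a5 c0 a8 5f 68 "
    "00 00 00 00 00 00 00 00 03 00 08 00 80 00 00 00 "
    "dd 6f c5 0d 9b 56 13 9c 12 f1 d4 3e cf f0 67 e1 "
    "04 00 09 00 c0 00 00 00 ab 83 a9 3a 4a 64 44 fc "
    "88 b5 93 d1 33 58 4e 96 dd 0a cb 66 0d 01 11 c3"
)

# Constants from RFC 2367 (PF_KEY version 2); only the ones needed here.
MSG_TYPES = {1: "SADB_GETSPI", 2: "SADB_UPDATE", 3: "SADB_ADD", 4: "SADB_DELETE",
             5: "SADB_GET", 6: "SADB_ACQUIRE", 7: "SADB_REGISTER"}
SA_TYPES = {2: "SADB_SATYPE_AH", 3: "SADB_SATYPE_ESP"}
EXT_TYPES = {1: "SADB_EXT_SA", 2: "SADB_EXT_LIFETIME_CURRENT",
             3: "SADB_EXT_LIFETIME_HARD", 4: "SADB_EXT_LIFETIME_SOFT",
             5: "SADB_EXT_ADDRESS_SRC", 6: "SADB_EXT_ADDRESS_DST",
             7: "SADB_EXT_ADDRESS_PROXY", 8: "SADB_EXT_KEY_AUTH",
             9: "SADB_EXT_KEY_ENCRYPT"}
SA_STATES = {0: "LARVAL", 1: "MATURE", 2: "DYING", 3: "DEAD"}
AUTH_ALGS = {2: "SADB_AALG_MD5HMAC", 3: "SADB_AALG_SHA1HMAC"}
ENC_ALGS = {2: "SADB_EALG_DESCBC", 3: "SADB_EALG_3DESCBC"}
AF_INET = 2  # Linux value


def parse_ext(etype: int, body: bytes) -> dict:
    """Decode one extension (header included). Integers are host order
    (little-endian x86 assumed); the SPI and the sockaddr port are the
    exceptions, the kernel keeps those in network order."""
    ext = {"ext": EXT_TYPES.get(etype, f"ext#{etype}"), "len": len(body)}
    if etype == 1:  # struct sadb_sa
        spi = struct.unpack_from(">I", body, 4)[0]
        replay, state, auth, enc = struct.unpack_from("<BBBB", body, 8)
        flags = struct.unpack_from("<I", body, 12)[0]
        ext.update(spi=f"{spi:08x}", replay_window=replay,
                   state=SA_STATES.get(state, state),
                   auth=AUTH_ALGS.get(auth, auth),
                   encrypt=ENC_ALGS.get(enc, enc), flags=flags)
    elif etype in (5, 6, 7):  # struct sadb_address followed by a sockaddr
        proto, prefixlen = struct.unpack_from("<BB", body, 4)
        family = struct.unpack_from("<H", body, 8)[0]
        ext.update(proto=proto, prefixlen=prefixlen, family=family)
        if family == AF_INET:
            ext["port"] = struct.unpack_from(">H", body, 10)[0]
            ext["addr"] = str(IPv4Address(body[12:16]))
    elif etype in (8, 9):  # struct sadb_key; key bytes deliberately not reported
        bits = struct.unpack_from("<H", body, 4)[0]
        ext.update(bits=bits, key_bytes_present=len(body) - 8 >= (bits + 7) // 8)
    return ext


def parse_pfkey(buf: bytes) -> dict:
    """Parse a PF_KEY v2 message: a 16-byte sadb_msg header followed by
    extensions that each start with (length in 8-byte units, type)."""
    if len(buf) < 16:
        raise ValueError("truncated sadb_msg header")
    version, mtype, err, satype, units, _rsv, seq, pid = struct.unpack_from("<BBBBHHII", buf, 0)
    if version != 2:
        raise ValueError(f"unsupported PF_KEY version {version}")
    if units * 8 != len(buf):
        raise ValueError(f"sadb_msg_len claims {units * 8} bytes, dump has {len(buf)}")
    msg = {"type": MSG_TYPES.get(mtype, mtype), "errno": err,
           "satype": SA_TYPES.get(satype, satype), "seq": seq, "pid": pid, "exts": []}
    off = 16
    while off < len(buf):
        elen_units, etype = struct.unpack_from("<HH", buf, off)
        elen = elen_units * 8
        if elen < 8 or off + elen > len(buf):
            raise ValueError(f"bad extension length {elen} at offset {off}")
        msg["exts"].append(parse_ext(etype, buf[off:off + elen]))
        off += elen
    return msg


if __name__ == "__main__":
    m = parse_pfkey(PFKEY_DUMP)
    print(f"{m['type']} satype={m['satype']} seq={m['seq']} pid={m['pid']} errno={m['errno']}")
    for e in m["exts"]:
        print("  ", e)
```

Run as a script it prints the header and one line per extension. On this dump the header decodes to SADB_ADD for an ESP SA, sequence 5 from pid 2147 (pluto's pid in the log), the sadb_sa carries SPI b2b35fa4 in state MATURE with HMAC-MD5 and 3DES, the source and destination sockaddrs are 192.168.95.140:1701 and 192.168.95.104:1701, and the key extensions advertise 128 and 192 bits respectively; the advertised total length (18 units) matches the 144 bytes dumped. Note that the errno byte in the header is 0: the "Errno 71" in the log is the write(2) result, not part of the message pluto built.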