[Openswan Users] Still server crash
Dennis van der Meer
dennisvandermeer at greenchem-adblue.com
Thu Apr 8 11:01:08 EDT 2010
Hi all,

It seems there is still no solution for my problem :-( I really hope there is someone who knows what is going on or can steer me in the right direction.

I've already tried to change to an older kernel version (2.6.31.13) and I still get the same result. And when I try to apply the kernel patch for KLIPS support it still barfs on the net/Makefile file, so I still have to manually edit this file for the compile to work.

I did notice that adding "forceencaps=yes" to the config adds a little bit more to the log file:
Apr 8 16:38:06 telemetry pluto[1575]: packet from 192.168.2.60:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 8 16:38:06 telemetry pluto[1575]: packet from 192.168.2.60:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 8 16:38:06 telemetry pluto[1575]: packet from 192.168.2.60:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Apr 8 16:38:06 telemetry pluto[1575]: packet from 192.168.2.60:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 8 16:38:06 telemetry pluto[1575]: "RoadWarrior"[3] 192.168.2.60 #3: responding to Main Mode from unknown peer 192.168.2.60
Apr 8 16:38:06 telemetry pluto[1575]: "RoadWarrior"[3] 192.168.2.60 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 8 16:38:06 telemetry pluto[1575]: "RoadWarrior"[3] 192.168.2.60 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[3] 192.168.2.60 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[3] 192.168.2.60 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[3] 192.168.2.60 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[3] 192.168.2.60 #3: Main mode peer ID is ID_FQDN: '@mylaptop.mydomain.local'
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[3] 192.168.2.60 #3: switched from "RoadWarrior" to "RoadWarrior"
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[4] 192.168.2.60 #3: deleting connection "RoadWarrior" instance with peer 192.168.2.60 {isakmp=#0/ipsec=#0}
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[4] 192.168.2.60 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[4] 192.168.2.60 #3: new NAT mapping for #3, was 192.168.2.60:500, now 192.168.2.60:4500
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[4] 192.168.2.60 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[4] 192.168.2.60 #3: peer client type is FQDN
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[4] 192.168.2.60 #3: Applying workaround for MS-818043 NAT-T bug
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[4] 192.168.2.60 #3: IDci was FQDN: \300\250\002?, using NAT_OA=192.168.2.60/32 as IDci
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[4] 192.168.2.60 #3: the peer proposed: 192.168.2.63/32:17/1701 -> 192.168.2.60/32:17/0
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[4] 192.168.2.60 #4: responding to Quick Mode proposal {msgid:f4b9843b}
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[4] 192.168.2.60 #4: us: 192.168.2.63[+S=C]:17/1701
Apr 8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[4] 192.168.2.60 #4: them: 192.168.2.60[@mylaptop.mydomain.local,+S=C]:17/1701
Apr 8 16:38:07 telemetry pluto[1575]: | NAT-OA: 4 tunnel: 1
Apr 8 16:38:07 telemetry pluto[1575]: ERROR: "RoadWarrior"[4] 192.168.2.60 #4: pfkey write() of K_SADB_ADD message 6 for Add SA esp.90613265 at 192.168.2.60 failed. Errno 71: Protocol error
Apr 8 16:38:07 telemetry pluto[1575]: | 02 03 00 03 18 00 00 00 06 00 00 00 27 06 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | 03 00 01 00 90 61 32 65 40 01 02 03 00 00 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | 00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | 02 00 06 a5 c0 a8 02 3f 00 00 00 00 00 00 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | 03 00 06 00 00 00 00 00 02 00 06 a5 c0 a8 02 3c
Apr 8 16:38:07 telemetry pluto[1575]: | 00 00 00 00 00 00 00 00 03 00 08 00 80 00 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | 88 a2 7f 5a eb ac 15 2c 1e 69 a2 51 df 0c 2f b3
Apr 8 16:38:07 telemetry pluto[1575]: | 04 00 09 00 c0 00 00 00 6f 1b bb f9 6a fe cb e0
Apr 8 16:38:07 telemetry pluto[1575]: | ba e2 68 81 e0 aa 6c 8d 26 bc 0c 4b fc 17 36 47
Apr 8 16:38:07 telemetry pluto[1575]: | 01 00 1b 00 02 00 00 00 01 00 1c 00 94 11 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | 01 00 1d 00 94 11 00 00 03 00 1e 00 00 00 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | 02 00 00 00 c0 a8 02 3c 00 00 00 00 00 00 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | failed to install outgoing SA: 0
Apr 8 16:38:08 telemetry pluto[1575]: "RoadWarrior"[4] 192.168.2.60 #4: discarding duplicate packet; already STATE_QUICK_R0
Apr 8 16:38:09 telemetry pluto[1575]: "RoadWarrior"[4] 192.168.2.60 #3: received Delete SA payload: deleting ISAKMP State #3
Apr 8 16:38:09 telemetry pluto[1575]: packet from 192.168.2.60:4500: received and ignored informational message
Dennis
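The failed pfkey message in the log above is dumped in full, so it can be decoded offline to see exactly what pluto asked KLIPS to install. The Python below is an added example, not part of this thread or of Openswan: it collects the "| xx xx" lines, decodes the RFC 2367 sadb_msg header and the standard SA, address and key extensions, and deliberately reports only the length of the two SADB_EXT_KEY payloads. That is the practical point of the exercise: the dump as posted carries the ESP authentication and encryption keys for the SA (320 bits in total), so output at this debug level should be scrubbed before it goes to a public list, even from a test box. Assumptions: the dump came from a little-endian host (sadb_msg fields are in host byte order), and the extension types 27 to 30 at the end, which RFC 2367 does not define, are reported as raw hex rather than named (their values, 4500 and the peer address, suggest the KLIPS NAT-T extensions, but the decoder does not assume that). The SPI it recovers, 90613265, matches the "esp.90613265" in the error line, and Errno 71 on Linux is EPROTO.

```python
import re
import socket
import struct

# The SADB hexdump pluto printed after the failed K_SADB_ADD in the 8 April
# log above, with each wrapped line rejoined (copied from the thread).
PLUTO_DUMP = """\
Apr 8 16:38:07 telemetry pluto[1575]: | 02 03 00 03 18 00 00 00 06 00 00 00 27 06 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | 03 00 01 00 90 61 32 65 40 01 02 03 00 00 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | 00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | 02 00 06 a5 c0 a8 02 3f 00 00 00 00 00 00 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | 03 00 06 00 00 00 00 00 02 00 06 a5 c0 a8 02 3c
Apr 8 16:38:07 telemetry pluto[1575]: | 00 00 00 00 00 00 00 00 03 00 08 00 80 00 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | 88 a2 7f 5a eb ac 15 2c 1e 69 a2 51 df 0c 2f b3
Apr 8 16:38:07 telemetry pluto[1575]: | 04 00 09 00 c0 00 00 00 6f 1b bb f9 6a fe cb e0
Apr 8 16:38:07 telemetry pluto[1575]: | ba e2 68 81 e0 aa 6c 8d 26 bc 0c 4b fc 17 36 47
Apr 8 16:38:07 telemetry pluto[1575]: | 01 00 1b 00 02 00 00 00 01 00 1c 00 94 11 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | 01 00 1d 00 94 11 00 00 03 00 1e 00 00 00 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | 02 00 00 00 c0 a8 02 3c 00 00 00 00 00 00 00 00
Apr 8 16:38:07 telemetry pluto[1575]: | failed to install outgoing SA: 0
"""

# RFC 2367 (PF_KEY v2) constants, only those this decoder needs.
SADB_MSG_TYPES = {1: "SADB_GETSPI", 2: "SADB_UPDATE", 3: "SADB_ADD", 4: "SADB_DELETE"}
SADB_SATYPES = {2: "AH", 3: "ESP"}
SADB_EXT_SA, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST = 1, 5, 6
SADB_EXT_KEY_AUTH, SADB_EXT_KEY_ENCRYPT = 8, 9
SADB_SASTATES = {0: "LARVAL", 1: "MATURE", 2: "DYING", 3: "DEAD"}
SADB_AALGS = {0: "NONE", 2: "HMAC-MD5", 3: "HMAC-SHA1"}
SADB_EALGS = {0: "NONE", 2: "DES-CBC", 3: "3DES-CBC", 11: "NULL"}

# Matches only the pure hex lines; the trailing "failed to install" line is skipped.
HEX_LINE = re.compile(r"\| ((?:[0-9a-f]{2} )*[0-9a-f]{2})\s*$")


def hexdump_to_bytes(log_text):
    """Collect the '| xx xx ..' lines of a pluto log into one byte string."""
    buf = bytearray()
    for line in log_text.splitlines():
        m = HEX_LINE.search(line)
        if m:
            buf += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(buf)


def _sockaddr_in(raw):
    """sockaddr_in: family in host order, port in network order, then 4 address bytes."""
    family, = struct.unpack_from("<H", raw, 0)
    if family != socket.AF_INET:
        return ("<non-IPv4 family %d>" % family, None)
    port, = struct.unpack_from("!H", raw, 2)
    return (socket.inet_ntoa(raw[4:8]), port)


def decode_sadb_msg(buf):
    """Decode the sadb_msg header and RFC 2367 extensions.

    Key bytes are never returned, only their length: they are exactly the part
    of such a dump that must not reach a public list."""
    # sadb_msg is in host byte order; assumed little-endian (x86 host in the thread).
    version, mtype, err, satype, mlen, _res, seq, pid = struct.unpack_from("<BBBBHHII", buf, 0)
    if version != 2:
        raise ValueError("not a PF_KEY v2 message (version %d)" % version)
    if mlen * 8 != len(buf):
        raise ValueError("sadb_msg_len is %d bytes, dump holds %d" % (mlen * 8, len(buf)))
    msg = {"type": SADB_MSG_TYPES.get(mtype, mtype), "satype": SADB_SATYPES.get(satype, satype),
           "errno": err, "seq": seq, "pid": pid, "exts": {}, "other_exts": []}
    off = 16
    while off < len(buf):
        elen, etype = struct.unpack_from("<HH", buf, off)   # length in 8-byte units
        if elen == 0 or off + elen * 8 > len(buf):
            raise ValueError("bad extension length at offset %d" % off)
        body = buf[off + 4:off + elen * 8]
        if etype == SADB_EXT_SA:
            spi, = struct.unpack_from("!I", body, 0)         # SPI travels in network order
            replay, state, auth, enc = struct.unpack_from("<BBBB", body, 4)
            msg["exts"]["sa"] = {"spi": "%08x" % spi, "replay_window": replay,
                                 "state": SADB_SASTATES.get(state, state),
                                 "auth": SADB_AALGS.get(auth, auth),
                                 "encrypt": SADB_EALGS.get(enc, enc)}
        elif etype in (SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST):
            # sadb_address body: proto, prefixlen, 2 reserved bytes, then the sockaddr
            key = "src" if etype == SADB_EXT_ADDRESS_SRC else "dst"
            msg["exts"][key] = _sockaddr_in(body[4:])
        elif etype in (SADB_EXT_KEY_AUTH, SADB_EXT_KEY_ENCRYPT):
            bits, = struct.unpack_from("<H", body, 0)
            key = "key_auth" if etype == SADB_EXT_KEY_AUTH else "key_encrypt"
            msg["exts"][key] = {"bits": bits, "key": "<redacted %d bytes>" % (bits // 8)}
        else:
            # Types RFC 2367 does not define (27..30 here): kept as raw hex, not guessed at.
            msg["other_exts"].append((etype, body.hex()))
        off += elen * 8
    return msg


def exposed_key_bits(msg):
    """Total SA key material the dump would leak if posted verbatim."""
    return sum(msg["exts"][k]["bits"] for k in ("key_auth", "key_encrypt") if k in msg["exts"])


if __name__ == "__main__":
    decoded = decode_sadb_msg(hexdump_to_bytes(PLUTO_DUMP))
    for name, value in decoded.items():
        print("%-10s %s" % (name, value))
    print("key bits in the dump:", exposed_key_bits(decoded))
```

Run as-is it prints the decoded message: SADB_ADD for an ESP SA, seq 6 from pid 1575 (matching pluto[1575]), SPI 90613265 in state MATURE with HMAC-MD5 and 3DES-CBC, source 192.168.2.63:1701 and destination 192.168.2.60:1701, a 128-bit authentication key and a 192-bit encryption key, and four undecoded extensions. The same decoder works on the 5 April dump further down the thread, which has no extensions beyond those RFC 2367 defines.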
-----Original Message-----
From: David McCullough [mailto:david_mccullough at mcafee.com]
Sent: Tuesday 6 April 2010 14:42
To: Dennis van der Meer
Cc: users at openswan.org
Subject: Re: [Openswan Users] Still server crash
Jivin Dennis van der Meer lays it down ...
> I don't know if the error is because I have not applied the NAT-T patch
> but if it is then there is another problem since the patch cannot be
> applied to the kernel version I am currently using (2.6.33).
The NAT-T patch is no more; as of 2.6.26 it is no longer needed with
current versions of openswan.
> Hopefully someone knows what is going on because I tried to google this
> error and came up with nothing relevant.
Not sure on the error, we'll see if someone else can help :-)
Cheers,
Davidm
> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Dennis van der Meer
> Sent: Monday 5 April 2010 14:19
> To: Paul Wouters
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Still server crash
>
> Hi Paul,
>
> The configuration will only be used on my VMWare test system. For production I will use different keys. I have made a little bit more progress but still it is not working. Right now I also have an L2TP server running (xl2tpd) so when I have ipsec running correctly I could get started on the next part.
> Since I am now working from a different location the IP information changed a little.
> The server itself still has 10.0.15.1 as its internal address. The external IP address has become 192.168.95.140. I have an XP client that connects from 192.168.95.104.
> I had to comment the last line in the config file otherwise I will get the same error as I did in my previous email. Here is my new config:
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
>
> # This file: /usr/local/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
> uniqueids=yes
> nat_traversal=no
>
> virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!10.0.2.0/24,%v4:!10.0.7.0/24,%v4:!192.168.100.0/24
> protostack=klips
> plutodebug="none"
> klipsdebug="none"
> conn %default
> keyingtries=0
> disablearrivalcheck=no
> authby=secret
> dpddelay=60
> dpdtimeout=120
> dpdaction=clear
> conn RoadWarrior
> authby=secret
> pfs=no
> rekey=no
> keyingtries=3
> left=%defaultroute
> leftprotoport=17/1701
> right=%any
> rightprotoport=17/%any
> auto=add
> type=tunnel
> # keyexchange=ike
> This is the output from /var/log/secure:
>
> Apr 5 13:56:47 telemetry ipsec__plutorun: Starting Pluto subsystem...
> Apr 5 13:56:47 telemetry pluto[2147]: Starting Pluto (Openswan Version 2.6.25; Vendor ID OEC`nT{wo^XH) pid:2147
> Apr 5 13:56:47 telemetry pluto[2147]: Setting NAT-Traversal port-4500 floating to off
> Apr 5 13:56:47 telemetry pluto[2147]: port floating activation criteria nat_t=0/port_float=1
> Apr 5 13:56:47 telemetry pluto[2147]: NAT-Traversal support [disabled]
> Apr 5 13:56:47 telemetry pluto[2147]: using /dev/urandom as source of random entropy
> Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
> Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
> Apr 5 13:56:47 telemetry pluto[2147]: starting up 1 cryptographic helpers
> Apr 5 13:56:47 telemetry pluto[2147]: started helper pid=2149 (fd:7)
> Apr 5 13:56:47 telemetry pluto[2147]: Using KLIPS IPsec interface code on 2.6.33-smp
> Apr 5 13:56:47 telemetry pluto[2147]: Changed path to directory '/etc/ipsec.d/cacerts'
> Apr 5 13:56:47 telemetry pluto[2147]: Changed path to directory '/etc/ipsec.d/aacerts'
> Apr 5 13:56:47 telemetry pluto[2147]: Changed path to directory '/etc/ipsec.d/ocspcerts'
> Apr 5 13:56:47 telemetry pluto[2147]: Changing to directory '/etc/ipsec.d/crls'
> Apr 5 13:56:47 telemetry pluto[2147]: Warning: empty directory
> Apr 5 13:56:47 telemetry pluto[2149]: using /dev/urandom as source of random entropy
> Apr 5 13:56:47 telemetry pluto[2147]: added connection description "RoadWarrior"
> Apr 5 13:56:47 telemetry pluto[2147]: listening for IKE messages
> Apr 5 13:56:47 telemetry pluto[2147]: adding interface ipsec0/eth0 192.168.95.140:500
> Apr 5 13:56:47 telemetry pluto[2147]: loading secrets from "/etc/ipsec.secrets"
> Apr 5 13:56:47 telemetry pluto[2147]: loaded private key for keyid: PPK_RSA:AQOeDYPHf
> Apr 5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> Apr 5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500: ignoring Vendor ID payload [FRAGMENTATION]
> Apr 5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
> Apr 5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: responding to Main Mode from unknown peer 192.168.95.104
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.95.104'
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: the peer proposed: 192.168.95.140/32:17/1701 -> 192.168.95.104/32:17/0
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #2: responding to Quick Mode proposal {msgid:0140e494}
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #2: us: 192.168.95.140[+S=C]:17/1701
> Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #2: them: 192.168.95.104[+S=C]:17/1701
> Apr 5 13:56:56 telemetry pluto[2147]: | NAT-OA: 0 tunnel: 1
> Apr 5 13:56:56 telemetry pluto[2147]: ERROR: "RoadWarrior"[1] 192.168.95.104 #2: pfkey write() of K_SADB_ADD message 5 for Add SA esp.b2b35fa4 at 192.168.95.104 failed. Errno 71: Protocol error
> Apr 5 13:56:56 telemetry pluto[2147]: | 02 03 00 03 12 00 00 00 05 00 00 00 63 08 00 00
> Apr 5 13:56:56 telemetry pluto[2147]: | 03 00 01 00 b2 b3 5f a4 40 01 02 03 00 00 00 00
> Apr 5 13:56:56 telemetry pluto[2147]: | 00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
> Apr 5 13:56:56 telemetry pluto[2147]: | 02 00 06 a5 c0 a8 5f 8c 00 00 00 00 00 00 00 00
> Apr 5 13:56:56 telemetry pluto[2147]: | 03 00 06 00 00 00 00 00 02 00 06 a5 c0 a8 5f 68
> Apr 5 13:56:56 telemetry pluto[2147]: | 00 00 00 00 00 00 00 00 03 00 08 00 80 00 00 00
> Apr 5 13:56:56 telemetry pluto[2147]: | dd 6f c5 0d 9b 56 13 9c 12 f1 d4 3e cf f0 67 e1
> Apr 5 13:56:56 telemetry pluto[2147]: | 04 00 09 00 c0 00 00 00 ab 83 a9 3a 4a 64 44 fc
> Apr 5 13:56:56 telemetry pluto[2147]: | 88 b5 93 d1 33 58 4e 96 dd 0a cb 66 0d 01 11 c3
> Apr 5 13:56:56 telemetry pluto[2147]: | failed to install outgoing SA: 0
> Apr 5 13:56:57 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #2: discarding duplicate packet; already STATE_QUICK_R0
> Apr 5 13:57:27 telemetry last message repeated 4 times
> Apr 5 13:57:42 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: received Delete SA payload: deleting ISAKMP State #1
> Apr 5 13:57:42 telemetry pluto[2147]: packet from 192.168.95.104:500: received and ignored informational message
> Apr 5 14:01:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104: deleting connection "RoadWarrior" instance with peer 192.168.95.104 {isakmp=#0/ipsec=#0}
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Friday 2 April 2010 23:57
> To: Dennis van der Meer
> Cc: David McCullough; users at openswan.org
> Subject: Re: [Openswan Users] Still server crash
>
> On Fri, 2 Apr 2010, Dennis van der Meer wrote:
>
> > # basic configuration
> > config setup
> > uniqueids=yes
> > nat_traversal=no
> >
> > virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!10.0.2.0/24,%v4:!10.0.7.0/24,%v4:!192.168.100.0/24
> > protostack=klips
> > plutodebug="none"
> > klipsdebug="none"
>
> That blank line will cause trouble
>
> > conn RoadWarrior
> > auto=add
> > left=192.168.2.63
> > leftsourceip=10.0.15.1
> > leftsubnet=10.0.15.0/24
> > leftprotoport=17/1701
> >
> > right=%any
> > rightprotoport=17/%any
> > rightsubnet=vhost:%no,%priv
> > pfs=no
> > authby=secret
> > type=tunnel
> > keyingtries=5
> > keyexchange=ike
>
> And so will that blank line.
>
> >
> > ipsec.secrets:
> >
> > %any %any : PSK
> > "716ce954e871ce7eb193c78624387dbed03cb25c6430adc672cf072d79b1c66c"
>
> You will have to change this secret in production
>
> > Apr 2 16:28:24 telemetry pluto[3192]: NAT-Traversal support
> > [disabled]
>
> This is due to the blank line.
>
> Paul
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
--
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com
http://www.uCdot.org