[Openswan Users] Still server crash

Dennis van der Meer dennisvandermeer at greenchem-adblue.com
Tue Apr 13 09:31:01 EDT 2010


Hi,

It seems that with the great hint from Armin Krauss I was able to get
things working (at least the IPSEC part) with the
Openswan crypto modules. Whenever I try to make an IPSEC connection from
my WinXP client I see the info shown further below.
I can start the vpn every time and get the same result so it works.
After I verified that this worked I started with setting up xl2tpd for
the L2TP part. I started the software with:

xl2tpd -c /etc/xl2tpd.conf -C /var/run/l2tp-control -D

But unfortunately IPSEC crashes again whenever I start a vpn connection.

When I start xl2tpd I see the following info:

xl2tpd[1705]: setsockopt recvref[22]: Protocol not available
xl2tpd[1705]: This binary does not support kernel L2TP.
xl2tpd[1705]: xl2tpd version xl2tpd-1.2.4 started on telemetry PID:1705
xl2tpd[1705]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1705]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1705]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1705]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1705]: Listening on IP address 0.0.0.0, port 1701

So it looks ok I think. Now I get the following message whenever I start
a vpn connection:

xl2tpd[1705]: Maximum retries exceeded for tunnel 51765. Closing.

In my /var/log/secure I see the following messages appear:

Apr 13 15:19:23 telemetry pluto[1607]: packet from 192.168.2.60:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 13 15:19:23 telemetry pluto[1607]: packet from 192.168.2.60:500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 13 15:19:23 telemetry pluto[1607]: packet from 192.168.2.60:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106 
Apr 13 15:19:23 telemetry pluto[1607]: packet from 192.168.2.60:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #5:
responding to Main Mode from unknown peer 192.168.2.60
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #5:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #5:
STATE_MAIN_R1: sent MR1, expecting MI2
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #5:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #5:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #5:
STATE_MAIN_R2: sent MR2, expecting MI3
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #5:
Main mode peer ID is ID_IPV4_ADDR: '192.168.2.60'
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #5:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #5:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #5:
the peer proposed: 192.168.2.246/32:17/1701 -> 192.168.2.60/32:17/1701
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #6:
responding to Quick Mode proposal {msgid:a1b67eac}
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #6:
us: 192.168.2.246[+S=C]:17/1701
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #6:
them: 192.168.2.60[+S=C]:17/1701
Apr 13 15:19:23 telemetry pluto[1607]: | NAT-OA: 0 tunnel: 1  
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #6:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 13 15:19:23 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #6:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 13 15:19:23 telemetry pluto[1607]: ERROR: "RoadWarrior"[1]
192.168.2.60 #6: pfkey write() of K_SADB_X_ADDFLOW message 16 for flow
esp.644b7484 at 192.168.2.60 failed. Errno 17: File exists
Apr 13 15:19:23 telemetry pluto[1607]: |   02 0e 00 02  18 00 00 00  10
00 00 00  47 06 00 00
Apr 13 15:19:23 telemetry pluto[1607]: |   03 00 01 00  64 4b 74 84  00
00 00 00  00 00 00 00
Apr 13 15:19:23 telemetry pluto[1607]: |   00 00 00 00  00 00 00 00  03
00 05 00  00 00 00 00
Apr 13 15:19:23 telemetry pluto[1607]: |   02 00 06 a5  c0 a8 02 f6  00
00 00 00  00 00 00 00
Apr 13 15:19:23 telemetry pluto[1607]: |   03 00 06 00  00 00 00 00  02
00 06 a5  c0 a8 02 3c
Apr 13 15:19:23 telemetry pluto[1607]: |   00 00 00 00  00 00 00 00  03
00 15 00  00 00 00 00
Apr 13 15:19:23 telemetry pluto[1607]: |   02 00 06 a5  c0 a8 02 f6  00
00 00 00  00 00 00 00
Apr 13 15:19:23 telemetry pluto[1607]: |   03 00 16 00  00 00 00 00  02
00 06 a5  c0 a8 02 3c
Apr 13 15:19:23 telemetry pluto[1607]: |   00 00 00 00  00 00 00 00  03
00 17 00  00 00 00 00
Apr 13 15:19:23 telemetry pluto[1607]: |   02 00 ff ff  ff ff ff ff  00
00 00 00  00 00 00 00
Apr 13 15:19:23 telemetry pluto[1607]: |   03 00 18 00  00 00 00 00  02
00 ff ff  ff ff ff ff
Apr 13 15:19:23 telemetry pluto[1607]: |   00 00 00 00  00 00 00 00  01
00 1a 00  11 2a 00 00
Apr 13 15:19:23 telemetry pluto[1607]: | raw_eroute result=0 
Apr 13 15:19:33 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #6:
discarding duplicate packet; already STATE_QUICK_R1
Apr 13 15:19:53 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #6:
discarding duplicate packet; already STATE_QUICK_R1
Apr 13 15:19:58 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #5:
ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x644b7484) not found
(maybe expired)
Apr 13 15:19:58 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #5:
received and ignored informational message
Apr 13 15:19:58 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #5:
received Delete SA payload: deleting ISAKMP State #5
Apr 13 15:19:58 telemetry pluto[1607]: packet from 192.168.2.60:500:
received and ignored informational message

/etc/ppp/options.xl2tpd:

ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.1.1
ms-dns  192.168.1.3
ms-wins 192.168.1.2
ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

/etc/xl2tpd.conf:

[lns default]
ip range = 10.0.15.100-10.0.15.154
local ip = 10.0.15.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ipsec.conf:

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	uniqueids=yes
	nat_traversal=yes
	
virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4
:!192.168.2.0/24,%v4:!10.0.2.0/24,%v4:!10.0.7.0/24,%v4:!192.168.100.0/24
	protostack=klips
	plutodebug="none"
	klipsdebug=verbose
conn %default
	keyingtries=0
	disablearrivalcheck=no
	authby=secret
conn RoadWarrior
	authby=secret
	# Set ikelifetime and keylife to same defaults windows has
	ikelifetime=8h
	keylife=1h
	# l2tp-over-ipsec is transport mode
	type=transport
#	type=tunnel
	pfs=no
	rekey=no
	keyingtries=3
	left=%defaultroute
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
	auto=add
#	keyexchange=ike

Working log for /var/log/secure:

Apr 13 13:02:14 telemetry pluto[1607]: Starting Pluto (Openswan Version
2.6.master-201014.git-gcfb97bc7; Vendor ID OENM at VzLsvV\177) pid:1607
Apr 13 13:02:14 telemetry pluto[1607]: Setting NAT-Traversal port-4500
floating to on
Apr 13 13:02:14 telemetry pluto[1607]:    port floating activation
criteria nat_t=1/port_float=1
Apr 13 13:02:14 telemetry pluto[1607]:    NAT-Traversal support
[enabled]
Apr 13 13:02:14 telemetry pluto[1607]: using /dev/urandom as source of
random entropy
Apr 13 13:02:14 telemetry pluto[1607]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr 13 13:02:14 telemetry pluto[1607]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr 13 13:02:14 telemetry pluto[1607]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr 13 13:02:14 telemetry pluto[1607]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 13 13:02:14 telemetry pluto[1607]: ike_alg_register_enc():
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr 13 13:02:14 telemetry pluto[1607]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)
Apr 13 13:02:14 telemetry pluto[1607]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)
Apr 13 13:02:14 telemetry pluto[1607]: starting up 1 cryptographic
helpers
Apr 13 13:02:14 telemetry pluto[1612]: using /dev/urandom as source of
random entropy
Apr 13 13:02:14 telemetry pluto[1607]: started helper pid=1612 (fd:7)
Apr 13 13:02:14 telemetry pluto[1607]: Using KLIPS IPsec interface code
on 2.6.31.13
Apr 13 13:02:15 telemetry pluto[1607]: Changed path to directory
'/etc/ipsec.d/cacerts'
Apr 13 13:02:15 telemetry pluto[1607]: Changed path to directory
'/etc/ipsec.d/aacerts'
Apr 13 13:02:15 telemetry pluto[1607]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Apr 13 13:02:15 telemetry pluto[1607]: Changing to directory
'/etc/ipsec.d/crls'
Apr 13 13:02:15 telemetry pluto[1607]:   Warning: empty directory
Apr 13 13:02:15 telemetry pluto[1607]: added connection description
"RoadWarrior"
Apr 13 13:02:15 telemetry pluto[1607]: added connection description
"L2TP-PSK-NAT"
Apr 13 13:02:15 telemetry pluto[1607]: listening for IKE messages
Apr 13 13:02:15 telemetry pluto[1607]: NAT-Traversal: Trying new style
NAT-T
Apr 13 13:02:15 telemetry pluto[1607]: adding interface ipsec0/eth0
192.168.2.246:500
Apr 13 13:02:15 telemetry pluto[1607]: adding interface ipsec0/eth0
192.168.2.246:4500
Apr 13 13:02:15 telemetry pluto[1607]: loading secrets from
"/etc/ipsec.secrets"
Apr 13 13:02:15 telemetry pluto[1607]: loaded private key for keyid:
PPK_RSA:AQOeDYPHf
Apr 13 14:52:08 telemetry pluto[1607]: packet from 192.168.2.60:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 13 14:52:08 telemetry pluto[1607]: packet from 192.168.2.60:500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 13 14:52:08 telemetry pluto[1607]: packet from 192.168.2.60:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106 
Apr 13 14:52:08 telemetry pluto[1607]: packet from 192.168.2.60:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #1:
responding to Main Mode from unknown peer 192.168.2.60
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #1:
Main mode peer ID is ID_IPV4_ADDR: '192.168.2.60'
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #1:
the peer proposed: 192.168.2.246/32:17/1701 -> 192.168.2.60/32:17/0
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #2:
responding to Quick Mode proposal {msgid:e373b324}
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #2:
us: 192.168.2.246[+S=C]:17/1701
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #2:
them: 192.168.2.60[+S=C]:17/1701
Apr 13 14:52:08 telemetry pluto[1607]: | NAT-OA: 0 tunnel: 1  
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #2:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #2:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 13 14:52:08 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #2:
STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x94fa78c1
<0xcc6fb5f2 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Apr 13 14:52:43 telemetry pluto[1607]: "RoadWarrior"[1] 192.168.2.60 #1:
received Delete SA payload: deleting ISAKMP State #1
Apr 13 14:52:43 telemetry pluto[1607]: packet from 192.168.2.60:500:
received and ignored informational message
Apr 13 14:52:43 telemetry pluto[1607]: packet from 192.168.2.60:500:
Informational Exchange is for an unknown (expired?) SA with
MSGID:0xd44ecee8

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: vrijdag 9 april 2010 17:23
To: Dennis van der Meer
Cc: users at openswan.org
Subject: RE: [Openswan Users] Still server crash

On Thu, 8 Apr 2010, Dennis van der Meer wrote:

> Linux Openswan 2.6.master-201014.git-gcfb97bc7 (klips)
>
> So I use KLIPS.

> ip ah init: can't add protocol
> ip esp init: can't add protocol

>
> I checked my kernel config and found out some of the options were
> enabled so I changed the following:
>
> # CONFIG_INET_AH is not set
> # CONFIG_INET_ESP is not set
> # CONFIG_INET_IPCOMP is not set
> # CONFIG_INET_XFRM_TUNNEL is not set
> CONFIG_INET_TUNNEL=y

You should disasble that too, as KLIPS will be providing all the hooks.

> # CONFIG_INET_XFRM_MODE_TRANSPORT is not set
> # CONFIG_INET_XFRM_MODE_TUNNEL is not set
> # CONFIG_INET_XFRM_MODE_BEET is not set
>
> KLIPS options are set as recommended in an earlier email. I recompiled
> the kernel, restarted the system
> and checked the logs. No messages anymore about esp and ah but ipsec
> still crashes as soon as I start the vpn

Yes, we are currently working on that crasher. As a work around, you can
enable cryptoapi, and disable the built in 3DES and AES in KLIPS.

Paul


More information about the Users mailing list