[Openswan Users] ABORT at openswan-2.6.41/programs/pluto/ikev1_main.c:1085

Tom Parker tparker at cbnco.com
Wed Apr 9 13:37:52 EDT 2014


Hello List

This morning I updated one of my firewalls to openswan-2.6.41 from
2.6.33 and immediately started seeing this message in my logs:

Apr  9 06:27:30 mga-kali-0 ipsec__plutorun: Aborted
Apr  9 06:27:30 mga-kali-0 ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)
Apr  9 06:27:30 mga-kali-0 ipsec__plutorun: restarting IPsec after pause...
Apr  9 06:27:30 mga-kali-0 pluto[9064]: "mga-kali-lafise-proddmz-10_11_0_69" #163: ABORT at /var/lib/go-agent/pipelines/BuildBase/toastix/tmp/work/x86_64-oe-linux/openswan-2.6.41-r0.15/openswan-2.6.41/programs/pluto/ikev1_main.c:1085
Apr  9 06:27:30 mga-kali-0 pluto[9064]: "mga-kali-lafise-proddmz-10_11_0_69" #163: ABORT at /var/lib/go-agent/pipelines/BuildBase/toastix/tmp/work/x86_64-oe-linux/openswan-2.6.41-r0.15/openswan-2.6.41/programs/pluto/ikev1_main.c:1085

There are over 25MB of Gzipped logs so I'm not sure what is
interesting.  My main ipsec.conf is this:

#/etc/ipsec.conf - Openswan IPsec configuration file

version 2

config setup
        # We do IPsec on the internet-facing interface
        #interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        # Start all connections simultaneously instead of in sequence;
        # otherwise a failing connection might hold up the startup script?
        plutowait=no
        nat_traversal=yes
        #
        # On slow machines, pluto refuses to do crypto if it has a helper
        # and its helper is busy doing crypto for another connection.
        # This is no good, because all our machines are slow.
        # Turning off helpers forces it to do all crypto synchronously,
        # in-process.
        nhelpers=0

# Connection defaults.

conn %default
        # Unlimited retries.
        keyingtries=0
        # Sanity check packets on arrival.
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        #
        # Use AES256. Gives UDP throughput of over 900 KByte/sec on a net4801.
        #
        ike=aes256-sha,aes256-md5
        esp=aes256-sha1,aes256-md5

# Include cbnca tunnels
include /tmp/cluster/ipsec.active

# Include common tunnel configurations
include /etc/ipsec.d/*.tun

But I have hundreds of tunnels included.

If the list can let me know what they think is interesting I will reply
with that information attached.

Thanks

Tom

