[Openswan Users] pluto core dump IKEv2 openswan 2.6.41
Alan Chester
amcheste at gmail.com
Tue Aug 19 13:40:36 EDT 2014
Hello,
I am currently seeing an issue with pluto core dumping when using IKEv2. I
am using openswan version 2.6.41.
Here is my current setup; please let me know if I have something configured
incorrectly:
/etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
virtual_private=
oe=off
plutostderrlog=/var/log/ipsec.log
dumpdir=/var/TKLC/core
plutorestartoncrash=no
# Enable this if you see "failed to find any available worker"
# nhelpers=0
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
Box A:
From test.conf:
conn test
left=192.168.165.70
pfs=yes
keylife=15m
ikev2=yes
authby=secret
right=192.168.165.74
auto=start
type=tunnel
ike=aes128-sha1;modp2048
phase2alg=aes128-sha1
Box B:
From test.conf:
conn test
left=192.168.165.74
pfs=yes
keylife=15m
ikev2=yes
authby=secret
right=192.168.165.70
auto=start
type=tunnel
ike=aes128-sha1;modp2048
phase2alg=aes128-sha1
The connection will successfully come up and function for a while but
eventually pluto will core dump. I notice the failure faster the lower my
keylife is.
I noticed the following in /var/log/messages:
Aug 17 04:18:20 localhost ipsec_setup: Starting Openswan IPsec
U2.6.32/K2.6.32-431.17.1.el6prerel7.0.0.0.0_86.7.0.x86_64...
Aug 17 04:18:20 localhost ipsec_setup: Using NETKEY(XFRM) stack
Aug 17 04:18:20 localhost kernel: padlock: VIA PadLock not detected.
Aug 17 04:18:20 localhost kernel: padlock: VIA PadLock Hash Engine not
detected.
Aug 17 04:18:20 localhost kernel: padlock: VIA PadLock not detected.
Aug 17 04:18:20 localhost ipsec_setup: ...Openswan IPsec started
Aug 17 04:18:20 localhost pluto: adjusting ipsec.d to /etc/ipsec.d
Aug 17 04:18:21 localhost ipsec__plutorun: 002 added connection description
"test"
Aug 17 04:18:21 localhost ipsec__plutorun: 133 "test" #1: STATE_PARENT_I1:
initiate
Aug 17 04:27:06 localhost rsyslogd: -- MARK --
Aug 17 04:42:06 localhost rsyslogd: -- MARK --
Aug 17 04:57:06 localhost rsyslogd: -- MARK --
Aug 17 05:12:06 localhost rsyslogd: -- MARK --
Aug 17 05:14:25 localhost kernel: pluto[5829]: segfault at 0 ip
00007f87e7f0e676 sp 00007fffdb0aa3c0 error 4 in pluto[7f87e7ea3000+fd000]
Aug 17 05:14:25 localhost ipsec__plutorun: /usr/libexec/ipsec/_plutorun:
line 250: 5829 Segmentation fault /usr/libexec/ipsec/pluto --nofork
--secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey
--uniqueids --nat_traversal --virtual_private oe=off --stderrlog 2>>
/var/log/ipsec.log
Aug 17 05:14:25 localhost ipsec__plutorun: !pluto failure!: exited with
error status 139 (signal 11)
Aug 17 05:14:25 localhost ipsec__plutorun: restarting IPsec after pause...
Aug 17 05:14:35 localhost ipsec_setup: Stopping Openswan IPsec...
Aug 17 05:14:35 localhost ipsec_setup: Removing orphaned
/var/run/pluto/pluto.pid:
Aug 17 05:14:35 localhost ipsec_setup: ...Openswan IPsec stopped
The following is from /var/log/ipsec:
...
"test" #1: initiating v2 parent SA
"test" #1: transition from state STATE_IKEv2_START to state STATE_PARENT_I1
"test" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
"test" #2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2
"test" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2
cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp2048}
| found connection: test
"test" #3: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
"test" #3: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2
cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp2048}
"test" #3: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.168.165.70'
| CHILD SA proposals received
"test" #3: PAUL: this is where we have to check the TSi/TSr
| printing contents struct traffic_selector
| ts_type: IKEv2_TS_IPV4_ADDR_RANGE
| ipprotoid: 0
| startport: 0
| endport: 65535
| ip low: 192.168.165.74
| ip high: 192.168.165.74
| printing contents struct traffic_selector
| ts_type: IKEv2_TS_IPV4_ADDR_RANGE
| ipprotoid: 0
| startport: 0
| endport: 65535
| ip low: 192.168.165.70
| ip high: 192.168.165.70
"test" #4: transition from state STATE_PARENT_R1 to state STATE_PARENT_R2
"test" #4: negotiated tunnel [192.168.165.74,192.168.165.74:0-65535 0] ->
[192.168.165.70,192.168.165.70:0-65535 0]
"test" #4: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel
mode {ESP=>0x14aeeb9a <0x36b9246b xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}
| releasing whack for #4 (sock=-1)
| releasing whack for #3 (sock=-1)
"test" #5: initiating Main Mode
pluto_crypto_helper: helper (2) is normal exiting
...
The following backtrace was created from the core file:
Core file created at UTC: 1408373805.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[New Thread 5708]
[Thread debugging using libthread_db enabled]
Core was generated by `/usr/libexec/ipsec/pluto --nofork --secretsfile
/etc/ipsec.secrets --ipsecdir /'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007fd4bd53e311 in oakley_alg_makedb (ai=<value optimized out>,
base=0x7fd4bd7c8620, maxtrans=-1) at
/scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_struct.c:191
191
/scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_struct.c:
No such file or directory.
in
/scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_struct.c
Thread 1 (Thread 0x7fd4bd4cb700 (LWP 5708)):
#0 0x00007fd4bd53e311 in oakley_alg_makedb (ai=<value optimized out>,
base=0x7fd4bd7c8620, maxtrans=-1) at
/scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_struct.c:191
hash = <value optimized out>
auth = 0x7fd4bdd5a3d0
grp = <value optimized out>
enc = <value optimized out>
enc_keylen = <value optimized out>
new_auth = <value optimized out>
trans = 0x7fd4bdd5a3a0
prop = 0x7fd4bdd5a380
cprop = 0x7fd4bdd5c540
gsp = <value optimized out>
emp_sp = 0x7fd4bdd5a350
ike_info = <value optimized out>
ealg = 7
halg = 2
modp = <value optimized out>
eklen = <value optimized out>
last_modp = <value optimized out>
wrong_modp = <value optimized out>
enc_desc = <value optimized out>
transcnt = <value optimized out>
i = <value optimized out>
#1 0x00007fd4bd5418cf in out_sa (outs=0x7fff24fcdb08, sadb=0x7fd4bd7c8620,
st=0x7fd4bdd5d420, oakley_mode=1, aggressive_mode=<value optimized out>,
np=13 '\r') at
/scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_v1_struct.c:259
sa_pbs = {container = 0x7fff24fce76c, desc = 0x7fff24fcdb08, name =
0x7fff24fce750 "\257\264\017Q\372\312R\306", start = 0x0, cur = 0x53f2142d
<Address 0x53f2142d out of bounds>, roof = 0x0, lenfld = 0x7fd4bd7e27a0 "",
lenfld_desc = 0x7fd4bd7c33d0}
pcn = <value optimized out>
ret = 0
ah_spi_generated = 0
esp_spi_generated = 0
ipcomp_cpi_generated = 0
revised_sadb = <value optimized out>
#2 0x00007fd4bd515243 in main_outI1 (whack_sock=<value optimized out>,
c=0x7fd4bdd56f60, predecessor=0x0, policy=<value optimized out>,
try=140551688890300, importance=<value optimized out>) at
/scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/ikev1_main.c:192
sa_start = 0x7fd4bd7d27bc "$"
np = 13
st = 0x7fd4bdd5d420
#3 0x00007fd4bd50a98b in handle_next_timer_event () at
/scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/timer.c:584
c = <value optimized out>
newest = <value optimized out>
ev = 0x7fd4bdd5c990
tm = 1408373805
type = 5
st = 0x7fd4bdd5ca90
#4 0x00007fd4bd50ad7a in handle_timer_event () at
/scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/timer.c:435
tm = <value optimized out>
ev = <value optimized out>
type = 5
#5 0x00007fd4bd5088e1 in call_server () at
/scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/server.c:806
readfds = {__osfds_bits = {0 <repeats 128 times>}}
writefds = {__osfds_bits = {0 <repeats 128 times>}}
ndes = <value optimized out>
ifp = <value optimized out>
#6 0x00007fd4bd50567a in main (argc=12, argv=0x7fff24fcf488) at
/scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/plutomain.c:1110
fork_desired = <value optimized out>
lockfd = -1119045976
ocspuri = 0x0
nhelpers = -1
coredir = <value optimized out>
oco = 0x7fd4bd7d22a0
nat_traversal = 1
nat_t_spf = 1
keep_alive = 0
force_keepalive = 0
virtual_private = 0x7fff24fd0c56 "oe=off"
Is there something wrong with my configuration? I am just passing ICMP
traffic. I do not notice this area with IKEv1.
Alan