[Openswan Users] pluto core dump IKEv2 openswan 2.6.41
Alan Chester
amcheste at gmail.com
Fri Aug 29 11:13:13 EDT 2014
I am also seeing the following in ipsec.log now:
"test" #1: ERROR: asynchronous network error report on bond0.3 (sport=500)
for message to 192.168.165.74 port 500, complainant 192.168.165.74: No
route to host [errno 113, origin ICMP type 3 code 10 (not authenticated)]
Alan
On Tue, Aug 19, 2014 at 1:40 PM, Alan Chester <amcheste at gmail.com> wrote:
> Hello,
>
> I am currently seeing an issue with pluto core dumping when using IKEv2.
> I am using openswan version 2.6.41.
>
> Here is my current setup; please let me know if I have something configured
> incorrectly:
>
>
> /etc/ipsec.conf - Openswan IPsec configuration file
> #
> # Manual: ipsec.conf.5
> #
> # Please place your own config files in /etc/ipsec.d/ ending in .conf
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>     # klipsdebug=none
>     # plutodebug="control parsing"
>     # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>     protostack=netkey
>     nat_traversal=yes
>     virtual_private=
>     oe=off
>     plutostderrlog=/var/log/ipsec.log
>     dumpdir=/var/TKLC/core
>     plutorestartoncrash=no
>     # Enable this if you see "failed to find any available worker"
>     # nhelpers=0
>
> #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
> include /etc/ipsec.d/*.conf
>
>
> Box A:
> From test.conf:
> conn test
>     left=192.168.165.70
>     pfs=yes
>     keylife=15m
>     ikev2=yes
>     authby=secret
>     right=192.168.165.74
>     auto=start
>     type=tunnel
>     ike=aes128-sha1;modp2048
>     phase2alg=aes128-sha1
>
> Box B:
> From test.conf:
> conn test
>     left=192.168.165.74
>     pfs=yes
>     keylife=15m
>     ikev2=yes
>     authby=secret
>     right=192.168.165.70
>     auto=start
>     type=tunnel
>     ike=aes128-sha1;modp2048
>     phase2alg=aes128-sha1
>
> The connection will successfully come up and function for a while but
> eventually pluto will core dump. I notice the failure faster the lower my
> keylife is.
>
> I noticed the following in /var/log/messages:
> Aug 17 04:18:20 localhost ipsec_setup: Starting Openswan IPsec
> U2.6.32/K2.6.32-431.17.1.el6prerel7.0.0.0.0_86.7.0.x86_64...
> Aug 17 04:18:20 localhost ipsec_setup: Using NETKEY(XFRM) stack
> Aug 17 04:18:20 localhost kernel: padlock: VIA PadLock not detected.
> Aug 17 04:18:20 localhost kernel: padlock: VIA PadLock Hash Engine not
> detected.
> Aug 17 04:18:20 localhost kernel: padlock: VIA PadLock not detected.
> Aug 17 04:18:20 localhost ipsec_setup: ...Openswan IPsec started
> Aug 17 04:18:20 localhost pluto: adjusting ipsec.d to /etc/ipsec.d
> Aug 17 04:18:21 localhost ipsec__plutorun: 002 added connection
> description "test"
> Aug 17 04:18:21 localhost ipsec__plutorun: 133 "test" #1: STATE_PARENT_I1:
> initiate
> Aug 17 04:27:06 localhost rsyslogd: -- MARK --
> Aug 17 04:42:06 localhost rsyslogd: -- MARK --
> Aug 17 04:57:06 localhost rsyslogd: -- MARK --
> Aug 17 05:12:06 localhost rsyslogd: -- MARK --
> Aug 17 05:14:25 localhost kernel: pluto[5829]: segfault at 0 ip
> 00007f87e7f0e676 sp 00007fffdb0aa3c0 error 4 in pluto[7f87e7ea3000+fd000]
> Aug 17 05:14:25 localhost ipsec__plutorun: /usr/libexec/ipsec/_plutorun:
> line 250: 5829 Segmentation fault /usr/libexec/ipsec/pluto --nofork
> --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey
> --uniqueids --nat_traversal --virtual_private oe=off --stderrlog 2>>
> /var/log/ipsec.log
> Aug 17 05:14:25 localhost ipsec__plutorun: !pluto failure!: exited with
> error status 139 (signal 11)
> Aug 17 05:14:25 localhost ipsec__plutorun: restarting IPsec after pause...
> Aug 17 05:14:35 localhost ipsec_setup: Stopping Openswan IPsec...
> Aug 17 05:14:35 localhost ipsec_setup: Removing orphaned
> /var/run/pluto/pluto.pid:
> Aug 17 05:14:35 localhost ipsec_setup: ...Openswan IPsec stopped
>
> The following is from /var/log/ipsec:
> ...
> "test" #1: initiating v2 parent SA
> "test" #1: transition from state STATE_IKEv2_START to state STATE_PARENT_I1
> "test" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
> "test" #2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2
> "test" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2
> cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp2048}
> | found connection: test
> "test" #3: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
> "test" #3: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2
> cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp2048}
> "test" #3: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.168.165.70'
> | CHILD SA proposals received
> "test" #3: PAUL: this is where we have to check the TSi/TSr
> | printing contents struct traffic_selector
> | ts_type: IKEv2_TS_IPV4_ADDR_RANGE
> | ipprotoid: 0
> | startport: 0
> | endport: 65535
> | ip low: 192.168.165.74
> | ip high: 192.168.165.74
> | printing contents struct traffic_selector
> | ts_type: IKEv2_TS_IPV4_ADDR_RANGE
> | ipprotoid: 0
> | startport: 0
> | endport: 65535
> | ip low: 192.168.165.70
> | ip high: 192.168.165.70
> "test" #4: transition from state STATE_PARENT_R1 to state STATE_PARENT_R2
> "test" #4: negotiated tunnel [192.168.165.74,192.168.165.74:0-65535 0] ->
> [192.168.165.70,192.168.165.70:0-65535 0]
> "test" #4: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel
> mode {ESP=>0x14aeeb9a <0x36b9246b xfrm=AES_128-HMAC_SHA1 NATOA=none
> NATD=none DPD=none}
> | releasing whack for #4 (sock=-1)
> | releasing whack for #3 (sock=-1)
> "test" #5: initiating Main Mode
> pluto_crypto_helper: helper (2) is normal exiting
> ...
>
> The following backtrace was created from the core file:
>
> Core file created at UTC: 1408373805.
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> [New Thread 5708]
> [Thread debugging using libthread_db enabled]
> Core was generated by `/usr/libexec/ipsec/pluto --nofork --secretsfile
> /etc/ipsec.secrets --ipsecdir /'.
> Program terminated with signal 11, Segmentation fault.
> #0 0x00007fd4bd53e311 in oakley_alg_makedb (ai=<value optimized out>,
> base=0x7fd4bd7c8620, maxtrans=-1) at
> /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_struct.c:191
> 191
> /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_struct.c:
> No such file or directory.
> in
> /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_struct.c
>
> Thread 1 (Thread 0x7fd4bd4cb700 (LWP 5708)):
> #0 0x00007fd4bd53e311 in oakley_alg_makedb (ai=<value optimized out>,
> base=0x7fd4bd7c8620, maxtrans=-1) at
> /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_struct.c:191
> hash = <value optimized out>
> auth = 0x7fd4bdd5a3d0
> grp = <value optimized out>
> enc = <value optimized out>
> enc_keylen = <value optimized out>
> new_auth = <value optimized out>
> trans = 0x7fd4bdd5a3a0
> prop = 0x7fd4bdd5a380
> cprop = 0x7fd4bdd5c540
> gsp = <value optimized out>
> emp_sp = 0x7fd4bdd5a350
> ike_info = <value optimized out>
> ealg = 7
> halg = 2
> modp = <value optimized out>
> eklen = <value optimized out>
> last_modp = <value optimized out>
> wrong_modp = <value optimized out>
> enc_desc = <value optimized out>
> transcnt = <value optimized out>
> i = <value optimized out>
> #1 0x00007fd4bd5418cf in out_sa (outs=0x7fff24fcdb08,
> sadb=0x7fd4bd7c8620, st=0x7fd4bdd5d420, oakley_mode=1,
> aggressive_mode=<value optimized out>, np=13 '\r') at
> /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/spdb_v1_struct.c:259
> sa_pbs = {container = 0x7fff24fce76c, desc = 0x7fff24fcdb08, name
> = 0x7fff24fce750 "\257\264\017Q\372\312R\306", start = 0x0, cur =
> 0x53f2142d <Address 0x53f2142d out of bounds>, roof = 0x0, lenfld =
> 0x7fd4bd7e27a0 "", lenfld_desc = 0x7fd4bd7c33d0}
> pcn = <value optimized out>
> ret = 0
> ah_spi_generated = 0
> esp_spi_generated = 0
> ipcomp_cpi_generated = 0
> revised_sadb = <value optimized out>
> #2 0x00007fd4bd515243 in main_outI1 (whack_sock=<value optimized out>,
> c=0x7fd4bdd56f60, predecessor=0x0, policy=<value optimized out>,
> try=140551688890300, importance=<value optimized out>) at
> /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/ikev1_main.c:192
> sa_start = 0x7fd4bd7d27bc "$"
> np = 13
> st = 0x7fd4bdd5d420
> #3 0x00007fd4bd50a98b in handle_next_timer_event () at
> /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/timer.c:584
> c = <value optimized out>
> newest = <value optimized out>
> ev = 0x7fd4bdd5c990
> tm = 1408373805
> type = 5
> st = 0x7fd4bdd5ca90
> #4 0x00007fd4bd50ad7a in handle_timer_event () at
> /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/timer.c:435
> tm = <value optimized out>
> ev = <value optimized out>
> type = 5
> #5 0x00007fd4bd5088e1 in call_server () at
> /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/server.c:806
> readfds = {__osfds_bits = {0 <repeats 128 times>}}
> writefds = {__osfds_bits = {0 <repeats 128 times>}}
> ndes = <value optimized out>
> ifp = <value optimized out>
> #6 0x00007fd4bd50567a in main (argc=12, argv=0x7fff24fcf488) at
> /scratchpad/workdirs/achester/build/RPM/BUILD/openswan-2.6.41/programs/pluto/plutomain.c:1110
> fork_desired = <value optimized out>
> lockfd = -1119045976
> ocspuri = 0x0
> nhelpers = -1
> coredir = <value optimized out>
> oco = 0x7fd4bd7d22a0
> nat_traversal = 1
> nat_t_spf = 1
> keep_alive = 0
> force_keepalive = 0
> virtual_private = 0x7fff24fd0c56 "oe=off"
>
> Is there something wrong with my configuration? I am just passing ICMP
> traffic. I do not notice this area with IKEv1.
>
>
> Alan
>
>
--
Alan Chester
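
A triage helper for the kernel `segfault at` line quoted in the report, as an added example that is not part of the original post or of Openswan: it decodes the x86 page-fault error code and computes the faulting instruction's offset inside the mapped `pluto` object, which is the value a symbolizer needs when no core file is at hand. The function name `parse_segfault` and the dictionary keys are hypothetical; the sample is the line from the report with its e-mail line wrap removed.

```python
import re

# Constructed sample: the kernel line from the report, rejoined after e-mail wrapping.
SAMPLE = ("Aug 17 05:14:25 localhost kernel: pluto[5829]: segfault at 0 ip "
          "00007f87e7f0e676 sp 00007fffdb0aa3c0 error 4 in "
          "pluto[7f87e7ea3000+fd000]")

SEGV_RE = re.compile(
    r"kernel: (?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")


def parse_segfault(line):
    """Return a triage dict for a kernel 'segfault at' line, or None if no match."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    err = int(m["err"], 16)  # the kernel prints the page-fault error code in hex
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    # x86 page-fault error code bits: 0x01 page present, 0x02 write,
    # 0x04 user mode, 0x10 instruction fetch.
    if err & 0x10:
        access = "exec"
    elif err & 0x02:
        access = "write"
    else:
        access = "read"
    result = {
        "comm": m["comm"], "pid": int(m["pid"]),
        "fault_addr": addr, "access": access,
        "mode": "user" if err & 0x04 else "kernel",
        "page_present": bool(err & 0x01),
        # Heuristic: a fault on an unmapped address in the first page is a
        # NULL pointer (or NULL plus a small field offset) dereference.
        "null_deref": addr < 0x1000 and not err & 0x01,
        "object": m["obj"], "offset": None,
    }
    if m["base"] is not None:
        base, size = int(m["base"], 16), int(m["size"], 16)
        if base <= ip < base + size:
            # Offset from the start of the mapping the kernel reported.
            result["offset"] = ip - base
    return result


if __name__ == "__main__":
    for key, value in parse_segfault(SAMPLE).items():
        print(key, hex(value) if key in ("fault_addr", "offset") else value)
```

The offset is relative to the mapping start the kernel printed, so it maps directly to a file address only when that mapping begins at the object's load base.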