Package: openswan
Version: 1:2.6.38-1
Severity: normal

Dear Maintainer,

openswan literally crashes my VPS. This happens when a remote machine initiates an IPsec connection to the VPS. Below is what I have in /var/log/syslog when openswan is started, since I think it could be relevant:
Aug 11 18:53:39 vserver ipsec_setup: Starting Openswan IPsec U2.6.38-g312f1b8a-dirty/K3.9-0.bpo.1-amd64...
Aug 11 18:53:39 vserver ipsec_setup: Using NETKEY(XFRM) stack
Aug 11 18:53:39 vserver kernel: [ 606.915072] Initializing XFRM netlink socket
Aug 11 18:53:40 vserver kernel: [ 607.059905] AVX instructions are not detected.
Aug 11 18:53:40 vserver kernel: [ 607.083834] AVX instructions are not detected.
Aug 11 18:53:40 vserver ipsec_setup: ...Openswan IPsec started
Aug 11 18:53:40 vserver ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Aug 11 18:53:40 vserver pluto: adjusting ipsec.d to /etc/ipsec.d
Aug 11 18:53:40 vserver kernel: [ 607.359226] alg: No test for cipher_null (cipher_null-generic)
Aug 11 18:53:40 vserver kernel: [ 607.359279] alg: No test for ecb(cipher_null) (ecb-cipher_null)
Aug 11 18:53:40 vserver kernel: [ 607.359313] alg: No test for compress_null (compress_null-generic)
Aug 11 18:53:40 vserver kernel: [ 607.359346] alg: No test for digest_null (digest_null-generic)
Aug 11 18:53:40 vserver kernel: [ 607.382661] sha1_ssse3: Neither AVX nor SSSE3 is available/usable.
Aug 11 18:53:40 vserver ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/servercert.pem
Aug 11 18:53:40 vserver ipsec__plutorun: 002 loaded host cert file '/etc/ipsec.d/certs/servercert.pem' (1505 bytes)
Aug 11 18:53:40 vserver ipsec__plutorun: 002 no subjectAltName matches ID '%fromcert', replaced by subject DN
Aug 11 18:53:40 vserver ipsec__plutorun: 002 added connection description "l2tp"

The VPS crashes when I try to initiate a connection from a win7 client. Nothing gets written to the logs here, so the output below is the last screenful I get when logged into the VPS via the serial console using out of band access, with the VPS running in run level 1, and invoke-rc.d ipsec start done by hand:

pluto[2265]: packet from 10.0.0.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
pluto[2265]: packet from 10.0.0.1:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[2265]: packet from 10.0.0.1:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
pluto[2265]: packet from 10.0.0.1:500: ignoring Vendor ID payload [Vid-Initial-Contact]
pluto[2265]: packet from 10.0.0.1:500: ignoring Vendor ID payload [IKE CGA version 1]
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: responding to Main Mode from unknown peer 10.0.0.1
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: STATE_MAIN_R2: sent MR2, expecting MI3

At this point, the VPS isn't running anymore. I have to send it a boot request, and it boots up starting with grub and so on.

This happens with openswan in wheezy, and the version in unstable to which I upgraded the openswan package before filing this bug.

I see that openswan depends on bind9-host. My VPS is also running bind9 as a name server, which also crashes the VPS under certain conditions. I mention this here, in case it's relevant.

The VPS is based on KVM/QEMU.
According to /proc/cpuinfo on my VPS, the version of KVM/QEMU seems to be 0.91. The banner displayed when I log in to the out of band access account indicates the host is running OpenBSD. I don't know, however, if the machine on which my VPS runs is the same one used to provide out of band access.

I'm not sure what else I can do to help debug this. I will do my best to provide whatever additional information is necessary.

Thank you.

-- System Information:
Debian Release: 7.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.9-0.bpo.1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openswan depends on:
ii  bind9-host [host]      1:9.8.4.dfsg.P1-6+nmu2+deb7u1
ii  bsdmainutils           9.0.3
ii  debconf [debconf-2.0]  1.5.49
ii  host                   1:9.8.4.dfsg.P1-6+nmu2+deb7u1
ii  iproute                20120521-3+b3
ii  libc6                  2.13-38
ii  libcurl3               7.26.0-1+wheezy3
ii  libgmp10               2:5.0.5+dfsg-2
ii  libldap-2.4-2          2.4.31-1+nmu2
ii  libpam0g               1.1.3-7.1
ii  openssl                1.0.1e-2

openswan recommends no packages.

Versions of packages openswan suggests:
pn  curl                                             <none>
ii  openswan-doc                                     1:2.6.37-3
pn  openswan-modules-source | openswan-modules-dkms  <none>

-- Configuration Files:
/etc/ipsec.conf changed:
version 2.0     # conforms to second version of ipsec.conf specification

config setup
	# Do not set debug options to debug configuration issues!
	# plutodebug / klipsdebug = "all", "none" or a combation from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
	# eg:
	# plutodebug="control parsing"
	# Again: only enable plutodebug or klipsdebug when asked by a developer
	#
	# enable to get logs per-peer
	# plutoopts="--perpeerlog"
	#
	# Enable core dumps (might require system changes, like ulimit -C)
	# This is required for abrtd to work properly
	# Note: incorrect SElinux policies might prevent pluto writing the core
	dumpdir=/var/run/pluto/
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	nat_traversal=yes
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	# It seems that T-Mobile in the US and Rogers/Fido in Canada are
	# using 25/8 as "private" address space on their 3G network.
	# This range has not been announced via BGP (at least upto 2010-12-21)
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!192.168.2.0/24
	# OE is now off by default. Uncomment and change to on, to enable.
	oe=off
	# which IPsec stack to use. auto will try netkey, then klips then mast
	protostack=netkey
	# Use this to log to a file, or disable logging on embedded systems (like openwrt)
	#plutostderrlog=/dev/null
	interfaces="%none"

include /etc/ipsec.d/conf/l2tp.conf

/etc/ipsec.secrets [Errno 13] Permission denied: u'/etc/ipsec.secrets'
/etc/logcheck/ignore.d.paranoid/openswan [Errno 13] Permission denied: u'/etc/logcheck/ignore.d.paranoid/openswan'
/etc/logcheck/ignore.d.server/openswan [Errno 13] Permission denied: u'/etc/logcheck/ignore.d.server/openswan'
/etc/logcheck/ignore.d.workstation/openswan [Errno 13] Permission denied: u'/etc/logcheck/ignore.d.workstation/openswan'
/etc/logcheck/violations.ignore.d/openswan [Errno 13] Permission denied: u'/etc/logcheck/violations.ignore.d/openswan'

-- debconf information:
  openswan/no-oe_include_file:
  openswan/existing_x509_key_filename:
  openswan/x509_state_name:
  openswan/x509_email_address:
  openswan/x509_country_code: AT
  openswan/x509_self_signed: true
  openswan/rsa_key_length: 2048
  openswan/restart: true
* openswan/install_x509_certificate: false
  openswan/x509_organizational_unit:
  openswan/x509_locality_name:
  openswan/how_to_get_x509_certificate: create
  openswan/existing_x509_rootca_filename:
  openswan/runlevel_changes:
  openswan/existing_x509_certificate_filename:
  openswan/x509_common_name:
  openswan/x509_organization_name: