Re: [strongSwan] charon: [15]CFG trap not found, unable to acquire reqid 0
Hi Vilhelm,

On Wednesday 21 March 2012 03:24 PM, Vilhelm Jutvik wrote:
> Hello Gowri,
>
> this seems to be the same problem (however I cannot confirm that
> SIGSEGV is the culprit in my case).
>

So, can you check/paste what is happening while ENC parsing
IKE_SA_INIT response for SA payload. You can get it from charon.log
with strongswan.conf setting as in http://wiki.strongswan.org/issues/184

If you see that, charon restarts just after that, following an error
message something like "killing ourself, received critical signal",
this confirms the SIGSEGV issue.

Thanks,
Gowri Shankar

> I saw that you hadn't been able to reproduce the error on x86. My
> error occurred on x86 while running on virtualized hardware (virtual
> box).
>
> Sincerely,
> Vilhelm Jutvik
>
> 2012/3/21 gowrishankar:
>> Hi Tobias,
>>
>>
>> On Wednesday 21 March 2012 12:44 AM, Vilhelm Jutvik wrote:
>>> Dear Tobias,
>>>
>>> thank you very much. I thought that charon was signalled by the IPsec
>>> stack's SPD when a new SA was to be negotiated, not that it itself set
>>> the policy.
>>>
>>> Your solution didn't work right away though. I found that "ipsec
>>> start" only started the starter process and nothing more. It was not
>>> until I removed the charondebug option of the config section (as seen
>>> below) that it started. It works though if you limit the debugging
>>> level and / or the number of debugging options. I've reproduced this
>>> several times just to be sure. Why is this?
>>>
>> I have observed the same problem recently and posted a patch in
>> issue tracker. Can you please have a check.
>>
>> http://wiki.strongswan.org/issues/184
>>
>> Thanks,
>> Gowri Shankar
>>
>>> The problem line was (in full):
>>> charondebug="asn 3,knl 3,mgr 3,ike 3,chd 3,net 3,enc 3"
>>> It works if you change it so (e.g.) charondebug="ike 3"
>>>
>>> My strongswan version is 4.5.2 as included in Ubuntu 11.10
>>>
>>> Sincerely,
>>> Vilhelm Jutvik
>>> MS Thesis Student at SICS
>>>
>>> 2012/3/13 Tobias Brunner:
>>>> Hi Vilhelm,
>>>>
>>>>> config setup
>>>>>     crlcheckinterval=180
>>>>>     strictcrlpolicy=no
>>>>>     plutostart=no
>>>>>     charondebug="asn 4, knl 4,mgr 4,ike 4,chd 4,net 4,enc 4"
>>>>>
>>>>> conn %default
>>>>>     auth=esp
>>>>>     authby=psk
>>>>>     esp=aes128ctr-aesxcbc!
>>>>>     ikelifetime=60m
>>>>>     keylife=20m
>>>>>     keyingtries=1
>>>>>     rekeymargin=3m
>>>>>     keyexchange=ikev2
>>>>>     ike=aes128ctr-aesxcbc-ecp192!
>>>>>     type=transport
>>>>
>>>> Your config file looks incomplete. You have to specify at least one
>>>> conn section (other than %default) with the auto keyword (auto can be
>>>> specified in %default, though). Where auto=route might be what you
>>>> want, as charon will then install policies in the kernel's SPD and an SA
>>>> will automatically be negotiated upon matching traffic. You also need
>>>> to specify right and optionally left (the endpoints of the IKE_SA) in
>>>> that conn section. If you only want specific traffic to be tunneled use
>>>> the left|rightsubnet and left|rightprotoport keywords (see the example
>>>> at [1]).
>>>>
>>>> Also if you want to configure the policies in the kernel yourself make
>>>> sure you use a reqid > 0 and then specify reqid= and
>>>> installpolicy=no in the respective conn section.
>>>>
>>>> Regards,
>>>> Tobias
>>>>
>>>> [1] http://www.strongswan.org/uml/testresults/ikev2/protoport-route/

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] charon: [15]CFG trap not found, unable to acquire reqid 0
No, there was no such message in my logs. Furthermore, the starter
process didn't die. You had to kill it manually, remove the PID file
and then type "ipsec start" again. I think I suffered from the same
problem as experienced by Gowri.

Regards,
Ville

2012/3/21 Tobias Brunner:
> Hi Vilhelm,
>
>> It works though if you limit the debugging level and / or the number
>> of debugging options. I've reproduced this several times just to be
>> sure. Why is this?
>>
>> The problem line was (in full):
>> charondebug="asn 3,knl 3,mgr 3,ike 3,chd 3,net 3,enc 3"
>> It works if you change it so (e.g.) charondebug="ike 3"
>>
>> My strongswan version is 4.5.2 as included in Ubuntu 11.10
>
> Well, my guess is that this is because the asn log group was not added
> until the most recent release (4.6.2). But you should have seen a
> message regarding this (something like "unrecognized option '--debug-asn'").
>
> Regards,
> Tobias
Re: [strongSwan] charon: [15]CFG trap not found, unable to acquire reqid 0
Hi Vilhelm,

> It works though if you limit the debugging level and / or the number
> of debugging options. I've reproduced this several times just to be
> sure. Why is this?
>
> The problem line was (in full):
> charondebug="asn 3,knl 3,mgr 3,ike 3,chd 3,net 3,enc 3"
> It works if you change it so (e.g.) charondebug="ike 3"
>
> My strongswan version is 4.5.2 as included in Ubuntu 11.10

Well, my guess is that this is because the asn log group was not added
until the most recent release (4.6.2). But you should have seen a
message regarding this (something like "unrecognized option '--debug-asn'").

Regards,
Tobias
Re: [strongSwan] charon: [15]CFG trap not found, unable to acquire reqid 0
Hello Gowri,

this seems to be the same problem (however I cannot confirm that
SIGSEGV is the culprit in my case).

I saw that you hadn't been able to reproduce the error on x86. My
error occurred on x86 while running on virtualized hardware (virtual
box).

Sincerely,
Vilhelm Jutvik

2012/3/21 gowrishankar:
> Hi Tobias,
>
>
> On Wednesday 21 March 2012 12:44 AM, Vilhelm Jutvik wrote:
>>
>> Dear Tobias,
>>
>> thank you very much. I thought that charon was signalled by the IPsec
>> stack's SPD when a new SA was to be negotiated, not that it itself set
>> the policy.
>>
>> Your solution didn't work right away though. I found that "ipsec
>> start" only started the starter process and nothing more. It was not
>> until I removed the charondebug option of the config section (as seen
>> below) that it started. It works though if you limit the debugging
>> level and / or the number of debugging options. I've reproduced this
>> several times just to be sure. Why is this?
>>
> I have observed the same problem recently and posted a patch in
> issue tracker. Can you please have a check.
>
> http://wiki.strongswan.org/issues/184
>
> Thanks,
> Gowri Shankar
>
>> The problem line was (in full):
>> charondebug="asn 3,knl 3,mgr 3,ike 3,chd 3,net 3,enc 3"
>> It works if you change it so (e.g.) charondebug="ike 3"
>>
>> My strongswan version is 4.5.2 as included in Ubuntu 11.10
>>
>> Sincerely,
>> Vilhelm Jutvik
>> MS Thesis Student at SICS
>>
>> 2012/3/13 Tobias Brunner:
>>>
>>> Hi Vilhelm,
>>>
>>>> config setup
>>>>     crlcheckinterval=180
>>>>     strictcrlpolicy=no
>>>>     plutostart=no
>>>>     charondebug="asn 4, knl 4,mgr 4,ike 4,chd 4,net 4,enc 4"
>>>>
>>>> conn %default
>>>>     auth=esp
>>>>     authby=psk
>>>>     esp=aes128ctr-aesxcbc!
>>>>     ikelifetime=60m
>>>>     keylife=20m
>>>>     keyingtries=1
>>>>     rekeymargin=3m
>>>>     keyexchange=ikev2
>>>>     ike=aes128ctr-aesxcbc-ecp192!
>>>>     type=transport
>>>
>>> Your config file looks incomplete. You have to specify at least one
>>> conn section (other than %default) with the auto keyword (auto can be
>>> specified in %default, though). Where auto=route might be what you
>>> want, as charon will then install policies in the kernel's SPD and an SA
>>> will automatically be negotiated upon matching traffic. You also need
>>> to specify right and optionally left (the endpoints of the IKE_SA) in
>>> that conn section. If you only want specific traffic to be tunneled use
>>> the left|rightsubnet and left|rightprotoport keywords (see the example
>>> at [1]).
>>>
>>> Also if you want to configure the policies in the kernel yourself make
>>> sure you use a reqid > 0 and then specify reqid= and
>>> installpolicy=no in the respective conn section.
>>>
>>> Regards,
>>> Tobias
>>>
>>> [1] http://www.strongswan.org/uml/testresults/ikev2/protoport-route/
Re: [strongSwan] charon: [15]CFG trap not found, unable to acquire reqid 0
Hi Tobias,

On Wednesday 21 March 2012 12:44 AM, Vilhelm Jutvik wrote:
> Dear Tobias,
>
> thank you very much. I thought that charon was signalled by the IPsec
> stack's SPD when a new SA was to be negotiated, not that it itself set
> the policy.
>
> Your solution didn't work right away though. I found that "ipsec
> start" only started the starter process and nothing more. It was not
> until I removed the charondebug option of the config section (as seen
> below) that it started. It works though if you limit the debugging
> level and / or the number of debugging options. I've reproduced this
> several times just to be sure. Why is this?
>

I have observed the same problem recently and posted a patch in
issue tracker. Can you please have a check.

http://wiki.strongswan.org/issues/184

Thanks,
Gowri Shankar

> The problem line was (in full):
> charondebug="asn 3,knl 3,mgr 3,ike 3,chd 3,net 3,enc 3"
> It works if you change it so (e.g.) charondebug="ike 3"
>
> My strongswan version is 4.5.2 as included in Ubuntu 11.10
>
> Sincerely,
> Vilhelm Jutvik
> MS Thesis Student at SICS
>
> 2012/3/13 Tobias Brunner:
>> Hi Vilhelm,
>>
>>> config setup
>>>     crlcheckinterval=180
>>>     strictcrlpolicy=no
>>>     plutostart=no
>>>     charondebug="asn 4, knl 4,mgr 4,ike 4,chd 4,net 4,enc 4"
>>>
>>> conn %default
>>>     auth=esp
>>>     authby=psk
>>>     esp=aes128ctr-aesxcbc!
>>>     ikelifetime=60m
>>>     keylife=20m
>>>     keyingtries=1
>>>     rekeymargin=3m
>>>     keyexchange=ikev2
>>>     ike=aes128ctr-aesxcbc-ecp192!
>>>     type=transport
>> Your config file looks incomplete. You have to specify at least one
>> conn section (other than %default) with the auto keyword (auto can be
>> specified in %default, though). Where auto=route might be what you
>> want, as charon will then install policies in the kernel's SPD and an SA
>> will automatically be negotiated upon matching traffic. You also need
>> to specify right and optionally left (the endpoints of the IKE_SA) in
>> that conn section. If you only want specific traffic to be tunneled use
>> the left|rightsubnet and left|rightprotoport keywords (see the example
>> at [1]).
>>
>> Also if you want to configure the policies in the kernel yourself make
>> sure you use a reqid > 0 and then specify reqid= and
>> installpolicy=no in the respective conn section.
>>
>> Regards,
>> Tobias
>>
>> [1] http://www.strongswan.org/uml/testresults/ikev2/protoport-route/
Re: [strongSwan] charon: [15]CFG trap not found, unable to acquire reqid 0
Dear Tobias,

thank you very much. I thought that charon was signalled by the IPsec
stack's SPD when a new SA was to be negotiated, not that it itself set
the policy.

Your solution didn't work right away though. I found that "ipsec
start" only started the starter process and nothing more. It was not
until I removed the charondebug option of the config section (as seen
below) that it started. It works though if you limit the debugging
level and / or the number of debugging options. I've reproduced this
several times just to be sure. Why is this?

The problem line was (in full):
charondebug="asn 3,knl 3,mgr 3,ike 3,chd 3,net 3,enc 3"
It works if you change it so (e.g.) charondebug="ike 3"

My strongswan version is 4.5.2 as included in Ubuntu 11.10

Sincerely,
Vilhelm Jutvik
MS Thesis Student at SICS

2012/3/13 Tobias Brunner:
> Hi Vilhelm,
>
>> config setup
>>     crlcheckinterval=180
>>     strictcrlpolicy=no
>>     plutostart=no
>>     charondebug="asn 4, knl 4,mgr 4,ike 4,chd 4,net 4,enc 4"
>>
>> conn %default
>>     auth=esp
>>     authby=psk
>>     esp=aes128ctr-aesxcbc!
>>     ikelifetime=60m
>>     keylife=20m
>>     keyingtries=1
>>     rekeymargin=3m
>>     keyexchange=ikev2
>>     ike=aes128ctr-aesxcbc-ecp192!
>>     type=transport
>
> Your config file looks incomplete. You have to specify at least one
> conn section (other than %default) with the auto keyword (auto can be
> specified in %default, though). Where auto=route might be what you
> want, as charon will then install policies in the kernel's SPD and an SA
> will automatically be negotiated upon matching traffic. You also need
> to specify right and optionally left (the endpoints of the IKE_SA) in
> that conn section. If you only want specific traffic to be tunneled use
> the left|rightsubnet and left|rightprotoport keywords (see the example
> at [1]).
>
> Also if you want to configure the policies in the kernel yourself make
> sure you use a reqid > 0 and then specify reqid= and
> installpolicy=no in the respective conn section.
>
> Regards,
> Tobias
>
> [1] http://www.strongswan.org/uml/testresults/ikev2/protoport-route/
Re: [strongSwan] charon: [15]CFG trap not found, unable to acquire reqid 0
Hi Vilhelm,

> config setup
>     crlcheckinterval=180
>     strictcrlpolicy=no
>     plutostart=no
>     charondebug="asn 4, knl 4,mgr 4,ike 4,chd 4,net 4,enc 4"
>
> conn %default
>     auth=esp
>     authby=psk
>     esp=aes128ctr-aesxcbc!
>     ikelifetime=60m
>     keylife=20m
>     keyingtries=1
>     rekeymargin=3m
>     keyexchange=ikev2
>     ike=aes128ctr-aesxcbc-ecp192!
>     type=transport

Your config file looks incomplete. You have to specify at least one
conn section (other than %default) with the auto keyword (auto can be
specified in %default, though). Where auto=route might be what you
want, as charon will then install policies in the kernel's SPD and an SA
will automatically be negotiated upon matching traffic. You also need
to specify right and optionally left (the endpoints of the IKE_SA) in
that conn section. If you only want specific traffic to be tunneled use
the left|rightsubnet and left|rightprotoport keywords (see the example
at [1]).

Also if you want to configure the policies in the kernel yourself make
sure you use a reqid > 0 and then specify reqid= and
installpolicy=no in the respective conn section.

Regards,
Tobias

[1] http://www.strongswan.org/uml/testresults/ikev2/protoport-route/
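
The checks described in the reply above, as an added example that is not part of the original thread or of strongSwan: a small Python lint for ipsec.conf. The helper names, the conn name host-host and the address 192.0.2.2 are assumptions, and also= includes are not followed.

```python
# Added example (not from the thread): lint an ipsec.conf for the gaps
# Tobias lists. check_ipsec_conf() and the sample values are hypothetical.

ORIGINAL = """\
config setup
    plutostart=no

conn %default
    authby=psk
    keyexchange=ikev2
    type=transport
"""  # abridged from the config posted in the thread

# Constructed fix: "host-host" and 192.0.2.2 (documentation address) are made up.
FIXED = ORIGINAL + """
conn host-host
    right=192.0.2.2
    auto=route
"""

def parse(text):
    """Return {section header: {key: value}} for every section in the file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue                        # blank line or comment
        if not line[0].isspace():           # section header starts at column 0
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections

def check_ipsec_conf(text):
    """Return a list of problems; an empty list means the checks passed."""
    sections = parse(text)
    defaults = sections.get("conn %default", {})
    conns = {name: {**defaults, **body} for name, body in sections.items()
             if name.startswith("conn ") and name != "conn %default"}
    if not conns:
        return ["no conn section other than %default"]
    problems = []
    for name, conn in conns.items():
        if conn.get("auto", "ignore") == "ignore":   # auto defaults to ignore
            problems.append(f"{name}: auto is not set (e.g. auto=route)")
        if "right" not in conn:
            problems.append(f"{name}: right is not set")
        if conn.get("installpolicy") == "no":        # policies managed by hand
            reqid = conn.get("reqid", "")
            if not (reqid.isdigit() and int(reqid) > 0):
                problems.append(f"{name}: installpolicy=no needs reqid > 0")
    return problems
```
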