Package: openswan
Version: 1:2.6.38-1
Severity: normal

Dear Maintainer,
openswan literally crashes my VPS.
This happens when a remote machine initiates an IPsec connection to the VPS.
Below is what I have in /var/log/syslog when openswan is started, since I think
it could be relevant:

Aug 11 18:53:39 vserver ipsec_setup: Starting Openswan IPsec U2.6.38-g312f1b8a-dirty/K3.9-0.bpo.1-amd64...
Aug 11 18:53:39 vserver ipsec_setup: Using NETKEY(XFRM) stack
Aug 11 18:53:39 vserver kernel: [  606.915072] Initializing XFRM netlink socket
Aug 11 18:53:40 vserver kernel: [  607.059905] AVX instructions are not detected.
Aug 11 18:53:40 vserver kernel: [  607.083834] AVX instructions are not detected.
Aug 11 18:53:40 vserver ipsec_setup: ...Openswan IPsec started
Aug 11 18:53:40 vserver ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Aug 11 18:53:40 vserver pluto: adjusting ipsec.d to /etc/ipsec.d
Aug 11 18:53:40 vserver kernel: [  607.359226] alg: No test for cipher_null (cipher_null-generic)
Aug 11 18:53:40 vserver kernel: [  607.359279] alg: No test for ecb(cipher_null) (ecb-cipher_null)
Aug 11 18:53:40 vserver kernel: [  607.359313] alg: No test for compress_null (compress_null-generic)
Aug 11 18:53:40 vserver kernel: [  607.359346] alg: No test for digest_null (digest_null-generic)
Aug 11 18:53:40 vserver kernel: [  607.382661] sha1_ssse3: Neither AVX nor SSSE3 is available/usable.
Aug 11 18:53:40 vserver ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/servercert.pem
Aug 11 18:53:40 vserver ipsec__plutorun: 002   loaded host cert file '/etc/ipsec.d/certs/servercert.pem
Aug 11 18:53:40 vserver ipsec__plutorun: 002   loaded host cert file '/etc/ipsec.d/certs/servercert.pem' (1505 bytes)
Aug 11 18:53:40 vserver ipsec__plutorun: 002   no subjectAltName matches ID '%fromcert', replaced by subject DN
Aug 11 18:53:40 vserver ipsec__plutorun: 002 added connection description "l2tp"


The VPS crashes when I try to initiate a connection from a Win7
client. Nothing gets written to the logs here, so the output below is
the last screenful I get when logged into the VPS via the serial
console using out-of-band access, with the VPS running in runlevel 1,
and invoke-rc.d ipsec start done by hand:

pluto[2265]: packet from 10.0.0.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
pluto[2265]: packet from 10.0.0.1:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[2265]: packet from 10.0.0.1:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
pluto[2265]: packet from 10.0.0.1:500: ignoring Vendor ID payload [Vid-Initial-Contact]
pluto[2265]: packet from 10.0.0.1:500: ignoring Vendor ID payload [IKE CGA version 1]
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: responding to Main Mode from unknown peer 10.0.0.1
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[2265]: "l2tp"[1] 10.0.0.1 #1: STATE_MAIN_R2: sent MR2, expecting MI3


At this point, the VPS isn't running anymore.
I have to send it a boot request, and it boots up starting with grub and so on.
This happens with openswan in wheezy, and the version in unstable to which I 
upgraded the openswan package before filing this bug.

I see that openswan depends on bind9-host.
My VPS is also running bind9 as a name server, which also crashes the VPS under 
certain conditions.
I mention this here, in case it's relevant.

The VPS is based on KVM/QEMU. According to /proc/cpuinfo on my VPS, the version
of KVM/QEMU seems to be 0.91.
The banner displayed when I log in to the out-of-band access account indicates
the host is running OpenBSD.
I don't know, however, if the machine on which my VPS runs is the same one used
to provide out-of-band access.

I'm not sure what else I can do to help debug this. I will do my best to 
provide whatever additional information is necessary.
Thank you.


-- System Information:
Debian Release: 7.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.9-0.bpo.1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openswan depends on:
ii  bind9-host [host]      1:9.8.4.dfsg.P1-6+nmu2+deb7u1
ii  bsdmainutils           9.0.3
ii  debconf [debconf-2.0]  1.5.49
ii  host                   1:9.8.4.dfsg.P1-6+nmu2+deb7u1
ii  iproute                20120521-3+b3
ii  libc6                  2.13-38
ii  libcurl3               7.26.0-1+wheezy3
ii  libgmp10               2:5.0.5+dfsg-2
ii  libldap-2.4-2          2.4.31-1+nmu2
ii  libpam0g               1.1.3-7.1
ii  openssl                1.0.1e-2

openswan recommends no packages.

Versions of packages openswan suggests:
pn  curl                                             <none>
ii  openswan-doc                                     1:2.6.37-3
pn  openswan-modules-source | openswan-modules-dkms  <none>

-- Configuration Files:
/etc/ipsec.conf changed:
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least up to 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!192.168.2.0/24
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null
        interfaces="%none"
include /etc/ipsec.d/conf/l2tp.conf

/etc/ipsec.secrets [Errno 13] Permission denied: u'/etc/ipsec.secrets'
/etc/logcheck/ignore.d.paranoid/openswan [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/openswan'
/etc/logcheck/ignore.d.server/openswan [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.server/openswan'
/etc/logcheck/ignore.d.workstation/openswan [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.workstation/openswan'
/etc/logcheck/violations.ignore.d/openswan [Errno 13] Permission denied: 
u'/etc/logcheck/violations.ignore.d/openswan'

-- debconf information:
  openswan/no-oe_include_file:
  openswan/existing_x509_key_filename:
  openswan/x509_state_name:
  openswan/x509_email_address:
  openswan/x509_country_code: AT
  openswan/x509_self_signed: true
  openswan/rsa_key_length: 2048
  openswan/restart: true
* openswan/install_x509_certificate: false
  openswan/x509_organizational_unit:
  openswan/x509_locality_name:
  openswan/how_to_get_x509_certificate: create
  openswan/existing_x509_rootca_filename:
  openswan/runlevel_changes:
  openswan/existing_x509_certificate_filename:
  openswan/x509_common_name:
  openswan/x509_organization_name:

