Hey folks, I apologize if this is the wrong place to post to receive help for an issue like this.
I am trying to connect to an IPSEC gateway that requires single DES but I find that when I specify ike=des, the pluto process crashes and drops core. I've tried this on the version of OpenSwan that comes with RHEL / CentOS 6 (2.6.32) and the version of libreswan that comes with Fedora 20 (3.8) - booting a Live CD with Fedora 20 and confirming the result there was the quickest way I could think of to reproduce the issue on a late(r|st) version without a potentially complicated source code compile.

The logging data in Fedora 20 produced by journalctl while using the cute little GUI applet looks like this:

Jul 08 00:56:57 localhost pluto[5798]: loading secrets from "/etc/ipsec.secrets"
Jul 08 00:56:57 localhost pluto[5798]: loading secrets from "/etc/ipsec.d/ipsec-nm-conn1.secrets"
Jul 08 00:56:59 localhost pluto[5798]: | entering aalg_getbyname_esp()
Jul 08 00:56:59 localhost pluto[5798]: added connection description "nm-conn1"
Jul 08 00:56:59 localhost NetworkManager[903]: <info> VPN connection 'VPN 1' (Connect) reply received.
Jul 08 00:56:59 localhost pluto[5798]: | oakley_alg_makedb() ike enc ealg=1 not present
Jul 08 00:56:59 localhost pluto[5798]: | oakley_alg_makedb() ike enc ealg=1 not present
Jul 08 00:56:59 localhost pluto[5798]: | oakley_alg_makedb() ike enc ealg=1 not present
Jul 08 00:56:59 localhost pluto[5798]: | oakley_alg_makedb() ike enc ealg=1 not present
Jul 08 00:56:59 localhost kernel: pluto[5798]: segfault at 4 ip 00007fd39977a35f sp 00007ffff99e65a0 error 6 in pluto[7fd39970a000+10c000]
Jul 08 00:56:59 localhost abrt-hook-ccpp[5870]: Saved core dump of pid 5798 (/usr/libexec/ipsec/pluto) to /var/tmp/abrt/ccpp-2014-07-08-00:56:59-5798 (28303360 bytes)
Jul 08 00:56:59 localhost NetworkManager[903]: <info> VPN plugin state changed: stopped (6)
Jul 08 00:56:59 localhost NetworkManager[903]: <info> VPN plugin state change reason: 0
Jul 08 00:56:59 localhost NetworkManager[903]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Jul 08 00:56:59 localhost abrt-server[5871]: Generating core_backtrace
Jul 08 00:56:59 localhost abrt-server[5871]: Generating backtrace
Jul 08 00:57:01 localhost abrt-server[5871]: Duplicate: core backtrace
Jul 08 00:57:01 localhost abrt-server[5871]: DUP_OF_DIR: /var/tmp/abrt/ccpp-2014-07-08-00:43:27-5095
Jul 08 00:57:01 localhost abrt-server[5871]: Deleting problem directory ccpp-2014-07-08-00:56:59-5798 (dup of ccpp-2014-07-08-00:43:27-5095)
Jul 08 00:57:01 localhost gnome-session[1259]: abrt-applet: repeated problem in libreswan-3.8-1.fc20, not showing the notification
Jul 08 00:57:05 localhost NetworkManager[903]: ipsec/pluto started with pid 5798
Jul 08 00:57:05 localhost NetworkManager[903]: pluto_watch: pluto died with signal 11
Jul 08 00:57:05 localhost NetworkManager[903]: <info> VPN service 'openswan' disappeared

This is roughly the same result I get configuring the ipsec.d/conn.conf files by hand on the RHEL / CentOS 6 boxes.
I believe I do actually need single DES; I have been able to establish a connection to this gateway using vpnc and using whatever IPSEC software runs on Android 4.4.2 when configuring a "Basic VPN" in "IPSec Xauth PSK" mode. The path of least resistance would seem to be to use vpnc to connect to this gateway, however, I have a need to connect to other IPSEC gateways in addition to this one at the same time as this one and I can obviously only have one thing bound to UDP 500 at a time - so unfortunately that's my use case.

Not setting ike= results in NO_PROPOSAL_CHOSEN and setting it to aes or 3des results in INVALID_HASH_INFORMATION. I tried recompiling OpenSwan on the RHEL / CentOS 6 box using USE_WEAKSTUFF?=true, with no impact, I have the same symptoms.

Anyway, here's the gdb output from the crash. Am I out of luck or do I have any options for troubleshooting this further? I would greatly appreciate any help you folks can provide. Thank you.

[root@localhost ccpp-2014-07-08-00:43:27-5095]# gdb /usr/libexec/ipsec/pluto coredump
GNU gdb (GDB) Fedora 7.6.50.20130731-16.fc20
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/libexec/ipsec/pluto...Reading symbols from /usr/lib/debug/usr/libexec/ipsec/pluto.debug...done.
done.
[New LWP 5095]
[New LWP 5098]
[New LWP 5100]
[New LWP 5099]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  oakley_alg_makedb (ai=<optimized out>, base=0x7f26367e26c8 <oakley_am_sadb+360>, maxtrans=maxtrans@entry=2) at /usr/src/debug/libreswan-3.8/programs/pluto/spdb_struct.c:308
308             gsp->parentSA = TRUE;
Missing separate debuginfos, use: debuginfo-install audit-libs-2.3.2-1.fc20.x86_64 cyrus-sasl-lib-2.1.26-14.fc20.x86_64 keyutils-libs-1.5.8-1.fc20.x86_64 krb5-libs-1.11.3-33.fc20.x86_64 ldns-1.6.16-6.fc20.x86_64 libcom_err-1.42.8-3.fc20.x86_64 libevent-2.0.21-3.fc20.x86_64 libidn-1.28-2.fc20.x86_64 libssh2-1.4.3-8.fc20.x86_64 nss-mdns-0.10-13.fc20.x86_64 nss-softokn-3.15.2-2.fc20.x86_64 nss-softokn-freebl-3.15.2-2.fc20.x86_64 openssl-libs-1.0.1e-30.fc20.x86_64 pcre-8.33-2.fc20.1.x86_64 python-libs-2.7.5-9.fc20.x86_64 sqlite-3.8.1-2.fc20.x86_64 systemd-libs-208-9.fc20.x86_64 zlib-1.2.8-3.fc20.x86_64
(gdb) where
#0  oakley_alg_makedb (ai=<optimized out>, base=0x7f26367e26c8 <oakley_am_sadb+360>, maxtrans=maxtrans@entry=2) at /usr/src/debug/libreswan-3.8/programs/pluto/spdb_struct.c:308
#1  0x00007f263653687c in init_am_st_oakley (st=st@entry=0x7f2636a645c0, policy=policy@entry=1376452709) at /usr/src/debug/libreswan-3.8/programs/pluto/spdb_v1_struct.c:1528
#2  0x00007f2636545d55 in aggr_outI1 (whack_sock=25, c=0x7f2636a60eb0, predecessor=0x0, policy=1376452709, try=1, importance=pcim_demand_crypto, uctx=0x0) at /usr/src/debug/libreswan-3.8/programs/pluto/ikev1_aggr.c:1163
#3  0x00007f26364eaa46 in initiate_a_connection (c=<optimized out>, arg=arg@entry=0x7fffe558e650) at /usr/src/debug/libreswan-3.8/programs/pluto/initiate.c:267
#4  0x00007f26364ec8a5 in initiate_connection (name=0x7fffe5590108 "nm-conn1", whackfd=24, moredebug=0, importance=importance@entry=pcim_demand_crypto) at /usr/src/debug/libreswan-3.8/programs/pluto/initiate.c:299
#5  0x00007f2636527102 in whack_process (whackfd=whackfd@entry=23, msg=...) at /usr/src/debug/libreswan-3.8/programs/pluto/rcv_whack.c:527
#6  0x00007f2636527cd6 in whack_handle (whackctlfd=<optimized out>) at /usr/src/debug/libreswan-3.8/programs/pluto/rcv_whack.c:659
#7  0x00007f26364f85f8 in call_server () at /usr/src/debug/libreswan-3.8/programs/pluto/server.c:764
#8  0x00007f26364e1d95 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/libreswan-3.8/programs/pluto/plutomain.c:1355
(gdb)

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
