I have been using the NULL authentication method with opportunistic connections, but
now I have increased the number of peers and I see this error message and a SEGV. Is it a known issue
with libreswan, or is it related to multiple peers using NULL authentication or
opportunistic connections?
I see a message like:
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: NULL auth ID for
different IP's cannot replace each other
And then a SEGV coredump.
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface stre1 192.200.7.6:500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface stre1 192.200.7.6:4500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface stre0 192.200.7.5:500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface stre0 192.200.7.5:4500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface eth0 10.106.16.43:500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface eth0 10.106.16.43:4500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface lo 127.0.0.1:500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface lo 127.0.0.1:4500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface lo [::1]:500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface lo [::1]:4500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
"private-or-clear-2": oriented IKEv2 connec
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: tion
(local: left=192.200.7.6 remote: right=0.0.0.0)
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
"private-or-clear": oriented IKEv2 connection (local: left=192.200.7.5 remote:
right=0.0.0.0)
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: loading
secrets from "/etc/ipsec.secrets"
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: loading
group "/etc/ipsec.d/policies/private-or-clear-2"
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: loading
group "/etc/ipsec.d/policies/private-or-clear"
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
"private-or-clear#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
"private-or-clear#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
"private-or-clear-2#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
"private-or-clear-2#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[1] ...192.200.7.7: initiate on-demand for
packet 192.200.7.5:0-ICMP->192.200.7.7:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[2] ...192.200.7.8: initiate on-demand for
packet 192.200.7.5:0-ICMP->192.200.7.8:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[1] ...192.200.7.7: initiate on-demand for
packet 192.200.7.6:0-ICMP->192.200.7.7:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[3] ...192.200.7.10: initiate on-demand for
packet 192.200.7.5:8-ICMP->192.200.7.10:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[4] ...192.200.7.47: initiate on-demand for
packet 192.200.7.5:8-ICMP->192.200.7.47:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[5] ...192.200.7.48: initiate on-demand for
packet 192.200.7.5:8-ICMP->192.200.7.48:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[2] ...192.200.7.47: initiate on-demand for
packet 192.200.7.6:8-ICMP->192.200.7.47:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[6] ...192.200.7.6: initiate on-demand for
packet 192.200.7.5:8-ICMP->192.200.7.6:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[3] ...192.200.7.48: initiate on-demand for
packet 192.200.7.6:8-ICMP->192.200.7.48:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[7] ...192.200.7.9: initiate on-demand for
packet 192.200.7.5:8-ICMP->192.200.7.9:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5: initiate on-demand for
packet 192.200.7.6:8-ICMP->192.200.7.5:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[5] ...192.200.7.9: initiate on-demand for
packet 192.200.7.6:8-ICMP->192.200.7.9:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[6] ...192.200.7.6 #8: processed IKE_SA_INIT
response from 192.200.7.6:UDP/500 {cipher=AES_GCM_16_256 integ=n>
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5 #11: processed
IKE_SA_INIT response from 192.200.7.5:UDP/500 {cipher=AES_GCM_16_256 inte>
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: processing decrypted
IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr,N(USE_TRANSPORT_M>
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: responder
established IKE SA; authenticated peer using authby=null and ID_NULL 'ID_>
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: NULL auth ID for
different IP's cannot replace each other
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5: terminating SAs using
this connection
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5 #11: deleting IKE SA
(sent IKE_AUTH request)
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Main
process exited, code=dumped, status=11/SEGV
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Failed
with result 'core-dump'.
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service:
Service RestartSec=100ms expired, scheduling restart.
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service:
Scheduled restart job, restart counter is at 5.
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: Stopped Internet Key
Exchange (IKE) Protocol Daemon for IPsec.
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Start
request repeated too quickly.
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Failed
with result 'core-dump'.
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: Failed to start
Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Libreswan version used:
# ipsec status
ERROR: ipsec whack: connect(pluto_ctl) failed: Connection refused (errno 111)
# rpm -qa | grep libreswan
libreswan-5.0-1.0.1.el8.x86_64
My .conf files are:
conn private-or-clear
    authby=null
    leftid=%null
    rightid=%null
    left=192.200.7.5
    right=%opportunisticgroup
    negotiationshunt=passthrough
    failureshunt=passthrough
    ikev2=insist
    auto=route
    type=transport
    nic-offload=packet

conn private-or-clear-2
    authby=null
    leftid=%null
    rightid=%null
    left=192.200.7.6
    right=%opportunisticgroup
    negotiationshunt=passthrough
    failureshunt=passthrough
    ikev2=insist
    auto=route
    type=transport
    nic-offload=packet
Thanks for the pointers
_______________________________________________
Swan mailing list -- [email protected]
To unsubscribe send an email to [email protected]
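Added triage helper for the pluto log quoted in the report above (not the poster's code and not part of libreswan): it flags a connection that holds two instances for the same peer address (the state in which pluto logged the replacement error), lists peers that are this host's own interface addresses (in the log both 192.200.7.5 and 192.200.7.6 are local stre0/stre1 interfaces, so the two conns negotiate with each other on one pluto), and checks whether a SEGV exit followed the error. The sample log is constructed from the report with hostname and PID shortened, and the regex for the instance prefix is an assumption based only on the lines shown.

```python
import re
from collections import defaultdict

# Pluto prefix of an instantiated connection, as in the log quoted above
# (assumed format):  pluto[PID]: "conn#net"[INSTANCE] ...PEER [#SA]: message
PLUTO_RE = re.compile(
    r'pluto\[\d+\]:\s+"(?P<conn>[^"]+)"\[(?P<inst>\d+)\]\s+'
    r'\.\.\.(?P<peer>[\d.]+)(?:\s+#(?P<sa>\d+))?:\s+(?P<msg>.*)$')
IFACE_RE = re.compile(r'addconn: adding UDP interface \S+ (?P<addr>[\d.]+):\d+')

# Constructed sample: the report's own sequence with hostname and PID shortened.
SAMPLE_LOG = [
    'Jan 20 16:36:31 host pluto[1]: addconn: adding UDP interface stre1 192.200.7.6:500',
    'Jan 20 16:36:31 host pluto[1]: addconn: adding UDP interface stre0 192.200.7.5:500',
    'Jan 20 16:36:31 host pluto[1]: "private-or-clear#192.200.7.0/24"[6] ...192.200.7.6: initiate on-demand for packet 192.200.7.5:8-ICMP->192.200.7.6:0',
    'Jan 20 16:36:31 host pluto[1]: "private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5: initiate on-demand for packet 192.200.7.6:8-ICMP->192.200.7.5:0',
    'Jan 20 16:36:31 host pluto[1]: "private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: responder established IKE SA; authenticated peer using authby=null and ID_NULL',
    'Jan 20 16:36:31 host pluto[1]: "private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: NULL auth ID for different IP\'s cannot replace each other',
    'Jan 20 16:36:31 host pluto[1]: "private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5 #11: deleting IKE SA (sent IKE_AUTH request)',
    'Jan 20 16:36:31 host systemd[1]: ipsec.service: Main process exited, code=dumped, status=11/SEGV',
]

def parse(lines):
    """Yield one record per pluto line that names a connection instance."""
    for line in lines:
        m = PLUTO_RE.search(line)
        if m:
            rec = m.groupdict()
            rec['inst'] = int(rec['inst'])
            yield rec

def find_peer_collisions(lines):
    """Conns holding two instances for one peer address: with authby=null
    both are ID_NULL, the state behind the 'cannot replace each other' error."""
    insts = defaultdict(set)
    for rec in parse(lines):
        insts[(rec['conn'], rec['peer'])].add(rec['inst'])
    return sorted((c, p, sorted(i)) for (c, p), i in insts.items() if len(i) > 1)

def local_peers(lines):
    """Peers that are this host's own interface addresses: in the report both
    left= addresses are local, so the two conns negotiate with each other."""
    local = {m.group('addr') for m in map(IFACE_RE.search, lines) if m}
    return sorted({rec['peer'] for rec in parse(lines) if rec['peer'] in local})

def crash_follows_replacement_error(lines):
    """True when a systemd SEGV exit is logged after the replacement error."""
    err = next((i for i, l in enumerate(lines) if 'cannot replace' in l), None)
    return err is not None and any('status=11/SEGV' in l for l in lines[err:])
```

Feed it `journalctl -u ipsec` output line by line to see whether a real run shows the same two-instances-per-peer pattern before the crash.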