Paul Wouters | 6 Mar 2012 17:10

[Openswan dev] [IPsec] I-D ACTION:draft-ietf-ipsecme-p2p-vpn-problem-00.txt (fwd)


Have not read it yet, might be interesting.

Paul

---------- Forwarded message ----------
Date: Tue, 6 Mar 2012 11:00:40
From: Internet-Drafts <at> ietf.org
Cc: ipsec <at> ietf.org
To: i-d-announce <at> ietf.org
Subject: [IPsec] I-D ACTION:draft-ietf-ipsecme-p2p-vpn-problem-00.txt
X-Spam-Flag: NO

A new Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Maintenance and Extensions Working Group of the IETF.

     Title         : Point to Point VPNs Problem Statement
     Author(s)     : S. Hanna
     Filename      : draft-ietf-ipsecme-p2p-vpn-problem
     Pages         : 13
     Date          : March 6, 2012

    This document describes the problem of enabling a large number of
    systems to communicate directly using IPsec to protect the traffic
    between them.  Manual configuration of all possible tunnels is too
    cumbersome in such cases, so an automated method is needed.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-ipsecme-p2p-vpn-problem


Paul Wouters | 12 Mar 2012 23:45

[Openswan dev] openswan 2.6.38 release candidate 1


Hi developers,

Please test openswan 2.6.38 Release Candidate 1:

http://download.openswan.org/openswan/testing/openswan-2.6.38rc1.tar.gz
http://download.openswan.org/openswan/testing/openswan-2.6.38rc1.tar.gz.asc

See for the CHANGES:

http://download.openswan.org/openswan/CHANGES

Paul
Paul Wouters | 20 Mar 2012 17:46

[Openswan dev] openswan 2.6.38 release candidate 2


Hi developers,

Please test openswan 2.6.38 Release Candidate 2:

http://download.openswan.org/openswan/testing/openswan-2.6.38rc2.tar.gz
http://download.openswan.org/openswan/testing/openswan-2.6.38rc2.tar.gz.asc

See for the CHANGES:

http://download.openswan.org/openswan/CHANGES

Paul
_______________________________________________
Dev mailing list
Dev <at> lists.openswan.org
https://lists.openswan.org/mailman/listinfo/dev
Tuomo Soini | 24 Mar 2012 00:22

[Openswan dev] [Announce] openswan 2.6.38 released


Dear community,

As Paul Wouters is currently unable to perform his role as Release
Manager, I have stepped in to temporarily take over his
responsibilities.

Openswan 2.6.38 released to the community

https://www.openswan.org/download/openswan-2.6.38.tar.gz
https://www.openswan.org/download/openswan-2.6.38.tar.gz.asc
https://www.openswan.org/download/CHANGES

Mirror site:
ftp://ftp.openswan.fi/pub/openswan/openswan-2.6.38.tar.gz
ftp://ftp.openswan.fi/pub/openswan/openswan-2.6.38.tar.gz.asc
ftp://ftp.openswan.fi/pub/openswan/CHANGES

This is a major bugfix release. It fixes and enhances IKEv2
functionality. It works around the Linux kernel bug for
wrong SHA2 truncation that caused openswan to fail to interop
with other vendors such as Checkpoint. It has various NAT-T
fixes for better interop with Android and iPhones. And it now
supports reconfiguring a locally running DNSSEC server with
nameservers obtained via XAUTH/ModeConfig.

A full list of changes follows below.

Furthermore, the long expected move to make "bugs.openswan.org" the
new website has finally been completed. This means that everyone can now

Nrupen Chudasma | 28 Mar 2012 08:08

[Openswan dev] BUG 1201: dpd + ddns does not work

Hi,

Yesterday I sent the same comment to the users' list, but I think it would be more appropriate to discuss the bug on the dev list.

I have been using openswan 2.6.24 with NETKEY for quite a long time.
I had a requirement for DYNDNS-based remote host support for making the connections. As there is support added, I tried with the 2.6.24 version and could not succeed.
I searched and found bug#1201 with the exact reason. So I upgraded to version 2.6.33, but the problem is still there. I even tried the latest version, i.e. 2.6.38, but the result is the same.

According to the RCA done for the bug, "conn->dnshostname" is NULL. The specified solution was to work with ipsec whack.

I tried that. Please correct me if my approach to the problem is wrong. I have put the remote as "ddnstest" and added an entry in the /etc/hosts file.
I add one connection with ipsec whack and initiate the connection. Later I change my remote host's IP and add the corresponding entry in /etc/hosts.
The dpdtimeout happens as the former IP is no longer available, and thus I get the DPD, in which case my action restart triggers the initiation of the connection.
Still my connection is initiated to the same IP as before.

Point out if I am doing something wrong.
Find the details of the steps I have done so far and the logs below.

root <at> ng:~# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth2.2/eth2.2 10.103.7.133
000 interface eth2.2/eth2.2 10.103.7.133
000 interface br-lan/br-lan 10.1.2.1
000 interface br-lan/br-lan 10.1.2.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,216} attrs={0,2,288}
000
000
000
root <at> ng:~#
root <at> ng:~# cat /etc/ipsec.conf
version 2.0      # conforms to second version of ipsec.conf specification

config setup
        nat_traversal=yes
        oe=off
        protostack=netkey


conn ngpassthrough
        left=10.1.2.1
        right=0.0.0.0
        leftsubnet=10.1.2.0/255.255.255.0
        rightsubnet=10.1.2.0/255.255.255.0
        authby=never
        type=passthrough
        auto=route

conn ng
        right=ddnstest
        rightsubnet=10.1.1.0/24
        left=10.103.7.133
        leftsubnet=10.1.2.0/255.255.255.0
        leftnexthop=10.103.6.1
        auto=start
        #x_rightdynamic=yes
        authby=secret
        compress=no
        failureshunt=drop
        dpddelay=15
        dpdtimeout=60
        dpdaction=restart
        pfs=yes
        ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,aes192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-md5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,aes128-md5-modp2048,aes192-md5-modp2048,aes256-md5-modp2048,aes128-sha1-modp2048,aes192-sha1-modp2048,aes256-sha1-modp2048,3des-md5-modp2048,3des-sha1-modp2048
        esp=aes128-md5,aes192-md5,aes256-md5,aes128-sha1,aes192-sha1,aes256-sha1,3des-md5,3des-sha1

root <at> ng:~# cat /etc/ipsec.secrets
10.103.7.133 ddnstest : PSK "adminadmin"
root <at> ng:~#
root <at> ng:~# ipsec whack --name test --encrypt --tunnel --pfs --dpddelay 15 --dpdtimeout 60 --dpdaction restart --psk --host 10.103.7.133 --nexthop 10.103.6.1 --client 10.1.2.0/24 --to --host ddnstest --client 10.1.1.0/24
002 added connection description "test"
root <at> ng:~#
root <at> ng:~# ipsec whack --initiate --name test
002 "test" #11: initiating Main Mode
104 "test" #11: STATE_MAIN_I1: initiate
003 "test" #11: ignoring unknown Vendor ID payload [4f45557d6068416e77737478]
003 "test" #11: received Vendor ID payload [Dead Peer Detection]
003 "test" #11: received Vendor ID payload [RFC 3947] method set to=109
002 "test" #11: enabling possible NAT-traversal with method 4
002 "test" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "test" #11: STATE_MAIN_I2: sent MI2, expecting MR2
003 "test" #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
002 "test" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "test" #11: STATE_MAIN_I3: sent MI3, expecting MR3
003 "test" #11: received Vendor ID payload [CAN-IKEv2]
002 "test" #11: Main mode peer ID is ID_IPV4_ADDR: '10.103.6.70'
002 "test" #11: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "test" #11: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
002 "test" #11: Dead Peer Detection (RFC 3706): enabled
002 "test" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#11 msgid:faa36d7a proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
117 "test" #12: STATE_QUICK_I1: initiate
002 "test" #12: Dead Peer Detection (RFC 3706): enabled
002 "test" #12: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "test" #12: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x81cd918c <0xf4534088 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
root <at> ng:~#
root <at> ng:~# vi /etc/hosts

127.0.0.1 localhost.
10.103.6.71 ddnstest





LOGS from /var/log/messages...
Dec  4 17:35:31 ng authpriv.warn pluto[11096]: added connection description "test"

Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: initiating Main Mode
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: ignoring unknown Vendor ID payload [4f45557d6068416e77737478]
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: received Vendor ID payload [Dead Peer Detection]
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: received Vendor ID payload [RFC 3947] method set to=109
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: enabling possible NAT-traversal with method 4
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: STATE_MAIN_I2: sent MI2, expecting MR2
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: STATE_MAIN_I3: sent MI3, expecting MR3
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: received Vendor ID payload [CAN-IKEv2]
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: Main mode peer ID is ID_IPV4_ADDR: '10.103.6.70'
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: Dead Peer Detection (RFC 3706): enabled
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#11 msgid:faa36d7a proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: Dead Peer Detection (RFC 3706): enabled
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x81cd918c <0xf4534088 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}


Dec  4 17:36:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.6.71: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]

Dec  4 17:36:31 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.6.71: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec  4 17:36:46 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec  4 17:37:01 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #11: DPD: No response from peer - declaring peer dead
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #11: DPD: Restarting Connection
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: rekeying state (STATE_QUICK_I2)
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: rekeying state (STATE_QUICK_I2)
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: ERROR: netlink response for Del SA esp.81cd918c <at> 10.103.6.70 included errno 3: No such process
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: ERROR: netlink response for Del SA esp.f4534088 <at> 10.103.7.133 included errno 3: No such process
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #13: initiating Main Mode to replace #11
Dec  4 17:37:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec  4 17:37:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec  4 17:37:26 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec  4 17:37:46 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec  4 17:38:26 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec  4 17:39:06 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
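As an added example (my code, not part of the mail or of openswan), a Python check that reads pluto log lines like those above and reports when a DPD restart kept initiating to the address learned before the restart even though the peer's DNS name now resolves elsewhere. The currently resolved address is passed in by the caller, the sample log is a trimmed copy of the one in the mail, and the reload helper assumes `ipsec whack --delete --name` is available in this build.

```python
import re

# Constructed sample: a trimmed copy of the pluto lines from the mail above.
# The peer had been moved from 10.103.6.70 to 10.103.6.71 in /etc/hosts before DPD fired.
SAMPLE_LOG = """\
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: Main mode peer ID is ID_IPV4_ADDR: '10.103.6.70'
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x81cd918c <0xf4534088 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Dec  4 17:36:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.6.71: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #11: DPD: No response from peer - declaring peer dead
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #11: DPD: Restarting Connection
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #13: initiating Main Mode to replace #11
Dec  4 17:37:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec  4 17:37:26 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
"""

# The whack add line from the mail above; re-running it makes the name resolve afresh.
ADD_COMMAND = ("ipsec whack --name test --encrypt --tunnel --pfs --dpddelay 15 --dpdtimeout 60 "
               "--dpdaction restart --psk --host 10.103.7.133 --nexthop 10.103.6.1 "
               "--client 10.1.2.0/24 --to --host ddnstest --client 10.1.1.0/24")

RE_PEER = re.compile(r'"(?P<conn>[^"]+)" #\d+: Main mode peer ID is ID_IPV4_ADDR: \'(?P<ip>[\d.]+)\'')
RE_RESTART = re.compile(r'"(?P<conn>[^"]+)" #\d+: DPD: Restarting Connection')
RE_REPLACE = re.compile(r'"(?P<conn>[^"]+)" #\d+: initiating Main Mode to replace #\d+')
# The ICMP error reports carry no conn name, only the destination address.
RE_SENDERR = re.compile(r'for message to (?P<ip>[\d.]+) port \d+')


def analyse_dpd_restarts(log_text, resolved):
    """Walk pluto log lines and report conns whose DPD restart kept sending to
    the peer address learned before the restart, while `resolved` (conn name ->
    address the peer's DNS name resolves to now, supplied by the caller) shows
    the peer has moved.  Returns a list of finding dicts."""
    last_peer = {}   # conn -> peer address from the last Main Mode exchange
    restarts = {}    # conn -> {"old": addr, "replacing": bool, "stale_sends": n}
    for line in log_text.splitlines():
        m = RE_PEER.search(line)
        if m:
            last_peer[m["conn"]] = m["ip"]
            continue
        m = RE_RESTART.search(line)
        if m and m["conn"] in last_peer:
            restarts[m["conn"]] = {"old": last_peer[m["conn"]], "replacing": False, "stale_sends": 0}
            continue
        m = RE_REPLACE.search(line)
        if m and m["conn"] in restarts:
            restarts[m["conn"]]["replacing"] = True
            continue
        m = RE_SENDERR.search(line)
        if m:
            # Attribute the failed send to every restarting conn whose old
            # peer address it targets; sends before the restart are ignored.
            for state in restarts.values():
                if state["replacing"] and state["old"] == m["ip"]:
                    state["stale_sends"] += 1
    findings = []
    for conn, state in restarts.items():
        now = resolved.get(conn)
        if state["stale_sends"] and now is not None and now != state["old"]:
            findings.append({"conn": conn, "old_peer": state["old"],
                             "resolved_now": now, "stale_sends": state["stale_sends"]})
    return findings


def reload_commands(conn, add_command):
    """Operator workaround matching the thread: drop the conn, add it again so
    the peer name is resolved anew, then initiate.  Assumes this openswan build
    accepts `ipsec whack --delete --name`."""
    return [f"ipsec whack --delete --name {conn}",
            add_command,
            f"ipsec whack --initiate --name {conn}"]


if __name__ == "__main__":
    for f in analyse_dpd_restarts(SAMPLE_LOG, {"test": "10.103.6.71"}):
        print(f"{f['conn']}: still initiating to {f['old_peer']} after DPD restart, "
              f"name now resolves to {f['resolved_now']} ({f['stale_sends']} failed sends)")
        for cmd in reload_commands(f["conn"], ADD_COMMAND):
            print("  ", cmd)
```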
Nrupen Chudasma | 28 Mar 2012 14:39

[Openswan dev] DPD action restart creates segfault in Roadwarrior connection

Hi,

I am using openswan 2.6.24. I have configured one connection at the VPN gateway where many road warriors can connect to the tunnel from different IPs.
Below is my configuration.

version 2.0      # conforms to second version of ipsec.conf specification

config setup
        nat_traversal=yes
        oe=off
        protostack=netkey


conn ng
        right=%any
        rightsubnet="vhost:%v:0.0.0.0/0"
        left=10.103.6.71
        leftsubnet=10.1.1.0/255.255.255.0
        leftnexthop=10.103.6.1
        auto=add
        x_rightdynamic=yes
        authby=secret
        compress=no
        failureshunt=drop
        dpddelay=15
        dpdtimeout=60
        dpdaction=restart
        pfs=yes
        ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,aes192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-md5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,aes128-md5-modp2048,aes192-md5-modp2048,aes256-md5-modp2048,aes128-sha1-modp2048,aes192-sha1-modp2048,aes256-sha1-modp2048,3des-md5-modp2048,3des-sha1-modp2048
        esp=aes128-md5,aes192-md5,aes256-md5,aes128-sha1,aes192-sha1,aes256-sha1,3des-md5,3des-sha1


I have kept dpdaction=restart. After successfully establishing the connection, I unplug the road warrior from the network. So when DPD is hit at my VPN gateway, the dpdaction restart is called.
I get the segfault at this place.
The problem is 100% re-creatable.

Find the /var/log/messages for this.

Mar 28 18:03:44 netgenie daemon.err ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Mar 28 18:03:44 netgenie daemon.err ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Mar 28 18:03:44 netgenie daemon.err ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from 10.103.6.93:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from 10.103.6.93:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from 10.103.6.93:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from 10.103.6.93:4500: received Vendor ID payload [RFC 3947] method set to=109
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: packet from 10.103.6.93:4500: received Vendor ID payload [Dead Peer Detection]
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: responding to Main Mode from unknown peer 10.103.6.93
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: Main mode peer ID is ID_IPV4_ADDR: '10.1.2.11'
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[1] 10.103.6.93 #1: switched from "ng" to "ng"
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: deleting connection "ng" instance with peer 10.103.6.93 {isakmp=#0/ipsec=#0}
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: Dead Peer Detection (RFC 3706): enabled
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: the peer proposed: 10.1.1.0/24:0/0 -> 10.1.2.11/32:0/0
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: responding to Quick Mode proposal {msgid:341f6228}
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2:     us: 10.1.1.0/24===10.103.6.71<10.103.6.71>[+S=C]---10.103.6.1
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2:   them: 10.103.6.93[10.1.2.11,+S=C]
Mar 28 18:03:53 netgenie authpriv.debug pluto[19074]: | NAT-OA: 32 tunnel: 0 
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 28 18:03:53 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 28 18:03:54 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: Dead Peer Detection (RFC 3706): enabled
Mar 28 18:03:54 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 28 18:03:54 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xd9d12c60 <0xf1bb6bc0 xfrm=AES_128-HMAC_MD5 NATOA=none NATD=10.103.6.93:4500 DPD=enabled}
Mar 28 18:04:42 netgenie authpriv.warn pluto[19074]: ERROR: asynchronous network error report on eth2.2 (sport=4500) for message to 10.103.6.93 port 4500, complainant 10.103.6.71: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Mar 28 18:04:57 netgenie authpriv.warn pluto[19074]: ERROR: asynchronous network error report on eth2.2 (sport=4500) for message to 10.103.6.93 port 4500, complainant 10.103.6.71: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: DPD: No response from peer - declaring peer dead
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: DPD: Restarting Connection
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: rekeying state (STATE_QUICK_R2)
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: rekeying state (STATE_QUICK_R2)
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR: netlink response for Del SA esp.d9d12c60 <at> 10.103.6.93 included errno 3: No such process
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR: netlink response for Del SA esp.f1bb6bc0 <at> 10.103.6.71 included errno 3: No such process
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng"[2] 10.103.6.93 #1: deleting connection "ng" instance with peer 10.103.6.93 {isakmp=#1/ipsec=#2}
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: deleting state (STATE_QUICK_R2)
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR: netlink response for Del SA esp.d9d12c60 <at> 10.103.6.93 included errno 3: No such process
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #2: ERROR: netlink response for Del SA esp.f1bb6bc0 <at> 10.103.6.71 included errno 3: No such process
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: "ng" #1: deleting state (STATE_MAIN_R3)
Mar 28 18:05:09 netgenie authpriv.warn pluto[19074]: DPD: Restarting all connections that share this peer
Mar 28 18:05:09 netgenie daemon.err ipsec__plutorun: Segmentation fault
Mar 28 18:05:09 netgenie daemon.err ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)
Mar 28 18:05:09 netgenie daemon.err ipsec__plutorun: restarting IPsec after pause...
Mar 28 18:05:09 netgenie authpriv.warn pluto[19079]: pluto_crypto_helper: helper (0) is  normal exiting


Regards,
Nrupen

Ruchir Thakkar | 28 Mar 2012 19:57

Re: [Openswan dev] DPD action restart creates segfault in Roadwarrior connection

Hi Nrupen,

Do not keep dpdaction "restart" in a connection definition where the peer IP is a wildcard.

Regards,
Ruchir.

On Mar 28, 2012 8:39 AM, "Nrupen Chudasma" <nrupen <at> gmail.com> wrote:
Mar 28 18:05:09 netgenie authpriv.warn pluto[19079]: pluto_crypto_helper: helper (0) is  normal exiting


Regards,
Nrupen

_______________________________________________
Dev mailing list
Dev <at> lists.openswan.org
https://lists.openswan.org/mailman/listinfo/dev

Tuomo Soini | 29 Mar 2012 19:11

Re: [Openswan dev] BUG 1201: dpd + ddns does not work

On Wed, 28 Mar 2012 11:38:03 +0530
Nrupen Chudasma <nrupen <at> gmail.com> wrote:

> Hi,
> 
> Yesterday I sent the same comment in the User's list. But I think it
> would be appropriate to discuss the bug in the dev list.
> 
> I have been using openswan 2.6.24 with NETKEY for quite a long time.
> I had a requirement for DYNDNS based remote host support for making
> the connections. As there is support added, I tried with the 2.6.24
> version and could not succeed.
> I searched for bug#1201 with the exact reason. So I upgraded to
> version 2.6.33. But the problem is still there. I even tried the latest
> version, i.e. 2.6.38, but the result is the same.
> 
> According to the RCA done for the bug, "conn->dnshostname" is NULL.
> The specified solution was to work with ipsec whack.
> 
> I tried with that. Please correct me if my approach for the problem is
> wrong. I have put remote as "ddnstest" and added an entry in
> the /etc/hosts file.
> I add one connection with ipsec whack. Initiate the connection. Later
> I change my remote host's IP and add the corresponding entry
> in /etc/hosts. The dpdtimeout happens as the former IP is no longer
> available and thus I get the DPD, in which case my action restart
> triggers the initiation of the connection.
> Still my connection is initiated to the same IP as before.

Anything in /etc/hosts is static data - not dynamic dns - there is no
guarantee it gets read without restarting whole pluto.

-- 
Tuomo Soini <tis <at> foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
Nrupen Chudasma | 30 Mar 2012 14:05

Re: [Openswan dev] BUG 1201: dpd + ddns does not work

Hi,

Regarding the explanation that /etc/hosts is static and that pluto needs to be restarted to pick up the correct entry, refer to the code below.

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h> 
#include <netinet/in.h>
#include <unistd.h>

/* Resolve argv[1] every 5 seconds and print the first IPv4 address, to show
 * whether a change to /etc/hosts is picked up by a long-running process. */
int
main(int argc, char **argv) {
        struct hostent *host;     /* host information */
        struct in_addr addr;      /* internet address; not named h_addr, which
                                     glibc's <netdb.h> defines as a macro */
        if (argc != 2) {
                fprintf(stderr, "USAGE: nslookup <hostname>\n");
                return 1;
        }
        while(1){
                if ((host = gethostbyname(argv[1])) == NULL) {
                        fprintf(stderr, "(mini) nslookup failed on '%s'\n", argv[1]);
                        return 1;
                }
                /* copy exactly sizeof(struct in_addr) bytes; the original
                 * cast to unsigned long over-reads on 64-bit hosts */
                memcpy(&addr, host->h_addr_list[0], sizeof addr);
                fprintf(stdout, "%s\n", inet_ntoa(addr));
                fflush(stdout);   /* show each result promptly when piped */
                sleep(5);
        }
        return 0;
}

After successfully compiling the code, I run it with the /etc/hosts entry for 'ddnstest' set to '10.103.6.70'. While the program is running, I change the entry for ddnstest to 10.103.6.71 and see that it is reflected in my running program.

root <at> netgenie:~# ./lookup ddnstest
10.103.6.70
10.103.6.70
10.103.6.71
...

Whoever thinks that pluto needs to restart for /etc/hosts, because these are static entries, needs to rethink the problem.
I am heavily into testing DPD and related features. I have found some SIGABRT and SIGSEGV crashes for a few configurations. Let us please resolve the issues before really guessing at unwanted posts.

Regards,
Nrupen

On Thu, Mar 29, 2012 at 10:41 PM, Tuomo Soini <tis <at> foobar.fi> wrote:
> On Wed, 28 Mar 2012 11:38:03 +0530
> Nrupen Chudasma <nrupen <at> gmail.com> wrote:
> 
> > Hi,
> >
> > Yesterday I sent the same comment in the User's list. But I think it
> > would be appropriate to discuss the bug in the dev list.
> >
> > I have been using openswan 2.6.24 with NETKEY for quite a long time.
> > I had a requirement for DYNDNS based remote host support for making
> > the connections. As there is support added, I tried with the 2.6.24
> > version and could not succeed.
> > I searched for bug#1201 with the exact reason. So I upgraded to
> > version 2.6.33. But the problem is still there. I even tried the latest
> > version, i.e. 2.6.38, but the result is the same.
> >
> > According to the RCA done for the bug, "conn->dnshostname" is NULL.
> > The specified solution was to work with ipsec whack.
> >
> > I tried with that. Please correct me if my approach for the problem is
> > wrong. I have put remote as "ddnstest" and added an entry in
> > the /etc/hosts file.
> > I add one connection with ipsec whack. Initiate the connection. Later
> > I change my remote host's IP and add the corresponding entry
> > in /etc/hosts. The dpdtimeout happens as the former IP is no longer
> > available and thus I get the DPD, in which case my action restart
> > triggers the initiation of the connection.
> > Still my connection is initiated to the same IP as before.
> 
> Anything in /etc/hosts is static data - not dynamic dns - there is no
> guarantee it gets read without restarting whole pluto.
> 
> -- 
> Tuomo Soini <tis <at> foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <http://foobar.fi/>
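The point of the thread is what a DPD restart should do when the peer was configured by name: look the name up again and initiate to whatever it resolves to now, rather than reuse the address cached at load time, and not dereference a NULL conn->dnshostname on the way. The following is an added illustration, not openswan code and not anything Nrupen or Tuomo posted. It uses getaddrinfo() instead of the deprecated gethostbyname(); the helper names resolve_peer_ipv4() and peer_moved() and the sample addresses are assumptions for the example. The numeric-address calls need no name service, so the check runs offline; with a real hostname the same routine goes through nsswitch.conf, /etc/hosts and DNS on every call.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * Hypothetical helper (not openswan code): re-resolve `hostname` with
 * getaddrinfo(), which consults /etc/hosts and DNS according to
 * nsswitch.conf on every call, and write the first IPv4 address as text
 * into `out` (at least INET_ADDRSTRLEN bytes).  Returns 0 on success,
 * -1 if the name does not currently resolve.
 */
int resolve_peer_ipv4(const char *hostname, char *out, size_t outlen)
{
        struct addrinfo hints, *res = NULL;
        struct sockaddr_in *sin;

        memset(&hints, 0, sizeof hints);
        hints.ai_family = AF_INET;        /* IPv4 peer, as in the log above */
        hints.ai_socktype = SOCK_DGRAM;   /* one entry per address, not per socktype */

        if (getaddrinfo(hostname, NULL, &hints, &res) != 0 || res == NULL)
                return -1;

        sin = (struct sockaddr_in *)res->ai_addr;
        if (inet_ntop(AF_INET, &sin->sin_addr, out, outlen) == NULL) {
                freeaddrinfo(res);
                return -1;
        }
        freeaddrinfo(res);
        return 0;
}

/*
 * Hypothetical decision routine for a DPD "restart" action on a connection
 * whose peer was given as a name.  `dnshostname` plays the role of the
 * conn->dnshostname field named in the bug report; `current_addr` is the
 * address the dead peer was last reached at.  Returns:
 *    1  name now resolves to a different address (written to new_addr):
 *       re-initiate to the new address;
 *    0  address unchanged, or no hostname to re-resolve (new_addr = current):
 *       plain retry to the old address;
 *   -1  name does not resolve right now: keep the old address.
 * A NULL dnshostname is handled explicitly rather than dereferenced.
 */
int peer_moved(const char *dnshostname, const char *current_addr,
               char *new_addr, size_t len)
{
        if (dnshostname == NULL) {
                snprintf(new_addr, len, "%s", current_addr);
                return 0;
        }
        if (resolve_peer_ipv4(dnshostname, new_addr, len) != 0)
                return -1;
        return strcmp(new_addr, current_addr) != 0;
}

int main(int argc, char **argv)
{
        char buf[INET_ADDRSTRLEN];
        int rc;

        if (argc != 3) {
                fprintf(stderr, "usage: peercheck <hostname> <current-address>\n");
                return 1;
        }
        rc = peer_moved(argv[1], argv[2], buf, sizeof buf);
        if (rc < 0)
                printf("%s: unresolvable, keeping %s\n", argv[1], argv[2]);
        else if (rc == 1)
                printf("%s: moved from %s to %s, re-initiate\n", argv[1], argv[2], buf);
        else
                printf("%s: still %s, retry\n", argv[1], buf);
        return 0;
}
```

Run as `./peercheck ddnstest 10.103.6.70` against the /etc/hosts setup from the post: editing the entry to 10.103.6.71 between two runs gives "moved ... re-initiate" on the second, which is exactly the re-resolution a restart-on-DPD action needs and that the bug report says does not happen when conn->dnshostname is NULL.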
