List:       openswan-users
Subject:    Re: [Openswan Users] ASSERTION FAILED using Openswan 2.3.0DR5
From:       Ken Bantoft <ken () xelerance ! com>
Date:       2004-12-31 14:03:21
Message-ID: 41D55C29.2020903 () xelerance ! com


Hi Axel,

Fixed in CVS...

checkout -rPRE2_3 for the 2.3.x branch, or wait a day until I post
another release.



Axel Mueller wrote:

> For some months I was running a combination of Openswan 2.10 using
> kernel 2.6.4 on client side and kernel 2.4.22 on server side.
> It was using X.509 based authentication which I got running thanks to
> Nate Carlson's HowTo.
>
> Yesterday I switched to kernel 2.6.10 for client and server using the
> configuration (certificates, config files, etc.) that worked well so far:
>
> # ipsec version
> Linux Openswan U2.3.0dr5/K2.6.10 (netkey)
>
> Openswan startup on server side looks good:
>
> Dec 28 15:14:33 gate ipsec_setup: Starting Openswan IPsec
> U2.1.4/K2.6.10...
> Dec 28 15:14:33 gate ipsec_setup: KLIPS ipsec0 on eth2
> 192.168.70.1/255.255.255.0 broadcast 192.168.70.255
> Dec 28 15:14:33 gate ipsec__plutorun: Starting Pluto subsystem...
> Dec 28 15:14:33 gate pluto[17347]: Starting Pluto (Openswan Version
> 2.1.4 X.509-1.4.8-1 PLUTO_USES_KEYRR)
> Dec 28 15:14:33 gate pluto[17347]:   including NAT-Traversal patch
> (Version 0.6c) [disabled]
> Dec 28 15:14:33 gate pluto[17347]: Using Linux 2.6 IPsec interface code
> Dec 28 15:14:34 gate ipsec_setup: ...Openswan IPsec started
> Dec 28 15:14:34 gate pluto[17347]: Changing to directory
> '/etc/ipsec.d/cacerts'
> Dec 28 15:14:34 gate pluto[17347]:   loaded cacert file 'cacert.pem'
> (1249 bytes)
> Dec 28 15:14:34 gate pluto[17347]: Changing to directory
> '/etc/ipsec.d/crls'
> Dec 28 15:14:34 gate pluto[17347]:   loaded crl file 'crl.pem' (508
> bytes)
> Dec 28 15:14:35 gate pluto[17347]:   loaded host cert file
> '/etc/ipsec.d/certs/mueller-family.dyndns.org.pem' (3659 bytes)
> Dec 28 15:14:35 gate pluto[17347]: added connection description
> "mueller-family-wlan"
> Dec 28 15:14:35 gate pluto[17347]: listening for IKE messages
> Dec 28 15:14:35 gate pluto[17347]: adding interface ppp0/ppp0
> 80.128.172.213
> Dec 28 15:14:35 gate pluto[17347]: adding interface eth2/eth2
> 192.168.70.1
> Dec 28 15:14:35 gate pluto[17347]: adding interface eth1/eth1
> 192.168.69.1
> Dec 28 15:14:35 gate pluto[17347]: adding interface eth0/eth0 169.254.0.1
> Dec 28 15:14:35 gate pluto[17347]: adding interface lo/lo 127.0.0.1
> Dec 28 15:14:35 gate pluto[17347]: adding interface lo/lo ::1
> Dec 28 15:14:35 gate pluto[17347]: loading secrets from
> "/etc/ipsec.secrets"
> Dec 28 15:14:35 gate pluto[17347]:   loaded private key file
> '/etc/ipsec.d/private/mueller-family.dyndns.org.key' (1692 bytes)
>
>
> When I start up the Openswan client an assertion occurs causing
> Openswan to be restarted:
>
> Dec 28 18:16:39 gate pluto[21517]: packet from 192.168.70.5:500:
> received Vendor ID payload [Dead Peer Detection]
> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1]
> 192.168.70.5 #1: responding to Main Mode from unknown peer 192.168.70.5
> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1]
> 192.168.70.5 #1: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1]
> 192.168.70.5 #1: transition from state STATE_MAIN_R1 to state
> STATE_MAIN_R2
> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1]
> 192.168.70.5 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE,
> ST=Hessen, L=Altenstadt-Lindheim, O=mueller-family,
> CN=miraculix.mueller-family.de, E=axel@mueller-family.de'
> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[1]
> 192.168.70.5 #1: crl update for "C=DE, ST=Hessen,
> L=Altenstadt-Lindheim, O=mueller-family, CNÊ,
> EÊ@mueller-family.de" is overdue since Aug 15 11:43:12 UTC 2004
> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #1: deleting connection "mueller-family-wlan" instance
> with peer 192.168.70.5 {isakmp=#0/ipsec=#0}
> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #1: I am sending my cert
> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #1: transition from state STATE_MAIN_R2 to state
> STATE_MAIN_R3
> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #1: sent MR3, ISAKMP SA established
> Dec 28 18:16:39 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: responding to Quick Mode
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: ASSERTION FAILED at ipsec_doi.c:3172: case 12 unexpected
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: interface lo/lo ::1
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: interface lo/lo 127.0.0.1
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: interface eth0/eth0 169.254.0.1
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: interface eth1/eth1 192.168.69.1
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: interface eth2/eth2 192.168.70.1
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: interface ppp0/ppp0 80.128.172.213
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: %myid = (none)
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: debug none
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8,
> keysizemin=64, keysizemax=64
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
> keysizemin=192, keysizemax=192
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm ESP encrypt: id=7, name=ESP_BLOWFISH,
> ivlen=8, keysizemin=40, keysizemax=448
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
> keysizemin=0, keysizemax=0
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm ESP encrypt: id=252, name=ESP_SERPENT,
> ivlen=8, keysizemin=128, keysizemax=256
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm ESP encrypt: id=253, name=ESP_TWOFISH,
> ivlen=8, keysizemin=128, keysizemax=256
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm ESP auth attr: id=1,
> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm ESP auth attr: id=2,
> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm ESP auth attr: id=5,
> name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm ESP auth attr: id=251, name=(null),
> keysizemin=0, keysizemax=0
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2:
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC,
> blocksize=16, keydeflen=128
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,
> blocksize=8, keydeflen=192
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm IKE dh group: id=2,
> name=OAKLEY_GROUP_MODP1024, bits=1024
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm IKE dh group: id=5,
> name=OAKLEY_GROUP_MODP1536, bits=1536
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm IKE dh group: id=14,
> name=OAKLEY_GROUP_MODP2048, bits=2048
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm IKE dh group: id=15,
> name=OAKLEY_GROUP_MODP3072, bits=3072
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm IKE dh group: id=16,
> name=OAKLEY_GROUP_MODP4096, bits=4096
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm IKE dh group: id=17,
> name=OAKLEY_GROUP_MODP6144, bits=6144
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: algorithm IKE dh group: id=18,
> name=OAKLEY_GROUP_MODP8192, bits=8192
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2:
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: stats db_ops.c: {curr_cnt, total_cnt, maxsz}
> :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2:
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: "mueller-family-wlan": 0.0.0.0/0===192.168.70.1[C=DE,
> ST=Hessen, L=Altenstadt-Lindheim, O=mueller-family,
> CN=mueller-family.dyndns.org,
> E=axel@mueller-family.de]...%virtual===?; unrouted; eroute owner: #0
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: "mueller-family-wlan":     srcip=unset; dstip=unset
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: "mueller-family-wlan":   CAs: 'C=DE, ST=Hessen,
> L=Altenstadt-Lindheim, O=mueller-family, CNÊ,
> EÊ@mueller-family.de'...'%any'
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: "mueller-family-wlan":   ike_life: 3600s; ipsec_life:
> 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: "mueller-family-wlan":   policy:
> RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 0,32; interface: eth2;
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: "mueller-family-wlan":   newest ISAKMP SA: #0; newest
> IPsec SA: #0;
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: "mueller-family-wlan"[2]:
> 0.0.0.0/0===192.168.70.1[C=DE, ST=Hessen, L=Altenstadt-Lindheim,
> O=mueller-family, CN=mueller-family.dyndns.org,
> E=axel@mueller-family.de]...192.168.70.5[C=DE, ST=Hessen,
> L=Altenstadt-Lindheim, O=mueller-family,
> CN=miraculix.mueller-family.de, E=axel@mueller-family.de]; unrouted;
> eroute owner: #0
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: "mueller-family-wlan"[2]:     srcip=unset; dstip=unset
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: "mueller-family-wlan"[2]:   CAs: 'C=DE, ST=Hessen,
> L=Altenstadt-Lindheim, O=mueller-family, CNÊ,
> EÊ@mueller-family.de'...'%any'
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: "mueller-family-wlan"[2]:   ike_life: 3600s;
> ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: "mueller-family-wlan"[2]:   policy:
> RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 0,32; interface: eth2;
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: "mueller-family-wlan"[2]:   newest ISAKMP SA: #1;
> newest IPsec SA: #0;
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: "mueller-family-wlan"[2]:   IKE algorithm newest:
> 3DES_CBC_192-MD5-MODP1536
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2:
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: #2: "mueller-family-wlan"[2] 192.168.70.5 (null)
> ((null)); EVENT_CRYPTO_FAILED in 299s; lastdpd=-1s(seq in:0 out:0)
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2: #1: "mueller-family-wlan"[2] 192.168.70.5
> STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in
> 3329s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
> Dec 28 18:16:40 gate pluto[21517]: "mueller-family-wlan"[2]
> 192.168.70.5 #2:
> Dec 28 18:16:40 gate ipsec__plutorun: /usr/local/lib/ipsec/_plutorun:
> line 1: 21517 Aborted                 /usr/local/libexec/ipsec/pluto
> --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d
> --uniqueids --virtual_private %v4:192.168.70.0/24
> Dec 28 18:16:40 gate ipsec__plutorun: !pluto failure!:  exited with
> error status 134 (signal 6)
> Dec 28 18:16:40 gate ipsec__plutorun: restarting IPsec after pause...
> Dec 28 18:16:51 gate kernel: NET: Unregistered protocol family 15
> Dec 28 18:16:51 gate ipsec_setup: ...Openswan IPsec stopped
> Dec 28 18:16:51 gate ipsec_setup: Stopping Openswan IPsec...
> Dec 28 18:16:51 gate ipsec_setup: Removing orphaned /var/run/pluto.pid:
> Dec 28 18:16:52 gate kernel: NET: Registered protocol family 15
> Dec 28 18:16:53 gate kernel: Initializing IPsec netlink socket
> Dec 28 18:16:53 gate ipsec_setup: KLIPS ipsec0 on eth2
> 192.168.70.1/255.255.255.0 broadcast 192.168.70.255
> Dec 28 18:16:53 gate ipsec__plutorun: Restarting Pluto subsystem...
> Dec 28 18:16:53 gate ipsec_setup: ...Openswan IPsec started
> Dec 28 18:16:53 gate pluto[22217]: Starting Pluto (Openswan Version
> 2.3.0dr5 X.509-1.5.4 PLUTO_USES_KEYRR)
> Dec 28 18:16:53 gate pluto[22217]: Setting port floating to off
> Dec 28 18:16:53 gate pluto[22217]: port floating activate 0/1
> Dec 28 18:16:53 gate pluto[22217]:   including NAT-Traversal patch
> (Version 0.6c) [disabled]
> Dec 28 18:16:53 gate pluto[22217]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
> Dec 28 18:16:53 gate pluto[22217]: starting up 1 cryptographic helpers
> Dec 28 18:16:53 gate pluto[22217]: started helper pid=22226 (fd:6)
> Dec 28 18:16:53 gate pluto[22217]: Using Linux 2.6 IPsec interface code
> Dec 28 18:16:54 gate pluto[22217]: Changing to directory
> '/etc/ipsec.d/cacerts'
> Dec 28 18:16:54 gate pluto[22217]:   loaded CA cert file 'cacert.pem'
> (1249 bytes)
> Dec 28 18:16:54 gate pluto[22217]: Could not change to directory
> '/etc/ipsec.d/aacerts'
> Dec 28 18:16:54 gate pluto[22217]: Changing to directory
> '/etc/ipsec.d/ocspcerts'
> Dec 28 18:16:54 gate pluto[22217]: Changing to directory
> '/etc/ipsec.d/crls'
> Dec 28 18:16:54 gate ipsec_setup: Restarting Openswan IPsec 2.3.0dr5...
> Dec 28 18:16:54 gate ipsec_setup: insmod
> /lib/modules/2.6.10/kernel/net/key/af_key.ko
> Dec 28 18:16:54 gate ipsec_setup: insmod
> /lib/modules/2.6.10/kernel/net/ipv4/xfrm4_tunnel.ko
> Dec 28 18:16:54 gate ipsec_setup: insmod
> /lib/modules/2.6.10/kernel/net/xfrm/xfrm_user.ko
> Dec 28 18:16:54 gate pluto[22217]:   loaded crl file 'crl.pem' (508
> bytes)
> Dec 28 18:16:55 gate pluto[22217]:   loaded host cert file
> '/etc/ipsec.d/certs/mueller-family.dyndns.org.pem' (3659 bytes)
> Dec 28 18:16:55 gate pluto[22217]: added connection description
> "mueller-family-wlan"
> Dec 28 18:16:55 gate pluto[22217]: listening for IKE messages
> Dec 28 18:16:55 gate pluto[22217]: adding interface ppp0/ppp0
> 80.128.172.213
> Dec 28 18:16:55 gate pluto[22217]: adding interface eth2/eth2
> 192.168.70.1
> Dec 28 18:16:55 gate pluto[22217]: adding interface eth1/eth1
> 192.168.69.1
> Dec 28 18:16:55 gate pluto[22217]: adding interface eth0/eth0 169.254.0.1
> Dec 28 18:16:55 gate pluto[22217]: adding interface lo/lo 127.0.0.1
> Dec 28 18:16:55 gate pluto[22217]: adding interface lo/lo ::1
>
> The problem does not seem to relate to the kernel version on the
> client side - at least 2.6.9 shows the same behavior.
> Any idea?
>
> Axel
>
> _______________________________________________
> Users mailing list
> Users@openswan.org
> http://lists.openswan.org/mailman/listinfo/users
