From: James P. Kinney III (jkinney_at_localnetsolutions.com)
Date: Mon Dec 16 2002 - 04:10:07 CET
I got that problem fixed by removing the "extra stuff" from the
ipsec.secrets file.

New problem. Testing a connection between a Win2k client and a
linux/FreeSWan server on a private network (to avoid the phone dialup
while learning).

The ipsec starts OK but it can't set the routing to the win2k box. It
gripes about missing or bad nexthop setting. The win2k box has no
nexthop. It is joined by ethernet through a 100M switch to the head end!
I tried the IP address of the head end NIC and also the IP of the win2k
box. It seems like this should be similar to the "wireless LAN client
VPN connection", i.e. a single box connecting to a gateway.

I thought it was firewall problems. It may still be. I set iptables to
forward anything between the 192.168.0.0/24 and 192.168.1.0/24 subnets
without MASQUERADING.

So I'm stumped. Again. If anyone has suggestions, please post them. I'll
be buried back in the docs and examples again.

Dec 15 21:45:16 castle pluto[4997]: packet from 192.168.1.13:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY]
Dec 15 21:45:16 castle pluto[4997]: "roadwarrior"[1] 192.168.1.13 #1:
responding to Main Mode from unknown peer 192.168.1.13
Dec 15 21:45:16 castle pluto[4997]: "roadwarrior"[1] 192.168.1.13 #1:
Peer ID is ID_DER_ASN1_DN: 'C=US, ST=Georgia, L=Tucker, O=Local Net
Solutions, OU=OU, CN=arthur, E=jkinney_at_localnetsolutions.com'
Dec 15 21:45:16 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #1:
deleting connection "roadwarrior" instance with peer 192.168.1.13
Dec 15 21:45:16 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #1:
sent MR3, ISAKMP SA established
Dec 15 21:45:17 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2:
responding to Quick Mode
Dec 15 21:45:17 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2:
route-client output: SIOCADDRT: Network is unreachable
Dec 15 21:45:17 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2:
route-client output: /usr/local/lib/ipsec/_updown: `route add -net
192.168.1.13 netmask 255.255.255.255 dev ipsec0 gw 192.168.1.13' failed
Dec 15 21:45:17 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2:
route-client output: /usr/local/lib/ipsec/_updown: (incorrect or missing
nexthop setting??)
Dec 15 21:45:17 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2:
route-client command exited with status 7
Dec 15 21:45:27 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2:
route-client output: SIOCADDRT: Network is unreachable
Dec 15 21:45:27 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2:
route-client output: /usr/local/lib/ipsec/_updown: `route add -net
192.168.1.13 netmask 255.255.255.255 dev ipsec0 gw 192.168.1.13' failed
Dec 15 21:45:27 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2:
route-client output: /usr/local/lib/ipsec/_updown: (incorrect or missing
nexthop setting??)
Dec 15 21:45:27 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2:
route-client command exited with status 7
Dec 15 21:45:27 castle pluto[4997]: ERROR: "roadwarrior"[2] 192.168.1.13
#2: pfkey write() of SADB_DELETE message 22 for Delete SA
esp.42c003b0_at_192.168.0.1 failed. Errno 3: No such process
On Sat, 2002-12-14 at 23:36, Ken Bantoft wrote:
>
> Never seen/heard of this before.. and I'm running RH 8.0 on this very
> laptop.
>
>
> On 13 Dec 2002, James P. Kinney III wrote:
>
> > I'm running RedHat 8 with the super-freeswan-1.99kb2 and the patched
> > kernel source rpm (_that_ took a while to compile :) of
> > 2.4.18-18.8.0.2foo.
> >
> > When ipsec is started, pluto fails, sleeps 10 seconds, reloads and
> > continues this process forever. I turned on full debugging and have
> > included a short snippet:
> >
> > Dec 13 09:28:39 castle kernel: klips_debug:pfkey_remove_socket: .
> > Dec 13 09:28:39 castle kernel: klips_debug:pfkey_remove_socket:
> > succeeded.
> > Dec 13 09:28:39 castle kernel: klips_debug:pfkey_destroy_socket:
> > pfkey_remove_socket called.
> > Dec 13 09:28:39 castle kernel: klips_debug:pfkey_destroy_socket:
> > sk(c45b1140)->(&c45b1188)receive_queue.{next=c45b1188,prev=c45b1188}.
> > Dec 13 09:28:39 castle kernel: klips_debug:pfkey_destroy_socket:
> > destroyed.
> > Dec 13 09:28:39 castle kernel: klips_debug:pfkey_list_remove_socket:
> > removing sock=cb7a2ac4
> > Dec 13 09:28:39 castle last message repeated 7 times
> > Dec 13 09:28:39 castle ipsec__plutorun: !pluto failure!: exited with
> > error status 136 (signal 8)
> > Dec 13 09:28:39 castle kernel: klips_debug:pfkey_list_remove_socket:
> > removing sock=cb7a2ac4
> > Dec 13 09:28:39 castle ipsec__plutorun: restarting IPsec after pause...
> > Dec 13 09:28:39 castle kernel: klips_debug:pfkey_list_remove_socket:
> > removing sock=cb7a2ac4
> > Dec 13 09:28:39 castle last message repeated 3 times
> > Dec 13 09:28:39 castle kernel: klips_debug:pfkey_release: succeeded.
> > Dec 13 09:28:43 castle ipsec_setup: Stopping FreeS/WAN IPsec...
> >
> > The last line is where I killed it. In fact, the /etc/init.d/ipsec stop
> > won't stop it. I added a procedure that would rename ipsec/_plutorun to
> > force it to die after its 10 second time out.
> >
> > Is this a config issue or something else I don't understand?
>
> Could be... you didn't include any config bits, so it's a shot in the
> dark.
>
> From "man 7 signal":
>
> SIGFPE 8 C Floating point exception
>
> So it's apparently a floating point exception.
>
> This has been seen earlier with straight FreeS/WAN + X.509 patch:
>
> http://lists.freeswan.org/pipermail/users/2002-September/013981.html
>
> However no result was ever posted.
>
> --
> Ken Bantoft The Unofficial FreeS/WAN Site:
> ken_at_freeswan.ca http://www.freeswan.ca
> PGP Key: finger ken_at_bantoft.org
> "Anyone who considers arithmetical methods of producing
> random digits is, of course, in a state of sin."
> -- John Von Neumann, 1951
>
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
> _______________________________________________
> Ipsec-users mailing list
> Ipsec-users_at_tossell.net
> http://lists.tossell.net/lists/listinfo/ipsec-users
--
James P. Kinney III          \Changing the mobile computing world/
President and CEO             \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney_at_localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
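
Added example, not part of the original post and not FreeS/WAN code: a small triage script that pulls the failed _updown "route add" out of pluto log lines like those above and checks whether the gateway is on-link for the device. The sample lines are the post's entries with the mail wrapping undone; the function names and the mapping of ipsec0 to 192.168.0.1/24 (taken from the SA address in the log and the /24 subnets mentioned) are assumptions.

```python
import ipaddress
import re

# Constructed sample: entries from the post with the mail line-wrapping undone.
SAMPLE_LOG = """\
Dec 15 21:45:17 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2: route-client output: SIOCADDRT: Network is unreachable
Dec 15 21:45:17 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2: route-client output: /usr/local/lib/ipsec/_updown: `route add -net 192.168.1.13 netmask 255.255.255.255 dev ipsec0 gw 192.168.1.13' failed
Dec 15 21:45:17 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2: route-client command exited with status 7
Dec 15 21:45:27 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2: route-client output: /usr/local/lib/ipsec/_updown: `route add -net 192.168.1.13 netmask 255.255.255.255 dev ipsec0 gw 192.168.1.13' failed
"""

# Matches the _updown line that quotes the failed route command.
ROUTE_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: route-client output: \S+_updown: '
    r"`route add -net (?P<dest>\S+) netmask (?P<mask>\S+) dev (?P<dev>\S+) gw (?P<gw>\S+)' failed"
)

def failed_routes(log_text):
    """Return one dict per distinct failed 'route add' (retries are collapsed)."""
    seen, out = set(), []
    for m in ROUTE_RE.finditer(log_text):
        rec = m.groupdict()
        key = tuple(rec.values())
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out

def diagnose(rec, iface_networks):
    """List likely reasons the kernel refused the route.

    iface_networks maps a device name to its address/prefix; this is
    operator-supplied input (an assumption here), not something in the log.
    """
    notes = []
    gw = ipaddress.ip_address(rec["gw"])
    dest = ipaddress.ip_network(f'{rec["dest"]}/{rec["mask"]}')
    if dest.num_addresses == 1 and gw == dest.network_address:
        notes.append("gateway equals the routed host (nexthop is the peer itself)")
    net = iface_networks.get(rec["dev"])
    if net is None:
        notes.append(f'no address known for {rec["dev"]}')
    elif gw not in ipaddress.ip_network(net, strict=False):
        notes.append(f'gateway {gw} is not on-link for {rec["dev"]} ({net})')
    return notes
```

Calling diagnose(failed_routes(SAMPLE_LOG)[0], {"ipsec0": "192.168.0.1/24"}) reports both conditions; a gateway that is not directly reachable on the named device is a common cause of "SIOCADDRT: Network is unreachable".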
This archive was generated by hypermail 2.1.5 : Tue Dec 17 2002 - 05:21:05 CET