This list is closed, nobody may subscribe to it.
From: SourceForge.net <no...@so...> - 2013-05-29 19:55:36
Bugs item #3603844, was opened at 2013-02-08 08:45
Message generated for change (Comment added) made by ttblum
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3603844&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 7
Private: No
Submitted By: Todd Blum (ttblum)
Assigned to: Nobody/Anonymous (nobody)
Summary: ipsec-tools 0.8.0 racoon segfaults after losing connectivity

Initial Comment:
I just had two racoon core dumps, two nights in a row. They both seem to coincide with ISP outages, the first night on my side, and the second night an ISP outage that affected at least five remote routers. racoon magically restarted itself twice on the first night, and not at all on the second.

I was using pfSense 2.0.1 (since upgraded to 2.0.2), both of which run on FreeBSD 8.1 and use:

Feb 5 00:13:33 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Feb 5 00:13:33 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
---
Log excerpts are:

Feb 5 00:09:36 192.168.116.250 racoon: [173.z.z.z] INFO: DPD: remote (ISAKMP-SA spi=2384af4f0ce1ea9c:98e4230c19058a5c) seems to be dead.
Feb 5 00:09:36 192.168.116.250 racoon: INFO: purging ISAKMP-SA spi=2384af4f0ce1ea9c:98e4230c19058a5c.
Feb 5 00:09:36 192.168.116.250 racoon: INFO: purged IPsec-SA spi=194715026.
Feb 5 00:09:36 192.168.116.250 racoon: INFO: purged IPsec-SA spi=66256580.
Feb 5 00:09:36 192.168.116.250 racoon: INFO: purged ISAKMP-SA spi=2384af4f0ce1ea9c:98e4230c19058a5c.
Feb 5 00:09:36 192.168.116.250 racoon: INFO: ISAKMP-SA deleted 204.x.x.x[500]-173.z.z.z[500] spi:2384af4f0ce1ea9c:98e4230c19058a5c
Feb 5 00:09:36 192.168.116.250 racoon: INFO: IPsec-SA request for 173.z.z.z queued due to no phase1 found.
Feb 5 00:09:36 192.168.116.250 racoon: INFO: initiate new phase 1 negotiation: 204.x.x.x[500]<=>173.z.z.z[500]
Feb 5 00:09:36 192.168.116.250 racoon: INFO: begin Identity Protection mode.
Feb 5 00:09:36 192.168.116.250 racoon: INFO: IPsec-SA request for 108.x.x.x queued due to no phase1 found.
Feb 5 00:09:36 192.168.116.250 racoon: INFO: initiate new phase 1 negotiation: 204.x.x.x[500]<=>108.x.x.x[500]
Feb 5 00:09:36 192.168.116.250 racoon: INFO: begin Identity Protection mode.
Feb 5 00:09:36 192.168.116.250 racoon: [70.x.x.x] INFO: DPD: remote (ISAKMP-SA spi=4723810f85f0bc34:099f2fc12d622f27) seems to be dead.
Feb 5 00:09:36 192.168.116.250 racoon: INFO: purging ISAKMP-SA spi=4723810f85f0bc34:099f2fc12d622f27.
Feb 5 00:09:36 192.168.116.250 racoon: INFO: purged IPsec-SA spi=133413478.
Feb 5 00:09:36 192.168.x.x racoon: INFO: purged IPsec-SA spi=74597912.
Feb 5 00:09:36 192.168.x.x racoon: INFO: purged ISAKMP-SA spi=4723810f85f0bc34:099f2fc12d622f27.
Feb 5 00:09:36 192.168.x.x racoon: INFO: IPsec-SA request for 70.z.z.z queued due to no phase1 found.
Feb 5 00:09:42 192.168.x.x pf: 00:00:00.967728 rule 1/0(match): block in on enc0: (tos 0x0, ttl 99, id 168, offset 0, flags [none], proto TCP (6), length 40)
Feb 5 00:09:42 192.168.x.x pf: 192.168.Y.x.80 > 192.168.x.H.58823: Flags [.], cksum 0x8b43 (correct), ack 1, win 0, length 0
Feb 5 00:09:42 192.168.x.x kernel: pid 38566 (racoon), uid 0: exited on signal 11 (core dumped)
--
Feb 5 00:15:12 192.168.x.x racoon: [24.x.x.x] ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 24.x.x.x[0]->204.x.x.x[0]
Feb 5 00:15:12 192.168.x.x racoon: INFO: delete phase 2 handler.
Feb 5 00:15:12 192.168.x.x racoon: NOTIFY: the packet is retransmitted by 168.x.x.x[500] (1).
Feb 5 00:15:12 192.168.x.x racoon: NOTIFY: the packet is retransmitted by 72.x.x.x[500] (1).
Feb 5 00:15:12 192.168.x.x racoon: ERROR: phase1 negotiation failed due to time up. 2922ae9fc607afdc:e8795f869a651ef4
Feb 5 00:15:12 192.168.x.x kernel: pid 57409 (racoon), uid 0: exited on signal 11 (core dumped)
--
Feb 6 01:48:43 192.168.116.250 racoon: [107.z.z.z] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 6 01:48:43 192.168.116.250 racoon: INFO: IPsec-SA request for 209.z.z.z queued due to no phase1 found.
Feb 6 01:48:43 192.168.116.250 racoon: INFO: initiate new phase 1 negotiation: 204.x.x.x[500]<=>209.z.z.z[500]
Feb 6 01:48:43 192.168.116.250 racoon: INFO: begin Identity Protection mode.
Feb 6 01:48:43 192.168.116.250 racoon: INFO: received Vendor ID: DPD
Feb 6 01:48:44 192.168.116.250 racoon: [66.z.z.z] ERROR: unknown Informational exchange received.
Feb 6 01:48:44 192.168.116.250 racoon: [66.z.z.z] ERROR: unknown Informational exchange received.
Feb 6 01:48:44 192.168.116.250 racoon: [71.z.z.z] INFO: DPD: remote (ISAKMP-SA spi=23c4c715caf74e95:73eaf2d5863eb546) seems to be dead.
Feb 6 01:48:44 192.168.116.250 racoon: INFO: purging ISAKMP-SA spi=23c4c715caf74e95:73eaf2d5863eb546.
Feb 6 01:48:44 192.168.116.250 racoon: INFO: purged IPsec-SA spi=83395052.
Feb 6 01:48:44 192.168.116.250 racoon: INFO: purged IPsec-SA spi=12868578.
Feb 6 01:48:44 192.168.116.250 racoon: INFO: purged ISAKMP-SA spi=23c4c715caf74e95:73eaf2d5863eb546.
Feb 6 01:48:44 192.168.116.250 racoon: INFO: ISAKMP-SA deleted 204.x.x.x[500]-71.z.z.z[500] spi:23c4c715caf74e95:73eaf2d5863eb546
Feb 6 01:48:44 192.168.116.250 racoon: INFO: ISAKMP-SA established 204.x.x.x[500]-209.z.z.z[500] spi:c3de808313e44848:6f35e2474512dcfb
Feb 6 01:48:44 192.168.116.250 racoon: INFO: IPsec-SA request for 64.z.z.z queued due to no phase1 found.
Feb 6 01:48:44 192.168.116.250 racoon: INFO: initiate new phase 1 negotiation: 204.x.x.x[500]<=>64.z.z.z[500]
Feb 6 01:48:44 192.168.116.250 racoon: INFO: begin Identity Protection mode.
Feb 6 01:48:44 192.168.116.250 racoon: [66.z.z.z] ERROR: unknown Informational exchange received.
Feb 6 01:48:44 192.168.116.250 racoon: INFO: respond new phase 1 negotiation: 204.x.x.x[500]<=>66.z.z.z[500]
Feb 6 01:48:44 192.168.116.250 racoon: INFO: begin Identity Protection mode.
Feb 6 01:48:44 192.168.116.250 racoon: INFO: received Vendor ID: DPD
Feb 6 01:48:44 192.168.116.250 racoon: INFO: received Vendor ID: DPD
Feb 6 01:48:44 192.168.116.250 racoon: INFO: ISAKMP-SA established 204.x.x.x[500]-64.z.z.z[500] spi:7271dcd00ea0731f:61f4c99af2710cf5
Feb 6 01:48:44 192.168.116.250 pf: 00:00:00.949496 rule 1/0(match): block in on enc0: (tos 0x0, ttl 99, id 114, offset 0, flags [none], proto TCP (6), length 40)
Feb 6 01:48:44 192.168.x.x pf: 192.168.K.x.80 > 192.168.116.8.33150: Flags [.], cksum 0xf662 (correct), ack 1, win 0, length 0
Feb 6 01:48:44 192.168.x.x racoon: INFO: initiate new phase 2 negotiation: 204.x.x.x[500]<=>209.x.x.x[500]
Feb 6 01:48:44 192.168.x.x racoon: INFO: IPsec-SA established: ESP 204.x.x.x[500]->209.x.x.x[500] spi=234527522(0xdfa9b22)
Feb 6 01:48:44 192.168.x.x racoon: INFO: IPsec-SA established: ESP 204.x.x.x[500]->209.x.x.x[500] spi=1266810441(0x4b81fe49)
Feb 6 01:48:45 192.168.x.x racoon: [71.x.x.x] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 6 01:48:45 192.168.x.x kernel: pid 10622 (racoon), uid 0: exited on signal 11 (core dumped)
--
Found these similar reports here:
http://forum.pfsense.org/index.php/topic,39383.0.html

----------------------------------------------------------------------

>Comment By: Todd Blum (ttblum)
Date: 2013-05-29 12:55

Message:
Probably seemed to correlate with the outages of a single ISP. The ISP replaced/repaired a DSL DSLAM and possibly some core routers as well. racoon has been up stable now for several weeks since this change.

----------------------------------------------------------------------

Comment By: Todd Blum (ttblum)
Date: 2013-05-01 12:43

Message:
racoon segfaulted again, but this time without any sainfo messages. The crash coincided with an ISP outage that affected at least 6 remote endpoints. DPD was enabled on these tunnels:

...
May 1 01:18:27 192.168.116.250 racoon: INFO: ISAKMP-SA deleted my.end.poi.nt[500]-x.x.x.x [500] spi:48131b4e56ac24b8:32ef67f65454935e
May 1 01:18:28 192.168.116.250 racoon: [y.y.y.y ] INFO: DPD: remote (ISAKMP-SA spi=622012ee7f51261d:7e39cc0f5ee916a0) seems to be dead.
May 1 01:18:28 192.168.116.250 racoon: INFO: purging ISAKMP-SA spi=622012ee7f51261d:7e39cc0f5ee916a0.
May 1 01:18:28 192.168.116.250 racoon: INFO: purged IPsec-SA spi=2284023606.
May 1 01:18:28 192.168.116.250 racoon: INFO: purged IPsec-SA spi=187964617.
May 1 01:18:28 192.168.116.250 racoon: INFO: purged ISAKMP-SA spi=622012ee7f51261d:7e39cc0f5ee916a0.
May 1 01:18:28 192.168.116.250 racoon: INFO: ISAKMP-SA deleted my.end.poi.nt[500]-y.y.y.y [500] spi:622012ee7f51261d:7e39cc0f5ee916a0
May 1 01:18:29 192.168.116.250 racoon: [z.z.z.z ] INFO: DPD: remote (ISAKMP-SA spi=3c837090349206bf:1086e896dce5e982) seems to be dead.
May 1 01:18:29 192.168.116.250 racoon: INFO: purging ISAKMP-SA spi=3c837090349206bf:1086e896dce5e982.
May 1 01:18:29 192.168.116.250 racoon: INFO: purged IPsec-SA spi=3531119898.
May 1 01:18:29 192.168.116.250 racoon: INFO: purged IPsec-SA spi=124488619.
May 1 01:18:29 192.168.116.250 racoon: INFO: purged ISAKMP-SA spi=3c837090349206bf:1086e896dce5e982.

The segfaults still seem to coincide with connectivity issues.

----------------------------------------------------------------------

Comment By: Todd Blum (ttblum)
Date: 2013-04-23 07:22

Message:
Today I've found that I had duplicate IPSec tunnels configured in pfSense, one disabled and the other enabled. I've moved this tunnel elsewhere, and I've removed both from the pfSense config to see if this improves my racoon stability.

----------------------------------------------------------------------

Comment By: Todd Blum (ttblum)
Date: 2013-04-22 10:31

Message:
The error message 'failed to get sainfo' is usually appearing in the logs prior to the segfaults, then not at all afterwards:

Apr 16 09:59:51 192.168.116.250 racoon: [xx.xx.xxx.xx] ERROR: unknown Informational exchange received.
Apr 16 09:59:55 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 09:59:57 192.168.116.250 racoon: [yy.yy.yy.yyy] ERROR: unknown Informational exchange received.
Apr 16 10:00:02 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:02 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:16 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:23 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:23 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:41 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:44 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:44 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:02 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:06 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:06 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:14 192.168.116.250 racoon: INFO: respond new phase 1 negotiation: zz.zz.zz.zz[500]<=>hh.hh.hh.hh[500]
Apr 16 10:01:14 192.168.116.250 racoon: INFO: begin Identity Protection mode.
Apr 16 10:01:17 192.168.116.250 racoon: INFO: ISAKMP-SA established zz.zz.zz.zz[500]-hh.hh.hh.hh[500] spi:baa4c93e8c16198c:482ba6110eeabc0c
Apr 16 10:01:17 192.168.116.250 racoon: INFO: purged IPsec-SA proto_id=ESP spi=2201026904.
Apr 16 10:01:17 192.168.116.250 racoon: INFO: purged IPsec-SA proto_id=ESP spi=3679806084.
Apr 16 10:01:18 192.168.116.250 racoon: INFO: respond new phase 2 negotiation: zz.zz.zz.zz[500]<=>hh.hh.hh.hh[500]
Apr 16 10:01:18 192.168.116.250 racoon: INFO: IPsec-SA established: ESP zz.zz.zz.zz[500]->hh.hh.hh.hh[500] spi=119993144(0x726f338)
Apr 16 10:01:18 192.168.116.250 racoon: INFO: IPsec-SA established: ESP zz.zz.zz.zz[500]->hh.hh.hh.hh[500] spi=2718404122(0xa2078e1a)
Apr 16 10:01:19 192.168.116.250 racoon: INFO: ISAKMP-SA expired zz.zz.zz.zz[500]-hh.hh.hh.hh[500] spi:baa4c93e8c16198c:482ba6110eeabc0c
Apr 16 10:01:19 192.168.116.250 racoon: INFO: ISAKMP-SA deleted zz.zz.zz.zz[500]-hh.hh.hh.hh[500] spi:baa4c93e8c16198c:482ba6110eeabc0c
Apr 16 10:01:27 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:27 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:30 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:51 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:51 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:55 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:02:13 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:02:13 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:02:16 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:02:37 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:02:37 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:02:40 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:02:41 192.168.116.250 racoon: INFO: respond new phase 1 negotiation: zz.zz.zz.zz[500]<=>hh.hh.hh.hh[500]
Apr 16 10:02:41 192.168.116.250 racoon: INFO: begin Identity Protection mode.
Apr 16 10:02:42 192.168.116.250 kernel: pid 45397 (racoon), uid 0: exited on signal 11 (core dumped)

Is there any relation to this error report?
https://bugs.launchpad.net/ubuntu/+source/ipsec-tools/+bug/913935

----------------------------------------------------------------------

Comment By: Todd Blum (ttblum)
Date: 2013-04-10 11:57

Message:
It seems like the more Phase1's not establishing, the more likely racoon is to segfault.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3603844&group_id=74601
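
The pattern reported in the thread above (DPD timeouts, `failed to get sainfo` and phase 1 failures shortly before the kernel's `exited on signal 11` line) can be checked over a syslog export with a script like the following. It is an added example, not part of the original report or of ipsec-tools; the function names, the 60-second window, the `year` argument and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# BSD syslog line: "Mon DD HH:MM:SS <rest>". The year is not logged, so the
# caller supplies it (assumption of this example).
LINE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+(.*)$")

# Kernel line that marks a racoon crash, in the form shown in the report.
CRASH = re.compile(r"kernel: pid (\d+) \(racoon\), uid \d+: exited on signal (\d+)")

# Message fragments copied from the log excerpts in the report; the labels on
# the left are names chosen for this example.
PRECURSORS = {
    "dpd_peer_dead": "seems to be dead",
    "sainfo_failure": "failed to get sainfo",
    "phase1_timeout": "phase1 negotiation failed due to time up",
    "phase2_waiting_phase1": "time up waiting for phase1",
    "queued_no_phase1": "queued due to no phase1 found",
    "unknown_informational": "unknown Informational exchange received",
}


def parse(line, year):
    """Return (timestamp, rest_of_line) or None for lines that are not syslog."""
    m = LINE.match(line.strip())
    if not m:
        return None
    mon, day, clock, rest = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return ts, rest


def crashes_with_precursors(lines, year, window_seconds=60):
    """For each racoon crash, count the precursor messages seen in the window before it."""
    window = timedelta(seconds=window_seconds)
    events = []   # (timestamp, label) of racoon messages since the last crash
    reports = []
    for line in lines:
        parsed = parse(line, year)
        if parsed is None:
            continue
        ts, rest = parsed
        crash = CRASH.search(rest)
        if crash:
            recent = Counter(label for t, label in events
                             if timedelta(0) <= ts - t <= window)
            reports.append({
                "time": ts,
                "pid": int(crash.group(1)),
                "signal": int(crash.group(2)),
                "precursors": dict(recent),
            })
            events.clear()  # a restarted racoon is a new process
            continue
        if "racoon:" in rest:
            for label, fragment in PRECURSORS.items():
                if fragment in rest:
                    events.append((ts, label))
                    break
    return reports


# Constructed sample input (documentation addresses, made-up SPIs and pids).
SAMPLE = """\
Mar  3 02:10:01 192.0.2.1 racoon: [198.51.100.7] INFO: DPD: remote (ISAKMP-SA spi=aaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbb) seems to be dead.
Mar  3 02:10:01 192.0.2.1 racoon: INFO: IPsec-SA request for 198.51.100.7 queued due to no phase1 found.
Mar  3 02:10:02 192.0.2.1 racoon: [198.51.100.9] INFO: DPD: remote (ISAKMP-SA spi=cccccccccccccccc:dddddddddddddddd) seems to be dead.
Mar  3 02:10:05 192.0.2.1 racoon: ERROR: failed to get sainfo.
Mar  3 02:10:07 192.0.2.1 kernel: pid 4242 (racoon), uid 0: exited on signal 11 (core dumped)
Mar  3 02:30:00 192.0.2.1 racoon: ERROR: phase1 negotiation failed due to time up. eeeeeeeeeeeeeeee:ffffffffffffffff
Mar  3 02:45:00 192.0.2.1 kernel: pid 4300 (racoon), uid 0: exited on signal 11 (core dumped)
""".splitlines()

if __name__ == "__main__":
    for report in crashes_with_precursors(SAMPLE, year=2013):
        print(report["time"], "pid", report["pid"], "signal", report["signal"],
              report["precursors"])
```

A crash with an empty precursor count, like the second one in the sample, is worth separating from the rest because it does not fit the connectivity-loss pattern.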
From: SourceForge.net <no...@so...> - 2013-04-30 00:01:57
Bugs item #3612235, was opened at 2013-04-29 17:01
Message generated for change (Tracker Item Submitted) made by knoxfred
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3612235&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Fred Knox (knoxfred)
Assigned to: Nobody/Anonymous (nobody)
Summary: Racoon crashes and reboots system

Initial Comment:
Running Kernel 3.9-rc-1
IPSec Tools 8.1

If I create a racoon server on one machine and then connect to the server from my linux laptop (both running same kernel and image) I get a connection. If I stop the racoon server the client crashes and reboots the laptop.

Here is the crash info. Any help would be appreciated. FYI I run an older version on a kernel 3.02 with no issues.

0c000018 a66777f0 0b94a8e1 e88e1981 e[ 694.839677] BUG: unable to handle kernel NULL pointer dereference at 00000010
[ 694.840042] IP: [<c03e0af2>] xfrm_output_resume+0x61/0x30e
[ 694.840042] *pde = 00000000
[ 694.840042] Oops: 0000 [#1] PREEMPT
[ 694.840042] Modules linked in: 8021q garp stp llc xt_limit xt_conntrack xt_state ipt_MASQUERADE xt_LOG iptable_mangle iptable_filtex
[ 694.840042] Pid: 17272, comm: ping Tainted: G W 3.9.0-rc1-test #4 /AMD-GX3
[ 694.840042] EIP: 0060:[<c03e0af2>] EFLAGS: 00010246 CPU: 0
[ 694.840042] EIP is at xfrm_output_resume+0x61/0x30e
[ 694.840042] EAX: 00000000 EBX: dd42b840 ECX: 00000000 EDX: c05321a8
[ 694.840042] ESI: 00000000 EDI: dda56a00 EBP: dd8a1c4c ESP: dd8a1c3c
[ 694.840042] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[ 694.840042] CR0: 8005003b CR2: 00000010 CR3: 1d941000 CR4: 00000090
[ 694.840042] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 694.840042] DR6: ffff0ff0 DR7: 00000400
[ 694.840042] Process ping (pid: 17272, ti=dd8a0000 task=de9e37f0 task.ti=dd8a0000)
[ 694.840042] Stack:
[ 694.840042] c0547594 dd42b840 c0547594 dd8a1f58 dd8a1c54 c03e0dac dd8a1c68 c03e0e59
[ 694.840042] dd42b840 c03d7c13 dd8a1f58 dd8a1c70 c03d7c3a dd8a1c80 c03d7c68 dd42b840
[ 694.840042] c0547594 dd8a1c8c c039e0e4 de8dd040 dd8a1c9c c039eef7 de8dd040 00000000
[ 694.840042] Call Trace:
[ 694.840042] [<c03e0dac>] xfrm_output2+0xd/0xf
[ 694.840042] [<c03e0e59>] xfrm_output+0xab/0xba
[ 694.840042] [<c03d7c13>] ? xfrm4_extract_output+0x8c/0x8c
[ 694.840042] [<c03d7c3a>] xfrm4_output_finish+0x27/0x29
[ 694.840042] [<c03d7c68>] xfrm4_output+0x2c/0x64
[ 694.840042] [<c039e0e4>] ip_local_out+0x1b/0x1e
[ 694.840042] [<c039eef7>] ip_send_skb+0xe/0x43
[ 694.840042] [<c039ef55>] ip_push_pending_frames+0x29/0x32
[ 694.840042] [<c03b9b19>] raw_sendmsg+0x66c/0x6f1
[ 694.840042] [<c0366000>] ? skb_recv_datagram+0x2b/0x30
[ 694.840042] [<c0362e39>] ? consume_skb+0x24/0x26
[ 694.840042] [<c03b903f>] ? raw_recvmsg+0x63/0x12b
[ 694.840042] [<c03c2378>] inet_sendmsg+0x20/0x4a
[ 694.840042] [<c035c643>] sock_sendmsg+0x82/0x9d
[ 694.840042] [<c035c476>] ? sock_recvmsg+0x91/0xad
[ 694.840042] [<c035c802>] __sys_sendmsg+0x16d/0x1f2
[ 694.840042] [<c035cda5>] ? __sys_recvmsg+0xde/0x174
[ 694.840042] [<c035c3e5>] ? brioctl_set+0x23/0x23
[ 694.840042] [<c0137907>] ? __wake_up+0x2f/0x57
[ 694.840042] [<c0137915>] ? __wake_up+0x3d/0x57
[ 694.840042] [<c02ea93e>] ? tty_wakeup+0x49/0x51
[ 694.840042] [<c02f2852>] ? pty_write+0x48/0x52
[ 694.840042] [<c02ed6ae>] ? do_output_char+0x8b/0x16d
[ 694.840042] [<c02ea93e>] ? tty_wakeup+0x49/0x51
[ 694.840042] [<c0131e24>] ? remove_wait_queue+0x39/0x50
[ 694.840042] [<c02ede33>] ? n_tty_write+0x266/0x29a
[ 694.840042] [<c02edbcd>] ? n_tty_ioctl+0x92/0x92
[ 694.840042] [<c0137907>] ? __wake_up+0x2f/0x57
[ 694.840042] [<c0134e44>] ? __srcu_read_lock+0x36/0x4f
[ 694.840042] [<c01b3abe>] ? fsnotify+0x1c6/0x207
[ 694.840042] [<c035df33>] sys_sendmsg+0x2b/0x46
[ 694.840042] [<c035e3b7>] sys_socketcall+0x160/0x1d1
[ 694.840042] [<c0121e10>] ? sys_gettimeofday+0x29/0x5b
[ 694.840042] [<c0418306>] sysenter_do_call+0x12/0x22
[ 694.840042] Code: f8 ff 8b 43 74 c7 43 70 00 00 00 00 85 c0 74 0e ff 08 0f 94 c2 84 d2 74 05 e8 0a 5f da ff 8b 43 48 c7 43 74 00 003
[ 694.840042] EIP: [<c03e0af2>] xfrm_output_resume+0x61/0x30e SS:ESP 0068:dd8a1c3c
[ 694.840042] CR2: 0000000000000010
da0c4b0 9c624f06 00000010 00000001 03040001 08c1e7c0 e09ea9c4 9ab7d207 02040003 24000000 00000000 a7400000 02000100 08c1e7c0 0403030c 00000000 04000300 00000000 00000000 00000000 80510100 00000000 00000000 00000000 04000400 00000000 00000000 00000000 000e0100 00000000 00000000 00000000 04000200 16000000 38070000 00000000 e032123e 00000000 e032123e 00000000 03000500 00200000 02000000 c0a831f8 00000000 00000000 03000600 00200000 02000000 c0a831f9 00000000 00000000 03000700 ff000000 02000000 00000000 00000000 00000000 04000800 a0000000 0d012011 033e3fdb 73f26334 8bb1eebb e43ef561 00000000 05000900 00010000 63bc0617 27e148b7 eb40ea9f 90cb13e4 a47505ef f3ed673d 223bd593 7a9b9c00 02001300 02000000 00000000 11400000
2002-12-31 19:14:45: DEBUG: DELETE message is not interesting because the message was originated by me.
2002-12-31 19:14:45: DEBUG: ===
2002-12-31 19:14:45: DEBUG: 92 bytes message received from 192.168.49.249[500] to 192.168.49.248[500]
2002-12-31 19:14:50: DEBUG: 07a4c408 638f6792 a8b94d65 dfa22339 08100501 a331b68b 0000005c 69086025 56167fa8 1e8377ec cc12789f a563c294 f874028d 10bba3d3 556c2ad0 b7061b57 62960157 0305fa7b 5f35a2db f9d18a4e 1eadcc2f 126cf591 456666cf
2002-12-31 19:14:50: DEBUG: receive Information.
2002-12-31 19:14:50: DEBUG: compute IV for phase2
2002-12-31 19:14:50: DEBUG: phase1 last IV:
2002-12-31 19:14:50: DEBUG: a4e64de1 50a3d79e 241504cc 06c71f69 a331b68b
2002-12-31 19:14:50: DEBUG: hash(sha1)
2002-12-31 19:14:50: DEBUG: encryption(aes)
2002-12-31 19:14:50: DEBUG: phase2 IV computed:
2002-12-31 19:14:50: DEBUG: c80deb8a ba7b9755 e587e7ed 66f83814
2002-12-31 19:14:50: DEBUG: begin decryption.
2002-12-31 19:14:50: DEBUG: encryption(aes)
2002-12-31 19:14:50: DEBUG: IV was saved for next processing:
2002-12-31 19:14:50: DEBUG: f9d18a4e 1eadcc2f 126cf591 456666cf
2002-12-31 19:14:50: DEBUG: encryption(aes)
2002-12-31 19:14:50: DEBUG: with key:
2002-12-31 19:14:50: DEBUG: be8a4d9c f69b2c9f 803b7e58 ff16a9f7 5d1017e7 674bcde6 cce1a148 3920dcf3
2002-12-31 19:14:50: DEBUG: decrypted payload by IV:
2002-12-31 19:14:50: DEBUG: c80deb8a ba7b9755 e587e7ed 66f83814
2002-12-31 19:14:50: DEBUG: decrypted payload, but not trimed.
2002-12-31 19:14:50: DEBUG: 0c000018 eb068056 cc1bda3e 8b1d70d4 29e8308b 7239e453 0000001c 00000001 01100001 07a4c408 638f6792 a8b94d65 dfa22339 9db7d0f0 dbf6c49c cbb0840b
2002-12-31 19:14:50: DEBUG: padding len=12
2002-12-31 19:14:50: DEBUG: skip to trim padding.
2002-12-31 19:14:50: DEBUG: decrypted.
2002-12-31 19:14:50: DEBUG: 07a4c408 638f6792 a8b94d65 dfa22339 08100501 a331b68b 0000005c 0c000018 eb068056 cc1bda3e 8b1d70d4 29e8308b 7239e453 0000001c 00000001 01100001 07a4c408 638f6792 a8b94d65 dfa22339 9db7d0f0 dbf6c49c cbb0840b
2002-12-31 19:14:50: DEBUG: IV freed
2002-12-31 19:14:50: DEBUG: HASH with:
2002-12-31 19:14:50: DEBUG: a331b68b 0000001c 00000001 01100001 07a4c408 638f6792 a8b94d65 dfa22339
2002-12-31 19:14:50: DEBUG: hmac(hmac_sha1)
2002-12-31 19:14:50: DEBUG: HASH computed:
2002-12-31 19:14:50: DEBUG: eb068056 cc1bda3e 8b1d70d4 29e8308b 7239e453
2002-12-31 19:14:50: DEBUG: hash validated.
2002-12-31 19:14:50: DEBUG: begin.
2002-12-31 19:14:50: DEBUG: seen nptype=8(hash) 2002-12-31 19:14:50: DEBUG: seen nptype=12(delete) 2002-12-31 19:14:50: DEBUG: succeed. 2002-12-31 19:14:50: [192.168.49.249] DEBUG: delete payload for protocol ISAKMP 2002-12-31 19:14:50: INFO: purging ISAKMP-SA spi=07a4c408638f6792:a8b94d65dfa22339. 2002-12-31 19:14:50: DEBUG2: getph1: start 2002-12-31 19:14:50: DEBUG2: local: 192.168.49.248[500] 2002-12-31 19:14:50: DEBUG2: remote: 192.168.49.249[500] 2002-12-31 19:14:50: DEBUG2: no match 2002-12-31 19:14:50: DEBUG: call pfkey_send_dump 2002-12-31 19:14:50: DEBUG: pk_recv: retry[0] recv() 2002-12-31 19:14:50: DEBUG: pk_recv: retry[0] recv() 2002-12-31 19:14:50: INFO: purged IPsec-SA spi=0. 2002-12-31 19:14:50: INFO: purged IPsec-SA spi=47065714. 2002-12-31 19:14:50: INFO: purged ISAKMP-SA spi=07a4c408638f6792:a8b94d65dfa22339. 2002-12-31 19:14:50: DEBUG2: getph1: start 2002-12-31 19:14:50: DEBUG2: local: 192.168.49.248[500] 2002-12-31 19:14:50: DEBUG2: remote: 192.168.49.249[500] 2002-12-31 19:14:50: DEBUG2: no match 2002-12-31 19:14:50: INFO: ISAKMP-SA deleted 192.168.49.248[500]-192.168.49.249[500] spi:07a4c408638f6792:a8b94d65dfa22339 2002-12-31 19:14:50: DEBUG: IV freed 2002-12-31 19:14:50: DEBUG: purged SAs. 2002-12-31 19:14:50: DEBUG: pk_recv: retry[0] recv() 2002-12-31 19:14:50: DEBUG: got pfkey ACQUIRE message 2002-12-31 19:14:50: DEBUG2: 02060003 0b000000 03000000 00000000 03000500 00200000 02000000 c0a831f8 00000000 00000000 03000600 00200000 02000000 c0a831f9 00000000 00000000 02001200 02000270 f9010000 320a0000 01000d00 20000000 2002-12-31 19:14:52: DEBUG: suitable outbound SP found: 192.168.49.248/32[0] 10.10.90.0/24[0] proto=any dir=out. 
2002-12-31 19:14:52: DEBUG: sub:0xbfbec908: 10.10.90.0/24[0] 192.168.49.248/32[0] proto=any dir=in 2002-12-31 19:14:52: DEBUG: db :0x80e6568: 192.168.3.0/24[0] 192.168.3.0/24[0] proto=any dir=in 2002-12-31 19:14:52: DEBUG: sub:0xbfbec908: 10.10.90.0/24[0] 192.168.49.248/32[0] proto=any dir=in 2002-12-31 19:14:52: DEBUG: db :0x80e66a0: 192.168.3.0/24[0] 192.168.3.0/24[0] proto=any dir=fwd 2002-12-31 19:14:52: DEBUG: sub:0xbfbec908: 10.10.90.0/24[0] 192.168.49.248/32[0] proto=any dir=in 2002-12-31 19:14:52: DEBUG: db :0x80e70e8: 192.168.3.0/24[0] 192.168.3.0/24[0] proto=any dir=out 2002-12-31 19:14:52: DEBUG: sub:0xbfbec908: 10.10.90.0/24[0] 192.168.49.248/32[0] proto=any dir=in 2002-12-31 19:14:52: DEBUG: db :0x80e7220: 10.10.90.0/24[0] 192.168.49.248/32[0] proto=any dir=in 2002-12-31 19:14:52: DEBUG: suitable inbound SP found: 10.10.90.0/24[0] 192.168.49.248/32[0] proto=any dir=in. 2002-12-31 19:14:52: DEBUG: new acquire 192.168.49.248/32[0] 10.10.90.0/24[0] proto=any dir=out 2002-12-31 19:14:52: [192.168.49.249] DEBUG2: Checking remote conf "192.168.49.249[500]" 192.168.49.249[500]. 2002-12-31 19:14:52: DEBUG2: enumrmconf: "192.168.49.249[500]" matches. 2002-12-31 19:14:52: [192.168.49.249] DEBUG: configuration "192.168.49.249[500]" selected. 
2002-12-31 19:14:52: DEBUG: getsainfo params: loc='192.168.49.248' rmt='10.10.90.0/24' peer='NULL' client='NULL' id=0 2002-12-31 19:14:52: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0 2002-12-31 19:14:52: DEBUG: check and compare ids : values matched (ANONYMOUS) 2002-12-31 19:14:52: DEBUG: check and compare ids : values matched (ANONYMOUS) 2002-12-31 19:14:52: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0 2002-12-31 19:14:52: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=16400:16401) 2002-12-31 19:14:52: DEBUG: (trns_id=AES encklen=256 authtype=hmac-sha) 2002-12-31 19:14:52: DEBUG: in post_acquire 2002-12-31 19:14:52: [192.168.49.249] DEBUG2: Checking remote conf "192.168.49.249[500]" 192.168.49.249[500]. 2002-12-31 19:14:52: DEBUG2: enumrmconf: "192.168.49.249[500]" matches. 2002-12-31 19:14:52: [192.168.49.249] DEBUG: configuration "192.168.49.249[500]" selected. 2002-12-31 19:14:52: DEBUG2: getph1: start 2002-12-31 19:14:52: DEBUG2: local: 192.168.49.248[0] 2002-12-31 19:14:52: DEBUG2: remote: 192.168.49.249[0] 2002-12-31 19:14:52: DEBUG2: no match 2002-12-31 19:14:52: INFO: IPsec-SA request for 192.168.49.249 queued due to no phase1 found. 2002-12-31 19:14:52: DEBUG: === 2002-12-31 19:14:52: INFO: initiate new phase 1 negotiation: 192.168.49.248[500]<=>192.168.49.249[500] 2002-12-31 19:14:52: INFO: begin Identity Protection mode. 
2002-12-31 19:14:52: DEBUG: new cookie: dc438fdbc2e27761 2002-12-31 19:14:52: DEBUG: add payload of len 56, next type 13 2002-12-31 19:14:52: DEBUG: add payload of len 16, next type 0 2002-12-31 19:14:52: DEBUG: 108 bytes from 192.168.49.248[500] to 192.168.49.249[500] 2002-12-31 19:14:52: DEBUG: sockname 192.168.49.248[500] 2002-12-31 19:14:52: DEBUG: send packet from 192.168.49.248[500] 2002-12-31 19:14:52: DEBUG: send packet to 192.168.49.249[500] 2002-12-31 19:14:52: DEBUG: src4 192.168.49.248[500] 2002-12-31 19:14:52: DEBUG: dst4 192.168.49.249[500] 2002-12-31 19:14:52: DEBUG: 1 times of 108 bytes message will be sent to 192.168.49.249[500] 2002-12-31 19:14:52: DEBUG: dc438fdb c2e27761 00000000 00000000 01100200 00000000 0000006c 0d00003c 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004 00015180 80010007 800e0100 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100 2002-12-31 19:14:52: DEBUG: resend phase1 packet dc438fdbc2e27761:0000000000000000 2002-12-31 19:14:54: DEBUG2: getph1: start 2002-12-31 19:14:54: DEBUG2: local: 192.168.49.248[0] 2002-12-31 19:14:54: DEBUG2: remote: 192.168.49.249[0] 2002-12-31 19:14:54: DEBUG2: p->local: 192.168.49.248[500] 2002-12-31 19:14:54: DEBUG2: p->remote: 192.168.49.249[500] 2002-12-31 19:14:54: DEBUG2: matched 2002-12-31 19:14:54: DEBUG2: CHKPH1THERE: no established ph1 handler found 2002-12-31 19:14:54: DEBUG: pk_recv: retry[0] recv() 2002-12-31 19:14:54: DEBUG: got pfkey DELETE message 2002-12-31 19:14:54: DEBUG2: 02040303 02000000 00000000 a7400000 2002-12-31 19:14:54: ERROR: pfkey DELETE failed: No such process 2002-12-31 19:14:54: DEBUG: pk_recv: retry[0] recv() 2002-12-31 19:14:54: DEBUG: got pfkey DELETE message 2002-12-31 19:14:54: DEBUG2: 02040003 24000000 00000000 a7400000 02000100 02ce2a72 0403030c 00000000 04000300 00000000 00000000 00000000 80510100 00000000 00000000 00000000 04000400 00000000 00000000 00000000 000e0100 00000000 00000000 00000000 04000200 16000000 
38070000 00000000 e032123e 00000000 e032123e 00000000 03000500 00200000 02000000 c0a831f9 00000000 00000000 03000600 00200000 02000000 c0a831f8 00000000 00000000 03000700 ff000000 02000000 00000000 00000000 00000000 04000800 a0000000 8340490d fc1fc032 8be1c836 ea24bf91 b82eed2b 00000000 05000900 00010000 a8fe4b10 59f0f6c5 b70f69e0 fe37367e 0eba13b7 a071b753 ecd4dfd3 79eb7d80 02001300 02000000 00000000 10400000 2002-12-31 19:14:54: DEBUG: DELETE message is not interesting because the message was originated by me. 2002-12-31 19:14:55: DEBUG2: getph1: start 2002-12-31 19:14:55: DEBUG2: local: 192.168.49.248[0] 2002-12-31 19:14:55: DEBUG2: remote: 192.168.49.249[0] 2002-12-31 19:14:55: DEBUG2: p->local: 192.168.49.248[500] 2002-12-31 19:14:55: DEBUG2: p->remote: 192.168.49.249[500] 2002-12-31 19:14:55: DEBUG2: matched 2002-12-31 19:14:55: DEBUG2: CHKPH1THERE: no established ph1 handler found 2002-12-31 19:14:56: DEBUG2: getph1: start 2002-12-31 19:14:56: DEBUG2: local: 192.168.49.248[0] 2002-12-31 19:14:56: DEBUG2: remote: 192.168.49.249[0] 2002-12-31 19:14:56: DEBUG2: p->local: 192.168.49.248[500] 2002-12-31 19:14:56: DEBUG2: p->remote: 192.168.49.249[500] 2002-12-31 19:14:56: DEBUG2: matched 2002-12-31 19:14:56: DEBUG2: CHKPH1THERE: no established ph1 handler found 2002-12-31 19:14:57: DEBUG2: getph1: start 2002-12-31 19:14:57: DEBUG2: local: 192.168.49.248[0] 2002-12-31 19:14:57: DEBUG2: remote: 192.168.49.249[0] 2002-12-31 19:14:57: DEBUG2: p->local: 192.168.49.248[500] 2002-12-31 19:14:57: DEBUG2: p->remote: 192.168.49.249[500] 2002-12-31 19:14:57: DEBUG2: matched 2002-12-31 19:14:57: DEBUG2: CHKPH1THERE: no established ph1 handler found 2002-12-31 19:14:58: DEBUG2: getph1: start 2002-12-31 19:14:58: DEBUG2: local: 192.168.49.248[0] 2002-12-31 19:14:58: DEBUG2: remote: 192.168.49.249[0] 2002-12-31 19:14:58: DEBUG2: p->local: 192.168.49.248[500] 2002-12-31 19:14:58: DEBUG2: p->remote: 192.168.49.249[500] 2002-12-31 19:14:58: DEBUG2: matched 2002-12-31 19:14:58: 
DEBUG2: CHKPH1THERE: no established ph1 handler found 2002-12-31 19:14:59: DEBUG2: getph1: start 2002-12-31 19:14:59: DEBUG2: local: 192.168.49.248[0] 2002-12-31 19:14:59: DEBUG2: remote: 192.168.49.249[0] 2002-12-31 19:14:59: DEBUG2: p->local: 192.168.49.248[500] 2002-12-31 19:14:59: DEBUG2: p->remote: 192.168.49.249[500] 2002-12-31 19:14:59: DEBUG2: matched 2002-12-31 19:14:59: DEBUG2: CHKPH1THERE: no established ph1 handler found ^C2002-12-31 19:14:59: INFO: caught signal 2 2002-12-31 19:14:59: DEBUG2: flushing all ph2 handlers... 2002-12-31 19:14:59: DEBUG2: skipping ph2 handler (state 2) 2002-12-31 19:14:59: INFO: racoon process 16551 shutdown EVC-Router:/etc/racoon-client# [ 724.836089] BUG: unable to handle kernel paging request at 00200200 [ 724.837019] IP: [<c038b443>] nf_ct_delete_from_lists+0x32/0x92 [ 724.837019] *pde = 00000000 [ 724.837019] Oops: 0002 [#2] PREEMPT [ 724.837019] Modules linked in: 8021q garp stp llc xt_limit xt_conntrack xt_state ipt_MASQUERADE xt_LOG iptable_mangle iptable_filtex [ 724.837019] Pid: 0, comm: swapper Tainted: G D W 3.9.0-rc1-test #4 /AMD-GX3 [ 724.837019] EIP: 0060:[<c038b443>] EFLAGS: 00210202 CPU: 0 [ 724.837019] EIP is at nf_ct_delete_from_lists+0x32/0x92 [ 724.837019] EAX: 0000106f EBX: de967de8 ECX: de808000 EDX: 00200200 [ 724.837019] ESI: c0547594 EDI: ddf19a90 EBP: de809f70 ESP: de809f68 [ 724.837019] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 [ 724.837019] CR0: 8005003b CR2: 00200200 CR3: 1d987000 CR4: 00000090 [ 724.837019] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 724.837019] DR6: ffff0ff0 DR7: 00000400 [ 724.837019] Process swapper (pid: 0, ti=de808000 task=c0526498 task.ti=c051a000) [ 724.837019] Stack: [ 724.837019] de967de8 00000000 de809f98 c038b868 00000000 00000000 de967de8 00000000 [ 724.837019] 00000000 00000100 c038b720 de809fc0 de809fa8 c0126681 c05cd280 de967de8 [ 724.837019] de809fd4 c0126821 c05cdc90 c05cda90 c038b720 de809fc0 de809fc0 de809fc0 [ 724.837019] Call Trace: [ 
724.837019] [<c038b868>] death_by_timeout+0x148/0x175 [ 724.837019] [<c038b720>] ? nf_ct_dying_timeout+0x78/0x78 [ 724.837019] [<c0126681>] call_timer_fn.isra.41+0x16/0x5f [ 724.837019] [<c0126821>] run_timer_softirq+0x157/0x1aa [ 724.837019] [<c038b720>] ? nf_ct_dying_timeout+0x78/0x78 [ 724.837019] [<c0122577>] __do_softirq+0x83/0x11f [ 724.837019] [<c01224f4>] ? send_remote_softirq+0x22/0x22 [ 724.837019] <IRQ> [ 724.837019] [<c01226c3>] ? irq_exit+0x34/0x8a [ 724.837019] [<c010333f>] ? do_IRQ+0x76/0x89 [ 724.837019] [<c04187ec>] ? common_interrupt+0x2c/0x31 [ 724.837019] [<c015007b>] ? audit_log_config_change+0x1a/0xc3 [ 724.837019] [<c01071f7>] ? default_idle+0x1c/0x31 [ 724.837019] [<c010782e>] ? cpu_idle+0x3f/0x72 [ 724.837019] [<c0411b1b>] ? rest_init+0x63/0x65 [ 724.837019] [<c05538b9>] ? start_kernel+0x297/0x29c [ 724.837019] [<c05532af>] ? i386_start_kernel+0x79/0x7d [ 724.837019] Code: 8b b0 94 00 00 00 e8 a7 34 00 00 e8 45 6d d9 ff b8 01 00 00 00 e8 3a bf da ff 8b 86 1c 04 00 00 ff 40 18 8b 43 048 [ 724.837019] EIP: [<c038b443>] nf_ct_delete_from_lists+0x32/0x92 SS:ESP 0068:de809f68 [ 724.837019] CR2: 0000000000200200 [ 726.547698] ---[ end trace cf709c205fa6ff35 ]--- [ 726.575349] Kernel panic - not syncing: Fatal exception in interrupt ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3612235&group_id=74601 |
From: SourceForge.net <no...@so...> - 2013-04-23 14:22:38
|
Bugs item #3603844, was opened at 2013-02-08 08:45
Message generated for change (Comment added) made by ttblum
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3603844&group_id=74601

Category: None
Group: None
Status: Open
Resolution: None
Priority: 7
Private: No
Submitted By: Todd Blum (ttblum)
Assigned to: Nobody/Anonymous (nobody)
Summary: ipsec-tools 0.8.0 racoon segfaults after losing connectivity

----------------------------------------------------------------------

>Comment By: Todd Blum (ttblum)
Date: 2013-04-23 07:22

Message:
Today I've found that I had duplicate IPSec tunnels configured in pfSense, one disabled and the other enabled. I've moved this tunnel elsewhere, and I've removed both from the pfSense config to see if this improves my racoon stability.

----------------------------------------------------------------------

Comment By: Todd Blum (ttblum)
Date: 2013-04-22 10:31

Message:
The error message 'failed to get sainfo' is usually appearing in the logs prior to the segfaults, then not at all afterwards:

Apr 16 09:59:51 192.168.116.250 racoon: [xx.xx.xxx.xx] ERROR: unknown Informational exchange received.
Apr 16 09:59:55 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 09:59:57 192.168.116.250 racoon: [yy.yy.yy.yyy] ERROR: unknown Informational exchange received.
Apr 16 10:00:02 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:02 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:16 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:23 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:23 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:41 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:44 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:44 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:02 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:06 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:06 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:14 192.168.116.250 racoon: INFO: respond new phase 1 negotiation: zz.zz.zz.zz[500]<=>hh.hh.hh.hh[500]
Apr 16 10:01:14 192.168.116.250 racoon: INFO: begin Identity Protection mode.
Apr 16 10:01:17 192.168.116.250 racoon: INFO: ISAKMP-SA established zz.zz.zz.zz[500]-hh.hh.hh.hh[500] spi:baa4c93e8c16198c:482ba6110eeabc0c
Apr 16 10:01:17 192.168.116.250 racoon: INFO: purged IPsec-SA proto_id=ESP spi=2201026904.
Apr 16 10:01:17 192.168.116.250 racoon: INFO: purged IPsec-SA proto_id=ESP spi=3679806084.
Apr 16 10:01:18 192.168.116.250 racoon: INFO: respond new phase 2 negotiation: zz.zz.zz.zz[500]<=>hh.hh.hh.hh[500]
Apr 16 10:01:18 192.168.116.250 racoon: INFO: IPsec-SA established: ESP zz.zz.zz.zz[500]->hh.hh.hh.hh[500] spi=119993144(0x726f338)
Apr 16 10:01:18 192.168.116.250 racoon: INFO: IPsec-SA established: ESP zz.zz.zz.zz[500]->hh.hh.hh.hh[500] spi=2718404122(0xa2078e1a)
Apr 16 10:01:19 192.168.116.250 racoon: INFO: ISAKMP-SA expired zz.zz.zz.zz[500]-hh.hh.hh.hh[500] spi:baa4c93e8c16198c:482ba6110eeabc0c
Apr 16 10:01:19 192.168.116.250 racoon: INFO: ISAKMP-SA deleted zz.zz.zz.zz[500]-hh.hh.hh.hh[500] spi:baa4c93e8c16198c:482ba6110eeabc0c
Apr 16 10:01:27 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:27 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:30 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:51 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:51 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:55 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:02:13 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:02:13 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:02:16 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:02:37 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:02:37 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:02:40 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:02:41 192.168.116.250 racoon: INFO: respond new phase 1 negotiation: zz.zz.zz.zz[500]<=>hh.hh.hh.hh[500]
Apr 16 10:02:41 192.168.116.250 racoon: INFO: begin Identity Protection mode.
Apr 16 10:02:42 192.168.116.250 kernel: pid 45397 (racoon), uid 0: exited on signal 11 (core dumped)

Is there any relation to this error report?
https://bugs.launchpad.net/ubuntu/+source/ipsec-tools/+bug/913935

----------------------------------------------------------------------

Comment By: Todd Blum (ttblum)
Date: 2013-04-10 11:57

Message:
It seems like the more Phase1's not establishing, the more likely racoon is to segfault.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3603844&group_id=74601
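A log-triage sketch for the pattern reported above (racoon errors clustering shortly before the daemon exits on signal 11). This is an added example, not part of the tracker thread or of ipsec-tools; the function names, the 60-second window, the assumed year and the sample lines (documentation addresses, constructed for the example) are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the syslog layout shown in the report (not real log data).
SAMPLE_LOG = """\
Apr 16 10:00:02 192.0.2.10 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:16 192.0.2.10 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:20 192.0.2.10 racoon: [198.51.100.7] ERROR: unknown Informational exchange received.
Apr 16 10:00:41 192.0.2.10 racoon: INFO: begin Identity Protection mode.
Apr 16 10:00:42 192.0.2.10 kernel: pid 45397 (racoon), uid 0: exited on signal 11 (core dumped)
Apr 16 10:05:00 192.0.2.10 racoon: [198.51.100.7] INFO: DPD: remote (ISAKMP-SA spi=0000000000000001:0000000000000002) seems to be dead.
Apr 16 10:05:01 192.0.2.10 racoon: INFO: IPsec-SA request for 198.51.100.7 queued due to no phase1 found.
Apr 16 10:05:06 192.0.2.10 kernel: pid 45500 (racoon), uid 0: exited on signal 11 (core dumped)
"""

# "Mon DD HH:MM:SS host program: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w-]+):\s+(?P<msg>.*)$"
)
# Kernel line logged when racoon dies on a signal.
CRASH_RE = re.compile(r"pid (\d+) \(racoon\), uid \d+: exited on signal (\d+)")

# racoon messages that appear in the reported logs before the crashes.
PATTERNS = {
    "sainfo_failed": re.compile(r"failed to get sainfo"),
    "dpd_peer_dead": re.compile(r"DPD: remote .* seems to be dead"),
    "phase1_timeout": re.compile(r"phase1 negotiation failed due to time up"),
    "no_phase1_queued": re.compile(r"queued due to no phase1 found"),
    "unknown_informational": re.compile(r"unknown Informational exchange received"),
}


def parse_events(log_text, year=2013):
    """Return (timestamp, program, message) tuples; syslog omits the year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip wrapped or malformed lines instead of guessing
        stamp = " ".join(m.group("ts").split())  # collapse "Feb  5" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("prog"), m.group("msg")))
    return events


def crash_precursors(log_text, window_seconds=60, year=2013):
    """For each racoon crash, count racoon messages in the preceding window."""
    events = parse_events(log_text, year)
    window = timedelta(seconds=window_seconds)
    reports = []
    for ts, prog, msg in events:
        crash = CRASH_RE.search(msg) if prog == "kernel" else None
        if crash is None:
            continue
        counts = Counter()
        for ets, eprog, emsg in events:
            if eprog != "racoon" or not (ts - window <= ets <= ts):
                continue
            for name, pattern in PATTERNS.items():
                if pattern.search(emsg):
                    counts[name] += 1
        reports.append({
            "time": ts,
            "pid": int(crash.group(1)),
            "signal": int(crash.group(2)),
            "precursors": dict(counts),
        })
    return reports


if __name__ == "__main__":
    for report in crash_precursors(SAMPLE_LOG):
        print(report["time"], "pid", report["pid"],
              "signal", report["signal"], report["precursors"])
```

Running the same function over a full syslog export shows whether a given precursor is present before every crash or only some of them.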
From: SourceForge.net <no...@so...> - 2013-04-22 17:31:54
|
Bugs item #3603844, was opened at 2013-02-08 08:45
Message generated for change (Comment added) made by ttblum
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3603844&group_id=74601

Category: None
Group: None
Status: Open
Resolution: None
Priority: 7
Private: No
Submitted By: Todd Blum (ttblum)
Assigned to: Nobody/Anonymous (nobody)
Summary: ipsec-tools 0.8.0 racoon segfaults after losing connectivity

----------------------------------------------------------------------

>Comment By: Todd Blum (ttblum)
Date: 2013-04-22 10:31

Message:
The error message 'failed to get sainfo' is usually appearing in the logs prior to the segfaults, then not at all afterwards:

Apr 16 09:59:51 192.168.116.250 racoon: [xx.xx.xxx.xx] ERROR: unknown Informational exchange received.
Apr 16 09:59:55 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 09:59:57 192.168.116.250 racoon: [yy.yy.yy.yyy] ERROR: unknown Informational exchange received.
Apr 16 10:00:02 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:02 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:16 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:23 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:23 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:41 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:44 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:00:44 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:02 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:06 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:06 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:14 192.168.116.250 racoon: INFO: respond new phase 1 negotiation: zz.zz.zz.zz[500]<=>hh.hh.hh.hh[500]
Apr 16 10:01:14 192.168.116.250 racoon: INFO: begin Identity Protection mode.
Apr 16 10:01:17 192.168.116.250 racoon: INFO: ISAKMP-SA established zz.zz.zz.zz[500]-hh.hh.hh.hh[500] spi:baa4c93e8c16198c:482ba6110eeabc0c
Apr 16 10:01:17 192.168.116.250 racoon: INFO: purged IPsec-SA proto_id=ESP spi=2201026904.
Apr 16 10:01:17 192.168.116.250 racoon: INFO: purged IPsec-SA proto_id=ESP spi=3679806084.
Apr 16 10:01:18 192.168.116.250 racoon: INFO: respond new phase 2 negotiation: zz.zz.zz.zz[500]<=>hh.hh.hh.hh[500]
Apr 16 10:01:18 192.168.116.250 racoon: INFO: IPsec-SA established: ESP zz.zz.zz.zz[500]->hh.hh.hh.hh[500] spi=119993144(0x726f338)
Apr 16 10:01:18 192.168.116.250 racoon: INFO: IPsec-SA established: ESP zz.zz.zz.zz[500]->hh.hh.hh.hh[500] spi=2718404122(0xa2078e1a)
Apr 16 10:01:19 192.168.116.250 racoon: INFO: ISAKMP-SA expired zz.zz.zz.zz[500]-hh.hh.hh.hh[500] spi:baa4c93e8c16198c:482ba6110eeabc0c
Apr 16 10:01:19 192.168.116.250 racoon: INFO: ISAKMP-SA deleted zz.zz.zz.zz[500]-hh.hh.hh.hh[500] spi:baa4c93e8c16198c:482ba6110eeabc0c
Apr 16 10:01:27 192.168.116.250 racoon: ERROR: failed to get sainfo.
Apr 16 10:01:27 192.168.116.250 racoon: ERROR: failed to get sainfo. Apr 16 10:01:30 192.168.116.250 racoon: ERROR: failed to get sainfo. Apr 16 10:01:51 192.168.116.250 racoon: ERROR: failed to get sainfo. Apr 16 10:01:51 192.168.116.250 racoon: ERROR: failed to get sainfo. Apr 16 10:01:55 192.168.116.250 racoon: ERROR: failed to get sainfo. Apr 16 10:02:13 192.168.116.250 racoon: ERROR: failed to get sainfo. Apr 16 10:02:13 192.168.116.250 racoon: ERROR: failed to get sainfo. Apr 16 10:02:16 192.168.116.250 racoon: ERROR: failed to get sainfo. Apr 16 10:02:37 192.168.116.250 racoon: ERROR: failed to get sainfo. Apr 16 10:02:37 192.168.116.250 racoon: ERROR: failed to get sainfo. Apr 16 10:02:40 192.168.116.250 racoon: ERROR: failed to get sainfo. Apr 16 10:02:41 192.168.116.250 racoon: INFO: respond new phase 1 negotiation: zz.zz.zz.zz[500]<=>hh.hh.hh.hh[500] Apr 16 10:02:41 192.168.116.250 racoon: INFO: begin Identity Protection mode. Apr 16 10:02:42 192.168.116.250 kernel: pid 45397 (racoon), uid 0: exited on signal 11 (core dumped) Is there any relation to this error report? https://bugs.launchpad.net/ubuntu/+source/ipsec-tools/+bug/913935 ---------------------------------------------------------------------- Comment By: Todd Blum (ttblum) Date: 2013-04-10 11:57 Message: It seems like the more Phase1's not establishing, the more likely racoon is to segfault. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3603844&group_id=74601 |
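To check the correlation reported in this thread against your own syslog (crashes preceded by DPD timeouts, "failed to get sainfo" errors and phase 1 negotiations that never establish), the following is an added example, not part of the tracker thread or of ipsec-tools. The sample lines are constructed in the log format quoted above using documentation-range addresses, and the function names, the 60-second window and the year are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# "<Mon> <day> <time> [<relay host>] <tag>: <message>" (the host is absent on some lines)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<host>[^\s:]+)\s+)?(?P<tag>[\w.-]+):\s+(?P<msg>.*)$"
)
CRASH_RE = re.compile(r"pid (\d+) \(racoon\), uid \d+: exited on signal (\d+)")
PH1_START_RE = re.compile(r"(?:initiate|respond) new phase 1 negotiation: (\S+)<=>(\S+)")
PH1_DONE_RE = re.compile(r"ISAKMP-SA established (\S+?)-(\S+) spi")

# racoon messages that appear shortly before the crashes quoted in this thread
PRECURSORS = {
    "dpd_peer_dead": re.compile(r"DPD: remote .* seems to be dead"),
    "queued_no_phase1": re.compile(r"queued due to no phase1 found"),
    "phase1_timeout": re.compile(r"phase1 negotiation failed due to time up"),
    "phase2_timeout": re.compile(r"phase2 negotiation failed due to time up"),
    "sainfo_missing": re.compile(r"failed to get sainfo"),
    "unknown_informational": re.compile(r"unknown Informational exchange received"),
}


def parse_line(line, year):
    """Return (timestamp, tag, message), or None for wrapped or foreign lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["tag"], m["msg"]


def triage(lines, window_seconds=60, year=2013):
    """Summarise what racoon logged in the window before each signal exit."""
    window = timedelta(seconds=window_seconds)
    events = []       # (timestamp, category) since the previous crash
    pending = set()   # phase 1 negotiations started but not yet established
    crashes, skipped = [], 0
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            skipped += 1 if line.strip() else 0   # e.g. a wrapped SPI fragment
            continue
        ts, tag, msg = parsed
        if tag == "kernel":
            crash = CRASH_RE.search(msg)
            if crash:
                recent = Counter(c for t, c in events if ts - t <= window)
                crashes.append({
                    "time": ts,
                    "pid": int(crash.group(1)),
                    "signal": int(crash.group(2)),
                    "precursors": dict(recent),
                    "pending_phase1": len(pending),
                })
                events.clear()    # a restarted daemon starts with fresh state
                pending.clear()
            continue
        if tag != "racoon":
            continue              # pf and other daemons are not relevant here
        started, done = PH1_START_RE.search(msg), PH1_DONE_RE.search(msg)
        if started:
            pending.add(started.groups())
        elif done:
            pending.discard(done.groups())
        for name, pattern in PRECURSORS.items():
            if pattern.search(msg):
                events.append((ts, name))
                break
    return crashes, skipped


# Constructed sample input (not taken from the report), RFC 5737 addresses.
SAMPLE_LOG = """\
Feb  5 00:09:36 192.0.2.1 racoon: [198.51.100.7] INFO: DPD: remote (ISAKMP-SA spi=aaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbb) seems to be dead.
Feb  5 00:09:36 192.0.2.1 racoon: INFO: IPsec-SA request for 198.51.100.7 queued due to no phase1 found.
Feb  5 00:09:36 192.0.2.1 racoon: INFO: initiate new phase 1 negotiation: 203.0.113.1[500]<=>198.51.100.7[500]
Feb  5 00:09:36 192.0.2.1 racoon: INFO: IPsec-SA request for 198.51.100.9 queued due to no phase1 found.
Feb  5 00:09:36 192.0.2.1 racoon: INFO: initiate new phase 1 negotiation: 203.0.113.1[500]<=>198.51.100.9[500]
Feb  5 00:09:42 192.0.2.1 pf: 00:00:00.967728 rule 1/0(match): block in on enc0
Feb  5 00:09:42 192.0.2.1 kernel: pid 1111 (racoon), uid 0: exited on signal 11 (core dumped)
Feb  5 00:14:00 192.0.2.1 racoon: ERROR: failed to get sainfo.
Feb  5 00:15:10 192.0.2.1 racoon: INFO: respond new phase 1 negotiation: 203.0.113.1[500]<=>198.51.100.7[500]
Feb  5 00:15:11 192.0.2.1 racoon: INFO: ISAKMP-SA established 203.0.113.1[500]-198.51.100.7[500] spi:cccccccccccccccc:dddddddddddddddd
Feb  5 00:15:12 192.0.2.1 racoon: ERROR: phase1 negotiation failed due to time up.
aaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbb
Feb  5 00:15:12 192.0.2.1 racoon: ERROR: failed to get sainfo.
Feb  5 00:15:12 192.0.2.1 kernel: pid 2222 (racoon), uid 0: exited on signal 11 (core dumped)
""".splitlines()

if __name__ == "__main__":
    found, unparsed = triage(SAMPLE_LOG)
    for c in found:
        print(c["time"], "pid", c["pid"], "signal", c["signal"],
              c["precursors"], "pending phase 1:", c["pending_phase1"])
    print("unparsed lines:", unparsed)
```

A crash summary with a high `pending_phase1` count or repeated `sainfo_missing` entries matches the pattern described in the comments above; a summary with no precursors points to a different trigger.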
From: SourceForge.net <no...@so...> - 2013-04-10 18:57:39
|
Bugs item #3603844, was opened at 2013-02-08 08:45 Message generated for change (Comment added) made by ttblum You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3603844&group_id=74601 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None Status: Open Resolution: None Priority: 7 Private: No Submitted By: Todd Blum (ttblum) Assigned to: Nobody/Anonymous (nobody) Summary: ipsec-tools 0.8.0 racoon segfaults after losing connectivity Initial Comment: I just had two racoon core dumps, two nights in a row. They both seem to coincide with ISP outages, the first night on my side, and the second night an ISP outage that affected at least five remote routers. racoon magically restarted itself twice on the first night, and not at all on the second. I was using pfSense 2.0.1 (since upgraded to 2.0.2), both of which run on FreeBSD 8.1 and use: Feb 5 00:13:33 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net) Feb 5 00:13:33 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/) Found these similar reports here: http://forum.pfsense.org/index.php/topic,39383.0.html ---------------------------------------------------------------------- >Comment By: Todd Blum (ttblum) Date: 2013-04-10 11:57 Message: It seems like the more Phase1's not establishing, the more likely racoon is to segfault. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3603844&group_id=74601 |
From: SourceForge.net <no...@so...> - 2013-02-16 07:52:11
|
Bugs item #3604970, was opened at 2013-02-15 23:51
Message generated for change (Tracker Item Submitted) made by liudalin
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3604970&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: liu dalin (liudalin)
Assigned to: Nobody/Anonymous (nobody)
Summary: ipsec 0.8.1 OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I undeclare

Initial Comment:
ipsec_doi.c: in ‘check_attr_isakmp’:
ipsec_doi.c:2100:9: error: ‘OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I’ undeclare

OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I depends on ENABLE_HYBRID:

#ifdef ENABLE_HYBRID
/* Plain Xauth */
#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I 65001
#endif

If hybrid is not enabled at configure time, this error occurs.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3604970&group_id=74601 |
From: SourceForge.net <no...@so...> - 2013-02-08 16:46:29
|
Bugs item #3603844, was opened at 2013-02-08 08:45 Message generated for change (Settings changed) made by ttblum You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3603844&group_id=74601 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None Status: Open Resolution: None >Priority: 7 Private: No Submitted By: Todd Blum (ttblum) Assigned to: Nobody/Anonymous (nobody) >Summary: ipsec-tools 0.8.0 racoon segfaults after losing connectivity Initial Comment: I just had two racoon core dumps, two nights in a row. They both seem to coincide with ISP outages, the first night on my side, and the second night an ISP outage that affected at least five remote routers. racoon magically restarted itself twice on the first night, and not at all on the second. I was using pfSense 2.0.1 (since upgraded to 2.0.2), both of which run on FreeBSD 8.1 and use: Feb 5 00:13:33 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net) Feb 5 00:13:33 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/) Found these similar reports here: http://forum.pfsense.org/index.php/topic,39383.0.html ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3603844&group_id=74601 |
From: SourceForge.net <no...@so...> - 2013-02-08 16:45:37
|
Bugs item #3603844, was opened at 2013-02-08 08:45 Message generated for change (Tracker Item Submitted) made by ttblum You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3603844&group_id=74601 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None Status: Open Resolution: None Priority: 5 Private: No Submitted By: Todd Blum (ttblum) Assigned to: Nobody/Anonymous (nobody) Summary: ipsec-tools 0.80 racoon segfaults after losing connectivity Initial Comment: I just had two racoon core dumps, two nights in a row. They both seem to coincide with ISP outages, the first night on my side, and the second night an ISP outage that affected at least five remote routers. racoon magically restarted itself twice on the first night, and not at all on the second. I was using pfSense 2.0.1 (since upgraded to 2.0.2), both of which run on FreeBSD 8.1 and use: Feb 5 00:13:33 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net) Feb 5 00:13:33 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/) Found these similar reports here: http://forum.pfsense.org/index.php/topic,39383.0.html ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3603844&group_id=74601 |
From: SourceForge.net <no...@so...> - 2013-02-08 16:40:37
|
Bugs item #3504260, was opened at 2012-03-14 03:50
Message generated for change (Comment added) made by ttblum
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3504260&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Chris Tucker (christucker)
Assigned to: Nobody/Anonymous (nobody)
Summary: segfault in version 0.8.0

Initial Comment:
We can't see a pattern in when this segfault happens. Sometimes racoon runs for days with no problem, then we have two or three segfaults in five minutes.

I have coredumps if these will help, but they are too large to upload as attachments. Here is a summary:

Core was generated by `racoon'.
Program terminated with signal 11, Segmentation fault.
#0 0xb77ca918 in quick_timeover_stub () from /usr/sbin/racoon
(gdb) bt
#0 0xb77ca918 in quick_timeover_stub () from /usr/sbin/racoon
#1 0xb77b36d5 in isakmp_ph2expire_stub () from /usr/sbin/racoon
#2 0xb77b622e in isakmp_ph2expire_stub () from /usr/sbin/racoon
#3 0xb77ad971 in main () from /usr/sbin/racoon
(gdb)

The segfault has always been in quick_timeover_stub().

----------------------------------------------------------------------

Comment By: Todd Blum (ttblum)
Date: 2013-02-08 08:40

Message:
I just had two racoon core dumps, two nights in a row. They both seem to coincide with ISP outages, the first night on my side, and the second night an ISP outage that affected at least 5 remote routers. racoon magically restarted itself twice on the first night, and not at all on the second.
I was using pfSense 2.0.1 (since upgraded to 2.0.2), both of which run on FreeBSD 8.1 and use: Feb 5 00:13:33 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net) Feb 5 00:13:33 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/) --- Log excerpts are: Feb 5 00:09:36 192.168.116.250 racoon: [173.z.z.z] INFO: DPD: remote (ISAKMP-SA spi=2384af4f0ce1ea9c:98e4230c19058a5c) seems to be dead. Feb 5 00:09:36 192.168.116.250 racoon: INFO: purging ISAKMP-SA spi=2384af4f0ce1ea9c:98e4230c19058a5c. Feb 5 00:09:36 192.168.116.250 racoon: INFO: purged IPsec-SA spi=194715026. Feb 5 00:09:36 192.168.116.250 racoon: INFO: purged IPsec-SA spi=66256580. Feb 5 00:09:36 192.168.116.250 racoon: INFO: purged ISAKMP-SA spi=2384af4f0ce1ea9c:98e4230c19058a5c. Feb 5 00:09:36 192.168.116.250 racoon: INFO: ISAKMP-SA deleted 204.x.x.x[500]-173.z.z.z[500] spi:2384af4f0ce1ea9c:98e4230c19058a5c Feb 5 00:09:36 192.168.116.250 racoon: INFO: IPsec-SA request for 173.z.z.z queued due to no phase1 found. Feb 5 00:09:36 192.168.116.250 racoon: INFO: initiate new phase 1 negotiation: 204.x.x.x[500]<=>173.z.z.z[500] Feb 5 00:09:36 192.168.116.250 racoon: INFO: begin Identity Protection mode. Feb 5 00:09:36 192.168.116.250 racoon: INFO: IPsec-SA request for 108.x.x.x queued due to no phase1 found. Feb 5 00:09:36 192.168.116.250 racoon: INFO: initiate new phase 1 negotiation: 204.x.x.x[500]<=>108.x.x.x[500] Feb 5 00:09:36 192.168.116.250 racoon: INFO: begin Identity Protection mode. Feb 5 00:09:36 192.168.116.250 racoon: [70.x.x.x] INFO: DPD: remote (ISAKMP-SA spi=4723810f85f0bc34:099f2fc12d622f27) seems to be dead. Feb 5 00:09:36 192.168.116.250 racoon: INFO: purging ISAKMP-SA spi=4723810f85f0bc34:099f2fc12d622f27. Feb 5 00:09:36 192.168.116.250 racoon: INFO: purged IPsec-SA spi=133413478. Feb 5 00:09:36 192.168.x.x racoon: INFO: purged IPsec-SA spi=74597912. 
Feb 5 00:09:36 192.168.x.x racoon: INFO: purged ISAKMP-SA spi=4723810f85f0bc34:099f2fc12d622f27. Feb 5 00:09:36 192.168.x.x racoon: INFO: IPsec-SA request for 70.z.z.z queued due to no phase1 found. Feb 5 00:09:42 192.168.x.x pf: 00:00:00.967728 rule 1/0(match): block in on enc0: (tos 0x0, ttl 99, id 168, offset 0, flags [none], proto TCP (6), length 40) Feb 5 00:09:42 192.168.x.x pf: 192.168.Y.x.80 > 192.168.x.H.58823: Flags [.], cksum 0x8b43 (correct), ack 1, win 0, length 0 Feb 5 00:09:42 192.168.x.x kernel: pid 38566 (racoon), uid 0: exited on signal 11 (core dumped) -- Feb 5 00:15:12 192.168.x.x racoon: [24.x.x.x] ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 24.x.x.x[0]->204.x.x.x[0] Feb 5 00:15:12 192.168.x.x racoon: INFO: delete phase 2 handler. Feb 5 00:15:12 192.168.x.x racoon: NOTIFY: the packet is retransmitted by 168.x.x.x[500] (1). Feb 5 00:15:12 192.168.x.x racoon: NOTIFY: the packet is retransmitted by 72.x.x.x[500] (1). Feb 5 00:15:12 192.168.x.x racoon: ERROR: phase1 negotiation failed due to time up. 2922ae9fc607afdc:e8795f869a651ef4 Feb 5 00:15:12 192.168.x.x kernel: pid 57409 (racoon), uid 0: exited on signal 11 (core dumped) -- Feb 6 01:48:43 192.168.116.250 racoon: [107.z.z.z] INFO: request for establishing IPsec-SA was queued due to no phase1 found. Feb 6 01:48:43 192.168.116.250 racoon: INFO: IPsec-SA request for 209.z.z.z queued due to no phase1 found. Feb 6 01:48:43 192.168.116.250 racoon: INFO: initiate new phase 1 negotiation: 204.x.x.x[500]<=>209.z.z.z[500] Feb 6 01:48:43 192.168.116.250 racoon: INFO: begin Identity Protection mode. Feb 6 01:48:43 192.168.116.250 racoon: INFO: received Vendor ID: DPD Feb 6 01:48:44 192.168.116.250 racoon: [66.z.z.z] ERROR: unknown Informational exchange received. Feb 6 01:48:44 192.168.116.250 racoon: [66.z.z.z] ERROR: unknown Informational exchange received. 
Feb 6 01:48:44 192.168.116.250 racoon: [71.z.z.z] INFO: DPD: remote (ISAKMP-SA spi=23c4c715caf74e95:73eaf2d5863eb546) seems to be dead. Feb 6 01:48:44 192.168.116.250 racoon: INFO: purging ISAKMP-SA spi=23c4c715caf74e95:73eaf2d5863eb546. Feb 6 01:48:44 192.168.116.250 racoon: INFO: purged IPsec-SA spi=83395052. Feb 6 01:48:44 192.168.116.250 racoon: INFO: purged IPsec-SA spi=12868578. Feb 6 01:48:44 192.168.116.250 racoon: INFO: purged ISAKMP-SA spi=23c4c715caf74e95:73eaf2d5863eb546. Feb 6 01:48:44 192.168.116.250 racoon: INFO: ISAKMP-SA deleted 204.x.x.x[500]-71.z.z.z[500] spi:23c4c715caf74e95:73eaf2d5863eb546 Feb 6 01:48:44 192.168.116.250 racoon: INFO: ISAKMP-SA established 204.x.x.x[500]-209.z.z.z[500] spi:c3de808313e44848:6f35e2474512d cfb Feb 6 01:48:44 192.168.116.250 racoon: INFO: IPsec-SA request for 64.z.z.z queued due to no phase1 found. Feb 6 01:48:44 192.168.116.250 racoon: INFO: initiate new phase 1 negotiation: 204.x.x.x[500]<=>64.z.z.z[500] Feb 6 01:48:44 192.168.116.250 racoon: INFO: begin Identity Protection mode. Feb 6 01:48:44 192.168.116.250 racoon: [66.z.z.z] ERROR: unknown Informational exchange received. Feb 6 01:48:44 192.168.116.250 racoon: INFO: respond new phase 1 negotiation: 204.x.x.x[500]<=>66.z.z.z[500] Feb 6 01:48:44 192.168.116.250 racoon: INFO: begin Identity Protection mode. 
Feb 6 01:48:44 192.168.116.250 racoon: INFO: received Vendor ID: DPD Feb 6 01:48:44 192.168.116.250 racoon: INFO: received Vendor ID: DPD Feb 6 01:48:44 192.168.116.250 racoon: INFO: ISAKMP-SA established 204.x.x.x[500]-64.z.z.z[500] spi:7271dcd00ea0731f:61f4c99af2710cf5 Feb 6 01:48:44 192.168.116.250 pf: 00:00:00.949496 rule 1/0(match): block in on enc0: (tos 0x0, ttl 99, id 114, offset 0, flags [none], prot o TCP (6), length 40) Feb 6 01:48:44 192.168.x.x pf: 192.168.K.x.80 > 192.168.116.8.33150: Flags [.], cksum 0xf662 (correct), ack 1, win 0, length 0 Feb 6 01:48:44 192.168.x.x racoon: INFO: initiate new phase 2 negotiation: 204.x.x.x[500]<=>209.x.x.x[500] Feb 6 01:48:44 192.168.x.x racoon: INFO: IPsec-SA established: ESP 204.x.x.x[500]->209.x.x.x[500] spi=234527522(0xdfa9b22) Feb 6 01:48:44 192.168.x.x racoon: INFO: IPsec-SA established: ESP 204.x.x.x[500]->209.x.x.x[500] spi=1266810441(0x4b81fe49) Feb 6 01:48:45 192.168.x.x racoon: [71.x.x.x] INFO: request for establishing IPsec-SA was queued due to no phase1 found. Feb 6 01:48:45 192.168.x.x kernel: pid 10622 (racoon), uid 0: exited on signal 11 (core dumped) -- Found these similar reports here: http://forum.pfsense.org/index.php/topic,39383.0.html ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3504260&group_id=74601 |
From: SourceForge.net <no...@so...> - 2013-02-08 15:05:06
Support Requests item #3603452, was opened at 2013-02-05 12:18
Message generated for change (Settings changed) made by cficik
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3603452&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Building and installation
Group: None
>Status: Deleted
Priority: 5
Private: No
Submitted By: Craig Ficik (cficik)
Assigned to: Nobody/Anonymous (nobody)
Summary: configure issue

Initial Comment:
Having issues with 0.8.1 during configure reporting openssl needs to be version 0.9.8s or higher. The version I have installed is OpenSSL 1.0.1, compiled with the FIPS 2.0.1 core.

----------------------------------------------------------------------

>Comment By: Craig Ficik (cficik)
Date: 2013-02-08 07:05

Message:
Found work around for issue.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3603452&group_id=74601
From: SourceForge.net <no...@so...> - 2013-02-05 20:18:44
Support Requests item #3603452, was opened at 2013-02-05 12:18
Message generated for change (Tracker Item Submitted) made by cficik
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3603452&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Building and installation
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Craig Ficik (cficik)
Assigned to: Nobody/Anonymous (nobody)
Summary: configure issue

Initial Comment:
Having issues with 0.8.1 during configure reporting openssl needs to be version 0.9.8s or higher. The version I have installed is OpenSSL 1.0.1, compiled with the FIPS 2.0.1 core.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3603452&group_id=74601
From: SourceForge.net <no...@so...> - 2013-01-24 10:07:26
Bugs item #3601972, was opened at 2013-01-24 02:05
Message generated for change (Comment added) made by avbohemen
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3601972&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Compilation
Group: CVS snapshot
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Anton (avbohemen)
Assigned to: Nobody/Anonymous (nobody)
Summary: ipsec-tools does not build with kernel 3.7+

Initial Comment:
In kernel 3.7+, several header files used by ipsec-tools have moved from {linux}/include/linux to {linux}/include/uapi/linux. This breaks the 'configure' script, and also the symlink created in the src directory.

----------------------------------------------------------------------

>Comment By: Anton (avbohemen)
Date: 2013-01-24 02:07

Message:
Also see https://dev.openwrt.org/ticket/12813

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3601972&group_id=74601
From: SourceForge.net <no...@so...> - 2013-01-24 10:05:58
Bugs item #3601972, was opened at 2013-01-24 02:05
Message generated for change (Tracker Item Submitted) made by avbohemen
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3601972&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Compilation
Group: CVS snapshot
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Anton (avbohemen)
Assigned to: Nobody/Anonymous (nobody)
Summary: ipsec-tools does not build with kernel 3.7+

Initial Comment:
In kernel 3.7+, several header files used by ipsec-tools have moved from {linux}/include/linux to {linux}/include/uapi/linux. This breaks the 'configure' script, and also the symlink created in the src directory.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3601972&group_id=74601
From: SourceForge.net <no...@so...> - 2013-01-03 22:11:43
Patches item #3599374, was opened at 2013-01-03 14:11
Message generated for change (Tracker Item Submitted) made by pef83
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541484&aid=3599374&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Loic Pefferkorn (pef83)
Assigned to: Nobody/Anonymous (nobody)
Summary: Correction to racoon.conf.5

Initial Comment:
In man page racoon.conf(5), correct an error in supported authentication algorithms

Thanks for racoon!

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541484&aid=3599374&group_id=74601
From: SourceForge.net <no...@so...> - 2012-11-29 08:51:33
Patches item #3555065, was opened at 2012-08-07 02:56
Message generated for change (Comment added) made by dsliwa01
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541484&aid=3555065&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Dominik Sliwa (dsliwa01)
Assigned to: Nobody/Anonymous (nobody)
Summary: remove trailing null character from XAuth password reply

Initial Comment:
It seems that some VPN servers have a problem with the null character added to the XAuth password in IPsec Xauth PSK mode. This patch removes it.

----------------------------------------------------------------------

Comment By: Dominik Sliwa (dsliwa01)
Date: 2012-11-29 00:51

Message:
Change is only in client side code. I hoped that google would take it from here, but I probably need to upload it to AOSP gerrit for them to notice.

----------------------------------------------------------------------

Comment By: miceliux (miceliux)
Date: 2012-11-29 00:41

Message:
I've tried this patch in OpenWrt 12.09-beta2, but it doesn't work for me. I've got it working with Strongswan, they have addressed the same issue in this commit:
http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=7d85bebc

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541484&aid=3555065&group_id=74601
From: SourceForge.net <no...@so...> - 2012-11-29 08:41:27
Patches item #3555065, was opened at 2012-08-07 02:56
Message generated for change (Comment added) made by miceliux
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541484&aid=3555065&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Dominik Sliwa (dsliwa01)
Assigned to: Nobody/Anonymous (nobody)
Summary: remove trailing null character from XAuth password reply

Initial Comment:
It seems that some VPN servers have a problem with the null character added to the XAuth password in IPsec Xauth PSK mode. This patch removes it.

----------------------------------------------------------------------

Comment By: miceliux (miceliux)
Date: 2012-11-29 00:41

Message:
I've tried this patch in OpenWrt 12.09-beta2, but it doesn't work for me. I've got it working with Strongswan, they have addressed the same issue in this commit:
http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=7d85bebc

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541484&aid=3555065&group_id=74601
From: SourceForge.net <no...@so...> - 2012-11-07 13:39:38
Support Requests item #3585149, was opened at 2012-11-07 05:39
Message generated for change (Tracker Item Submitted) made by kishlorn
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3585149&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Configuration
Group: racoon
Status: Open
Priority: 5
Private: No
Submitted By: KishlorN (kishlorn)
Assigned to: Nobody/Anonymous (nobody)
Summary: Centos 6 L2TP Ipsec

Initial Comment:
Hello,

I'm trying to set up something like this
http://wiki.nikoforge.org/L2TP/IPSec_VPN_Setup_on_Centos_6_(64-bit)_for_use_with_Android_ICS_and_iOS_5_Clients

I have about everything configured the same way, except that in my case I'm trying to reach my vpn server (LAN IP 192.168.1.3) through a firewall/router (Internet IP + 192.168.1.1) from an Android device on the internet

It's not working and here is the message I found in the system log:

Nov 7 14:34:25 microproliant racoon: ERROR: no policy found: 10.82.16.254/32[0] 86.205.73.95/32[1701] proto=udp dir=in
Nov 7 14:34:25 microproliant racoon: ERROR: failed to get proposal for responder.
Nov 7 14:34:25 microproliant racoon: [90.84.144.254] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).

I'm a bit lost here so any help would be appreciated...

Thanks in advance!

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3585149&group_id=74601
From: SourceForge.net <no...@so...> - 2012-08-12 09:35:32
Support Requests item #3556611, was opened at 2012-08-12 02:35
Message generated for change (Tracker Item Submitted) made by dkorzhevin
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3556611&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Configuration
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: dkorzhevin (dkorzhevin)
Assigned to: Nobody/Anonymous (nobody)
Summary: FreeBSD 9 L2TPD ipsec (racoon) and mpd5

Initial Comment:
Hello, I configured FreeBSD 9.0 release using the http://wiki.stocksy.co.uk/wiki/L2TP_VPN_in_FreeBSD tutorial.
I am able to connect to the server from Mac OS X, but I have 2 problems:
1. Internet is not working
2. I am not able to make more than 1 connection from one IP, even with separate usernames.

Here is my information:

dkorzhevin# cat /etc/sysctl.conf
# $FreeBSD: release/9.0.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.ip.fw.one_pass=1
net.key.prefered_oldsa=0
net.key.blockacq_count=0
dkorzhevin#

kernel compiled with options:

options IPSEC
options IPSEC_NAT_T
device crypto
options IPSEC_FILTERTUNNEL
device enc
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options LIBALIAS
options IPDIVERT

patch /usr/ports/security/ipsec-tools/files/patch-zz-local-1.diff applied to ipsec-tools

dkorzhevin# cat /usr/local/etc/racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen
{
    # REPLACE w.x.y.z with the IP address racoon will listen on (if NAT translated, this is the INSIDE IP)
    isakmp MYIP [500];
    isakmp_natt MYIP [4500];

    # NOTE, you can specify multiple IPs to listen on
    # isakmp p.q.r.s [500];
    # isakmp_natt p.q.r.s [4500];
    # strict_address;
}

remote anonymous
{
    exchange_mode main;
    passive on;
    proposal_check obey;
    support_proxy on;
    nat_traversal on;
    ike_frag on;
    dpd_delay 20;

    proposal
    {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }

    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo anonymous
{
    encryption_algorithm aes,3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group modp1024;
}
dkorzhevin#

dkorzhevin# cat setkey.conf
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
dkorzhevin#

dkorzhevin# cat psk.txt
* stidia MYIP MYPASS
dkorzhevin#

dkorzhevin# ls -la
total 20
drwxr-xr-x 2 root wheel 512 Aug 10 15:02 .
drwxr-xr-x 8 root wheel 512 Aug 10 09:16 ..
-rw------- 1 root wheel 30 Aug 10 11:34 psk.txt
-rw-r--r-- 1 root wheel 1308 Aug 10 14:42 racoon.conf
-rw-r--r-- 1 root wheel 171 Aug 10 14:18 setkey.conf
dkorzhevin#

dkorzhevin# cat /usr/local/etc/mpd5/mpd.conf
startup:
    # configure mpd users
    set user super pwSuper admin
    # configure the console
    set console self 127.0.0.1 5005
    set console open
    # configure the web server
    set web self 0.0.0.0 5006
    set web open

default:
    load l2tp_server

l2tp_server:
    # Define dynamic IP address pool.
    set ippool add pool_l2tp 192.168.0.150 192.168.0.199

    # Create clonable bundle template named B_l2tp
    create bundle template B_l2tp
    set iface enable proxy-arp
    set iface enable tcpmssfix
    set ipcp yes vjcomp
    # Specify IP address pool for dynamic assigment.
    set ipcp ranges 192.168.0.1/24 ippool pool_l2tp
    set ipcp dns 192.168.0.1

    # Create clonable link template named L_l2tp
    create link template L_l2tp l2tp
    # Set bundle template to use
    set link action bundle B_l2tp
    # Multilink adds some overhead, but gives full 1500 MTU.
    set link enable multilink
    set link no pap chap eap
    set link enable chap
    set link keep-alive 0 0
    # We reducing link mtu to avoid ESP packet fragmentation.
    set link mtu 1280
    # Configure L2TP
    set l2tp self MYIP
    set l2tp enable length
    # Allow to accept calls
    set link enable incoming
dkorzhevin#

dkorzhevin# cat /etc/rc.conf
hostname="dkorzhevin.mirohost.net"
ifconfig_nfe0=" inet MYIP netmask 255.255.254.0"
defaultrouter="GATEWAYIP"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"

firewall_enable="YES"
firewall_nat_enable="YES"
firewall_type="/etc/firewall"
gateway_enable="YES"
natd_enable="YES"
natd_interface="nfe0"
natd_flags=""
dkorzhevin#

Please help

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=3556611&group_id=74601
From: SourceForge.net <no...@so...> - 2012-08-07 09:56:33
Patches item #3555065, was opened at 2012-08-07 02:56
Message generated for change (Tracker Item Submitted) made by dsliwa01
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541484&aid=3555065&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Dominik Sliwa (dsliwa01)
Assigned to: Nobody/Anonymous (nobody)
Summary: remove trailing null character from XAuth password reply

Initial Comment:
It seems that some VPN servers have a problem with the null character added to the XAuth password in IPsec Xauth PSK mode. This patch removes it.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541484&aid=3555065&group_id=74601
From: SourceForge.net <no...@so...> - 2012-07-19 01:09:13
Bugs item #3530148, was opened at 2012-05-27 15:40
Message generated for change (Comment added) made by bircoph
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3530148&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Andrew (bircoph)
Assigned to: Nobody/Anonymous (nobody)
Summary: racoon-0.8.0 segfaults if privsep is used

Initial Comment:
Hello,

I have the following setup: racoon from ipsec-tools-0.8.0, privsep is enabled, on *any* new incoming connection (INITIAL-CONTACT) racoon segfaults:

May 27 16:44:13 [racoon] INFO: respond new phase 1 negotiation: 10.50.0.89[500]<=>10.51.15.126[500]_
May 27 16:44:13 [racoon] INFO: begin Identity Protection mode._
May 27 16:44:13 [racoon] INFO: received Vendor ID: DPD_
May 27 16:44:13 [racoon] WARNING: CERT validation disabled by configuration_
May 27 16:44:13 [racoon] INFO: ISAKMP-SA established 10.50.0.89[500]-10.51.15.126[500] spi:e018f61cc1ff7c11:894fe14faf0969f2_
May 27 16:44:13 [racoon] [10.51.15.126] INFO: received INITIAL-CONTACT_
May 27 16:44:13 [racoon] ERROR: privsep_socket: unauthorized domain (15)_
May 27 16:44:13 [racoon] INFO: racoon privileged process 29659 terminated_
May 27 16:44:13 [kernel] racoon[29686]: segfault at 10 ip 0000000000423ab6 sp 00007fffefd5a010 error 4 in racoon[400000+94000]

Config file is attached, even without chroot this crash is reproducible, with privsep completely disabled racoon works normally.

My distribution is Gentoo, running 3.2.14 kernel. I use only AH tunneling for this connection. Older racoon from ipsec-tools-0.7.3 works fine under the same conditions.

----------------------------------------------------------------------

>Comment By: Andrew (bircoph)
Date: 2012-07-18 18:09

Message:
Ignore my previous post: racoon was tested with privsep disabled. With privsep enabled racoon crashes regardless of the mode set.

----------------------------------------------------------------------

Comment By: Andrew (bircoph)
Date: 2012-07-18 18:02

Message:
This bug happens only in the tunnel ipsec mode and can't be reproduced for the transport mode. The following setkey is an example required to reproduce a crash on the host A:

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd B A any -P in ipsec ah/tunnel/B-A/require;
spdadd A B any -P out ipsec ah/tunnel/A-B/require;

----------------------------------------------------------------------

Comment By: Andrew (bircoph)
Date: 2012-07-18 17:23

Message:
Steps to reproduce:
0) You need either a third host C with non-ipsec access to the A and B hosts or direct physical/kvm/ilo access to both the A and B hosts.
1) Stop racoon on both sides (A and B) of the ipsec connection.
2) rc-config start racoon on A.
3) rc-config start racoon on B.
4) on B: ping A
5) Segfault on A!

I recompiled racoon with CFLAGS="-ggdb" and managed to get a gdb backtrace on host A:

#0 0x000000000042ee8a in rec_fd (s=11) at privsep.c:1574
#1 0x000000000042df41 in privsep_socket (domain=15, type=3, protocol=2) at privsep.c:1144
#2 0x000000000042fa96 in pfkey_dump_sadb (satype=0) at pfkey.c:312
#3 0x0000000000427d63 in isakmp_info_recv_initialcontact (iph1=0x19f4f20, protectedph2=0x0) at isakmp_inf.c:1305
#4 0x0000000000425fbe in isakmp_info_recv_n (iph1=0x19f4f20, notify=0x19ebc40, msgid=2587936451, encrypted=1) at isakmp_inf.c:411
#5 0x0000000000425af2 in isakmp_info_recv (iph1=0x19f4f20, msg0=0x19f54c0) at isakmp_inf.c:294
#6 0x000000000040980c in isakmp_main (msg=0x19f54c0, remote=0x7fff56e3dc90, local=0x7fff56e3dc10) at isakmp.c:652
#7 0x0000000000408dbd in isakmp_handler (ctx=0x0, so_isakmp=8) at isakmp.c:377
#8 0x0000000000408021 in session () at session.c:325
#9 0x000000000040757b in main (ac=4, av=0x7fff56e3ef18) at main.c:345

----------------------------------------------------------------------

Comment By: Andrew (bircoph)
Date: 2012-05-27 15:42

Message:
I found a very similar bug report made 10 months ago:
https://sourceforge.net/mailarchive/message.php?msg_id=27864382
though, with no reply...

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3530148&group_id=74601
From: SourceForge.net <no...@so...> - 2012-07-19 01:02:27
Bugs item #3530148, was opened at 2012-05-27 15:40
Message generated for change (Comment added) made by bircoph
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3530148&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Andrew (bircoph)
Assigned to: Nobody/Anonymous (nobody)
Summary: racoon-0.8.0 segfaults if privsep is used

Initial Comment:
Hello,

I have the following setup: racoon from ipsec-tools-0.8.0, privsep is enabled, on *any* new incoming connection (INITIAL-CONTACT) racoon segfaults:

May 27 16:44:13 [racoon] INFO: respond new phase 1 negotiation: 10.50.0.89[500]<=>10.51.15.126[500]_
May 27 16:44:13 [racoon] INFO: begin Identity Protection mode._
May 27 16:44:13 [racoon] INFO: received Vendor ID: DPD_
May 27 16:44:13 [racoon] WARNING: CERT validation disabled by configuration_
May 27 16:44:13 [racoon] INFO: ISAKMP-SA established 10.50.0.89[500]-10.51.15.126[500] spi:e018f61cc1ff7c11:894fe14faf0969f2_
May 27 16:44:13 [racoon] [10.51.15.126] INFO: received INITIAL-CONTACT_
May 27 16:44:13 [racoon] ERROR: privsep_socket: unauthorized domain (15)_
May 27 16:44:13 [racoon] INFO: racoon privileged process 29659 terminated_
May 27 16:44:13 [kernel] racoon[29686]: segfault at 10 ip 0000000000423ab6 sp 00007fffefd5a010 error 4 in racoon[400000+94000]

Config file is attached, even without chroot this crash is reproducible, with privsep completely disabled racoon works normally.

My distribution is Gentoo, running 3.2.14 kernel. I use only AH tunneling for this connection. Older racoon from ipsec-tools-0.7.3 works fine under the same conditions.

----------------------------------------------------------------------

>Comment By: Andrew (bircoph)
Date: 2012-07-18 18:02

Message:
This bug happens only in the tunnel ipsec mode and can't be reproduced for the transport mode. The following setkey is an example required to reproduce a crash on the host A:

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd B A any -P in ipsec ah/tunnel/B-A/require;
spdadd A B any -P out ipsec ah/tunnel/A-B/require;

----------------------------------------------------------------------

Comment By: Andrew (bircoph)
Date: 2012-07-18 17:23

Message:
Steps to reproduce:
0) You need either a third host C with non-ipsec access to the A and B hosts or direct physical/kvm/ilo access to both the A and B hosts.
1) Stop racoon on both sides (A and B) of the ipsec connection.
2) rc-config start racoon on A.
3) rc-config start racoon on B.
4) on B: ping A
5) Segfault on A!

I recompiled racoon with CFLAGS="-ggdb" and managed to get a gdb backtrace on host A:

#0 0x000000000042ee8a in rec_fd (s=11) at privsep.c:1574
#1 0x000000000042df41 in privsep_socket (domain=15, type=3, protocol=2) at privsep.c:1144
#2 0x000000000042fa96 in pfkey_dump_sadb (satype=0) at pfkey.c:312
#3 0x0000000000427d63 in isakmp_info_recv_initialcontact (iph1=0x19f4f20, protectedph2=0x0) at isakmp_inf.c:1305
#4 0x0000000000425fbe in isakmp_info_recv_n (iph1=0x19f4f20, notify=0x19ebc40, msgid=2587936451, encrypted=1) at isakmp_inf.c:411
#5 0x0000000000425af2 in isakmp_info_recv (iph1=0x19f4f20, msg0=0x19f54c0) at isakmp_inf.c:294
#6 0x000000000040980c in isakmp_main (msg=0x19f54c0, remote=0x7fff56e3dc90, local=0x7fff56e3dc10) at isakmp.c:652
#7 0x0000000000408dbd in isakmp_handler (ctx=0x0, so_isakmp=8) at isakmp.c:377
#8 0x0000000000408021 in session () at session.c:325
#9 0x000000000040757b in main (ac=4, av=0x7fff56e3ef18) at main.c:345

----------------------------------------------------------------------

Comment By: Andrew (bircoph)
Date: 2012-05-27 15:42

Message:
I found a very similar bug report made 10 months ago:
https://sourceforge.net/mailarchive/message.php?msg_id=27864382
though, with no reply...

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3530148&group_id=74601
From: SourceForge.net <no...@so...> - 2012-07-19 00:23:58
Bugs item #3530148, was opened at 2012-05-27 15:40
Message generated for change (Comment added) made by bircoph
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3530148&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Andrew (bircoph)
Assigned to: Nobody/Anonymous (nobody)
Summary: racoon-0.8.0 segfaults if privsep is used

Initial Comment:
Hello,

I have the following setup: racoon from ipsec-tools-0.8.0, privsep is enabled, on *any* new incoming connection (INITIAL-CONTACT) racoon segfaults:

May 27 16:44:13 [racoon] INFO: respond new phase 1 negotiation: 10.50.0.89[500]<=>10.51.15.126[500]_
May 27 16:44:13 [racoon] INFO: begin Identity Protection mode._
May 27 16:44:13 [racoon] INFO: received Vendor ID: DPD_
May 27 16:44:13 [racoon] WARNING: CERT validation disabled by configuration_
May 27 16:44:13 [racoon] INFO: ISAKMP-SA established 10.50.0.89[500]-10.51.15.126[500] spi:e018f61cc1ff7c11:894fe14faf0969f2_
May 27 16:44:13 [racoon] [10.51.15.126] INFO: received INITIAL-CONTACT_
May 27 16:44:13 [racoon] ERROR: privsep_socket: unauthorized domain (15)_
May 27 16:44:13 [racoon] INFO: racoon privileged process 29659 terminated_
May 27 16:44:13 [kernel] racoon[29686]: segfault at 10 ip 0000000000423ab6 sp 00007fffefd5a010 error 4 in racoon[400000+94000]

Config file is attached, even without chroot this crash is reproducible, with privsep completely disabled racoon works normally.

My distribution is Gentoo, running 3.2.14 kernel. I use only AH tunneling for this connection. Older racoon from ipsec-tools-0.7.3 works fine under the same conditions.

----------------------------------------------------------------------

>Comment By: Andrew (bircoph)
Date: 2012-07-18 17:23

Message:
Steps to reproduce:
0) You need either a third host C with non-ipsec access to the A and B hosts or direct physical/kvm/ilo access to both the A and B hosts.
1) Stop racoon on both sides (A and B) of the ipsec connection.
2) rc-config start racoon on A.
3) rc-config start racoon on B.
4) on B: ping A
5) Segfault on A!

I recompiled racoon with CFLAGS="-ggdb" and managed to get a gdb backtrace on host A:

#0 0x000000000042ee8a in rec_fd (s=11) at privsep.c:1574
#1 0x000000000042df41 in privsep_socket (domain=15, type=3, protocol=2) at privsep.c:1144
#2 0x000000000042fa96 in pfkey_dump_sadb (satype=0) at pfkey.c:312
#3 0x0000000000427d63 in isakmp_info_recv_initialcontact (iph1=0x19f4f20, protectedph2=0x0) at isakmp_inf.c:1305
#4 0x0000000000425fbe in isakmp_info_recv_n (iph1=0x19f4f20, notify=0x19ebc40, msgid=2587936451, encrypted=1) at isakmp_inf.c:411
#5 0x0000000000425af2 in isakmp_info_recv (iph1=0x19f4f20, msg0=0x19f54c0) at isakmp_inf.c:294
#6 0x000000000040980c in isakmp_main (msg=0x19f54c0, remote=0x7fff56e3dc90, local=0x7fff56e3dc10) at isakmp.c:652
#7 0x0000000000408dbd in isakmp_handler (ctx=0x0, so_isakmp=8) at isakmp.c:377
#8 0x0000000000408021 in session () at session.c:325
#9 0x000000000040757b in main (ac=4, av=0x7fff56e3ef18) at main.c:345

----------------------------------------------------------------------

Comment By: Andrew (bircoph)
Date: 2012-05-27 15:42

Message:
I found a very similar bug report made 10 months ago:
https://sourceforge.net/mailarchive/message.php?msg_id=27864382
though, with no reply...

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=3530148&group_id=74601
From: SourceForge.net <no...@so...> - 2012-05-27 23:51:44

Patches item #3530159, was opened at 2012-05-27 16:51
Message generated for change (Tracker Item Submitted) made by nnobody
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541484&aid=3530159&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Alex Fedorov (nnobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: couple fixes to privsep.c

Initial Comment:
First hunk fixes termination of privileged process due to "ERROR: privsep_socket: unauthorized domain (15)" and SIGSEGV in child.
Second eliminates "ERROR: privsep_setsockopt (Operation not permitted)" due to setsockopt setting errno to EPERM instead of EACCES on insufficient rights in Linux.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541484&aid=3530159&group_id=74601
From: SourceForge.net <no...@so...> - 2012-05-27 23:10:24

Patches item #3530156, was opened at 2012-05-27 16:10
Message generated for change (Tracker Item Submitted) made by nnobody
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541484&aid=3530156&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Alex Fedorov (nnobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: NAT-T delete_spd addresses

Initial Comment:
memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
produces double src<>dst inversion due to earlier
iph2->src = dst;
which produces the same addresses for source and destination in spd delete message and error message "ERROR: pfkey X_SPDDELETE failed: No such file or directory" in log.
The same for source address.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541484&aid=3530156&group_id=74601