
Re: [Users] pluto error - restarting but not removing old hold connection for DPD

From: Brian T. <btuch(at)usa.net>
Date: Mon Oct 13 2003 - 16:34:17 EDT

Alright,

Assuming that v1.99.8 from the webpage is later than 1.99.8.1rc6, I downloaded it and installed on the embedded box I'm testing. Pluto is no longer crashing (thanks!) but I am seeing errors still when testing the DPD detection by either unplugging the ethernet, or black holing the routes:

pluto[1270]: ERROR: pfkey write() of SADB_X_DELFLOW message 19 for flow %hold failed. Errno 22: Invalid argument

Not sure what they mean. What could cause the invalid arg? "ipsec eroute" also shows the old connection in a %hold state, and the new is established, but I am back to not being able to get traffic out due to the old (same) tunnel in a hold state.

Below is a snip from my log.

Any help is appreciated.

Thanks!

-Brian

Oct 13 15:27:11 ipsec_setup: Starting FreeS/WAN IPsec super-freeswan-1.99.8...
Oct 13 15:27:12 ipsec_setup: Using /lib/modules/2.4.20/kernel/net/ipsec/ipsec.o
Oct 13 15:27:12 klogd: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: super-freeswan-1.99.8
Oct 13 15:27:12 ipsec_setup: KLIPS debug `none'
Oct 13 15:27:12 ipsec_setup: KLIPS ipsec0 on eth0 e.f.g.151/255.255.255.0 broadcast e.f.g.255
Oct 13 15:27:13 ipsec__plutorun: Starting Pluto subsystem...
Oct 13 15:27:13 pluto[1270]: Starting Pluto (FreeS/WAN Version super-freeswan-1.99.8)
Oct 13 15:27:13 ipsec_setup: ...FreeS/WAN IPsec started
Oct 13 15:27:13 pluto[1270]: including X.509 patch with traffic selectors (Version 0.9.32)
Oct 13 15:27:13 pluto[1270]: including NAT-Traversal patch (Version 0.6) [disabled]

Oct 13 15:27:13 pluto[1270]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Oct 13 15:27:13 pluto[1270]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Oct 13 15:27:13 pluto[1270]: ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
Oct 13 15:27:13 pluto[1270]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Oct 13 15:27:13 pluto[1270]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Oct 13 15:27:13 pluto[1270]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Oct 13 15:27:13 pluto[1270]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Oct 13 15:27:13 pluto[1270]: ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)

Oct 13 15:27:13 pluto[1270]: Changing to directory '/etc/ipsec.d/cacerts'
Oct 13 15:27:13 pluto[1270]:   Warning: empty directory
Oct 13 15:27:13 pluto[1270]: Changing to directory '/etc/ipsec.d/crls'
Oct 13 15:27:13 pluto[1270]:   Warning: empty directory
Oct 13 15:27:13 pluto[1270]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Oct 13 15:27:16 pluto[1270]: | from whack: got --esp=3des-md5-96
Oct 13 15:27:16 pluto[1270]: | from whack: got --ike=3des
Oct 13 15:27:16 pluto[1270]: added connection description "ciscogate"
Oct 13 15:27:16 pluto[1270]: listening for IKE messages
Oct 13 15:27:16 pluto[1270]: adding interface ipsec0/eth0 e.f.g.151
Oct 13 15:27:16 pluto[1270]: loading secrets from "/etc/ipsec/ipsec.secrets"
Oct 13 15:27:17 pluto[1270]: "ciscogate" #1: initiating Main Mode
Oct 13 15:27:18 pluto[1270]: "ciscogate" #1: ignoring Vendor ID payload [Cisco-Unity]
Oct 13 15:27:18 pluto[1270]: "ciscogate" #1: received Vendor ID payload [Dead Peer Detection]
Oct 13 15:27:18 pluto[1270]: "ciscogate" #1: ignoring Vendor ID payload [878bd649b39fde98...]
Oct 13 15:27:18 pluto[1270]: "ciscogate" #1: ignoring Vendor ID payload [XAUTH]

Oct 13 15:27:18 pluto[1270]: "ciscogate" #1: WARNING: compute_dh_shared(): for OAKLEY_GROUP_MODP1024 took 411305 usec
Oct 13 15:27:18 pluto[1270]: "ciscogate" #1: Main mode peer ID is ID_IPV4_ADDR: 'a.b.c.204'
Oct 13 15:27:18 pluto[1270]: "ciscogate" #1: ISAKMP SA established
Oct 13 15:27:18 pluto[1270]: "ciscogate" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Oct 13 15:27:19 pluto[1270]: "ciscogate" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Oct 13 15:27:20 pluto[1270]: "ciscogate" #2: WARNING: compute_dh_shared(): for OAKLEY_GROUP_MODP1024 took 415607 usec
Oct 13 15:27:20 pluto[1270]: "ciscogate" #2: Dead Peer Detection (draft-ietf-ipsec-dpd-02) enabled
Oct 13 15:27:20 pluto[1270]: "ciscogate" #2: sent QI2, IPsec SA established
Oct 13 15:27:20 ipsec__plutorun: 104 "ciscogate" #1: STATE_MAIN_I1: initiate
Oct 13 15:27:20 ipsec__plutorun: 106 "ciscogate" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Oct 13 15:27:20 ipsec__plutorun: 003 "ciscogate" #1: ignoring Vendor ID payload [Cisco-Unity]
Oct 13 15:27:20 ipsec__plutorun: 003 "ciscogate" #1: received Vendor ID payload [Dead Peer Detection]
Oct 13 15:27:20 ipsec__plutorun: 003 "ciscogate" #1: ignoring Vendor ID payload [878bd649b39fde98...]
Oct 13 15:27:20 ipsec__plutorun: 003 "ciscogate" #1: ignoring Vendor ID payload [XAUTH]
Oct 13 15:27:20 ipsec__plutorun: 003 "ciscogate" #1: WARNING: compute_dh_shared(): for OAKLEY_GROUP_MODP1024 took 411305 usec
Oct 13 15:27:20 ipsec__plutorun: 108 "ciscogate" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Oct 13 15:27:20 ipsec__plutorun: 004 "ciscogate" #1: STATE_MAIN_I4: ISAKMP SA established
Oct 13 15:27:20 ipsec__plutorun: 117 "ciscogate" #2: STATE_QUICK_I1: initiate
Oct 13 15:27:20 ipsec__plutorun: 003 "ciscogate" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Oct 13 15:27:20 ipsec__plutorun: 003 "ciscogate" #2: WARNING: compute_dh_shared(): for OAKLEY_GROUP_MODP1024 took 415607 usec
Oct 13 15:27:20 ipsec__plutorun: 004 "ciscogate" #2: STATE_QUICK_I2: sent QI2, IPsec SA established

...unplug ethernet.....

Oct 13 15:28:53 pluto[1270]: ERROR: asynchronous network error report on eth0 for message to a.b.c.204 port 500, complainant e.f.g.151: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Oct 13 15:29:20 pluto[1270]: "ciscogate" #1: DPD: No response from peer - declaring peer dead

Oct 13 15:29:20 pluto[1270]: "ciscogate" #2: deleting state (STATE_QUICK_I2)
Oct 13 15:29:20 pluto[1270]: "ciscogate" #1: deleting state (STATE_MAIN_I4)
Oct 13 15:29:23 pluto[1270]: ERROR: asynchronous network error report on eth0 for message to a.b.c.204 port 500, complainant e.f.g.151: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Oct 13 15:29:23 pluto[1270]: ERROR: asynchronous network error report on eth0 for message to a.b.c.204 port 500, complainant e.f.g.151: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Oct 13 15:29:23 pluto[1270]: ERROR: asynchronous network error report on eth0 for message to a.b.c.204 port 500, complainant e.f.g.151: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Oct 13 15:29:26 pluto[1270]: ERROR: pfkey write() of SADB_X_DELFLOW message 19 for flow %hold failed. Errno 22: Invalid argument
Oct 13 15:29:26 pluto[1270]: | 02 0f 00 0b 0f 00 00 00 13 00 00 00 f6 04 00 00
Oct 13 15:29:26 pluto[1270]: | 03 00 15 00 00 00 00 00 02 00 00 00 42 5d c0 97
Oct 13 15:29:26 pluto[1270]: | 00 00 00 00 00 00 00 00 03 00 16 00 00 00 00 00
Oct 13 15:29:26 pluto[1270]: | 02 00 00 00 cc c2 7a cc 00 00 00 00 00 00 00 00
Oct 13 15:29:26 pluto[1270]: | 03 00 17 00 00 00 00 00 02 00 00 00 ff ff ff ff
Oct 13 15:29:26 pluto[1270]: | e8 e4 ff bf c6 99 09 40 03 00 18 00 00 00 00 00
Oct 13 15:29:26 pluto[1270]: | 02 00 00 00 ff ff ff ff 84 a6 13 40 00 00 00 00
Oct 13 15:29:26 pluto[1270]: |   01 00 1e 00  2f c1 00 00
Oct 13 15:29:26 pluto[1270]: "ciscogate" #3: initiating Main Mode
Oct 13 15:29:29 pluto[1270]: "ciscogate" #3: ERROR: asynchronous network error report on eth0 for message to a.b.c.204 port 500, complainant e.f.g.151: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

.....plug in ethernet ............

Oct 13 15:29:56 pluto[1270]: "ciscogate" #3: ignoring Vendor ID payload [Cisco-Unity]
Oct 13 15:29:56 pluto[1270]: "ciscogate" #3: received Vendor ID payload [Dead Peer Detection]
Oct 13 15:29:56 pluto[1270]: "ciscogate" #3: ignoring Vendor ID payload [878bd64931e76ee6...]
Oct 13 15:29:56 pluto[1270]: "ciscogate" #3: ignoring Vendor ID payload [XAUTH]
Oct 13 15:29:57 pluto[1270]: "ciscogate" #3: WARNING: compute_dh_shared(): for OAKLEY_GROUP_MODP1024 took 414037 usec
Oct 13 15:29:57 pluto[1270]: "ciscogate" #3: Main mode peer ID is ID_IPV4_ADDR: 'a.b.c.204'
Oct 13 15:29:57 pluto[1270]: "ciscogate" #3: ISAKMP SA established
Oct 13 15:29:57 pluto[1270]: "ciscogate" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Oct 13 15:29:58 pluto[1270]: "ciscogate" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Oct 13 15:29:58 pluto[1270]: "ciscogate" #4: WARNING: compute_dh_shared(): for OAKLEY_GROUP_MODP1024 took 414212 usec
Oct 13 15:29:58 pluto[1270]: "ciscogate" #4: Dead Peer Detection (draft-ietf-ipsec-dpd-02) enabled
Oct 13 15:29:58 pluto[1270]: "ciscogate" #4: sent QI2, IPsec SA established

[root@embedded-v57 root]# ipsec eroute

0          e.f.g.151/32:0 -> a.b.c.204/32:0 => tun0x1004@a.b.c.204:0
0          e.f.g.151/32:0 -> a.b.c.204/32:0 => %hold:47
----- Original Message -----
From: "Paul Wouters" <paul@xtdnet.nl>
To: "Brian T." <btuch@usa.net>
Cc: <users@lists.freeswan.org>
Sent: Monday, October 13, 2003 10:43 AM
Subject: Re: [Users] pluto error - restarting but not removing old hold connection for DPD

> On Mon, 13 Oct 2003, Brian T. wrote:
>
> > After doing some more testing with sfs 1.99.8.1rc6, I found that when pluto
> > crashes (when trying to put a connection into %hold) here:
>
> Please update to the latest superfreeswan. This one has known dpd crashers.
>
> If the problem remains, define dumpdir= in ipsec.conf and run gdb over
> the core file and mail a trace to the list.
>
> Paul
>
>
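The hex that pluto prints under the failed pfkey write() is the raw PF_KEY v2 message it tried to hand to KLIPS, and decoding it is the quickest way to confirm what the daemon was asking for. The decoder below is an added example, not code from this thread or from FreeS/WAN. It walks the 16-byte base header and the (length, type)-prefixed extension chain in host byte order; the message and extension type names are taken from FreeS/WAN's pfkeyv2.h as I remember them and should be treated as an assumption to check against the header on your own system. The sample dump is constructed: it keeps the exact layout and base-header values of Brian's dump (SADB_X_DELFLOW, sequence 19, pid 1270) but substitutes RFC 5737 documentation addresses for the flow and mask endpoints.

```python
import struct
from ipaddress import IPv4Address

# Numeric constants as I recall them from FreeS/WAN's pfkeyv2.h; the names
# are an assumption, so check them against the header on your system.
MSG_TYPES = {14: "SADB_X_ADDFLOW", 15: "SADB_X_DELFLOW"}
EXT_TYPES = {
    21: "SADB_X_EXT_ADDRESS_SRC_FLOW",
    22: "SADB_X_EXT_ADDRESS_DST_FLOW",
    23: "SADB_X_EXT_ADDRESS_SRC_MASK",
    24: "SADB_X_EXT_ADDRESS_DST_MASK",
}
AF_INET = 2

# Constructed sample with the same layout as the dump in the post: the base
# header (SADB_X_DELFLOW, seq 19, pid 1270) matches the post, the flow and
# mask addresses are documentation addresses rather than the real ones.
SAMPLE_DUMP = """\
| 02 0f 00 0b 0f 00 00 00 13 00 00 00 f6 04 00 00
| 03 00 15 00 00 00 00 00 02 00 00 00 c0 00 02 0a
| 00 00 00 00 00 00 00 00 03 00 16 00 00 00 00 00
| 02 00 00 00 c6 33 64 14 00 00 00 00 00 00 00 00
| 03 00 17 00 00 00 00 00 02 00 00 00 ff ff ff ff
| 00 00 00 00 00 00 00 00 03 00 18 00 00 00 00 00
| 02 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00
| 01 00 1e 00 2f c1 00 00
"""


def parse_dump(text: str) -> bytes:
    """Turn pluto's '| xx xx ...' debug lines (with or without the syslog prefix) back into bytes."""
    out = bytearray()
    for line in text.splitlines():
        if "|" in line:
            line = line.split("|", 1)[1]
        out.extend(int(tok, 16) for tok in line.split())
    return bytes(out)


def decode_pfkey(raw: bytes) -> dict:
    """Decode a PF_KEY v2 message: 16-byte base header followed by a chain of
    (len, type)-prefixed extensions. Host byte order (little-endian on x86);
    every length field counts 64-bit units."""
    if len(raw) < 16:
        raise ValueError("message shorter than the PF_KEY base header")
    version, mtype, err, satype, mlen, _res, seq, pid = struct.unpack_from("<BBBBHHII", raw, 0)
    total = mlen * 8
    if total != len(raw):
        raise ValueError(f"header claims {total} bytes, dump holds {len(raw)}")
    msg = {
        "version": version,
        "type": MSG_TYPES.get(mtype, f"msg_{mtype}"),
        "errno": err,  # errno carried inside the message, not the write() errno
        "satype": satype,
        "len_bytes": total,
        "seq": seq,
        "pid": pid,
        "ext": [],
    }
    off = 16
    while off + 4 <= total:
        elen, etype = struct.unpack_from("<HH", raw, off)
        if elen == 0:
            raise ValueError(f"zero-length extension at offset {off}")
        body = raw[off + 4 : off + elen * 8]
        if etype in EXT_TYPES:
            # struct sadb_address: proto, prefixlen, reserved, then a sockaddr_in
            proto, prefixlen = body[0], body[1]
            (family,) = struct.unpack_from("<H", body, 4)
            addr = str(IPv4Address(body[8:12])) if family == AF_INET else None
            msg["ext"].append({"type": EXT_TYPES[etype], "proto": proto,
                               "prefixlen": prefixlen, "addr": addr})
        else:
            msg["ext"].append({"type": f"ext_{etype}", "raw": body.hex()})
        off += elen * 8
    return msg


def describe_flow(msg: dict) -> str:
    """Summarise the flow an ADDFLOW/DELFLOW message names, e.g. '192.0.2.10/32 -> 198.51.100.20/32'."""
    by_type = {e["type"]: e for e in msg["ext"] if "addr" in e}

    def cidr(flow_key, mask_key):
        mask = int(IPv4Address(by_type[mask_key]["addr"]))
        return f"{by_type[flow_key]['addr']}/{bin(mask).count('1')}"

    return (cidr("SADB_X_EXT_ADDRESS_SRC_FLOW", "SADB_X_EXT_ADDRESS_SRC_MASK")
            + " -> " + cidr("SADB_X_EXT_ADDRESS_DST_FLOW", "SADB_X_EXT_ADDRESS_DST_MASK"))


if __name__ == "__main__":
    m = decode_pfkey(parse_dump(SAMPLE_DUMP))
    print(f"{m['type']} seq={m['seq']} pid={m['pid']} errno={m['errno']}: {describe_flow(m)}")
```

Paste the `|`-prefixed lines from your own log into `parse_dump` to decode a real message. Two things to read off the result: the sequence number and pid should match the "message 19" and `pluto[1270]` in the error line, which ties the dump to the failed write, and the errno field inside the message is zero because EINVAL came back from the kernel's write() return value, not from a PF_KEY reply.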



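The visible symptom Brian reports is that `ipsec eroute` lists the same flow twice, once pointing at the freshly established tunnel and once stuck at `%hold`, and traffic stops until the stale entry goes away. A small monitoring check for that state is an added example here, not code from the thread or from FreeS/WAN. It parses the `ipsec eroute` output format shown in the post (the two lines from the post are embedded as sample input, with the same anonymised addresses) and flags any flow that has both a `tun0x...` target and a `%`-state placeholder entry; a second, constructed sample shows the healthy single-entry case.

```python
import re
from collections import defaultdict

# Sample 1: the two eroute lines from the post (anonymised addresses kept).
SAMPLE_STALE = """\
0          e.f.g.151/32:0 -> a.b.c.204/32:0 => tun0x1004@a.b.c.204:0
0          e.f.g.151/32:0 -> a.b.c.204/32:0 => %hold:47
"""

# Sample 2: constructed, healthy output with one tunnel and no placeholder.
SAMPLE_HEALTHY = """\
12         e.f.g.151/32:0 -> a.b.c.204/32:0 => tun0x1004@a.b.c.204:0
"""

# count  src/prefix:port  ->  dst/prefix:port  =>  target
EROUTE_RE = re.compile(
    r"^\s*(?P<count>\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+=>\s+(?P<target>\S+)\s*$"
)


def parse_eroute(text: str) -> list:
    """Parse `ipsec eroute` output into dicts with count, src, dst and target."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = EROUTE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised eroute line: {line!r}")
        entry = m.groupdict()
        entry["count"] = int(entry["count"])
        entries.append(entry)
    return entries


def find_stale_holds(entries: list) -> list:
    """Return flows that carry both a live tunnel target and a %hold/%trap/%pass
    placeholder: the condition in which KLIPS keeps the old %hold eroute and the
    new SA never gets the traffic."""
    by_flow = defaultdict(list)
    for e in entries:
        by_flow[(e["src"], e["dst"])].append(e["target"])
    stale = []
    for (src, dst), targets in sorted(by_flow.items()):
        tunnels = [t for t in targets if t.startswith("tun0x")]
        holds = [t for t in targets if t.startswith("%")]
        if tunnels and holds:
            stale.append({"src": src, "dst": dst, "tunnel": tunnels, "hold": holds})
    return stale


if __name__ == "__main__":
    for name, text in (("stale", SAMPLE_STALE), ("healthy", SAMPLE_HEALTHY)):
        problems = find_stale_holds(parse_eroute(text))
        print(f"{name}: {len(problems)} flow(s) with a stale placeholder")
        for p in problems:
            print(f"  {p['src']} -> {p['dst']}: tunnel {p['tunnel']} alongside {p['hold']}")
```

Run it against `ipsec eroute` output after a DPD restart (for example from a cron job that pipes the output in); a non-empty result is the state Brian describes and is worth alerting on, since the connection looks "established" in pluto's log while packets are still being held.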
_______________________________________________
FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr

Received on Mon Oct 13 17:31:03 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:05 EDT
