Openswan gateway set up between two hosts, no OE used (it doesn't work right and that will be for another report, but most likely to openswan). We've got three connections. One is subnet-subnet, the others gateway-subnet and subnet-gateway. This is the ipsec.conf file:

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
	myid=@angeldust.underwares.org
	#Debug-logging controls: "none" for (almost) none, "all" for lots.
	# klipsdebug=all
	# plutodebug=dns

# Add connections here.

# sample VPN connection
conn net-net
	left=66.11.179.1
	leftsubnet=192.168.1.0/24
	leftnexthop=66.11.190.1
	leftrsasigkey=(KEY BLANKED OUT FOR PRIVACY)
	right=66.11.160.174
	rightsubnet=192.168.0.0/24
	rightnexthop=66.11.190.1
	rightrsasigkey=(KEY BLANKED OUT FOR PRIVACY)
	auto=start

conn gateway-rightnet
	left=66.11.179.1
	leftnexthop=66.11.190.1
	leftrsasigkey=(KEY BLANKED OUT FOR PRIVACY)
	right=66.11.160.174
	rightnexthop=66.11.190.1
	rightsubnet=192.168.0.0/24
	rightfirewall=yes
	rightrsasigkey=(KEY BLANKED OUT FOR PRIVACY)
	auto=start

conn rightnet-gateway
	left=66.11.179.1
	leftnexthop=66.11.190.1
	leftsubnet=192.168.1.0/24
	leftfirewall=yes
	leftrsasigkey=(KEY BLANKED OUT FOR PRIVACY)
	right=66.11.160.174
	rightnexthop=66.11.190.1
	rightrsasigkey=(KEY BLANKED OUT FOR PRIVACY)
	auto=start

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf

When initiating IPSEC pluto segfaults here:

Sep 6 01:11:54 angeldust ipsec__plutorun: 104 "rightnet-gateway" #1: STATE_MAIN_I1: initiate
Sep 6 01:11:54 angeldust ipsec__plutorun: ...could not start conn "rightnet-gateway"
Sep 6 01:11:55 angeldust ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 1: 30422 Segmentation fault /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --uniqueids
Sep 6 01:11:55 angeldust ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
Sep 6 01:11:55 angeldust ipsec__plutorun: restarting IPsec after pause...

That, plus using firewall=yes seems to invoke ipfwadm, which is dreadfully obsolete.

Sep 6 01:11:55 angeldust pluto[30422]: "rightnet-gateway" #4: up-client output: /usr/lib/ipsec/_updown: line 403: ipfwadm: command not found

subnet-subnet worked fine for a while though.

Reproducible: Always

Steps to Reproduce:
1. Launch ipsec
2. See strange temporary ICMP failure
3. Check logs and cry. Cry a lot from despair and exasperation.

Actual Results:
Segfault and strange ipfwadm reference, which was confirmed in the scripts.

Expected Results:
If my configs are not too clumsy, basically it should have allowed the ipsec'ed subnets to reach the gateways and vice versa.

[721]angeldust:/usr/sbin # emerge info
Portage 2.0.50-r10 (default-x86-2004.0, gcc-3.3.4, glibc-2.3.3.20040420-r1, 2.6.8-gentoo-r3)
=================================================================
System uname: 2.6.8-gentoo-r3 i686 AMD Athlon(tm) Processor
Gentoo Base System version 1.4.16
ccache version 2.3 [enabled]
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-tbird -mcpu=athlon-tbird -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/alias /var/qmail/control /var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-tbird -mcpu=athlon-tbird -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox strict usersandbox"
GENTOO_MIRRORS="ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://gentoo.eliteitminds.com http://gentoo.llarian.net/ http://gentoo.mirror.sdv.fr"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl apache apm arts avi berkdb crypt docs encode foomaticdb gd gdbm gif gpm gtk2 imap imlib java jpeg jpg ldap libg++ libwww mad mailbox mikmod motif mpeg mysql ncurses nls oggvorbis opengl openssl oss pam pdf pdflib perl png python quicktime readline sdl slang spell ssl svga tcpd tiff truetype x86 xml2 xmms xv zlib"
[722]angeldust:/usr/sbin #
Created attachment 39028: ipsec barf

This is an ipsec barf generated on my system.
I've assumed the maintainer position.
I will mark this as WORKSFORME, but a more appropriate resolution would be BUGOBSOLETE.

1) 2.4.4 works for me quite nicely
2) in the latest ipsec.conf man page, leftfirewall is considered obsolete - the default updown script doesn't have support for iptables. Users should use their own updown script if they want to set custom firewall rules during up or down events.
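As an added example (not Openswan's own _updown script and not the reporter's), the shape of the custom updown script the maintainer points to: it does with iptables what the obsolete ipfwadm call at _updown line 403 was meant to do, opening the FORWARD chain only for the tunnel's own subnets on the ipsec interface. It assumes the script is installed through the leftupdown=/rightupdown= parameters, that pluto sets the standard PLUTO_* variables, and that a plain FORWARD chain is in use; the UPDOWN_IPTABLES override is an assumption added for testing.

```shell
#!/bin/sh
# Custom updown script for Openswan (added example, not the project's _updown).
# Pluto invokes the script named by leftupdown=/rightupdown= with PLUTO_VERB,
# PLUTO_INTERFACE, PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT and PLUTO_CONNECTION set;
# the install path and the plain FORWARD-chain layout below are assumptions.

# iptables binary; UPDOWN_IPTABLES is an assumed override used for testing.
IPT=${UPDOWN_IPTABLES:-iptables}

# fw_rules VERB IFACE MY_CLIENT PEER_CLIENT
# Prints one iptables command per line: insert on up-client, delete on
# down-client, nothing for verbs that carry no subnet (up-host, prepare-*).
fw_rules() {
    verb=$1 iface=$2 my=$3 peer=$4
    case "$verb" in
        up-client)   op=-I ;;
        down-client) op=-D ;;
        *)           return 0 ;;
    esac
    # Pin both directions to the ipsec interface and to the tunnel's own
    # subnets, so only decrypted traffic between them is ever forwarded.
    printf '%s %s FORWARD -i %s -s %s -d %s -j ACCEPT\n' "$IPT" "$op" "$iface" "$peer" "$my"
    printf '%s %s FORWARD -o %s -s %s -d %s -j ACCEPT\n' "$IPT" "$op" "$iface" "$my" "$peer"
}

# Runs the rules for the current event. A failed rule is logged via syslog
# and makes the script exit non-zero, so pluto records the failure in its
# "up-client output" line instead of it going unnoticed.
updown_main() {
    rc=0
    while read -r cmd; do
        [ -n "$cmd" ] || continue
        $cmd || { logger -t updown "$PLUTO_VERB $PLUTO_CONNECTION: failed: $cmd"; rc=1; }
    done <<EOF
$(fw_rules "$PLUTO_VERB" "$PLUTO_INTERFACE" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT")
EOF
    return $rc
}

# Only act when pluto is actually calling us (PLUTO_VERB is set).
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main
fi
```

Point leftupdown= (and rightupdown= where needed) at the script in each conn that used leftfirewall=yes or rightfirewall=yes, and drop those two options.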