Bug 62970 - Openswan Segfault with multiple tunnels and refers to ipfwadm
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High major
Assignee: Alin Năstac (RETIRED)
Reported: 2004-09-05 22:51 UTC by Alexandre Gauthier
Modified: 2006-12-06 13:43 UTC
Attachments
ipsec barf (ipsecbarf.txt,88.98 KB, text/plain)
2004-09-05 22:52 UTC, Alexandre Gauthier

Description Alexandre Gauthier 2004-09-05 22:51:04 UTC
Openswan gateway set up between two hosts, no OE used (it doesn't work right and that will be for another report, but most likely to openswan). We've got three connections. One is subnet-subnet, the other gateway-subnet and subnet-gateway.

This is the ipsec.conf file:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        myid=@angeldust.underwares.org
        #Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        # plutodebug=dns


# Add connections here.

# sample VPN connection
conn net-net
        left=66.11.179.1
        leftsubnet=192.168.1.0/24
        leftnexthop=66.11.190.1
        leftrsasigkey=(KEY BLANKED OUT FOR PRIVACY)
        right=66.11.160.174
        rightsubnet=192.168.0.0/24
        rightnexthop=66.11.190.1
        rightrsasigkey=(KEY BLANKED OUT FOR PRIVACY)
        auto=start

conn gateway-rightnet
        left=66.11.179.1
        leftnexthop=66.11.190.1
        leftrsasigkey=(KEY BLANKED OUT FOR PRIVACY)
        right=66.11.160.174
        rightnexthop=66.11.190.1
        rightsubnet=192.168.0.0/24
        rightfirewall=yes
        rightrsasigkey=(KEY BLANKED OUT FOR PRIVACY)
        auto=start

conn rightnet-gateway
        left=66.11.179.1
        leftnexthop=66.11.190.1
        leftsubnet=192.168.1.0/24
        leftfirewall=yes
        leftrsasigkey=(KEY BLANKED OUT FOR PRIVACY)
        right=66.11.160.174
        rightnexthop=66.11.190.1
        rightrsasigkey=(KEY BLANKED OUT FOR PRIVACY)
        auto=start


#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf

When initiating IPSEC pluto segfaults here:

Sep  6 01:11:54 angeldust ipsec__plutorun: 104 "rightnet-gateway" #1: STATE_MAIN_I1: initiate
Sep  6 01:11:54 angeldust ipsec__plutorun: ...could not start conn "rightnet-gateway"
Sep  6 01:11:55 angeldust ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 1: 30422 Segmentation fault      /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --uniqueids
Sep  6 01:11:55 angeldust ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)
Sep  6 01:11:55 angeldust ipsec__plutorun: restarting IPsec after pause...


That, plus using firewall=yes seems to invoke ipfwadm which is dreadfully obsolete.

Sep  6 01:11:55 angeldust pluto[30422]: "rightnet-gateway" #4: up-client output: /usr/lib/ipsec/_updown: line 403: ipfwadm: command not found


subnet-subnet worked fine for a while though.

Reproducible: Always
Steps to Reproduce:
1. Launch ipsec
2. See strange temporary ICMP failure
3. Check logs and cry. Cry a lot from despair and exasperation.
Actual Results:  
Segfault and strange ipfwadm reference, which was confirmed in the scripts.

Expected Results:  
If my configs are not too clumsy, basically it should have allowed the ipsec'ed subnets to reach the gateways and vice versa.

[721]angeldust:/usr/sbin # emerge info
Portage 2.0.50-r10 (default-x86-2004.0, gcc-3.3.4, glibc-2.3.3.20040420-r1, 2.6.8-gentoo-r3)
=================================================================
System uname: 2.6.8-gentoo-r3 i686 AMD Athlon(tm) Processor
Gentoo Base System version 1.4.16
ccache version 2.3 [enabled]
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-tbird -mcpu=athlon-tbird -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/alias /var/qmail/control /var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-tbird -mcpu=athlon-tbird -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox strict usersandbox"
GENTOO_MIRRORS="ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://gentoo.eliteitminds.com http://gentoo.llarian.net/ http://gentoo.mirror.sdv.fr"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl apache apm arts avi berkdb crypt docs encode foomaticdb gd gdbm gif gpm gtk2 imap imlib java jpeg jpg ldap libg++ libwww mad mailbox mikmod motif mpeg mysql ncurses nls oggvorbis opengl openssl oss pam pdf pdflib perl png python quicktime readline sdl slang spell ssl svga tcpd tiff truetype x86 xml2 xmms xv zlib"

[722]angeldust:/usr/sbin #
Comment 1 Alexandre Gauthier 2004-09-05 22:52:29 UTC
Created attachment 39028
ipsec barf

This is an ipsec barf generated on my system.
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2006-12-06 12:10:17 UTC
I've assumed the maintainer position. 
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2006-12-06 13:43:20 UTC
I will mark this as WORKSFORME, but a more appropriate resolution would be BUGOBSOLETE.

1) 2.4.4 works for me quite nicely
2) in the latest ipsec.conf man page, leftfirewall is considered obsolete - the default updown script doesn't have support for iptables. Users should use their own updown script if they want to set custom firewall rules during up or down events.
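A custom updown script of the kind Comment 3 recommends, written here as an added example (it is not Openswan's _updown and not code from this bug): it replaces the ipfwadm call the reporter hit at _updown line 403 with iptables FORWARD rules built from the PLUTO_* variables pluto exports, and is wired in with leftupdown= instead of the obsolete leftfirewall=yes / rightfirewall=yes used in the connections above. The install path, the IPSEC_FW_DRYRUN variable and the decision to ACCEPT only traffic on the IPsec interface are assumptions of this example.

```shell
#!/bin/sh
# Added example of a custom updown script for Openswan; it is not the
# project's _updown. Pluto invokes it with the event name in PLUTO_VERB and
# the negotiated endpoints in other PLUTO_* variables. Wire it in with
#   leftupdown=/etc/ipsec/ipsec.d/updown-iptables.sh   (assumed path)
# in place of leftfirewall=yes, whose default handling called ipfwadm.

# Run an iptables command, or only print it when IPSEC_FW_DRYRUN (assumed
# name) is set, so the generated rules can be reviewed without root.
fw() {
    if [ -n "${IPSEC_FW_DRYRUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# FORWARD rules for one connection. $1 is -I (insert) or -D (delete);
# the subnets and interface come from the environment pluto exports.
# Matching on the IPsec interface keeps a plaintext packet that merely
# claims a source in the peer subnet from using these rules.
ipsec_fw_rules() {
    action=$1
    my=${PLUTO_MY_CLIENT:?}      # e.g. 192.168.1.0/24
    peer=${PLUTO_PEER_CLIENT:?}  # e.g. 192.168.0.0/24
    dev=${PLUTO_INTERFACE:?}     # ipsec0 under KLIPS
    fw "$action" FORWARD -i "$dev" -s "$peer" -d "$my" -j ACCEPT
    fw "$action" FORWARD -o "$dev" -s "$my" -d "$peer" -j ACCEPT
}

# Only the subnet events need firewall changes; prepare-*, route-*,
# unroute-* and *-host verbs fall through untouched.
ipsec_updown() {
    case ${1:?verb} in
        up-client)   ipsec_fw_rules -I ;;
        down-client) ipsec_fw_rules -D ;;
        *)           : ;;
    esac
}

# Run only when invoked by pluto (PLUTO_VERB set); sourcing this file
# for testing defines the functions and does nothing else.
if [ -n "${PLUTO_VERB:-}" ]; then
    ipsec_updown "$PLUTO_VERB"
fi
```

Running it with IPSEC_FW_DRYRUN=1 and the PLUTO_* variables set by hand prints the rules for the net-net subnets without touching the firewall.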