When I try to establish a tunnel from a Netgear DGG834 ADSL router, Pluto crashes with this error:

Dec 24 18:13:36 [pluto] packet from 88.96.137.49:500: #1: "mcnally-top":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3330s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
Dec 24 18:13:36 [pluto] packet from 88.96.137.49:500:
Dec 24 18:13:36 [ipsec__plutorun] /usr/lib/ipsec/_plutorun: line 237: 28890 Aborted /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --debug-control --debug-parsing --use-auto --uniqueids --nat_traversal --nhelpers 0
Dec 24 18:13:36 [ipsec__plutorun] !pluto failure!: exited with error status 134 (signal 6)
Dec 24 18:13:36 [ipsec__plutorun] restarting IPsec after pause...
Dec 24 18:13:47 [rc-scripts] ERROR: wrong args ( _autorestart )
Dec 24 18:13:47 [rc-scripts] Usage: ipsec { start|stop|restart }
Dec 24 18:13:47 [rc-scripts] ipsec without arguments for full help

After upgrading to 2.6.31, I get this instead, and it seems to work:

Dec 24 18:15:52 [pluto] "mcnally-top" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Dec 24 18:15:52 [pluto] "mcnally-top" #1: Dead Peer Detection (RFC 3706): enabled
Dec 24 18:15:52 [pluto] "mcnally-top" #1: the peer proposed: 80.248.178.234/32:0/0 -> 192.168.0.0/24:0/0
Dec 24 18:15:52 [pluto] "mcnally-top" #2: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION

But 2.4.15 is the current default ebuild, even if it is masked. Would 2.6.31 be a better default?

It could be related to these bug reports, although the developers claim that #267 was fixed in 2.4.0, and this is 2.4.15:

https://gsoc.xelerance.com/issues/341
https://gsoc.xelerance.com/issues/267

However I think it happens when the state of Perfect Forward Secrecy doesn't match between ends, as shown by the error message in the upgraded version.

If I enable PFS in 2.4.15 then Pluto doesn't crash. If I disable it then it does. In 2.6.31 I get the error message above if PFS is disabled, and no crash.

Reproducible: Always

Steps to Reproduce:
1. Install openswan-2.4.15-r2
2. Configure (on both sides) a tunnel from a Netgear DG-834 with auto establishment and PFS disabled on the Netgear and left enabled (default) on openswan
3. Bring up the tunnel from the Netgear and watch Pluto crash.

Actual Results:
Dec 24 18:13:36 [ipsec__plutorun] !pluto failure!: exited with error status 134 (signal 6)

Expected Results:
Dec 24 18:15:52 [pluto] "mcnally-top" #2: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
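
Added example (not part of the original report and not Openswan code): a Python triage pass over syslog lines that flags the two signatures quoted in the report above, the _plutorun abort and the 2.6.31 "we require PFS" rejection. The names triage, SAMPLE_LOG and the finding labels are made up for this example, and attributing an abort to the last connection that reached STATE_MAIN_R3 is an assumption based on the reporter's observation, not a documented rule.

```python
import re

# Sample input: log lines excerpted from the report above (first line shortened).
SAMPLE_LOG = """\
Dec 24 18:13:36 [pluto] packet from 88.96.137.49:500: #1: "mcnally-top":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established)
Dec 24 18:13:36 [ipsec__plutorun] !pluto failure!: exited with error status 134 (signal 6)
Dec 24 18:15:52 [pluto] "mcnally-top" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY}
Dec 24 18:15:52 [pluto] "mcnally-top" #2: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
"""

STAMP = r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+"
# Main mode finished for a named connection (both 2.4.x and 2.6.x wording).
MAIN_R3 = re.compile(STAMP + r'\[pluto\].*?"(?P<conn>[^"]+)".*STATE_MAIN_R3')
# The _plutorun wrapper reporting that pluto died on a signal.
CRASH = re.compile(STAMP + r"\[ipsec__plutorun\] !pluto failure!: exited with "
                   r"error status (?P<status>\d+) \(signal (?P<sig>\d+)\)")
# 2.6.31 rejecting a Quick Mode proposal that carries no PFS group.
PFS = re.compile(STAMP + r'\[pluto\] "(?P<conn>[^"]+)" #\d+: we require PFS but '
                 r"Quick I1 SA specifies no GROUP_DESCRIPTION")


def triage(lines):
    """Return one finding per abort or PFS rejection, in log order."""
    findings = []
    last_conn = None  # last connection seen completing main mode
    for line in lines:
        if m := MAIN_R3.match(line):
            last_conn = m["conn"]
        elif m := CRASH.match(line):
            # Heuristic (assumption): blame the tunnel that had just finished
            # main mode, since the abort follows it in the reported log.
            findings.append({"ts": m["ts"], "kind": "pluto-abort",
                             "conn": last_conn, "signal": int(m["sig"])})
            last_conn = None
        elif m := PFS.match(line):
            findings.append({"ts": m["ts"], "kind": "pfs-mismatch",
                             "conn": m["conn"], "signal": None})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["kind"], f["conn"], f["signal"])
```

A "pluto-abort" finding for a connection is a cue to compare the PFS setting on both peers and to check the installed Openswan version.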
I guess I would interpret this as a STABLEREQ for 2.6.31.
Arch teams, please mark net-misc/openswan-2.6.31 as stable.
Not very useful to stabilize a vulnerable version. Please bump to the latest version, as I said in bug 389097.
Since =net-misc/openswan-2.6.37 fixes a security bug, I ask you guys to mark this version as stable instead.
No need for arches here; all versions < 2.6.37 should be cleaned up after stabilization in the security bug. No need for arches here. Make as depend.
openswan-2.6.37 was marked as stable.