Has anyone else noticed problems after updating openswan to openswan-2.6.32-27.2.el6_5.i686? In our case a connection to a Cisco VPN 3000 Series would no longer work. I can see an ASSERTION FAILED error in the log and the connection remains in pending Phase 2.
Mar 7 16:24:40 firewall pluto[7647]: "ciscovpntest" #2: discarding duplicate packet; already STATE_MAIN_I1
Mar 7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Mar 7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Mar 7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: ASSERTION FAILED at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/ikev1_main.c:1112: st->st_sec_in_use==FALSE
Mar 7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: using kernel interface: netkey
....
Mar 7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: #2: "ciscovpntest":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 39s; nodpd; idle; import:admin initiate
Mar 7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: #2: pending Phase 2 for "ciscovpntest" replacing #0
Downgrading openswan to openswan-2.6.32-27.el6.i686 solves the problem. The problem is restricted to this VPN connection; the other 2 VPNs continue to work fine with the new version.
Radu
From: Radu Radutiu rradutiu@gmail.com
Has anyone else noticed problems after updating openswan to openswan-2.6.32-27.2.el6_5.i686?
Not the solution but here is what was fixed:
# rpm -qp --changelog openswan-2.6.32-27.2.el6_5.x86_64.rpm
* Thu Feb 06 2014 Paul Wouters pwouters@redhat.com - 2.6.32-27.2
- Resolves: rhbz#1050337 (CVE-2013-6466 refix for delete/notify code)
* Wed Jan 22 2014 Paul Wouters pwouters@redhat.com - 2.6.32-27.1
- Resolves: rhbz#1050337 (CVE-2013-6466)
https://access.redhat.com/security/cve/CVE-2013-6466
JD
On Fri, Mar 7, 2014 at 9:56 AM, Radu Radutiu rradutiu@gmail.com wrote:
Has anyone else noticed problems after updating openswan to openswan-2.6.32-27.2.el6_5.i686? In our case a connection to a Cisco VPN
https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&content=open...
Bug 1070358 - openswan breaks NAT-T draft clients (and possibly ike fragmentation) [NEEDINFO] https://bugzilla.redhat.com/show_bug.cgi?id=1070358
Bug 1070356 - openswan breaks NAT-T draft clients (and possibly ike fragmentation) https://bugzilla.redhat.com/show_bug.cgi?id=1070356
Maybe you've been bitten by that bug.
Both servers are directly connected to the Internet, so NAT should not be enabled. I've tried to upgrade again and noticed that pluto keeps dying and restarting every 30 seconds (just enough for the other VPNs to connect).
Here is the log from the old (working) openswan version when connecting to the Cisco VPN:
Mar 10 10:00:09 firewall pluto[18894]: added connection description "ciscovpntest"
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: initiating Main Mode
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: received Vendor ID payload [Cisco-Unity]
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: received Vendor ID payload [XAUTH]
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: ignoring unknown Vendor ID payload [9bad1e05974f138cfc1f0c2b58144a88]
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: I will NOT send an initial contact payload
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: Not sending INITIAL_CONTACT
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 10 10:00:11 firewall pluto[18894]: "ciscovpntest" #2: received Vendor ID payload [Dead Peer Detection]
Mar 10 10:00:11 firewall pluto[18894]: "ciscovpntest" #2: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Mar 10 10:00:11 firewall pluto[18894]: "ciscovpntest" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
The openswan-2.6.32-27.2.el6_5 (not working) log:
Mar 10 09:57:54 firewall pluto[17287]: added connection description "ciscovpntest"
Mar 10 09:57:55 firewall pluto[17287]: "ciscovpntest" #2: initiating Main Mode
Mar 10 09:57:56 firewall pluto[17287]: "ciscovpntest" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 10 09:57:56 firewall pluto[17287]: "ciscovpntest" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Mar 10 09:57:56 firewall pluto[17287]: "ciscovpntest" #2: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Mar 10 09:57:56 firewall pluto[17287]: "ciscovpntest" #2: next payload type of ISAKMP NAT-D Payload has an unknown value: 130
Mar 10 09:58:04 firewall pluto[17287]: "ciscovpntest" #2: discarding duplicate packet; already STATE_MAIN_I1
Mar 10 09:58:05 firewall pluto[17287]: "ciscovpntest" #2: discarding duplicate packet; already STATE_MAIN_I1
Mar 10 09:58:13 firewall pluto[17287]: "ciscovpntest" #2: discarding duplicate packet; already STATE_MAIN_I1
Mar 10 09:58:25 firewall pluto[17287]: "ciscovpntest" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 10 09:58:25 firewall pluto[17287]: "ciscovpntest" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Mar 10 09:58:25 firewall pluto[17287]: "ciscovpntest" #2: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Mar 10 09:58:25 firewall pluto[17287]: "ciscovpntest" #2: ASSERTION FAILED at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/ikev1_main.c:1112: st->st_sec_in_use==FALSE
and after 30 seconds pluto restarts. To me this looks like a regression. Where should I report this problem? CentOS or Red Hat Bugzilla?
Radu
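A small triage script, added here as an illustration and not part of this thread, that reads pluto log lines like the ones above and reports, per connection, the last Main Mode state reached, whether NAT was detected, duplicate-packet and assertion counts, and whether the pluto PID changed (a restart). The sample lines are constructed from the quoted logs; the second PID in the broken sample is invented to stand in for the restart described above.

```python
import re
from collections import defaultdict
# Constructed samples, condensed from the pluto lines quoted in this thread.
WORKING = """\
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: initiating Main Mode
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 10 10:00:11 firewall pluto[18894]: "ciscovpntest" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"""
BROKEN = """\
Mar 10 09:57:55 firewall pluto[17287]: "ciscovpntest" #2: initiating Main Mode
Mar 10 09:57:56 firewall pluto[17287]: "ciscovpntest" #2: next payload type of ISAKMP NAT-D Payload has an unknown value: 130
Mar 10 09:58:04 firewall pluto[17287]: "ciscovpntest" #2: discarding duplicate packet; already STATE_MAIN_I1
Mar 10 09:58:13 firewall pluto[17287]: "ciscovpntest" #2: discarding duplicate packet; already STATE_MAIN_I1
Mar 10 09:58:25 firewall pluto[17287]: "ciscovpntest" #2: ASSERTION FAILED at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/ikev1_main.c:1112: st->st_sec_in_use==FALSE
Mar 10 09:58:56 firewall pluto[17301]: "ciscovpntest" #2: initiating Main Mode
"""
# PID 17301 above is invented: it models pluto coming back after the crash.
LINE = re.compile(r'pluto\[(\d+)\]: "([^"]+)" #\d+: (.*)$')
TRANS = re.compile(r"transition from state \S+ to state (\S+)")

def triage(log_text):
    """Per connection: last IKE state reached, pluto PIDs seen, and failure signs."""
    rep = defaultdict(lambda: {"state": "STATE_MAIN_I1", "pids": [], "asserts": 0,
                               "dups": 0, "bad_payload": 0, "nat": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, conn, msg = m.groups()
        r = rep[conn]
        if pid not in r["pids"]:
            r["pids"].append(pid)  # a second PID means pluto died and restarted
        t = TRANS.search(msg)
        if t:
            r["state"] = t.group(1)
        r["asserts"] += "ASSERTION FAILED" in msg
        r["dups"] += "discarding duplicate packet" in msg
        r["bad_payload"] += "has an unknown value" in msg  # malformed NAT-D chain
        if "NAT-Traversal: Result" in msg:
            r["nat"] = "no NAT detected" not in msg  # True only if NAT was detected
    return dict(rep)

def verdict(r):
    if r["asserts"] or len(r["pids"]) > 1:
        return "crash"          # pluto hit an assertion and/or was restarted
    if r["state"] == "STATE_MAIN_I4":
        return "phase1-ok"      # Main Mode completed; Phase 2 can proceed
    return "stuck at " + r["state"]
```

Run it over /var/log/secure (or wherever pluto logs on your box) to compare two package versions side by side.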
On Mon, Mar 10, 2014 at 4:48 AM, Radu Radutiu rradutiu@gmail.com wrote:
Both servers are directly connected to the Internet, so NAT should not be enabled. I've tried to upgrade again and noticed that pluto keeps dying and restarting every 30 seconds (just enough for the other VPNs to connect).
Correct, they do not need NAT-T since they're both directly connected.
I do see NAT-T in the logs below, which is why I replied as I did. But I could have read a second time before replying (lazy Friday behavior). Maybe then I would have caught the "no NAT detected" message. :-S
Here is the log from the old (working) openswan version when connecting to the Cisco VPN:
Mar 10 10:00:09 firewall pluto[18894]: added connection description "ciscovpntest"
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: initiating Main Mode
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
^ NAT-T
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: received Vendor ID payload [Cisco-Unity]
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: received Vendor ID payload [XAUTH]
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: ignoring unknown Vendor ID payload [9bad1e05974f138cfc1f0c2b58144a88]
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: I will NOT send an initial contact payload
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
^ NAT-T not detected
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: Not sending INITIAL_CONTACT
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 10 10:00:11 firewall pluto[18894]: "ciscovpntest" #2: received Vendor ID payload [Dead Peer Detection]
Mar 10 10:00:11 firewall pluto[18894]: "ciscovpntest" #2: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Mar 10 10:00:11 firewall pluto[18894]: "ciscovpntest" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
The openswan-2.6.32-27.2.el6_5 (not working) log:
Mar 10 09:57:54 firewall pluto[17287]: added connection description "ciscovpntest"
Mar 10 09:57:55 firewall pluto[17287]: "ciscovpntest" #2: initiating Main Mode
Mar 10 09:57:56 firewall pluto[17287]: "ciscovpntest" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 10 09:57:56 firewall pluto[17287]: "ciscovpntest" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Mar 10 09:57:56 firewall pluto[17287]: "ciscovpntest" #2: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
^ NAT-T
Mar 10 09:57:56 firewall pluto[17287]: "ciscovpntest" #2: next payload type of ISAKMP NAT-D Payload has an unknown value: 130
Mar 10 09:58:04 firewall pluto[17287]: "ciscovpntest" #2: discarding duplicate packet; already STATE_MAIN_I1
Mar 10 09:58:05 firewall pluto[17287]: "ciscovpntest" #2: discarding duplicate packet; already STATE_MAIN_I1
Mar 10 09:58:13 firewall pluto[17287]: "ciscovpntest" #2: discarding duplicate packet; already STATE_MAIN_I1
Mar 10 09:58:25 firewall pluto[17287]: "ciscovpntest" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 10 09:58:25 firewall pluto[17287]: "ciscovpntest" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Mar 10 09:58:25 firewall pluto[17287]: "ciscovpntest" #2: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Mar 10 09:58:25 firewall pluto[17287]: "ciscovpntest" #2: ASSERTION FAILED at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/ikev1_main.c:1112: st->st_sec_in_use==FALSE
and after 30 seconds pluto restarts. To me this looks like a regression. Where should I report this problem? CentOS or Red Hat Bugzilla?
First, you might consider hitting up the Openswan list and possibly even Libreswan. That way someone that knows the code can test and confirm. (Around the time Paul Wouters forked Openswan as Libreswan, he secured a position with Red Hat. He's rather responsive, so I'd expect he'd help sort this out.)
https://lists.openswan.org/mailman/listinfo/users
https://lists.libreswan.org/mailman/listinfo/swan