Hi Aaron,

strange, charon is *not* supposed to crash! I'm not aware that
there were any issues with strongSwan 4.3.6 and ECP. Could you
generate a core dump with

  ulimit -c unlimited

and send me the debugger output:

  gdb /usr/libexec/ipsec/charon core
  >where

Regards

Andreas

On 28.03.2011 15:34, Aaron (Bo) Zhang wrote:
> Hi Andreas,
>
> I input the command,
>
> ipsec statusal
>
> It shows that:
>
> Status of IKEv2 charon daemon (strongSwan 4.3.6):
>   uptime: 4 minutes, since Mar 28 20:00:20 2011
>   worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
>   loaded plugins: aes des sha1 md5 sha2 hmac pkcs1 openssl pem gmp random pubkey xcbc x509 stroke kernel-netlink eap-mschapv2 eap-identity eap-md5 updown
> Virtual IP pools (size/online/offline):
>   windows7: 255/0/0
> Listening IP addresses:
>   10.103.49.148
>   192.168.169.88
>   3ffe:501:ffff::1
> Connections:
>   test: 10.103.49.148...10.103.49.142
>   test: local: [10.103.49.148] uses pre-shared key authentication
>   test: remote: [10.103.49.142] uses any authentication
>   test: child: 192.168.169.0/24 === 192.168.168.0/24
> Security Associations:
>   none
>
> Then I start the ipsec with the command
>
> ipsec stroke loglevel any 4
> ipsec stroke up test
>
> It only shows that:
>
> initiating IKE_SA test[1] to 10.103.49.142
>
> The log is:
>
> Mar 28 20:00:15 Aaron charon: 15[CFG] stroke message => 313 bytes @ 0xaf30e180
> Mar 28 20:00:15 Aaron charon: 15[CFG] received stroke: initiate 'test'
> Mar 28 20:00:15 Aaron charon: 07[MGR] created IKE_SA
> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_INIT task
> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_VENDOR task
> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_NATD task
> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CERT_PRE task
> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_AUTHENTICATE task
> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CERT_POST task
> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CONFIG task
> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_AUTH_LIFETIME task
> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing CHILD_CREATE task
> Mar 28 20:00:15 Aaron charon: 07[IKE] activating new tasks
> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_INIT task
> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_VENDOR task
> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_NATD task
> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_CERT_PRE task
> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_AUTHENTICATE task
> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_CERT_POST task
> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_CONFIG task
> Mar 28 20:00:15 Aaron charon: 07[IKE] activating CHILD_CREATE task
> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_AUTH_LIFETIME task
> Mar 28 20:00:15 Aaron charon: 07[IKE] initiating IKE_SA test[1] to 10.103.49.142
> Mar 28 20:00:15 Aaron charon: 07[IKE] IKE_SA test[1] state change: CREATED => CONNECTING
> Mar 28 20:00:15 Aaron ipsec_starter[26273]: charon has died -- restart scheduled (5sec)
> Mar 28 20:00:20 Aaron ipsec_starter[26273]: charon (26347) started after 20 ms
>
> My ipsec.conf is:
>
> config setup
>     nat_traversal=yes
>     charonstart=yes
> conn %default
>     authby=secret
>     keyexchange=ikev2
> conn test
>     ike=aes128-sha256-ecp224
>     esp=3des-sha1-ecp256
>     left=10.103.49.148
>     leftid=10.103.49.148
>     leftsubnet=192.168.169.0/24
>     right=10.103.49.142
>     rightid=10.103.49.142
>     rightsubnet=192.168.168.0/24
>     auto=add
>
> I capture the packet, but got nothing. It seems that it did not send
> any IKEv2 packet. From the log above, it seems that the daemon charon crashed.
>
> But after I modify the configuration from ecp224 to modp1024, it works
> fine. So I think there only may be some problems to use the EC group. I
> am not sure what should I do?
>
> Thanks
>
> --Aaron
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
> Sent: 28 March 2011 18:30
> To: Aaron (Bo) Zhang
> Cc: dev@lists.strongswan.org
> Subject: Re: [strongSwan-dev] How to configure openssl
>
> Hello Aaron,
>
> the linking to the OpenSSL library should be done automatically.
> Just make sure that the strongSwan openssl plugin is loaded.
> You can verify this with the command
>
>   ipsec statusall
>
> which should produce the following output:
>
>   loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp x509 openssl
>   revocation random hmac stroke kernel-netlink socket-default updown
>
> If you built strongSwan with the --enable-openssl in a source
> directory where you first built strongSwan with the default plugins,
> make sure to execute
>
>   make clean
>
> before make and make install so that the implicit plugin load list
> will be updated and will include the openssl plugin.
>
> A configuration example can be found here:
>
> http://www.strongswan.org/uml/testresults/openssl-ikev2/alg-ecp-high/
>
> Regards
>
> Andreas
>
> On 28.03.2011 11:34, Aaron (Bo) Zhang wrote:
>
> >> Hi all,
> >>
> >> I want to use the openssl lib to test the ECP group. It is highly
> >> appreciated that anyone can give me an example.
> >> I have built the strongswan with the configuration “--enable-openssl” and
> >> I also built the openssl lib. But I do not know how to link the openssl
> >> lib to strongswan.
> >>
> >> Thanks
> >>
> >> --Aaron

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
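
The plugin check described in the thread, automated as an added example (it is not part of the thread and not strongSwan code): it reads the `ike=`/`esp=` proposals from ipsec.conf and the `loaded plugins:` line from `ipsec statusall`, and lists DH groups that no loaded plugin provides. The `DH_PROVIDERS` mapping and all function names are assumptions of this example, and the second plugin list is constructed.

```python
import re

# Assumption for this example: plugins that implement each DH group family.
DH_PROVIDERS = {"ecp": {"openssl"}, "modp": {"gmp", "openssl"}}

def loaded_plugins(statusall):
    """Plugin names from the 'loaded plugins:' line, including wrapped lines."""
    plugins, collecting = set(), False
    for line in statusall.splitlines():
        line = line.strip()
        if line.startswith("loaded plugins:"):
            collecting, line = True, line.split(":", 1)[1]
        elif collecting and (not line or ":" in line):
            break  # next status field reached
        if collecting:
            plugins.update(line.split())
    return plugins

def dh_groups(ipsec_conf):
    """Yield (conn, family, group) for DH groups in ike=/esp= proposals."""
    conn = None
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            conn = m.group(1)
        elif conn and re.match(r"(ike|esp)\s*=", line):
            for fam, bits in re.findall(r"\b(ecp|modp)(\d+)\b", line):
                yield conn, fam, fam + bits

def missing_dh_support(ipsec_conf, statusall):
    """List (conn, group) pairs whose DH group no loaded plugin provides."""
    plugins = loaded_plugins(statusall)
    return [(c, g) for c, fam, g in dh_groups(ipsec_conf)
            if not DH_PROVIDERS[fam] & plugins]

# Proposals and plugin list as posted in the thread.
CONF = """conn %default
    authby=secret
conn test
    ike=aes128-sha256-ecp224
    esp=3des-sha1-ecp256
"""
STATUS_THREAD = """  loaded plugins: aes des sha1 md5 sha2 hmac pkcs1 openssl pem gmp
random pubkey xcbc x509 stroke kernel-netlink eap-mschapv2 eap-identity
Virtual IP pools (size/online/offline):
"""
# Constructed sample: the same daemon built without the openssl plugin.
STATUS_NO_OPENSSL = "  loaded plugins: aes des sha1 md5 sha2 hmac pem gmp x509 stroke\n"

if __name__ == "__main__":
    print(missing_dh_support(CONF, STATUS_THREAD))
    print(missing_dh_support(CONF, STATUS_NO_OPENSSL))
```

With the plugin list posted in the thread the check reports nothing missing, so a missing openssl plugin is ruled out for this crash.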