On sze, szept 25, 2013 at 14:57:13 +0200, Mike Belopuhov wrote:
> On 25 September 2013 14:41, LEVAI Daniel <[email protected]> wrote:
> > Hi!
> >
> > I'm trying to set up StrongSwan (oh, the pain...) to iked(8) IPsec. When
> > trying to bring up the connection from the Linux end (ipsec up
> > <connection>), the iked(8) at the OpenBSD (5.3-stable) endpoint
> > segfaults. I'm trying to use certs and public keys for authentication
> > for this host-to-host ESP tunnel connection.
> > For the life of me I cannot get a coredump from the ikev2 program, but
> > attaching gdb to its PID won't give me a bt either because it can't seem
> > to load the symbol table. I've recompiled iked from sources with
> > CFLAGS=-g and without stripping, but still, no luck.
> >
>
> use "CFLAGS=-g -DDEBUG" to disable chroot and generate a core dump.
Thanks! Here is gdb's output:
# gdb /sbin/iked iked.core
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd5.3"...
Core was generated by `iked'.
Program terminated with signal 11, Segmentation fault.
#0 0x1c01726b in ikev2_msg_send (env=0x86e6b000, msg=0xcfbeee10) at
/usr/src/sbin/iked/ikev2_msg.c:296
296 m->msg_exchange = hdr->ike_exchange;
(gdb) list
291
292 if ((m = ikev2_msg_copy(env, msg)) == NULL) {
293 log_debug("%s: failed to copy a message", __func__);
294 return (-1);
295 }
296 m->msg_exchange = hdr->ike_exchange;
297
298 if (hdr->ike_flags & IKEV2_FLAG_RESPONSE) {
299 TAILQ_INSERT_TAIL(&sa->sa_responses, m, msg_entry);
300 timer_initialize(env, &m->msg_timer,
(gdb) bt
#0 0x1c01726b in ikev2_msg_send (env=0x86e6b000, msg=0xcfbeee10) at
/usr/src/sbin/iked/ikev2_msg.c:296
#1 0x1c01836b in ikev2_msg_send_encrypt (env=0x86e6b000, sa=0x89ed0000,
ep=0xcfbef134, exchange=35 '#', firstpayload=36 '$', response=1) at
/usr/src/sbin/iked/ikev2_msg.c:625
#2 0x1c0106c2 in ikev2_resp_ike_auth (env=0x86e6b000, sa=0x89ed0000) at
/usr/src/sbin/iked/ikev2.c:1993
#3 0x1c00bdef in ikev2_ike_auth (env=0x86e6b000, sa=0x89ed0000, msg=0x0) at
/usr/src/sbin/iked/ikev2.c:566
#4 0x1c00ab98 in ikev2_dispatch_cert (fd=32, p=0x3c03e558, imsg=0xcfbef644) at
/usr/src/sbin/iked/ikev2.c:234
#5 0x1c0282b9 in proc_dispatch (fd=32, event=2, arg=0x3c03e558) at
/usr/src/sbin/iked/proc.c:324
#6 0x1c032885 in event_base_loop (base=0x7cfd0c00, flags=0) at
/usr/src/lib/libevent/event.c:402
#7 0x1c032b2a in event_loop (flags=0) at /usr/src/lib/libevent/event.c:478
#8 0x1c032b42 in event_dispatch () at /usr/src/lib/libevent/event.c:416
#9 0x1c028180 in proc_run (ps=0x86e6b4e0, p=0x3c03e47c, procs=0x3c03e520,
nproc=3, init=0, arg=0x0) at /usr/src/sbin/iked/proc.c:276
#10 0x1c00a69c in ikev2 (ps=0x86e6b4e0, p=0x3c03e47c) at
/usr/src/sbin/iked/ikev2.c:114
#11 0x1c027976 in proc_init (ps=0x86e6b4e0, p=0x3c03e47c, nproc=3) at
/usr/src/sbin/iked/proc.c:61
#12 0x1c00955a in main (argc=2, argv=0xcfbefc18) at
/usr/src/sbin/iked/iked.c:157
(gdb) bt full
#0 0x1c01726b in ikev2_msg_send (env=0x86e6b000, msg=0xcfbeee10) at
/usr/src/sbin/iked/ikev2_msg.c:296
sa = (struct iked_sa *) 0x89ed0000
buf = (struct ibuf *) 0x7eda8500
natt = 0
isnatt = 1
hdr = (struct ike_header *) 0x818dc000
m = (struct iked_message *) 0x87268c00
__func__ = "ikev2_msg_send"
#1 0x1c01836b in ikev2_msg_send_encrypt (env=0x86e6b000, sa=0x89ed0000,
ep=0xcfbef134, exchange=35 '#', firstpayload=36 '$', response=1) at
/usr/src/sbin/iked/ikev2_msg.c:625
resp = {msg_data = 0x7eda8500, msg_offset = 4, msg_local = {ss_len = 16
'\020', ss_family = 2 '\002', __ss_pad1 = "\021\224N\203WÃ", __ss_pad2 = 0,
__ss_pad3 = '\0' <repeats 239 times>}, msg_locallen = 16, msg_peer =
{ss_len = 16 '\020', ss_family = 2 '\002', __ss_pad1 = "\022\231[Rj\202",
__ss_pad2 = 0,
__ss_pad3 = '\0' <repeats 239 times>}, msg_peerlen = 16, msg_sock = 0x0,
msg_fd = 12, msg_response = 1, msg_natt = 0, msg_error = 0, msg_e = 0,
msg_parent = 0xcfbeee10,
msg_policy = 0x0, msg_sa = 0x89ed0000, msg_msgid = 1, msg_exchange = 0 '\0',
msg_proposals = {tqh_first = 0x0, tqh_last = 0xcfbef050}, msg_rekey = {spi = 0,
spi_size = 0 '\0',
spi_protoid = 0 '\0'}, msg_nonce = 0x0, msg_ke = 0x0, msg_auth = {id_type =
0 '\0', id_offset = 0 '\0', id_buf = 0x0}, msg_id = {id_type = 0 '\0',
id_offset = 0 '\0',
id_buf = 0x0}, msg_cert = {id_type = 0 '\0', id_offset = 0 '\0', id_buf =
0x0}, msg_prop = 0x0, msg_attrlength = 0, msg_timer = {tmr_ev = {ev_next =
{tqe_next = 0x0,
tqe_prev = 0x0}, ev_active_next = {tqe_next = 0x0, tqe_prev = 0x0},
ev_signal_next = {tqe_next = 0x0, tqe_prev = 0x0}, min_heap_idx = 0, ev_base =
0x0, ev_fd = 0,
ev_events = 0, ev_ncalls = 0, ev_pncalls = 0x0, ev_timeout = {tv_sec = 0,
tv_usec = 0}, ev_pri = 0, ev_callback = 0, ev_arg = 0x0, ev_res = 0, ev_flags =
0},
tmr_env = 0x0, tmr_cb = 0, tmr_cbarg = 0x0}, msg_entry = {tqe_next = 0x0,
tqe_prev = 0x0}, msg_tries = 0}
hdr = (struct ike_header *) 0x818dc000
pld = (struct ikev2_payload *) 0x818dc01c
buf = (struct ibuf *) 0x7eda8500
e = (struct ibuf *) 0x7eda8860
ret = -1
__func__ = "ikev2_msg_send_encrypt"
#2 0x1c0106c2 in ikev2_resp_ike_auth (env=0x86e6b000, sa=0x89ed0000) at
/usr/src/sbin/iked/ikev2.c:1993
pld = (struct ikev2_payload *) 0x82c784c7
n = (struct ikev2_notify *) 0x0
cert = (struct ikev2_cert *) 0x82c7801f
auth = (struct ikev2_auth *) 0x82c7837f
id = (struct iked_id *) 0x89ed03e0
certid = (struct iked_id *) 0x89ed03f0
e = (struct ibuf *) 0x7eda82e0
firstpayload = 36 '$'
ret = -1
len = 20
#3 0x1c00bdef in ikev2_ike_auth (env=0x86e6b000, sa=0x89ed0000, msg=0x0) at
/usr/src/sbin/iked/ikev2.c:566
id = (struct iked_id *) 0x0
certid = (struct iked_id *) 0x0
authmsg = (struct ibuf *) 0x0
ikeauth = {auth_method = 0 '\0', auth_eap = 0 '\0', auth_length = 0
'\0',
auth_data = '\0' <repeats 452 times>,
"ÿÿÿÿ\030õ¾ÏÏG\016\034\000Uî|\016\000\000\000(õ¾Ï", '\0' <repeats 16 times>,
"\rUî|\000\000\000\000r\000\000\000\bBÿÿ\000Uî|\177\000\000\000ÿÿÿÿXõ¾ÏÏG\016\034\000_î|\037\000\000\000hõ¾Ïøó¾Ï\000\000\000\000\004ô¾Ï\000\000\000\000\036_î|\000\000\000\000a\000\000\000\bBÿÿ\000_î|\177\000\000\000(õ¾Ï",
'\0' <repeats 212 times>,
"\020\000\000\000\200ëo|x\003\016\201\bõ¾Ï«ö\020\034À\216y|ß\000\000\000\020\000\000\000\020S\004<\000\000\000\000ð\215y|\030õ¾ÏÍ¿\020\034\020S"...}
policy = (struct iked_policy *) 0x881f9000
ret = -1
__func__ = "ikev2_ike_auth"
#4 0x1c00ab98 in ikev2_dispatch_cert (fd=32, p=0x3c03e558, imsg=0xcfbef644) at
/usr/src/sbin/iked/ikev2.c:234
env = (struct iked *) 0x86e6b000
sh = {sh_ispi = 9593918580251004300, sh_rspi = 10259927512637042501,
sh_initiator = 0}
sa = (struct iked_sa *) 0x89ed0000
type = 4 '\004'
---Type <return> to continue, or q <return> to quit---
ptr = (u_int8_t *) 0x0
len = 2116784128
id = (struct iked_id *) 0x0
__func__ = "ikev2_dispatch_cert"
#5 0x1c0282b9 in proc_dispatch (fd=32, event=2, arg=0x3c03e558) at
/usr/src/sbin/iked/proc.c:324
p = (struct privsep_proc *) 0x3c03e558
ps = (struct privsep *) 0x86e6b4e0
iev = (struct imsgev *) 0x86e9b6a0
ibuf = (struct imsgbuf *) 0x86e9b6a0
imsg = {hdr = {type = 19, len = 37, flags = 0, peerid = 4294967295, pid
= 24878}, fd = -1, data = 0x7eda8fe0}
n = 37
verbose = -2056474112
title = 0x3c0036c2 "ikev2"
__func__ = "proc_dispatch"
#6 0x1c032885 in event_base_loop (base=0x7cfd0c00, flags=0) at
/usr/src/lib/libevent/event.c:402
evsel = (const struct eventop *) 0x3c00a8bc
evbase = (void *) 0x856cb200
tv = {tv_sec = 25, tv_usec = 535181}
tv_p = Variable "tv_p" is not available.
> > The network looks like this:
> > [ Linux StrongSwan ] <--> [ NAT gw <remote_ip> ]O--Internetz--O[
> > <firefly_ip> ]
> > | |
> > `========================== IPsec IKEv2 ======================'
> >
> > Here is the output of iked -dvv from the start until the sig11.
> > I'm sorry about the "anonymization", if it confuses the reader I'll
> > gladly elaborate.
> >
>
> you can also try "iked -dvvT" and see if that works.
Yes, it doesn't crash if I disable NAT-Traversal (-T). That fits the trace
above: frame #0 shows isnatt = 1 when ikev2_msg_send faults at line 296.
Daniel
--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F