[strongSwan] received netlink error: No such file or directory

2011-02-15 Thread Barry G
Hello,

In November of 2008 I had an issue with Strongswan
being unable to add SAD entries in my IPv4 only kernel.
Martin made me a snazzy patch that fixed all my woes:
(https://lists.strongswan.org/pipermail/users/2008-November/002925.html)

I just upgraded from Strongswan 4.3.4 to 4.5.1 and my issue
is back.  I did not upgrade the kernel (We are running 2.6.29.3).

When I try to bring the connections up I get the output at the end
of this email.

I have everything we need to do IPsec connections in the kernel
(since it worked great with Strongswan 4.3.4).  I do not have IPv6 turned
on in the kernel since we are trying to keep things small and limit
our attack surface.

I modified the patch Martin gave me in 2008 to be as follows:
diff -Nauwr 
strongswan.orig/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
--- strongswan.orig/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c  
2011-02-14
14:43:24.0 -0800
+++ strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c   
2011-02-15
11:00:10.0 -0800
@@ -916,9 +916,6 @@
sa->mode = mode2kernel(mode);
switch (mode)
{
-   case MODE_TUNNEL:
-   sa->flags |= XFRM_STATE_AF_UNSPEC;
-   break;
case MODE_BEET:
case MODE_TRANSPORT:
if(src_ts && dst_ts)
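Review bot: this hunk only drops XFRM_STATE_AF_UNSPEC for MODE_TUNNEL, which is the 2008 change for "Protocol not supported (93)" on a kernel without IPv6, but the error reported in this mail is "No such file or directory (2)", a different errno from a different code path, so the hunk cannot address it (and the mail confirms the output is unchanged after applying it). If the patch is kept for the IPv4-only build, two things are missing: a comment above `case MODE_BEET:` recording that MODE_TUNNEL now intentionally matches no case and that mixed-family tunnels will break, as Martin's 2008 reply warned, and a build-time switch so the deletion is not unconditional.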

I applied this patch, recompiled, and I get the same output.

Is IPv6 now required?  If not, thoughts on what I can do to fix this?

Thanks!

Barry



Output follows (charon KNL debug of 2):
# ipsec start --nofork
Starting strongSwan 4.5.1 IPsec [starter]...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.1)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL] 10.201.98.1
00[KNL]   eth1
00[KNL] 192.168.1.1
00[KNL]   eth2
00[KNL] 10.203.42.1
00[KNL] received netlink error: Address family not supported by
protocol (97)
00[KNL] unable to create IPv6 routing table rule
00[NET] unable to create raw socket: Address family not supported by
protocol
00[NET] could not open IPv6 receive socket, IPv6 disabled
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for 192.168.1.1 192.168.1.2
00[DMN] loaded plugins: curl aes des sha1 sha2 md5 random x509
revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac
attr kernel-netlink resolve socket-raw stroke updow
00[JOB] spawning 16 worker threads
charon (2273) started after 40 ms
04[CFG] received stroke: add connection 'host-host-1'
04[KNL] getting interface name for 192.168.1.2
04[KNL] 192.168.1.2 is not a local address
04[KNL] getting interface name for 192.168.1.1
04[KNL] 192.168.1.1 is on interface eth1
04[CFG] added configuration 'host-host-1'
04[CFG] received stroke: add connection 'net-net-1-2-1'
04[KNL] getting interface name for 192.168.1.2
04[KNL] 192.168.1.2 is not a local address
04[KNL] getting interface name for 192.168.1.1
04[KNL] 192.168.1.1 is on interface eth1
04[CFG] added child to existing configuration 'host-host-1'
07[CFG] received stroke: add connection 'net-host-1-2'
07[KNL] getting interface name for 192.168.1.2
07[KNL] 192.168.1.2 is not a local address
07[KNL] getting interface name for 192.168.1.1
07[KNL] 192.168.1.1 is on interface eth1
07[CFG] added child to existing configuration 'host-host-1'
08[CFG] received stroke: add connection 'host-net-1-1'
08[KNL] getting interface name for 192.168.1.2
08[KNL] 192.168.1.2 is not a local address
08[KNL] getting interface name for 192.168.1.1
08[KNL] 192.168.1.1 is on interface eth1
08[CFG] added child to existing configuration 'host-host-1'
11[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
11[IKE] 192.168.1.2 is initiating an IKE_SA
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
11[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
12[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
12[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr
N(MULT_AUTH) ]
12[CFG] looking for peer configs matching
192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
12[CFG] selected peer config 'host-host-1'
12[IKE] authentication of '192.168.1.2' with pre-shared key successful
12[IKE] authentication of '192.168.1.1' (myself) with pre-shared key
12[IKE] IKE_SA host-host-1[1] established between
192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
12[IKE] scheduling reauthentication in 10063s
12[IKE] maximum IKE_SA lifetime 10603s
12[KNL] getting SPI for reqid {1}
12[KNL]

Re: [strongSwan] received netlink error: No such file or directory

2011-02-16 Thread Barry G
On Wed, Feb 16, 2011 at 12:41 AM, Martin Willi  wrote:
> I couldn't find a ENOENT return value in the kernel XFRM code path for
> adding SAs, nor could I reproduce the issue here with a non-IPv6 kernel.
>
> You may try to track down that ENOENT in the XFRM code by debugging the
> kernel.

Thanks so much for taking the time to look into this.  I did
some digging today and figured out where my elusive -ENOENT
was coming from.  The stack trace looks like:
(gdb) bt
#0  crypto_alg_mod_lookup (name=, type=,
mask=) at crypto/api.c:275
#1  0xc0103e3c in crypto_lookup_aead (name=,
type=,
mask=) at crypto/aead.c:415
#2  0xc0104358 in crypto_alloc_aead (alg_name=0xdd8d3b70
"authenc(digest_null,cbc(aes))", type=3,
mask=15) at crypto/aead.c:462
#3  0xc02819c8 in esp_init_authenc (x=0xdf30e600) at net/ipv4/esp4.c:492
#4  esp_init_state (x=0xdf30e600) at net/ipv4/esp4.c:566
#5  0xc0294bbc in xfrm_init_state (x=0xdf30e600) at net/xfrm/xfrm_state.c:2079
#6  0xc0298be4 in xfrm_state_construct (skb=,
nlh=0xdd883800,
attrs=0xdd8d3c40) at net/xfrm/xfrm_user.c:362
#7  xfrm_add_sa (skb=, nlh=0xdd883800, attrs=0xdd8d3c40)
at net/xfrm/xfrm_user.c:408
#8  0xc0298200 in xfrm_user_rcv_msg (skb=0xdf1e49a0, nlh=0xdd883800)
at net/xfrm/xfrm_user.c:2028
#9  0xc022cf08 in netlink_rcv_skb (skb=0xdf1e49a0, cb=0xc02980f8
)
at net/netlink/af_netlink.c:1705
#10 0xc029776c in xfrm_netlink_rcv (skb=0xdf1e49a0) at net/xfrm/xfrm_user.c:2034
#11 0xc022cc40 in netlink_unicast_kernel (ssk=0xdf094000,
skb=0xdf1e49a0, pid=0,
nonblock=) at net/netlink/af_netlink.c:870
#12 netlink_unicast (ssk=0xdf094000, skb=0xdf1e49a0, pid=0,
nonblock=)
at net/netlink/af_netlink.c:894
#13 0xc022d714 in netlink_sendmsg (kiocb=,
sock=0xdf5761c0, msg=0xdd8d3e50,
len=452) at net/netlink/af_netlink.c:1293
#14 0xc01eac90 in __sock_sendmsg (sock=,
msg=,
size=) at net/socket.c:563
#15 sock_sendmsg (sock=, msg=,
size=) at net/socket.c:574
#16 0xc01eafd0 in sys_sendto (fd=,
buff=0xdd8d3e6c, len=452, flags=0,
addr=0x4d02e294, addr_len=12) at net/socket.c:1651
#17 0xc01eb8d4 in sys_socketcall (call=11, args=)
at net/socket.c:2101
#18 0xc00105e0 in syscall_dotrace_cont () at arch/powerpc/kernel/entry_32.S:268


The key was figuring out that on the old strongswan (4.3.4) I get:
Breakpoint 8, crypto_alloc_aead (alg_name=0xdd80bb70
"authenc(hmac(sha256),cbc(aes))", type=0, mask=0) at crypto/aead.c:454

and with the new strongswan (4.5.1) I get:
Breakpoint 8, crypto_alloc_aead (alg_name=0xdd867b70
"authenc(digest_null,cbc(aes))", type=0, mask=0) at crypto/aead.c:454

So crypto_alg_mod_lookup can't find the digest_null stuff
and returns -ENOENT.

Can't figure out why changing from 4.3.4->4.5.1 broke the algorithm
negotiation.  I haven't changed
the ipsec.conf (maybe that's my problem :-).
I have the following in my ipsec.conf:
[snip]
conn net-net-1-2-1
   ike=aes256-sha2_256-modp1536,aes256-sha1-modp1536,aes128-sha2_256-modp1536,aes128-sha1-modp1536,3des-sha2_256-modp1536,3des-sha1-modp1536
   esp=aes256-sha2_256-modp1536,aes256-sha1-modp1536,aes128-sha2_256-modp1536,aes128-sha1-modp1536,3des-sha2_256-modp1536,3des-sha1-modp1536
   mobike=no
   pfs=yes
   pfsgroup=modp1536
   leftupdown=/usr/lib/ipsec/sel_updown
   keyingtries=%forever
   dpdaction=clear
   dpddelay=60
   left=192.168.1.1
   right=192.168.1.2
   auto=add
   keyexchange=ikev2
   leftsubnet=10.201.0.0/16
   rightsubnet=192.168.2.0/24
   authby=secret

Both endpoints are symmetric in the ike/esp lines.

Today I noticed on the server:
14[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built

So it looks like I spent a long time tracing down a failed
algo negotiation!  Has the format of the ike/esp lines changed and I missed
it or what?  Since this works with the same kernel on 4.3.4 I
don't think it is a kernel crypto thing.

What obvious thing am I missing?

Thanks,

Barry

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] received netlink error: No such file or directory

2011-02-17 Thread Barry G
Martin,

> From whatever source this digest_null comes from, it is completely
> wrong. I'm in doubt that it comes from the IKE daemon.

Correct

> I'd suggest to check if the algorithm negotiation works as expected, and
> if so, if the algorithms arrive in kernel XFRM with the correct strings
> before the aead wrapper gets constructed.

   Thanks for your help.  I checked into the algorithm selection thing
but it hasn't
changed.

I did some playing and found the following on both client
and server with the broken (4.5.1) strongswan build:
07[KNL] Adding SAD entry with SPI c6fd223a and reqid {1}
07[KNL]   using encryption algorithm AES_CBC with key size 128
07[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
07[KNL] sending XFRM_MSG_UPDSA: => 436 bytes @ 0x4b82f43c
07[KNL]0: 00 00 01 B4 00 1A 00 05 00 00 00 CA 00 00 05 B6  
07[KNL]   16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
07[KNL]   32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
07[KNL]   48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
07[KNL]   64: 00 00 00 00 00 00 00 00 C0 A8 01 01 00 00 00 00  
07[KNL]   80: 00 00 00 00 00 00 00 00 C6 FD 22 3A 32 00 00 00  ..":2...
07[KNL]   96: C0 A8 01 02 00 00 00 00 00 00 00 00 00 00 00 00  
07[KNL]  112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  
07[KNL]  128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  
07[KNL]  144: 00 00 00 00 00 00 0B 95 00 00 00 00 00 00 0E 10  
07[KNL]  160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
07[KNL]  176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
07[KNL]  192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
07[KNL]  208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
07[KNL]  224: 00 00 00 01 00 02 01 20 00 00 00 00 00 00 00 00  ... 
07[KNL]  240: 00 58 00 02 61 65 73 00 00 00 00 00 00 00 00 00  .X..aes.
07[KNL]  256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
07[KNL]  272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
07[KNL]  288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
07[KNL]  304: 00 00 00 00 00 00 00 80 2B F2 32 E7 FD 3E F7 C7  +.2..>..
07[KNL]  320: 4B 28 E9 8B D3 76 70 D4 00 6C 00 14 68 6D 61 63  K(...vp..l..hmac
07[KNL]  336: 28 73 68 61 32 35 36 29 00 00 00 00 00 00 00 00  (sha256)
07[KNL]  352: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
07[KNL]  368: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
07[KNL]  384: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00  
07[KNL]  400: 00 00 00 80 6B E7 E3 7B C0 00 41 34 F1 97 BB 22  k..{..A4..."
07[KNL]  416: AF BA 85 C3 DF 44 6B D8 ED C6 EC 39 9B 44 7D C8  .Dk9.D}.
07[KNL]  432: D3 04 C4 84  
07[KNL] received netlink error: No such file or directory (2)

I tracked the problem down to the 0x14 (byte 331 (rta_type for the int_alg))
of the packet.

When strongSwan sends the struct nlmsghdr into the kernel via
the netlink socket, it either has an auth payload of xfrm_algo_auth
or xfrm_algo based on changes to kernel_netlink_ipsec.c.  Unfortunately,
my old kernel doesn't know about the XFRMA_ALG_AUTH_TRUNC type.  As
such, when my kernel looked up that dude it didn't find it.  This
resulted in the struct nlattrs **attrs parameter to xfrm_add_sa
having a NULL value in attrs[XFRMA_ALG_AUTH].  This NULL value results
in digest_null in esp_init_authenc.  Applying the following
patch "fixed" it for me:
--- 
strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c@@/main/LATEST
2011-02-14 13:27:11.0 -0800
+++ strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
  2011-02-17 12:59:22.0 -0800
@@ -1036,29 +1036,6 @@
DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
 integrity_algorithm_names, int_alg, int_key.len * 8);

-   if (int_alg == AUTH_HMAC_SHA2_256_128)
-   {
-   struct xfrm_algo_auth* algo;
-
-   /* the kernel uses SHA256 with 96 bit
truncation by default,
-* use specified truncation size supported by
newer kernels */
-   rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
-   rthdr->rta_len = RTA_LENGTH(sizeof(struct
xfrm_algo_auth) + int_key.len);
-
-   hdr->nlmsg_len += rthdr->rta_len;
-   if (hdr->nlmsg_len > sizeof(request))
-   {
-   return FAILED;
-   }
-
-   algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
-   algo->alg_key_len = int_key.len * 8;
-   
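Review bot: removing the whole `if (int_alg == AUTH_HMAC_SHA2_256_128)` branch makes charon send the legacy struct xfrm_algo for SHA-256 on every kernel, so kernels that do understand XFRMA_ALG_AUTH_TRUNC also fall back to the 96-bit truncation the deleted comment describes, while the SA was negotiated as HMAC_SHA2_256_128 (the "using integrity algorithm" line above); the two sides then compute ICVs of different lengths and the SA installs but does not pass traffic. Prefer keeping the branch and falling back to XFRMA_ALG_AUTH only when the XFRMA_ALG_AUTH_TRUNC request fails (here the old kernel drops the unknown attribute and the add fails with ENOENT, as traced above), or gate the fallback on a configure-time check of the kernel headers, and say in the patch description that this is a workaround for kernels without XFRMA_ALG_AUTH_TRUNC. The hunk is also cut off mid-branch, so the remaining deleted lines and whatever replaces them cannot be reviewed.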

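The XFRM_MSG_UPDSA message Barry dumped and decoded above, rebuilt and parsed as an added example (this is not strongSwan's kernel_netlink_ipsec.c nor kernel code). It assumes a 32-bit big-endian PowerPC host, so all netlink fields are big-endian as in the dump, sizeof(struct xfrm_usersa_info) == 224 on that ABI, and the xfrm_attr_type_t numbering from include/linux/xfrm.h (XFRMA_KMADDRESS = 19 as the highest type a 2.6.29 kernel knows, XFRMA_ALG_AUTH_TRUNC = 20); the keys are dummy values. The fixed part reproduces the header, SPI, address and reqid bytes of the dump, and the attribute walk mirrors nla_parse(), which skips attribute types above the kernel's XFRMA_MAX instead of rejecting them, which is why attrs[XFRMA_ALG_AUTH] stays unset and esp_init_authenc() substitutes digest_null:

```python
"""Rebuild the XFRM_MSG_UPDSA from the dump and parse it like the kernel.

Added example, not strongSwan or kernel code.  Assumptions: 32-bit
big-endian PowerPC (netlink fields are host order, hence big-endian),
sizeof(struct xfrm_usersa_info) == 224, attribute numbering as in
include/linux/xfrm.h.  Keys are dummies.
"""
import struct

NLM_F_REQUEST, NLM_F_ACK = 0x01, 0x04
XFRM_MSG_UPDSA = 0x1A              # 26; the "00 1A" at offset 4 of the dump
IPPROTO_ESP, AF_INET = 50, 2
XFRM_MODE_TUNNEL = 1

# enum xfrm_attr_type_t, only the members used here
XFRMA_ALG_AUTH = 1                 # struct xfrm_algo, the only form before 2.6.33
XFRMA_ALG_CRYPT = 2                # struct xfrm_algo
XFRMA_KMADDRESS = 19               # assumption: highest type a 2.6.29 kernel parses
XFRMA_ALG_AUTH_TRUNC = 20          # struct xfrm_algo_auth, kernels >= 2.6.33

XFRMA_MAX_2_6_29 = XFRMA_KMADDRESS
XFRMA_MAX_2_6_33 = XFRMA_ALG_AUTH_TRUNC

NLMSG_HDRLEN = 16
USERSA_INFO_LEN = 224              # sizeof(struct xfrm_usersa_info), 32-bit ppc

# the kernel's compat-name table: "aes" in the request becomes "cbc(aes)"
EALG_NAMES = {b"aes": "cbc(aes)", b"des3_ede": "cbc(des3_ede)"}


def rta_align(n):
    """RTA_ALIGN(): attribute payloads are padded to 4 bytes."""
    return (n + 3) & ~3


def rtattr(rta_type, payload, bo):
    """struct rtattr { unsigned short rta_len, rta_type; } + padded payload."""
    hdr = struct.pack(bo + "HH", 4 + len(payload), rta_type)
    return hdr + payload + b"\0" * (rta_align(len(payload)) - len(payload))


def xfrm_algo(name, key, bo):
    """struct xfrm_algo { char alg_name[64]; unsigned alg_key_len; char key[]; }"""
    return struct.pack(bo + "64sI", name, len(key) * 8) + key


def xfrm_algo_auth(name, key, trunc_bits, bo):
    """struct xfrm_algo_auth adds alg_trunc_len after alg_key_len."""
    return struct.pack(bo + "64sII", name, len(key) * 8, trunc_bits) + key


def build_updsa(enc_key, auth_key, use_auth_trunc=True, bo=">", seq=0xCA, pid=0x5B6):
    """What charon sends: nlmsghdr + xfrm_usersa_info + algorithm attributes."""
    sa = bytearray(USERSA_INFO_LEN)
    struct.pack_into("4s", sa, 56, bytes([192, 168, 1, 1]))          # id.daddr
    struct.pack_into(bo + "IB", sa, 72, 0xC6FD223A, IPPROTO_ESP)     # id.spi, id.proto
    struct.pack_into("4s", sa, 80, bytes([192, 168, 1, 2]))          # saddr
    # reqid, family, mode, replay_window (the "00 00 00 01 00 02 01 20" at 224)
    struct.pack_into(bo + "IHBB", sa, 208, 1, AF_INET, XFRM_MODE_TUNNEL, 32)
    attrs = rtattr(XFRMA_ALG_CRYPT, xfrm_algo(b"aes", enc_key, bo), bo)
    if use_auth_trunc:   # strongSwan 4.5.1 for HMAC_SHA2_256_128
        attrs += rtattr(XFRMA_ALG_AUTH_TRUNC,
                        xfrm_algo_auth(b"hmac(sha256)", auth_key, 128, bo), bo)
    else:                # strongSwan 4.3.4: legacy attribute, kernel default truncation
        attrs += rtattr(XFRMA_ALG_AUTH, xfrm_algo(b"hmac(sha256)", auth_key, bo), bo)
    body = bytes(sa) + attrs
    hdr = struct.pack(bo + "IHHII", NLMSG_HDRLEN + len(body), XFRM_MSG_UPDSA,
                      NLM_F_REQUEST | NLM_F_ACK, seq, pid)
    return hdr + body


def parse_updsa(msg, xfrma_max, bo=">"):
    """Walk the attribute chain like nla_parse(): a type above the kernel's
    XFRMA_MAX is skipped, not rejected, so attrs[type] stays unset (NULL)."""
    nlmsg_len, nlmsg_type = struct.unpack_from(bo + "IH", msg, 0)
    if nlmsg_type != XFRM_MSG_UPDSA or nlmsg_len != len(msg):
        raise ValueError("not a well-formed XFRM_MSG_UPDSA")
    attrs = {}
    off = NLMSG_HDRLEN + USERSA_INFO_LEN
    while off + 4 <= nlmsg_len:
        rta_len, rta_type = struct.unpack_from(bo + "HH", msg, off)
        if rta_len < 4 or off + rta_len > nlmsg_len:
            raise ValueError("malformed attribute at offset %d" % off)
        if 0 < rta_type <= xfrma_max:
            attrs[rta_type] = msg[off + 4:off + rta_len]
        off += rta_align(rta_len)
    return attrs


def authenc_name(attrs):
    """Mirror esp_init_authenc(): no auth algorithm attached means digest_null."""
    ealg = attrs[XFRMA_ALG_CRYPT][:64].rstrip(b"\0")
    aalg = attrs.get(XFRMA_ALG_AUTH_TRUNC, attrs.get(XFRMA_ALG_AUTH))
    aalg_name = aalg[:64].rstrip(b"\0").decode() if aalg else "digest_null"
    return "authenc(%s,%s)" % (aalg_name, EALG_NAMES[ealg])


if __name__ == "__main__":
    msg = build_updsa(b"\x11" * 16, b"\x22" * 32)
    print("nlmsg_len=%d header=%s" % (len(msg), msg[:16].hex()))
    for label, xmax in (("2.6.29", XFRMA_MAX_2_6_29), ("2.6.33", XFRMA_MAX_2_6_33)):
        print(label, authenc_name(parse_updsa(msg, xmax)))
```

Rebuilding the 4.3.4-style message (use_auth_trunc=False) yields the legacy XFRMA_ALG_AUTH attribute that the old kernel does accept, with its default 96-bit SHA-256 truncation, which is exactly what the esp=aes128-sha256_96 workaround in the next reply selects explicitly.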
Re: [strongSwan] received netlink error: No such file or directory

2011-02-18 Thread Barry G
> if you have an old Linux kernel then just define
>
>  esp=aes128-sha256_96
>
> and everything will be fine.

Drat!  It worked!  Thanks.  I do believe I went the long way about
diagnosing that issue, but it works now.

Thanks Andreas,

Barry



[strongSwan] Strongswan receive signal 11 on PPC even with mlongcall

2013-08-29 Thread Barry G
Hello,

   I am having trouble with strongSwan 4.5.2 on the PowerPC platform.
Specifically I am getting a signal 11 in openssl_diffie_hellman_create.

Googling turned up
http://comments.gmane.org/gmane.network.vpn.strongswan.devel/610
which recommended I compile with -mlongcall.  I added that to the
compilation, verified
it was present, but it still dies when starting.  Attached is the GDB backtrace
and the disassembly of openssl_diffie_hellman_create.

Any thoughts or guidance would be appreciated.

Thanks,

   Barry

ipsec start --nofork
Starting strongSwan 4.5.2 IPsec [starter]...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL] 192.168.3.2
00[KNL]   eth1
00[KNL] 192.168.1.2
00[KNL]   eth2
00[KNL] 10.203.16.190
00[KNL] received netlink error: Address family not supported by protocol (97)
00[KNL] unable to create IPv6 routing table rule
00[NET] unable to create raw socket: Address family not supported by protocol
00[NET] could not open IPv6 receive socket, IPv6 disabled
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for 192.168.3.2 192.168.3.3
00[CFG] sql plugin: database URI not set
00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
00[CFG] loaded 0 RADIUS server configurations
00[CFG] HA config misses local/remote address
00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5
random x509 revocation constraints pubkey pkcs1 pgp pem openssl
fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink
resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5
eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led
addrblock
00[JOB] spawning 16 worker threads
charon (6162) started after 3920 ms
08[CFG] received stroke: add connection 'host-host-2'
08[CFG] added configuration 'host-host-2'
12[CFG] received stroke: initiate 'host-host-2'
12[IKE] initiating IKE_SA host-host-2[1] to 192.168.3.3
12[DMN] thread 12 received 11
 dumping 17 stack frame addresses:
   @ 0x10 (__kernel_sigtramp32+0x0) [0x100364]

[snip missing addr2line comments]

12[DMN] killing ourself, received critical signal
charon has died -- restart scheduled (5sec)
ipsec starter stopped
# gdb /usr/lib/ipsec/charon core
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "powerpc-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/lib/ipsec/charon...Reading symbols from
/usr/lib/debug/usr/lib/ipsec/charon...done.
done.

[New LWP 6176]
[New LWP 6174]
[New LWP 6179]
[New LWP 6165]
[New LWP 6173]
[New LWP 6172]
[New LWP 6180]
[New LWP 6167]
[New LWP 6178]
[New LWP 6162]
[New LWP 6171]
[New LWP 6170]
[New LWP 6169]
[New LWP 6168]
[New LWP 6166]
[New LWP 6177]
[New LWP 6175]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/powerpc-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/lib/ipsec/charon'.
Program terminated with signal 6, Aborted.
#0  0x204211e0 in raise () from /lib/powerpc-linux-gnu/libc.so.6
(gdb) thread apply all bt 10

Thread 17 (Thread 0x4d827490 (LWP 6175)):
#0  0x2057e2c4 in accept () from /lib/powerpc-linux-gnu/libpthread.so.0
#1  0x1f9b8898 in receive (this=0x209e6440) at stroke_socket.c:598
#2  0x20669358 in execute (this=0x209e6b60)
at processing/jobs/callback_job.c:199
#3  0x20669c50 in process_jobs (this=0x209d4dd0) at processing/processor.c:136
#4  0x2066c920 in thread_main (this=0x209ec150) at threading/thread.c:291
#5  0x20575864 in start_thread () from /lib/powerpc-linux-gnu/libpthread.so.0
#6  0x204d1198 in clone () from /lib/powerpc-linux-gnu/libc.so.6

Thread 16 (Thread 0x4e827490 (LWP 6177)):
#0  0x2057a1d8 in pthread_cond_wait@@GLIBC_2.3.2 ()
   from /lib/powerpc-linux-gnu/libpthread.so.0
#1  0x2066d914 in _wait (this=, mutex=0x209d4ed0)
at threading/mutex.c:252
#2  0x20669ba8 in process_jobs (this=0x209d4dd0) at processing/processor.c:128
#3  0x2066c920 in thread_main (this=0x209ec430) at threading/thread.c:291
#4  0x20575864 in start_thread () from /lib/powerpc-linux-gnu/libpthread.so.0
#5  0x204d1198 in clone () from /lib/powerpc-linux-gnu/libc.so.6

Thread 15 (Thread 

Re: [strongSwan] Strongswan receive signal 11 on PPC even with mlongcall

2013-08-30 Thread Barry G
Hi Tobias,

Thanks for the information.  That is an interesting bug.

> [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=11d6bc3e

I applied the patch (which did apply cleanly) and everything started working.

Thanks again for all the help,

Barry



[strongSwan] Strongswan Protocol not supported

2008-11-24 Thread Barry G
Hello,

I just upgraded from strongSwan 4.1.10 to 4.2.9 on my Linux 2.6.27.3 device.

Tunnels are no longer established (due to kernel problems; I get an SA though).

I get the following output:
# ipsec start --nofork
Starting strongSwan 4.2.9 IPsec [starter]...
01[DMN] starting charon (strongSwan Version 4.2.9)
01[NET] unable to create raw socket: Address family not supported by protocol
01[NET] could not open IPv6 receive socket, IPv6 disabled
01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
01[CFG] loading crls from '/etc/ipsec.d/crls'
01[CFG] loading secrets from '/etc/ipsec.secrets'
01[CFG]   loaded IKE secret for 192.168.1.1 192.168.1.2
01[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown
01[KNL] listening on interfaces:
01[KNL]   eth0
01[KNL] 192.168.1.1
01[KNL]   eth1
01[KNL] 10.201.98.1
01[JOB] spawning 16 worker threads
charon (1773) started after 20 ms
08[CFG] received stroke: add connection 'net-net-1'
08[KNL] getting interface name for 192.168.1.2
08[KNL] 192.168.1.2 is not a local address
08[KNL] getting interface name for 192.168.1.1
08[KNL] 192.168.1.1 is on interface eth0
08[CFG] added configuration 'net-net-1': 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
10[CFG] received stroke: initiate 'net-net-1'
10[IKE] initiating IKE_SA net-net-1[1] to 192.168.1.2
10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
10[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
12[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[IKE] authentication of '192.168.1.1' (myself) with pre-shared key
12[IKE] establishing CHILD_SA net-net-1
12[KNL] getting SPI for reqid {1}
12[KNL] got SPI cf421d12 for reqid {1}
12[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH CP SA TSi TSr ]
12[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
13[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
13[IKE] authentication of '192.168.1.2' with pre-shared key successful
13[IKE] scheduling reauthentication in 10197s
13[IKE] maximum IKE_SA lifetime 10737s
13[IKE] IKE_SA net-net-1[1] established between 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
13[IKE] installing new virtual IP 10.201.98.1
13[KNL] adding virtual IP 10.201.98.1
13[KNL] adding SAD entry with SPI c8245bff and reqid {1}
13[KNL]   using encryption algorithm AES_CBC with key size 256
13[KNL]   using integrity algorithm AUTH_HMAC_SHA2_256_128 with key size 256
13[KNL] received netlink error: Protocol not supported (93)
13[KNL] unable to add SAD entry with SPI c8245bff
13[IKE] unable to install IPsec SA (SAD) in kernel
13[KNL] deleting SAD entry with SPI cf421d12
13[KNL] deleted SAD entry with SPI cf421d12
13[KNL] deleting SAD entry with SPI c8245bff
13[KNL] received netlink error: No such process (3)
13[KNL] unable to delete SAD entry with SPI c8245bff
13[IKE] received AUTH_LIFETIME of 10202s, scheduling reauthentication in 9662s

This is the same kernel that works fine with 4.1.10.  I found a post
that seems similar to
this problem which pointed to IPv6 requirements:
https://lists.strongswan.org/pipermail/users/2008-October/002782.html

Is IPv6 required for strongSwan now?  If not, any ideas on what is wrong?

Thanks,

Barry


Re: [strongSwan] Strongswan Protocol not supported

2008-11-25 Thread Barry G
Martin,

> The attached strongSwan patch fixes installation on v4 only hosts, but
> will break mixed tunnels on others. I think the right place to fix this
> is in the kernel, I'll try to push a patch upstream.

Thanks!  I tested your patch on our IPv4 kernel only and it does fix
the problem.
Since we aren't using mixed tunnels, I will run with your patch.
I would really like to avoid turning on IPv6 in the kernel until we
are fully ready
for it.

Thanks,

Barry


[strongSwan] Best way to automatically restart IPsec connections

2009-01-02 Thread Barry G
Hello,

We have a few IPsec connections set up between a server and a few clients.
The clients initiate the connections (auto=start) and the server listens
(auto=add).

The connections work fine, and normally everything is happy.  However,
when the Internet/network connection goes down and IPsec connections
eventually get dropped, the system doesn't bring the IPsec connections
back up automatically after the network is restored.

From my reading about DPD, it looks like DPD only tries to bring the connection
back for some amount of time right after the connection is lost.  I am
looking for a way to continuously try to make certain that the IPsec
connections are up, even if it is days or weeks since the loss of
communications.

What is the best method of attack for this?  Should I write a script that runs
ipsec status and looks for defined but not-established connections in
the ipsec.conf and "ipsec up" them?  Is there something about DPD I
don't understand?

It would also be a bonus if the solution worked for IKEv1 and v2 connections,
as we have a heterogeneous environment.

Thanks,

Barry
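The watchdog Barry sketches (run `ipsec status`, find connections that are defined but not established, `ipsec up` them), written out as an added example; it is not part of the post or of strongSwan. It consumes the text of `ipsec statusall` and assumes the strongSwan 4.x stroke layout shown in the constructed SAMPLE below: a "Connections:" section with one `name:   child:  ...` line per child connection and a "Security Associations:" section with `name[n]: STATE` lines for IKE_SAs and `name{n}:  INSTALLED, ...` lines for CHILD_SAs. It is meant for the initiating side only (conns with auto=start); running it on a responder that only has auto=add would make the server initiate:

```python
"""Re-initiate configured CHILD_SAs that are not installed.

Added example, not from the post or from strongSwan.  Assumes the
strongSwan 4.x `ipsec statusall` text layout sketched in SAMPLE.
"""
import re
import subprocess

# constructed sample in the shape of strongSwan 4.x `ipsec statusall` output
SAMPLE = """\
Status of IKEv2 charon daemon (strongSwan 4.3.4):
  uptime: 3 days, since Sep 20 10:01:12 2009
Listening IP addresses:
  192.168.1.1
  10.201.98.1
Connections:
  host-host-1:  192.168.1.1...192.168.1.2
  host-host-1:   local:  [192.168.1.1] uses pre-shared key authentication
  host-host-1:   remote: [192.168.1.2] uses pre-shared key authentication
  host-host-1:   child:  dynamic === dynamic
net-net-1-2-2:   child:  10.201.0.0/16 === 192.167.1.0/24
net-net-1-2-1:   child:  10.201.0.0/16 === 192.168.2.0/24
Security Associations:
  host-host-1[1]: ESTABLISHED 47 minutes ago, 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
  host-host-1{1}:  INSTALLED, TUNNEL, ESP SPIs: ce767b0c_i ca796555_o
  host-host-1{1}:   192.168.1.1/32 === 192.168.1.2/32
net-net-1-2-1{2}:  INSTALLED, TUNNEL, ESP SPIs: cb7b9d41_i c3a2e61e_o
net-net-1-2-1{2}:   10.201.0.0/16 === 192.168.2.0/24
"""

CHILD_DEF_RE = re.compile(r"^\s*([\w.-]+):\s+child:\s")     # "name:   child:  TS === TS"
CHILD_SA_RE = re.compile(r"^\s*([\w.-]+)\{\d+\}:\s+(\w+)")   # "name{n}:  INSTALLED, ..."
IKE_SA_RE = re.compile(r"^\s*([\w.-]+)\[\d+\]:\s+(\w+)")     # "name[n]: ESTABLISHED ..."


def parse_statusall(text):
    """Return (configured child names in order, installed child names, IKE_SA states)."""
    section = None
    configured, installed, ike_states = [], set(), {}
    for line in text.splitlines():
        if line.startswith("Connections:"):
            section = "conn"
            continue
        if line.startswith("Security Associations:"):
            section = "sa"
            continue
        if section == "conn":
            m = CHILD_DEF_RE.match(line)
            if m and m.group(1) not in configured:
                configured.append(m.group(1))
        elif section == "sa":
            m = CHILD_SA_RE.match(line)
            if m and m.group(2) == "INSTALLED":
                installed.add(m.group(1))
            m = IKE_SA_RE.match(line)
            if m:
                ike_states[m.group(1)] = m.group(2)
    return configured, installed, ike_states


def plan_restarts(text):
    """Children to `ipsec up`: configured but without an INSTALLED CHILD_SA.
    While any IKE_SA is still CONNECTING nothing is returned, so a slow
    handshake is not stacked with duplicate initiations."""
    configured, installed, ike_states = parse_statusall(text)
    if any(state == "CONNECTING" for state in ike_states.values()):
        return []
    return [name for name in configured if name not in installed]


def restart_missing(run=subprocess.run):
    """One watchdog pass; schedule it from cron every few minutes."""
    status = run(["ipsec", "statusall"], capture_output=True, text=True,
                 check=True).stdout
    todo = plan_restarts(status)
    for name in todo:
        run(["ipsec", "up", name], check=False)
    return todo


if __name__ == "__main__":
    print("would restart:", plan_restarts(SAMPLE))   # dry run on the sample
```

On the sample only net-net-1-2-2 is selected: host-host-1 and net-net-1-2-1 have INSTALLED CHILD_SAs. The later thread on this page shows the daemon-side alternative, keyingtries=%forever with dpdaction=restart, which avoids polling; a cron pass like this one is the belt-and-braces check for the cases where that still stalls.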


[strongSwan] Cisco rejects requests if first esp algo not supported

2009-02-18 Thread Barry G
Hello,

We have an IPsec connection between a Cisco 2800 series and a
strongSwan Linux box.  Everything works fine when the Cisco
box initiates the connection, but when the strongSwan box
initiates the connection and the first algorithm in the
esp= line isn't supported by the Cisco we get
NO_PROPOSAL_CHOSEN.

I realize that without the '!' on the esp= line, strongSwan
will accept any algorithm it knows about and it will
propose the list of algorithms specified in ipsec.conf.
This nicely explains why the strongSwan box always accepts
Cisco requests.

If I have esp=aes256-sha in my strongSwan config file,
the Cisco box accepts my phase 2 negotiations for connections
I initiate and I can successfully establish a connection.
If I have esp=aes256-sha2_256,aes256-sha in my config file,
I get a NO_PROPOSAL_CHOSEN on both ends of the connection.

I was hoping to be able to allow both strongSwan clients
and Cisco boxes to use the same configuration (with strongSwan
using a stronger integrity algorithm).

I am pretty confused as to why the Cisco box would reject
my initiation request when there is a valid Cisco-supported
algorithm later in the list.  I expected the Cisco box
to respond that it couldn't do aes256-sha2_256 and would
agree to aes256-sha instead, but all it does is puke at
the request.

Has anyone else run into this?  If so, does anyone know how to
work around it?

Thanks,

Barry


[strongSwan] ESP algorithms: Pluto vs Charon

2009-04-08 Thread Barry G
Hello,

I am looking into performance using various ESP algorithms
and I am curious as to why charon and pluto seem to support
different ESP algorithms.

With just charon running, ipsec listalgs shows:
encryption: AES_CBC 3DES DES

My guess is these are the supported encryption
protocols for IKEv2 (not the ESP protocols).
There are no algorithms shown that are marked explicitly
as ESP encryption algorithms as there is in the
pluto listalgs output.

With just pluto running, ipsec listalgs shows:
[snip]
000 List of registered ESP Encryption Algorithms:
000
000 #2   ESP_DES, blocksize: 8, keylen: 64-64
000 #3   ESP_3DES, blocksize: 8, keylen: 192-192
000 #7   ESP_BLOWFISH, blocksize: 8, keylen: 40-448
000 #12  ESP_AES, blocksize: 8, keylen: 128-256
000 #13  ESP_AES-CTR, blocksize: 8, keylen: 128-256
000 #252 ESP_SERPENT, blocksize: 8, keylen: 128-256
000 #253 ESP_TWOFISH, blocksize: 8, keylen: 128-256
[snip]

Trying to use charon with an esp line of:
esp=aes256-sha2_256,aes128-sha1,blowfish256-sha2_256,blowfish256-sha1,serpent256-sha2_512,serpent256-sha1,3des-sha2_256,3des-sha1,twofish256-sha2_512,twofish256-sha1

I get:
07[CFG] skipped invalid proposal string: serpent256-sha2_512
07[CFG] skipped invalid proposal string: serpent256-sha1
07[CFG] skipped invalid proposal string: twofish256-sha2_512
07[CFG] skipped invalid proposal string: twofish256-sha1

Pluto seems to support the esp line fine (it doesn't complain).

What do I need to do to have serpent and twofish supported
as ESP ciphers that can be proposed by charon?

Thanks,

Barry


[strongSwan] StrongSwan stops trying to restart a dpd'd connection

2009-09-23 Thread Barry G
Hello all,

A little background.  I am still trying to get a robust
solution for restarting IPsec connections.  I asked this
a while ago:
https://lists.strongswan.org/pipermail/users/2009-January/003058.html

Martin helped out by pointing out the keyingtries=%forever
configuration parameter.  This works much better, and in theory should
solve my problems.

Reality is a little harsher.  What I am currently seeing is that
most of the time things work properly, but I am still running into
situations where lost connections do not recover.  I have been working
on debugging this and it appears I am hitting some sort of hang or
deadlock in charon/kernel.

Most of the time my connections restart fine, but sometimes charon
decides it doesn't want to send out IKE_SA_INIT requests any more
after a dpd timeout.

My ipsec.conf looks like:
conn host-host-1
   ike=aes256-sha2_256-modp1536,aes256-sha1-modp1536,aes128-sha2_256-modp1536,aes128-sha1-modp1536,3des-sha2_256-modp1536,3des-sha1-modp1536
   esp=aes256-sha2_256-modp1536,aes256-sha1-modp1536,aes128-sha2_256-modp1536,aes128-sha1-modp1536,3des-sha2_256-modp1536,3des-sha1-modp1536
   mobike=no
   pfs=yes
   pfsgroup=modp1536
   leftupdown=/usr/lib/ipsec/my_updown
   keyingtries=%forever
   dpdaction=restart
   dpddelay=60
   left=192.168.1.1
   right=192.168.1.2
   auto=start
   authby=secret
   keyexchange=ikev2

conn net-net-1-2-2
   leftsubnet=10.201.0.0/16
   rightsubnet=192.167.1.0/24
   also=host-host-1

conn net-net-1-2-1
   leftsubnet=10.201.0.0/16
   rightsubnet=192.168.2.0/24
   also=host-host-1

conn net-host-1-2
   leftsubnet=10.201.0.0/16
   also=host-host-1

conn host-net-1-2
   rightsubnet=192.167.1.0/24
   also=host-host-1

conn host-net-1-1
   rightsubnet=192.168.2.0/24
   also=host-host-1

Here is an example output:

# ipsec start --nofork
Starting strongSwan 4.3.4 IPsec [starter]...
01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
01[NET] unable to create raw socket: Address family not supported by protocol
01[NET] could not open IPv6 receive socket, IPv6 disabled
01[KNL] listening on interfaces:
01[KNL]   eth0
01[KNL] 192.168.1.1
01[KNL]   eth1
01[KNL] 10.201.98.1
01[KNL]   eth2
01[KNL] 10.203.42.1
01[KNL]   sl0
01[KNL] 192.166.1.1
01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
01[CFG] loading crls from '/etc/ipsec.d/crls'
01[CFG] loading secrets from '/etc/ipsec.secrets'
01[CFG]   loaded IKE secret for 192.168.1.1 192.168.1.2
01[DMN] loaded plugins: curl aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown attr resolv-conf
01[JOB] spawning 16 worker threads
charon (25611) started after 40 ms
05[CFG] received stroke: add connection 'host-host-1'
05[CFG] added configuration 'host-host-1'
05[CFG] received stroke: initiate 'host-host-1'
05[IKE] initiating IKE_SA host-host-1[1] to 192.168.1.2
05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
05[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
09[CFG] received stroke: add connection 'net-net-1-2-2'
09[CFG] added child to existing configuration 'host-host-1'
09[CFG] received stroke: initiate 'net-net-1-2-2'
09[CFG] received stroke: add connection 'net-net-1-2-1'
09[CFG] added child to existing configuration 'host-host-1'
10[CFG] received stroke: initiate 'net-net-1-2-1'
11[CFG] received stroke: add connection 'net-host-1-2'
11[CFG] added child to existing configuration 'host-host-1'
11[CFG] received stroke: initiate 'net-host-1-2'
11[CFG] received stroke: add connection 'host-net-1-2'
11[CFG] added child to existing configuration 'host-host-1'
17[CFG] received stroke: initiate 'host-net-1-2'
08[CFG] received stroke: add connection 'host-net-1-1'
08[CFG] added child to existing configuration 'host-host-1'
15[CFG] received stroke: initiate 'host-net-1-1'
10[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
10[IKE] authentication of '192.168.1.1' (myself) with pre-shared key
10[IKE] establishing CHILD_SA host-host-1
10[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) ]
10[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
09[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
09[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
09[IKE] authentication of '192.168.1.2' with pre-shared key successful
09[IKE] scheduling reauthentication in 9854s
09[IKE] maximum IKE_SA lifetime 10394s
09[IKE] IKE_SA host-host-1[1] established between 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
09[IKE] CHILD_SA host-host-1{1} established with SPIs ce767b0c_i ca796555_o and TS 192.168.1.1/32 === 192.168.1.2/32
09[IKE] received AUTH_LIFETIM

[strongSwan] Strongswan - Linux Route Interaction Part 2

2009-10-02 Thread Barry G
Hello,

A while ago I asked about Linux IPsec/route interactions
(https://lists.strongswan.org/pipermail/users/2008-March/002320.html).
Andreas's response was very informative and I have put it under my
pillow at night and think I understand most of it.

One thing really doesn't make sense yet.  My lack of knowledge is best
illustrated with the following example (based off of
http://www.strongswan.org/uml/testresults43/ikev1/net2net-psk/).

I have the following setup:
10.201.0.0/16===192.168.1.1...192.168.1.2===192.168.2.0/24

Using ipsec.conf:
version 2.0

config setup
   plutostart=yes
   charonstart=no
   strictcrlpolicy=no

conn host-host-1
   leftupdown=/usr/lib/ipsec/sel_updown
   keyingtries=%forever
   right=192.168.1.2
   left=192.168.1.1
   auto=start
   authby=secret
   keyexchange=ikev1
   rightsubnet=192.168.2.0/24
   leftsubnet=10.201.0.0/16

# ip route show table all
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
10.201.0.0/16 dev eth1  proto kernel  scope link  src 10.201.98.1
local 192.168.1.1 dev eth0  table local  proto kernel  scope host  src 192.168.1.1
broadcast 192.168.1.0 dev eth0  table local  proto kernel  scope link  src 192.168.1.1
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 10.201.98.1 dev eth1  table local  proto kernel  scope host  src 10.201.98.1
broadcast 10.201.255.255 dev eth1  table local  proto kernel  scope link  src 10.201.98.1
broadcast 192.168.1.255 dev eth0  table local  proto kernel  scope link  src 192.168.1.1
broadcast 10.201.0.0 dev eth1  table local  proto kernel  scope link  src 10.201.98.1
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1

# ip xfrm state
src 192.168.1.1 dst 192.168.1.2
    proto esp spi 0x5192db71 reqid 16385 mode tunnel
    replay-window 32
    auth hmac(sha1) 0x178f5e50afcef5a62894b0594dfc5415f6b97836
    enc cbc(aes) 0xb6d64b000b6e6d7ba284efa82a8f955c
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.168.1.2 dst 192.168.1.1
    proto esp spi 0x1f4bcfb7 reqid 16385 mode tunnel
    replay-window 32
    auth hmac(sha1) 0x1abb5c546b50c2237ad1c08790fbf94356138617
    enc cbc(aes) 0xb47f5395b93137961e627cef9d28636f
    sel src 0.0.0.0/0 dst 0.0.0.0/0


# ip x p
src 10.201.0.0/16 dst 192.168.2.0/24
    dir out priority 2600
    tmpl src 192.168.1.1 dst 192.168.1.2
        proto esp reqid 16385 mode tunnel
src 192.168.2.0/24 dst 10.201.0.0/16
    dir fwd priority 2600
    tmpl src 192.168.1.2 dst 192.168.1.1
        proto esp reqid 16385 mode tunnel
src 192.168.2.0/24 dst 10.201.0.0/16
    dir in priority 2600
    tmpl src 192.168.1.2 dst 192.168.1.1
        proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0

# uname -a
Linux box 2.6.29.3 #1 PREEMPT Tue Aug 25 02:11:35 UTC 2009 ppc GNU/Linux

The peer is a clone setup (left<->right, auto=add, etc).  Iptables is
turned off everywhere.  It would seem from the previous communications
referenced above that this should be sufficient for 10.201.98.2 to
reach 192.168.2.3.  Packets would leave 10.201.98.2, hit the router on
10.201.98.1, match the policy of src 10.201.0.0/16 dst 192.168.2.0/24,
get associated with the appropriate security association, get wrapped
in a new ESP packet with a source of 192.168.1.1 and a destination of
192.168.1.2, and fly out to the peer to be decrypted.

Unfortunately this doesn't work.  However, if I add a route to the gateway like:
ip route add 192.168.2.0/24 via 192.168.1.2 (and a symmetric on the
other gateway)
packets start flowing.

Or if I add a default route on the gateway, packets start flowing.  The
interesting thing is, the default gateway doesn't have to exist, nor do
packets ever get sent to it!  I.e., I can add a default gateway of
192.168.1.50 (no such device on my network) and packets start flowing.

It appears that the Linux kernel rejects the packets (Destination Net
Unreachable) before they reach the policy if the destination address
is not reachable (even though policy template destination would be
reachable).  Has anyone else seen this?

http://www.strongswan.org/uml/testresults43/ikev1/net2net-psk/ lists
the output of ip route list table 220, but not ip route list table
all, so I am not sure if this test contains any static or default
routes that would make t
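Added example (not part of Barry's post, and not strongSwan code): a small Python model of the ordering the post describes, in which the kernel must find a route for the packet's destination before the XFRM "out" policy is ever consulted. The route and policy text is constructed from the ip(8) output quoted above; all function names are this example's own.

```python
"""Check whether 'dir out' IPsec policy destinations have a covering route.

On Linux a locally generated or forwarded packet first needs a FIB route
for its destination; only then does the XFRM policy lookup run and attach
the ESP template.  A policy whose destination has no route is therefore
dropped with Destination Net Unreachable before IPsec sees it, which is
what the post observes.  Constructed sample data, parsed here (not real
strongSwan or iproute2 code).
"""
import ipaddress
import re

# Constructed: main-table routes as the post's gateway had them.
ROUTES_NO_DEFAULT = """\
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
10.201.0.0/16 dev eth1  proto kernel  scope link  src 10.201.98.1
"""

# Constructed: the 'dir out' policy from the post's 'ip x p' output.
POLICIES = """\
src 10.201.0.0/16 dst 192.168.2.0/24
    dir out priority 2600
    tmpl src 192.168.1.1 dst 192.168.1.2
        proto esp reqid 16385 mode tunnel
"""

def parse_routes(text):
    """Return (network, device) pairs; 'default' is read as 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        m = re.match(r"(default|\S+/\d+)\s+(?:via\s+\S+\s+)?dev\s+(\S+)", line)
        if m:
            prefix = "0.0.0.0/0" if m.group(1) == "default" else m.group(1)
            routes.append((ipaddress.ip_network(prefix), m.group(2)))
    return routes

def lookup(routes, dst):
    """Longest-prefix match like the kernel FIB; None means unreachable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best

def out_policy_destinations(text):
    """Destination selectors of every 'dir out' policy in 'ip xfrm policy' text."""
    dsts, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"src\s+(\S+)\s+dst\s+(\S+)", line)
        if m:
            pending = m.group(2)
        elif pending is not None and line.startswith("dir "):
            if line.startswith("dir out"):
                dsts.append(pending)
            pending = None
    return dsts

def unreachable_policy_dsts(route_text, policy_text):
    """Policy destinations the kernel would reject before consulting XFRM."""
    routes = parse_routes(route_text)
    unreachable = []
    for dst in out_policy_destinations(policy_text):
        net = ipaddress.ip_network(dst)
        # Probe the first host of the selector (network address for a /32).
        probe = str(next(net.hosts(), net.network_address))
        if lookup(routes, probe) is None:
            unreachable.append(dst)
    return unreachable
```

With the post's routing table the 192.168.2.0/24 policy is reported as unreachable; adding either the explicit `via 192.168.1.2` route or any default route, even to a non-existent gateway, clears it, which matches what the post observed.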

[strongSwan] Some possible strongSwan bugs

2009-11-17 Thread Barry G
Hello all,

I have been running strongSwan for a while on some of my
networks and have been having a few stability issues.  I am
working on getting to root cause on a few of them and was
wondering if other people are having these issues:

1.)  DPD'd connections with dpdaction=restart sometimes stop
and never come back.  The most common form of this is
the CHILD_SA going away and never being re-established.
I am working on getting better debug messages from charon and
figuring out if charon is missing kernel notifications or if
it just isn't establishing CHILD_SA's correctly.  This problem
seems to be worse over lower bandwidth connections.

Most of the time this bug takes a while to hit.  The first
time I saw this bug was after ~ 57 hours of a tunnel working.
The fastest I have hit this bug yet is ~ 19 hours.  Some
of my connections haven't hit this problem in the weeks they
have been up.

Some of these problems may be documented in:
https://lists.strongswan.org/pipermail/users/2009-June/003516.html

2.)  Sometimes connections will get into rekeying wars where
both ends start displaying:
deleting duplicate IKE_SA for peer 'w.x.y.z' due to uniqueness policy

which causes a rekey, which causes a duplicate, which causes a rekey,...
Note that only one end is configured to initiate the connection (auto=start,
dpdaction=restart).  The other end is (auto=add, dpdaction=clear).
This bug can also take hours/days to hit.  This bug is pretty rare
as I have only hit it twice in all my testing.

3.)  Sometimes charon locks up.  I have seen this happen in many
different forms.  I hit this style of bug maybe once a week.  Unfortunately
this bug family is really nasty as I have to kill process, restart
processes, etc.
Here is one such trace:
(gdb) thread apply all bt 15
Thread 6 (Thread 0x488304d0 (LWP 15785)):
#0  0x0ff8df60 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#1  0x0ffd7360 in ?? () from /usr/lib/libstrongswan.so.0
#2  0x10023884 in schedule (this=0x10067f28) at processing/scheduler.c:223
#3  0x100219d8 in execute (this=0x100680e0) at processing/jobs/callback_job.c:145
#4  0x100242e4 in process_jobs (this=0x1006a0b8) at processing/processor.c:123
#5  0x0ff87b34 in start_thread () from /lib/libpthread.so.0
#6  0x0fdf8b94 in clone () from /lib/libc.so.6
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Thread 5 (Thread 0x490304d0 (LWP 15786)):
#0  0x0ff92594 in recvfrom () from /lib/libpthread.so.0
#1  0x0f811720 in receive_events (this=) at kernel_netlink_ipsec.c:748
#2  0x100219d8 in execute (this=0x1006e550) at processing/jobs/callback_job.c:145
#3  0x100242e4 in process_jobs (this=0x1006a0b8) at processing/processor.c:123
#4  0x0ff87b34 in start_thread () from /lib/libpthread.so.0
#5  0x0fdf8b94 in clone () from /lib/libc.so.6
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Thread 4 (Thread 0x498304d0 (LWP 15787)):
#0  0x0ff92594 in recvfrom () from /lib/libpthread.so.0
#1  0x0f8175c0 in receive_events (this=0x1006e620) at kernel_netlink_net.c:498
#2  0x100219d8 in execute (this=0x1006e7a8) at processing/jobs/callback_job.c:145
#3  0x100242e4 in process_jobs (this=0x1006a0b8) at processing/processor.c:123
#4  0x0ff87b34 in start_thread () from /lib/libpthread.so.0
#5  0x0fdf8b94 in clone () from /lib/libc.so.6
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Thread 3 (Thread 0x4a0304d0 (LWP 15788)):
#0  0x0ff8d930 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#1  0x0ffd74ec in ?? () from /usr/lib/libstrongswan.so.0
#2  0x100213f4 in send_packets (this=0x10070888) at network/sender.c:97
#3  0x100219d8 in execute (this=0x100709d8) at processing/jobs/callback_job.c:145
#4  0x100242e4 in process_jobs (this=0x1006a0b8) at processing/processor.c:123
#5  0x0ff87b34 in start_thread () from /lib/libpthread.so.0
#6  0x0fdf8b94 in clone () from /lib/libc.so.6
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Thread 2 (Thread 0x4a8304d0 (LWP 15791)):
#0  0x0fdf0798 in select () from /lib/libc.so.6
#1  0x1004b5f8 in receiver (this=0x10069020, packet=0x4a82f93c) at network/socket-raw.c:148
#2  0x10020b7c in receive_packets (this=0x10070aa8) at network/receiver.c:266
#3  0x100219d8 in execute (this=0x10070b88) at processing/jobs/callback_job.c:145
#4  0x100242e4 in process_jobs (this=0x1006a0b8) at processing/processor.c:123
#5  0x0ff87b34 in start_thread () from /lib/libpthread.so.0
#6  0x0fdf8b94 in clone () from /lib/libc.so.6
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Thread 1 (Thread 0x48022110 (LWP 15780)):
#0  0x0ff8d930 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#1  0x0ffd74b8 in ?? () from /usr/lib/libstrongswan.so.0
#2  0x10030a5c in flush (this=0xfff701c) at sa/ike_sa_manager.c:1552
#