On 07/10/2014 12:07 PM, Paul Wouters wrote:
On Tue, 7 Oct 2014, Reuben Farrelly wrote:

I've recently set up an IPSec VPN between a VPS I run and a Cisco IOS
router. This seems to function just fine (initiates and passes traffic
as designed) however I'm seeing frequent crashes on the libreswan end,
which is causing disruptions in connectivity.  The frequency of the
crashing is usually 1-2 times per day.

The Cisco end is an 800 series router running 15.4(3)M which acts as a
spoke, initiating connections.  The VPS end is acting as a hub and is
a Gentoo x86_64 VM running on Linode, who use Xen.  I am using the
kernel they supply as part of the VPS, which is currently 3.15.4.  I
am running with libreswan-3.10 and nss-3.17.1 from Gentoo portage.

The IPSec connection uses IKEv2 and runs in tunnel mode, and I have
separate /32s on each end of the link and only encrypt data between
the two endpoints.

The libreswan config I have is:

conn reub.net
       type=tunnel
       left=106.187.48.126
       [email protected]
       leftsubnet=192.168.6.1/32
       leftsourceip=192.168.6.1
       right=%any
       [email protected]
       rightsubnet=192.168.6.2/32
       authby=secret
       ikev2=insist
       ike=aes256-sha1;modp1536
       esp=aes128-sha1;modp1536
       mtu=1438
       dpddelay=15
       dpdtimeout=45
       dpdaction=restart
       auto=add

Can you try adding ikelifetime=15m and salifetime=30m ? It seems like
the cisco is giving a message we don't like.

Sure - done.

Frequently the libreswan end seems to just die.  Pluto crashes out
entirely and the VPN goes down.

At the time of this the following is logged in the kernel log:

Oct  6 14:52:06 lightning kernel: pluto[23223]: segfault at 58 ip
00007f8f85f0c8d0 sp 00007fffb30275b8 error 4 in
libnss3.so[7f8f85ebc000+11f000]

And in the auth.log the lines preceding this are:

Oct  6 14:50:12 lightning pluto[23223]: | V2 microcode entry (R2:
process INFORMATIONAL) has unspecified timeout_event

It would be useful to have the full debug log for that with more
history.

Now set - so waiting for it to fail again. I have set debugging to all this time too.

There are two other possible issues that are probably unrelated that I've observed:

1. "ipsec verify" spits out errors and fails with python-3.4:

lightning log # ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.10 (netkey) on 3.15.4-x86_64-linode45
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [NOT DISABLED]

Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects                  [NOT DISABLED]

Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [FAILED]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/dummy0/rp_filter               [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/gre0/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/gretap0/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/ip6_vti0/rp_filter             [ENABLED]
 /proc/sys/net/ipv4/conf/ip6gre0/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/ip6tnl0/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter                   [ENABLED]
 /proc/sys/net/ipv4/conf/sit0/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/teql0/rp_filter                [ENABLED]
 /proc/sys/net/ipv4/conf/tunl0/rp_filter                [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto ipsec.secret syntax Traceback (most recent call last):
  File "/usr/libexec/ipsec/verify", line 476, in <module>
    main()
  File "/usr/libexec/ipsec/verify", line 465, in main
    plutocheck()
  File "/usr/libexec/ipsec/verify", line 121, in plutocheck
    ipsecsecretcheck()
  File "/usr/libexec/ipsec/verify", line 374, in ipsecsecretcheck
    output = output.decode(prefencoding)
AttributeError: 'str' object has no attribute 'decode'
lightning log #

Seems to be OK with python-2.7 though:

lightning log # python2.7 /usr/libexec/ipsec/verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.10 (netkey) on 3.15.4-x86_64-linode45
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [NOT DISABLED]

Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects                  [NOT DISABLED]

Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [FAILED]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/dummy0/rp_filter               [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/gre0/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/gretap0/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/ip6_vti0/rp_filter             [ENABLED]
 /proc/sys/net/ipv4/conf/ip6gre0/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/ip6tnl0/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter                   [ENABLED]
 /proc/sys/net/ipv4/conf/sit0/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/teql0/rp_filter                [ENABLED]
 /proc/sys/net/ipv4/conf/tunl0/rp_filter                [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [FAILED]
        [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK]
Opportunistic Encryption                                [DISABLED]

ipsec verify: encountered 35 errors - see 'man ipsec_verify' for help
lightning log #

Note the IP command result, particularly.

2. When the link is torn down, the MTU command is failing:

2014-10-06 19:28:06 "reub.net": unroute-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip route del 192.168.6.2/32 dev eth0 mtu 1438PLUTO_ADDTIME=0 " failed (Error: argument "1438PLUTO_ADDTIME=0" is wrong: "mtu" value is invalid)

(the spacing is shown as logged - it seems there may be a space missing after the MTU value...?)

Thanks,
Reuben
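The `ipsec verify` traceback above comes from calling `.decode()` unconditionally on subprocess output, which is bytes on Python 2 but may already be text on Python 3. The following is an added example, not libreswan's own verify script: a portable decode helper plus a hypothetical `secrets_syntax_ok` check that consumes it (the "error" marker it looks for is an assumption for illustration).

```python
"""Portable handling of subprocess output for a verify-style check script.

Added example (not libreswan code). Python 2 pipes yield byte strings that
must be decoded; Python 3 pipes yield bytes in binary mode but str in text
mode, and str has no .decode(), which is exactly the AttributeError seen
when running /usr/libexec/ipsec/verify under python-3.4.
"""
import locale
import subprocess


def decode_output(output, encoding=None):
    """Return `output` as text whether it arrives as bytes or already str.

    Mirrors the failing line `output = output.decode(prefencoding)` but only
    decodes when there is something to decode. Undecodable bytes are
    replaced rather than raising, since the caller only scans the text.
    """
    if encoding is None:
        encoding = locale.getpreferredencoding() or "utf-8"
    if isinstance(output, bytes):
        return output.decode(encoding, errors="replace")
    return output  # already text (Python 3 text-mode pipe)


def run_check(argv):
    """Run a command and return (exit status, text output).

    stderr is merged into stdout so an error message from the checked tool
    is captured; the raw bytes are normalised through decode_output().
    """
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)
    out, _ = proc.communicate()
    return proc.returncode, decode_output(out)


def secrets_syntax_ok(output):
    """Hypothetical secrets-syntax verdict on captured output.

    Assumption for illustration: the checked tool prints a line containing
    'error' (any case) when the secrets file does not parse.
    """
    text = decode_output(output)
    return not any("error" in line.lower() for line in text.splitlines())
```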



_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan