> On Jan 20, 2025, at 20:40, Mamta Gambhir via Swan <[email protected]>
> wrote:
>
>
> I have been using the NULL authentication method with opportunistic connection,
> but now I increased the # of peers and I see this error message and a SEGV. Is it
> a known issue with libreswan, or related to multiple peers using NULL
> authentication or opportunistic connection?
>
> I see message like –
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: NULL auth ID for
> different IP's cannot replace each other
> And then SEGV coredump.
The segfault is a new bug we need to fix.
The root cause is that you have a connection with an IP and that same IP is
trying again to build one. It is not allowed to replace because it cannot prove
it is the same entity because of null auth. When you have dpd enabled though,
the current connection should get marked as dead and taken down and things will
be able to establish again.
We will add a test case and fix the segfault.
>
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
> UDP interface stre1 192.200.7.6:500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
> UDP interface stre1 192.200.7.6:4500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
> UDP interface stre0 192.200.7.5:500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
> UDP interface stre0 192.200.7.5:4500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
> UDP interface eth0 10.106.16.43:500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
> UDP interface eth0 10.106.16.43:4500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
> UDP interface lo 127.0.0.1:500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
> UDP interface lo 127.0.0.1:4500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
> UDP interface lo [::1]:500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
> UDP interface lo [::1]:4500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
> "private-or-clear-2": oriented IKEv2 connection (local: left=192.200.7.6
> remote: right=0.0.0.0)
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
> "private-or-clear": oriented IKEv2 connection (local: left=192.200.7.5
> remote: right=0.0.0.0)
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: loading
> secrets from "/etc/ipsec.secrets"
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: loading
> group "/etc/ipsec.d/policies/private-or-clear-2"
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: loading
> group "/etc/ipsec.d/policies/private-or-clear"
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear#192.200.7.0/24": route-host output: need at least a
> destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear#192.200.7.0/24": route-host output: need at least a
> destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
> "private-or-clear#192.200.7.0/24": route-host output: need at least a
> destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
> "private-or-clear#192.200.7.0/24": route-host output: need at least a
> destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear-2#192.200.7.0/24": route-host output: need at least a
> destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear-2#192.200.7.0/24": route-host output: need at least a
> destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
> "private-or-clear-2#192.200.7.0/24": route-host output: need at least a
> destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
> "private-or-clear-2#192.200.7.0/24": route-host output: need at least a
> destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear#192.200.7.0/24"[1] ...192.200.7.7: initiate on-demand for
> packet 192.200.7.5:0-ICMP->192.200.7.7:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear#192.200.7.0/24"[2] ...192.200.7.8: initiate on-demand for
> packet 192.200.7.5:0-ICMP->192.200.7.8:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear-2#192.200.7.0/24"[1] ...192.200.7.7: initiate on-demand for
> packet 192.200.7.6:0-ICMP->192.200.7.7:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear#192.200.7.0/24"[3] ...192.200.7.10: initiate on-demand for
> packet 192.200.7.5:8-ICMP->192.200.7.10:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear#192.200.7.0/24"[4] ...192.200.7.47: initiate on-demand for
> packet 192.200.7.5:8-ICMP->192.200.7.47:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear#192.200.7.0/24"[5] ...192.200.7.48: initiate on-demand for
> packet 192.200.7.5:8-ICMP->192.200.7.48:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear-2#192.200.7.0/24"[2] ...192.200.7.47: initiate on-demand
> for packet 192.200.7.6:8-ICMP->192.200.7.47:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear#192.200.7.0/24"[6] ...192.200.7.6: initiate on-demand for
> packet 192.200.7.5:8-ICMP->192.200.7.6:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear-2#192.200.7.0/24"[3] ...192.200.7.48: initiate on-demand
> for packet 192.200.7.6:8-ICMP->192.200.7.48:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear#192.200.7.0/24"[7] ...192.200.7.9: initiate on-demand for
> packet 192.200.7.5:8-ICMP->192.200.7.9:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5: initiate on-demand for
> packet 192.200.7.6:8-ICMP->192.200.7.5:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear-2#192.200.7.0/24"[5] ...192.200.7.9: initiate on-demand for
> packet 192.200.7.6:8-ICMP->192.200.7.9:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear#192.200.7.0/24"[6] ...192.200.7.6 #8: processed IKE_SA_INIT
> response from 192.200.7.6:UDP/500 {cipher=AES_GCM_16_256 integ=n>
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5 #11: processed
> IKE_SA_INIT response from 192.200.7.5:UDP/500 {cipher=AES_GCM_16_256 inte>
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: processing
> decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr,N(USE_TRANSPORT_M>
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: responder
> established IKE SA; authenticated peer using authby=null and ID_NULL 'ID_>
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: NULL auth ID for
> different IP's cannot replace each other
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5: terminating SAs using
> this connection
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
> "private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5 #11: deleting IKE SA
> (sent IKE_AUTH request)
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Main
> process exited, code=dumped, status=11/SEGV
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service:
> Failed with result 'core-dump'.
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service:
> Service RestartSec=100ms expired, scheduling restart.
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service:
> Scheduled restart job, restart counter is at 5.
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: Stopped Internet
> Key Exchange (IKE) Protocol Daemon for IPsec.
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service:
> Start request repeated too quickly.
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service:
> Failed with result 'core-dump'.
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: Failed to start
> Internet Key Exchange (IKE) Protocol Daemon for IPsec.
>
>
> Libreswan version used –
> # ipsec status
> ERROR: ipsec whack: connect(pluto_ctl) failed: Connection refused (errno 111)
> #rpm -qa | grep libreswan
> libreswan-5.0-1.0.1.el8.x86_64
>
> My .conf files are –
>
> conn private-or-clear
>     authby=null
>     leftid=%null
>     rightid=%null
>     left=192.200.7.5
>     right=%opportunisticgroup
>     negotiationshunt=passthrough
>     failureshunt=passthrough
>     ikev2=insist
>     auto=route
>     type=transport
>     nic-offload=packet
>
> conn private-or-clear-2
>     authby=null
>     leftid=%null
>     rightid=%null
>     left=192.200.7.6
>     right=%opportunisticgroup
>     negotiationshunt=passthrough
>     failureshunt=passthrough
>     ikev2=insist
>     auto=route
>     type=transport
>     nic-offload=packet
>
> Thanks for the pointers
> _______________________________________________
> Swan mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
_______________________________________________
Swan mailing list -- [email protected]
To unsubscribe send an email to [email protected]
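The condition described in the reply above (the same peer IP instantiated twice under one opportunistic null-auth connection, e.g. 192.200.7.5 under "private-or-clear-2#192.200.7.0/24"[4] as IKE SA #11 and under [6] as #13, followed by the "NULL auth ID for different IP's cannot replace each other" refusal and then the SEGV) is something an operator can watch for in the journal before pluto falls over. The script below is an added example written for this thread, not libreswan code or anything the list members posted: it parses pluto's per-instance log prefix with a regex modelled on the lines quoted above, reports peers that appear under more than one instance index of the same connection, lists the instances that hit the refusal message, and checks whether a systemd SEGV followed. The sample log lines are constructed to mirror the quoted ones (hostname shortened), and the prefix format is assumed from those lines rather than from libreswan's source.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto/systemd lines quoted in the thread
# (hostname shortened, truncated tails dropped). Not a real capture.
SAMPLE_LOG = [
    'Jan 20 16:36:31 host pluto[335818]: "private-or-clear#192.200.7.0/24"[6] ...192.200.7.6: initiate on-demand for packet 192.200.7.5:8-ICMP->192.200.7.6:0',
    'Jan 20 16:36:31 host pluto[335818]: "private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5: initiate on-demand for packet 192.200.7.6:8-ICMP->192.200.7.5:0',
    'Jan 20 16:36:31 host pluto[335818]: "private-or-clear#192.200.7.0/24"[6] ...192.200.7.6 #8: processed IKE_SA_INIT response from 192.200.7.6:UDP/500',
    'Jan 20 16:36:31 host pluto[335818]: "private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5 #11: processed IKE_SA_INIT response from 192.200.7.5:UDP/500',
    'Jan 20 16:36:31 host pluto[335818]: "private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: responder established IKE SA; authenticated peer using authby=null and ID_NULL',
    'Jan 20 16:36:31 host pluto[335818]: "private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: NULL auth ID for different IP\'s cannot replace each other',
    'Jan 20 16:36:31 host pluto[335818]: "private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5 #11: deleting IKE SA (sent IKE_AUTH request)',
    'Jan 20 16:36:31 host systemd[1]: ipsec.service: Main process exited, code=dumped, status=11/SEGV',
]

# Assumed prefix layout, taken from the quoted lines:
#   pluto[PID]: "CONN#SUBNET"[INSTANCE] ...PEER_IP [#SA]: MESSAGE
# IPv4 peers only, as in the thread.
INSTANCE_RE = re.compile(
    r'pluto\[\d+\]:\s+"(?P<conn>[^"]+)"\[(?P<idx>\d+)\]\s+'
    r'\.\.\.(?P<peer>\d{1,3}(?:\.\d{1,3}){3})'
    r'(?:\s+#(?P<sa>\d+))?:\s+(?P<msg>.*)$'
)
REPLACE_REFUSED = "NULL auth ID for different IP's cannot replace each other"
SEGV_MARKER = "status=11/SEGV"


def parse_instances(lines):
    """Yield one dict per line that carries a pluto connection-instance prefix."""
    events = []
    for line in lines:
        m = INSTANCE_RE.search(line)
        if m:
            events.append({
                "conn": m.group("conn"),
                "idx": int(m.group("idx")),
                "peer": m.group("peer"),
                "sa": int(m.group("sa")) if m.group("sa") else None,
                "msg": m.group("msg"),
            })
    return events


def find_null_auth_collisions(lines):
    """Map (connection, peer IP) -> sorted instance indices for every peer that
    was instantiated more than once under the same connection. With authby=null
    neither instance can prove it is the same entity, so these are the pairs
    pluto refuses to let replace each other."""
    seen = defaultdict(set)
    for ev in parse_instances(lines):
        seen[(ev["conn"], ev["peer"])].add(ev["idx"])
    return {key: sorted(idxs) for key, idxs in seen.items() if len(idxs) > 1}


def replace_refused(lines):
    """Sorted list of (connection, instance, peer, IKE SA) that logged the refusal."""
    return sorted(
        (ev["conn"], ev["idx"], ev["peer"], ev["sa"])
        for ev in parse_instances(lines)
        if REPLACE_REFUSED in ev["msg"]
    )


def crashed_after_refusal(lines):
    """True if a systemd SEGV line follows the first refusal message."""
    refused = False
    for line in lines:
        if REPLACE_REFUSED in line:
            refused = True
        if refused and SEGV_MARKER in line:
            return True
    return False


if __name__ == "__main__":
    for (conn, peer), idxs in find_null_auth_collisions(SAMPLE_LOG).items():
        print(f"{conn}: peer {peer} instantiated as {idxs}")
    for conn, idx, peer, sa in replace_refused(SAMPLE_LOG):
        print(f"refusal: {conn}[{idx}] ...{peer} #{sa}")
    print("pluto crashed after refusal:", crashed_after_refusal(SAMPLE_LOG))
```

Feeding `journalctl -u ipsec -o short` output into these functions is enough to alert on the refusal line itself, which precedes the crash, while the collision map tells you which connection and peer address are involved so you can check whether that peer is expected to appear twice (for instance because dpd is not enabled and a stale instance never got torn down).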