Thank you so much, Paul, for your prompt response. A couple of questions:
* I do not understand the issue very well. In my setup one source IP
negotiates with multiple destination IPs and also probably loopback on the same
host. If you see below, all highlighted SA pairs are unique.
* This is a blocker issue for us and we are looking for a workaround and a fix.
Because in my case, as you say, DPD isn't enabled, the connection doesn't get
re-established. Would you kindly suggest whether adding
dpdaction=restart to my conf file would suffice?
* Is there an ETA for the SEGV fix? We would be very interested in helping
test the fix whenever a patch is available, or in supporting the fix for this
issue in any other way.
Jan 20 20:26:21 scaqat33adm04vm01.oracle.local pluto[392092]: addconn:
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private#192.200.7.0/24"[1] ...192.200.7.10: initiate on-demand for packet
192.200.7.49:8-ICMP->192.200.7.10:0
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[1] ...192.200.7.10: initiate on-demand for packet
192.200.7.50:8-ICMP->192.200.7.10:0
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[2] ...192.200.7.49: initiate on-demand for packet
192.200.7.50:8-ICMP->192.200.7.49:0
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[3] ...192.200.7.5: initiate on-demand for packet
192.200.7.50:8-ICMP->192.200.7.5:0
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private#192.200.7.0/24"[2] ...192.200.7.5: initiate on-demand for packet
192.200.7.49:8-ICMP->192.200.7.5:0
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[4] ...192.200.7.6: initiate on-demand for packet
192.200.7.50:8-ICMP->192.200.7.6:0
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private#192.200.7.0/24"[3] ...192.200.7.50: initiate on-demand for packet
192.200.7.49:8-ICMP->192.200.7.50:0
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[5] ...192.200.7.7: initiate on-demand for packet
192.200.7.50:8-ICMP->192.200.7.7:0
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private#192.200.7.0/24"[4] ...192.200.7.6: initiate on-demand for packet
192.200.7.49:8-ICMP->192.200.7.6:0
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[6] ...192.200.7.8: initiate on-demand for packet
192.200.7.50:8-ICMP->192.200.7.8:0
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private#192.200.7.0/24"[5] ...192.200.7.7: initiate on-demand for packet
192.200.7.49:8-ICMP->192.200.7.7:0
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[7] ...192.200.7.9: initiate on-demand for packet
192.200.7.50:8-ICMP->192.200.7.9:0
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private#192.200.7.0/24"[6] ...192.200.7.8: initiate on-demand for packet
192.200.7.49:8-ICMP->192.200.7.8:0
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private#192.200.7.0/24"[7] ...192.200.7.9: initiate on-demand for packet
192.200.7.49:8-ICMP->192.200.7.9:0
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private#192.200.7.0/24"[3] ...192.200.7.50 #7: processed IKE_SA_INIT response
from 192.200.7.50:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf>
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[2] ...192.200.7.49 #3: processed IKE_SA_INIT
response from 192.200.7.49:UDP/500 {cipher=AES_GCM_16_256 integ=n/a p>
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: processing decrypted
IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr,N(USE_TRANSPORT_MODE)}
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: responder established IKE
SA; authenticated peer using authby=null and ID_NULL 'ID_NULL'
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: NULL auth ID for different
IP's cannot replace each other
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: NULL auth ID for different
IP's cannot replace each other
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: NULL auth ID for different
IP's cannot replace each other
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: NULL auth ID for different
IP's cannot replace each other
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: NULL auth ID for different
IP's cannot replace each other
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[2] ...192.200.7.49: terminating SAs using this
connection
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]:
"private-2#192.200.7.0/24"[2] ...192.200.7.49 #3: deleting IKE SA (sent
IKE_AUTH request)
Jan 20 20:26:22 scaqat33adm04vm01.oracle.local systemd[1]: ipsec.service: Main
process exited, code=dumped, status=11/SEGV
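A triage helper for log excerpts like the ones above, added here as an example and not libreswan code. It parses the journal lines that pluto and systemd emit and reports, per peer address, whether this host was acting as IKE initiator and responder toward that peer at the same time (two instances of the same group connection for one address, which is the situation the "cannot replace each other" message describes), whether the NULL-auth refusal was logged, which IKE SAs were deleted, and which peer was being handled when the service core-dumped. The sample lines are constructed by unwrapping lines from the 20:26:22 excerpt in this thread onto single lines, abridged where the original was cut off; the dataclass and function names are this example's own.

```python
"""Triage for pluto journal excerpts (added example, not libreswan code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Connection-instance lines, e.g.
#   "private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: processing decrypted IKE_AUTH request: ...
#   "private-2#192.200.7.0/24"[2] ...192.200.7.49: terminating SAs using this connection
CONN_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] \.\.\.(?P<peer>[^\s:]+)'
    r'(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
SEGV_RE = re.compile(r"systemd\[\d+\]: ipsec\.service: Main process exited, code=dumped, status=11/SEGV")
REFUSAL = "NULL auth ID for different IP's cannot replace each other"


@dataclass
class PeerState:
    initiated: List[str] = field(default_factory=list)  # instances where we sent IKE_SA_INIT
    responded: List[str] = field(default_factory=list)  # instances where we answered their IKE_AUTH
    refusals: int = 0
    deleted_sas: List[int] = field(default_factory=list)


@dataclass
class Triage:
    peers: Dict[str, PeerState] = field(default_factory=dict)
    segv_after_peer: Optional[str] = None  # peer on the last connection line before the SEGV


def analyze(lines):
    """Walk the log once and classify every connection-instance line by peer."""
    t = Triage()
    last_peer = None
    for line in lines:
        if SEGV_RE.search(line):
            t.segv_after_peer = last_peer
            continue
        m = CONN_RE.search(line)
        if not m:
            continue  # addconn noise, interface lines, truncated lines
        peer, msg, sa = m["peer"], m["msg"], m["sa"]
        inst = f'{m["conn"]}[{m["inst"]}]'
        ps = t.peers.setdefault(peer, PeerState())
        last_peer = peer
        if msg.startswith(("initiate on-demand", "processed IKE_SA_INIT response")):
            if inst not in ps.initiated:
                ps.initiated.append(inst)
        elif msg.startswith(("processing decrypted IKE_AUTH request", "responder established IKE SA")):
            if inst not in ps.responded:
                ps.responded.append(inst)
        elif msg.startswith(REFUSAL):
            ps.refusals += 1
        elif msg.startswith("deleting IKE SA") and sa is not None:
            ps.deleted_sas.append(int(sa))
    return t


def crossing_peers(t):
    """Peers this host both initiated to and responded to in the same excerpt."""
    return sorted(p for p, s in t.peers.items() if s.initiated and s.responded)


def summarize(lines):
    t = analyze(lines)
    return {
        "crossing": crossing_peers(t),
        "refused": sorted(p for p, s in t.peers.items() if s.refusals),
        "segv_after_peer": t.segv_after_peer,
    }


# Constructed sample: lines from the 20:26:22 excerpt in this thread, unwrapped
# onto single lines and abridged where the original was cut off.
H = "Jan 20 20:26:22 scaqat33adm04vm01.oracle.local"
SAMPLE_LOG = [
    f'{H} pluto[392092]: "private#192.200.7.0/24"[1] ...192.200.7.10: initiate on-demand for packet 192.200.7.49:8-ICMP->192.200.7.10:0',
    f'{H} pluto[392092]: "private-2#192.200.7.0/24"[2] ...192.200.7.49: initiate on-demand for packet 192.200.7.50:8-ICMP->192.200.7.49:0',
    f'{H} pluto[392092]: "private-2#192.200.7.0/24"[2] ...192.200.7.49 #3: processed IKE_SA_INIT response from 192.200.7.49:UDP/500 {{cipher=AES_GCM_16_256 integ=n/a}}',
    f'{H} pluto[392092]: "private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: processing decrypted IKE_AUTH request: SK{{IDi,IDr,AUTH,SA,TSi,TSr,N(USE_TRANSPORT_MODE)}}',
    f"{H} pluto[392092]: \"private-2#192.200.7.0/24\"[8] ...192.200.7.49 #15: responder established IKE SA; authenticated peer using authby=null and ID_NULL 'ID_NULL'",
    f"{H} pluto[392092]: \"private-2#192.200.7.0/24\"[8] ...192.200.7.49 #15: {REFUSAL}",
    f'{H} pluto[392092]: "private-2#192.200.7.0/24"[2] ...192.200.7.49: terminating SAs using this connection',
    f'{H} pluto[392092]: "private-2#192.200.7.0/24"[2] ...192.200.7.49 #3: deleting IKE SA (sent IKE_AUTH request)',
    f"{H} systemd[1]: ipsec.service: Main process exited, code=dumped, status=11/SEGV",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feed it `journalctl -u ipsec --no-pager -o short` output (one line per record) rather than the wrapped text of the mail; lines that do not carry a `"conn"[n] ...peer` prefix are skipped, so the addconn and interface lines are harmless.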
From: Paul Wouters <[email protected]>
Date: Monday, January 20, 2025 at 6:31 PM
To: Mamta Gambhir <[email protected]>
Cc: [email protected] <[email protected]>
Subject: [External] : Re: [Swan] SEGV using NULL authentication with multiple
peers
On Jan 20, 2025, at 20:40, Mamta Gambhir via Swan <[email protected]>
wrote:
I have been using the NULL authentication method with an opportunistic connection, but
now I have increased the number of peers and I see this error message and a SEGV. Is it a known issue
with libreswan, or related to multiple peers using NULL authentication or an
opportunistic connection?
I see a message like –
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: NULL auth ID for
different IP's cannot replace each other
And then SEGV coredump.
The segfault is a new bug we need to fix.
The root cause is that you have a connection with an IP and that same IP is
trying again to build one. It is not allowed to replace because it cannot prove
it is the same entity because of null auth. When you have dpd enabled though,
the current connection should get marked as dead and taken down and things will
be able to establish again.
We will add a test case and fix the segfault.
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface stre1 192.200.7.6:500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface stre1 192.200.7.6:4500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface stre0 192.200.7.5:500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface stre0 192.200.7.5:4500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface eth0 10.106.16.43:500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface eth0 10.106.16.43:4500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface lo 127.0.0.1:500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface lo 127.0.0.1:4500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface lo [::1]:500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding
UDP interface lo [::1]:4500
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
"private-or-clear-2": oriented IKEv2 connection (local: left=192.200.7.6 remote:
right=0.0.0.0)
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
"private-or-clear": oriented IKEv2 connection (local: left=192.200.7.5 remote:
right=0.0.0.0)
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: loading
secrets from "/etc/ipsec.secrets"
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: loading
group "/etc/ipsec.d/policies/private-or-clear-2"
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: loading
group "/etc/ipsec.d/policies/private-or-clear"
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
"private-or-clear#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
"private-or-clear#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
"private-or-clear-2#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
"private-or-clear-2#192.200.7.0/24": route-host output: need at least a
destination address
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[1] ...192.200.7.7: initiate on-demand for
packet 192.200.7.5:0-ICMP->192.200.7.7:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[2] ...192.200.7.8: initiate on-demand for
packet 192.200.7.5:0-ICMP->192.200.7.8:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[1] ...192.200.7.7: initiate on-demand for
packet 192.200.7.6:0-ICMP->192.200.7.7:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[3] ...192.200.7.10: initiate on-demand for
packet 192.200.7.5:8-ICMP->192.200.7.10:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[4] ...192.200.7.47: initiate on-demand for
packet 192.200.7.5:8-ICMP->192.200.7.47:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[5] ...192.200.7.48: initiate on-demand for
packet 192.200.7.5:8-ICMP->192.200.7.48:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[2] ...192.200.7.47: initiate on-demand for
packet 192.200.7.6:8-ICMP->192.200.7.47:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[6] ...192.200.7.6: initiate on-demand for
packet 192.200.7.5:8-ICMP->192.200.7.6:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[3] ...192.200.7.48: initiate on-demand for
packet 192.200.7.6:8-ICMP->192.200.7.48:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[7] ...192.200.7.9: initiate on-demand for
packet 192.200.7.5:8-ICMP->192.200.7.9:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5: initiate on-demand for
packet 192.200.7.6:8-ICMP->192.200.7.5:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[5] ...192.200.7.9: initiate on-demand for
packet 192.200.7.6:8-ICMP->192.200.7.9:0
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear#192.200.7.0/24"[6] ...192.200.7.6 #8: processed IKE_SA_INIT
response from 192.200.7.6:UDP/500 {cipher=AES_GCM_16_256 integ=n>
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5 #11: processed
IKE_SA_INIT response from 192.200.7.5:UDP/500 {cipher=AES_GCM_16_256 inte>
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: processing decrypted
IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr,N(USE_TRANSPORT_M>
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: responder
established IKE SA; authenticated peer using authby=null and ID_NULL 'ID_>
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: NULL auth ID for
different IP's cannot replace each other
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5: terminating SAs using
this connection
Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]:
"private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5 #11: deleting IKE SA
(sent IKE_AUTH request)
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Main
process exited, code=dumped, status=11/SEGV
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Failed
with result 'core-dump'.
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service:
Service RestartSec=100ms expired, scheduling restart.
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service:
Scheduled restart job, restart counter is at 5.
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: Stopped Internet Key
Exchange (IKE) Protocol Daemon for IPsec.
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Start
request repeated too quickly.
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Failed
with result 'core-dump'.
Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: Failed to start
Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Libreswan version used –
# ipsec status
ERROR: ipsec whack: connect(pluto_ctl) failed: Connection refused (errno 111)
# rpm -qa | grep libreswan
libreswan-5.0-1.0.1.el8.x86_64
My .conf files are –
conn private-or-clear
    authby=null
    leftid=%null
    rightid=%null
    left=192.200.7.5
    right=%opportunisticgroup
    negotiationshunt=passthrough
    failureshunt=passthrough
    ikev2=insist
    auto=route
    type=transport
    nic-offload=packet

conn private-or-clear-2
    authby=null
    leftid=%null
    rightid=%null
    left=192.200.7.6
    right=%opportunisticgroup
    negotiationshunt=passthrough
    failureshunt=passthrough
    ikev2=insist
    auto=route
    type=transport
    nic-offload=packet
Thanks for the pointers
_______________________________________________
Swan mailing list -- [email protected]
To unsubscribe send an email to [email protected]
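Where the liveness settings go, as an added example that is neither the poster's file nor libreswan documentation: the private-or-clear conn from the thread with DPD keywords added. The reply in the thread says that with DPD enabled a stale connection to a peer is marked dead and taken down, which is what lets that peer's next NULL-auth attempt proceed instead of being refused as "cannot replace each other". dpddelay= and dpdaction= are libreswan ipsec.conf keyword names; the 10-second interval is an assumption to tune, dpdaction=restart is the value the poster proposes, and the thread does not establish whether that value is honoured for IKEv2 on this 5.0 build, so confirm against ipsec.conf(5) for the installed version before relying on it. Comments are on their own lines so the fragment loads as written.

```ini
conn private-or-clear
    authby=null
    leftid=%null
    rightid=%null
    left=192.200.7.5
    right=%opportunisticgroup
    negotiationshunt=passthrough
    failureshunt=passthrough
    ikev2=insist
    auto=route
    type=transport
    nic-offload=packet
    # Added for this example: IKEv2 liveness probes, so a peer whose IKE SA
    # has vanished is declared dead and its connection torn down rather than
    # left in place to block the peer's next NULL-auth negotiation.
    # 10 seconds is an assumed interval; tune it for the environment.
    dpddelay=10
    # Value proposed in the thread; verify it applies to IKEv2 on this build.
    dpdaction=restart
```

After reloading (`ipsec auto --replace private-or-clear` or a service restart), `ipsec status` shows the connection's DPD settings, so that is the place to check the keywords took effect before reproducing the multi-peer scenario.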