Could you create a bug? It will make it easier to track.
On Mon, 20 Jan 2025 at 23:37, Mamta Gambhir via Swan <[email protected]> wrote:
>
> Thank you so much Paul for your prompt response. A couple of questions:
>
> I am not understanding the issue very well. In my setup one source IP negotiates with multiple destination IPs and also probably loopback on the same host. If you see below, all highlighted SA pairs are unique.
> This is a blocker issue for us and we are looking for a workaround and a fix. Because in my case, as you say, DPD isn't enabled, the connection doesn't get re-established. Would you kindly suggest whether adding
>
> dpdaction=restart
>
> below in my conf file would suffice?
>
> Is there an ETA for the SEGV fix? We will be very interested in helping test the fix whenever a patch is available, or in supporting the fix for this issue in any other way.
>
> Jan 20 20:26:21 scaqat33adm04vm01.oracle.local pluto[392092]: addconn:
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private#192.200.7.0/24"[1] ...192.200.7.10: initiate on-demand for packet 192.200.7.49:8-ICMP->192.200.7.10:0
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[1] ...192.200.7.10: initiate on-demand for packet 192.200.7.50:8-ICMP->192.200.7.10:0
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[2] ...192.200.7.49: initiate on-demand for packet 192.200.7.50:8-ICMP->192.200.7.49:0
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[3] ...192.200.7.5: initiate on-demand for packet 192.200.7.50:8-ICMP->192.200.7.5:0
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private#192.200.7.0/24"[2] ...192.200.7.5: initiate on-demand for packet 192.200.7.49:8-ICMP->192.200.7.5:0
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[4] ...192.200.7.6: initiate on-demand for packet 192.200.7.50:8-ICMP->192.200.7.6:0
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private#192.200.7.0/24"[3] ...192.200.7.50: initiate on-demand for packet 192.200.7.49:8-ICMP->192.200.7.50:0
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[5] ...192.200.7.7: initiate on-demand for packet 192.200.7.50:8-ICMP->192.200.7.7:0
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private#192.200.7.0/24"[4] ...192.200.7.6: initiate on-demand for packet 192.200.7.49:8-ICMP->192.200.7.6:0
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[6] ...192.200.7.8: initiate on-demand for packet 192.200.7.50:8-ICMP->192.200.7.8:0
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private#192.200.7.0/24"[5] ...192.200.7.7: initiate on-demand for packet 192.200.7.49:8-ICMP->192.200.7.7:0
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[7] ...192.200.7.9: initiate on-demand for packet 192.200.7.50:8-ICMP->192.200.7.9:0
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private#192.200.7.0/24"[6] ...192.200.7.8: initiate on-demand for packet 192.200.7.49:8-ICMP->192.200.7.8:0
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private#192.200.7.0/24"[7] ...192.200.7.9: initiate on-demand for packet 192.200.7.49:8-ICMP->192.200.7.9:0
>
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private#192.200.7.0/24"[3] ...192.200.7.50 #7: processed IKE_SA_INIT response from 192.200.7.50:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf>
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[2] ...192.200.7.49 #3: processed IKE_SA_INIT response from 192.200.7.49:UDP/500 {cipher=AES_GCM_16_256 integ=n/a p>
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr,N(USE_TRANSPORT_MODE)}
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: responder established IKE SA; authenticated peer using authby=null and ID_NULL 'ID_NULL'
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: NULL auth ID for different IP's cannot replace each other
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: NULL auth ID for different IP's cannot replace each other
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: NULL auth ID for different IP's cannot replace each other
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: NULL auth ID for different IP's cannot replace each other
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: NULL auth ID for different IP's cannot replace each other
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[2] ...192.200.7.49: terminating SAs using this connection
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local pluto[392092]: "private-2#192.200.7.0/24"[2] ...192.200.7.49 #3: deleting IKE SA (sent IKE_AUTH request)
> Jan 20 20:26:22 scaqat33adm04vm01.oracle.local systemd[1]: ipsec.service: Main process exited, code=dumped, status=11/SEGV
> J
>
> From: Paul Wouters <[email protected]>
> Date: Monday, January 20, 2025 at 6:31 PM
> To: Mamta Gambhir <[email protected]>
> Cc: [email protected] <[email protected]>
> Subject: [External] : Re: [Swan] SEGV using NULL authentication with multiple peers
>
> On Jan 20, 2025, at 20:40, Mamta Gambhir via Swan <[email protected]> wrote:
>
> I have been using the NULL authentication method with an opportunistic connection, but now I have increased the number of peers and I see this error message and a SEGV. Is it a known issue with libreswan, or is it related to multiple peers using NULL authentication or an opportunistic connection?
>
> I see a message like –
>
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: NULL auth ID for different IP's cannot replace each other
>
> And then a SEGV coredump.
>
> The segfault is a new bug we need to fix.
>
> The root cause is that you have a connection with an IP and that same IP is trying again to build one. It is not allowed to replace because it cannot prove it is the same entity because of null auth. When you have DPD enabled though, the current connection should get marked as dead and taken down and things will be able to establish again.
>
> We will add a test case and fix the segfault.
>
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding UDP interface stre1 192.200.7.6:500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding UDP interface stre1 192.200.7.6:4500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding UDP interface stre0 192.200.7.5:500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding UDP interface stre0 192.200.7.5:4500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding UDP interface eth0 10.106.16.43:500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding UDP interface eth0 10.106.16.43:4500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding UDP interface lo 127.0.0.1:500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding UDP interface lo 127.0.0.1:4500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding UDP interface lo [::1]:500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: adding UDP interface lo [::1]:4500
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: "private-or-clear-2": oriented IKEv2 connec
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: tion (local: left=192.200.7.6 remote: right=0.0.0.0)
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: "private-or-clear": oriented IKEv2 connection (local: left=192.200.7.5 remote: right=0.0.0.0)
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: loading secrets from "/etc/ipsec.secrets"
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: loading group "/etc/ipsec.d/policies/private-or-clear-2"
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: loading group "/etc/ipsec.d/policies/private-or-clear"
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear#192.200.7.0/24": route-host output: need at least a destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear#192.200.7.0/24": route-host output: need at least a destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: "private-or-clear#192.200.7.0/24": route-host output: need at least a destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: "private-or-clear#192.200.7.0/24": route-host output: need at least a destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear-2#192.200.7.0/24": route-host output: need at least a destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear-2#192.200.7.0/24": route-host output: need at least a destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: "private-or-clear-2#192.200.7.0/24": route-host output: need at least a destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn: "private-or-clear-2#192.200.7.0/24": route-host output: need at least a destination address
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: addconn:
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear#192.200.7.0/24"[1] ...192.200.7.7: initiate on-demand for packet 192.200.7.5:0-ICMP->192.200.7.7:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear#192.200.7.0/24"[2] ...192.200.7.8: initiate on-demand for packet 192.200.7.5:0-ICMP->192.200.7.8:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear-2#192.200.7.0/24"[1] ...192.200.7.7: initiate on-demand for packet 192.200.7.6:0-ICMP->192.200.7.7:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear#192.200.7.0/24"[3] ...192.200.7.10: initiate on-demand for packet 192.200.7.5:8-ICMP->192.200.7.10:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear#192.200.7.0/24"[4] ...192.200.7.47: initiate on-demand for packet 192.200.7.5:8-ICMP->192.200.7.47:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear#192.200.7.0/24"[5] ...192.200.7.48: initiate on-demand for packet 192.200.7.5:8-ICMP->192.200.7.48:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear-2#192.200.7.0/24"[2] ...192.200.7.47: initiate on-demand for packet 192.200.7.6:8-ICMP->192.200.7.47:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear#192.200.7.0/24"[6] ...192.200.7.6: initiate on-demand for packet 192.200.7.5:8-ICMP->192.200.7.6:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear-2#192.200.7.0/24"[3] ...192.200.7.48: initiate on-demand for packet 192.200.7.6:8-ICMP->192.200.7.48:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear#192.200.7.0/24"[7] ...192.200.7.9: initiate on-demand for packet 192.200.7.5:8-ICMP->192.200.7.9:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5: initiate on-demand for packet 192.200.7.6:8-ICMP->192.200.7.5:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear-2#192.200.7.0/24"[5] ...192.200.7.9: initiate on-demand for packet 192.200.7.6:8-ICMP->192.200.7.9:0
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear#192.200.7.0/24"[6] ...192.200.7.6 #8: processed IKE_SA_INIT response from 192.200.7.6:UDP/500 {cipher=AES_GCM_16_256 integ=n>
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5 #11: processed IKE_SA_INIT response from 192.200.7.5:UDP/500 {cipher=AES_GCM_16_256 inte>
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr,N(USE_TRANSPORT_M>
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: responder established IKE SA; authenticated peer using authby=null and ID_NULL 'ID_>
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear-2#192.200.7.0/24"[6] ...192.200.7.5 #13: NULL auth ID for different IP's cannot replace each other
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5: terminating SAs using this connection
> Jan 20 16:36:31 scaqat33celadm04.oracle.local pluto[335818]: "private-or-clear-2#192.200.7.0/24"[4] ...192.200.7.5 #11: deleting IKE SA (sent IKE_AUTH request)
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Main process exited, code=dumped, status=11/SEGV
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Failed with result 'core-dump'.
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Service RestartSec=100ms expired, scheduling restart.
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Scheduled restart job, restart counter is at 5.
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Start request repeated too quickly.
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: ipsec.service: Failed with result 'core-dump'.
> Jan 20 16:36:31 scaqat33celadm04.oracle.local systemd[1]: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
>
> Libreswan version used –
>
> # ipsec status
> ERROR: ipsec whack: connect(pluto_ctl) failed: Connection refused (errno 111)
>
> # rpm -qa | grep libreswan
> libreswan-5.0-1.0.1.el8.x86_64
>
> My .conf files are –
>
> conn private-or-clear
>     authby=null
>     leftid=%null
>     rightid=%null
>     left=192.200.7.5
>     right=%opportunisticgroup
>     negotiationshunt=passthrough
>     failureshunt=passthrough
>     ikev2=insist
>     auto=route
>     type=transport
>     nic-offload=packet
>
> conn private-or-clear-2
>     authby=null
>     leftid=%null
>     rightid=%null
>     left=192.200.7.6
>     right=%opportunisticgroup
>     negotiationshunt=passthrough
>     failureshunt=passthrough
>     ikev2=insist
>     auto=route
>     type=transport
>     nic-offload=packet
>
> Thanks for the pointers
>
> _______________________________________________
> Swan mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
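The journal excerpts in this thread carry the whole failure sequence: a peer IP that already owns a connection instance establishes a second one under authby=null, pluto logs "NULL auth ID for different IP's cannot replace each other", tears down the older SA, and the daemon then exits with status 11/SEGV. The following scanner is an added example written for this page; it is not code from libreswan or from anyone in the thread. It parses lines in the journalctl short format shown above, pairs each connection-instance `[N]` with its peer address, reports which existing instance a NULL-auth collision refers to, and notes whether a pluto core dump followed. It assumes IPv4 peers (the `[0-9.]+` pattern) and a hostname placeholder; the sample log lines are constructed for the example in the shape of the ones quoted in the thread.

```python
"""Scan pluto/systemd journal lines for NULL-auth instance collisions
followed by a pluto core dump (added example, not libreswan code)."""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines in the journalctl short format seen in the thread.
# "host.example" is a placeholder hostname, not one from the report.
SAMPLE_LOG = """\
Jan 20 20:26:22 host.example pluto[392092]: "private-2#192.200.7.0/24"[2] ...192.200.7.49: initiate on-demand for packet 192.200.7.50:8-ICMP->192.200.7.49:0
Jan 20 20:26:22 host.example pluto[392092]: "private-2#192.200.7.0/24"[2] ...192.200.7.49 #3: processed IKE_SA_INIT response from 192.200.7.49:UDP/500
Jan 20 20:26:22 host.example pluto[392092]: "private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: responder established IKE SA; authenticated peer using authby=null and ID_NULL 'ID_NULL'
Jan 20 20:26:22 host.example pluto[392092]: "private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: NULL auth ID for different IP's cannot replace each other
Jan 20 20:26:22 host.example pluto[392092]: "private-2#192.200.7.0/24"[8] ...192.200.7.49 #15: NULL auth ID for different IP's cannot replace each other
Jan 20 20:26:22 host.example pluto[392092]: "private-2#192.200.7.0/24"[2] ...192.200.7.49: terminating SAs using this connection
Jan 20 20:26:22 host.example pluto[392092]: "private-2#192.200.7.0/24"[2] ...192.200.7.49 #3: deleting IKE SA (sent IKE_AUTH request)
Jan 20 20:26:22 host.example systemd[1]: ipsec.service: Main process exited, code=dumped, status=11/SEGV
"""

# pluto connection-instance line: "conn#subnet"[N] ...peer [#state]: message
PLUTO_RE = re.compile(
    r'^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] \.\.\.(?P<peer>[0-9.]+)'   # IPv4 peers assumed
    r'(?: #(?P<state>\d+))?: (?P<msg>.*)$'
)
# systemd line that records the daemon dying with a signal
SEGV_RE = re.compile(
    r'systemd\[1\]: ipsec\.service: Main process exited, code=dumped, status=(?P<status>\d+/\w+)'
)
COLLISION_MSG = "NULL auth ID for different IP's cannot replace each other"


@dataclass(frozen=True)
class PlutoEvent:
    conn: str              # connection name incl. the "#subnet" group suffix
    inst: int              # connection instance number, the [N] in the log
    peer: str              # remote address printed after "..."
    state: Optional[int]   # IKE state number (#N); None on connection-level lines
    msg: str


def parse_pluto(line: str) -> Optional[PlutoEvent]:
    """Return a PlutoEvent for a connection-instance line, else None."""
    m = PLUTO_RE.match(line)
    if not m:
        return None
    state = int(m["state"]) if m["state"] else None
    return PlutoEvent(m["conn"], int(m["inst"]), m["peer"], state, m["msg"])


def analyze(lines) -> dict:
    """Walk the log once; report NULL-auth collisions and any later core dump."""
    instances: Dict[Tuple[str, str], Set[int]] = {}   # (conn, peer) -> instances seen
    collisions: List[dict] = []
    reported: Set[Tuple[str, str, int]] = set()       # pluto repeats the message; dedupe
    crash: Optional[dict] = None
    for line in lines:
        seg = SEGV_RE.search(line)
        if seg:
            crash = {"status": seg["status"], "after_collision": bool(collisions)}
            continue
        ev = parse_pluto(line)
        if ev is None:
            continue
        key = (ev.conn, ev.peer)
        known = instances.setdefault(key, set())
        if ev.msg == COLLISION_MSG and (ev.conn, ev.peer, ev.inst) not in reported:
            reported.add((ev.conn, ev.peer, ev.inst))
            collisions.append({
                "conn": ev.conn,
                "peer": ev.peer,
                "new_instance": ev.inst,
                "state": ev.state,
                # older instances for the same peer that the new one could not replace
                "existing_instances": sorted(known - {ev.inst}),
            })
        known.add(ev.inst)
    return {"collisions": collisions, "crash": crash}


if __name__ == "__main__":
    # Usage: journalctl -u ipsec | python3 scan.py   (or no stdin to use the sample)
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    report = analyze(src)
    for c in report["collisions"]:
        print(f'{c["conn"]} peer {c["peer"]}: new instance [{c["new_instance"]}] '
              f'(state #{c["state"]}) collided with existing {c["existing_instances"]}')
    if report["crash"]:
        print(f'pluto exited with status {report["crash"]["status"]}'
              f' after a NULL-auth collision: {report["crash"]["after_collision"]}')
```

Run against the sample, the scanner attributes the collision on `[8]` to the earlier instance `[2]` for 192.200.7.49, which is the pairing Paul describes: the same IP tries to build a second connection and, with null auth, cannot prove it is the same entity. A report whose `crash` entry has `after_collision` true is the signature to look for when checking whether a restart loop in `ipsec.service` traces back to this condition rather than to something else.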
