Hi,

Try building with -O2 instead of -O3 and see whether the crash goes away. Your gdb backtrace shows the fault inside mem_printf_hook() (utils/utils/memory.c:224) — the printf hook that renders the `%b` memory dump — reached from the `"stroke message %b"` log call in stroke_socket.c:647 with level=LEVEL_RAW. That log line is only emitted at cfg level 3 (raw blobs) or higher, which matches your observation that cfg 2 works and cfg 3 does not; every stroke command (e.g. `ipsec up`) will then hit it. With a compiler as old as gcc 4.5.1, optimizer behaviour at -O3 is the most plausible suspect; if -O2 fixes it that is a strong hint, if not please post back. Either way a symbolized trace would help: the charon backtrace shows `sh: addr2line: not found` (install binutils so the addresses resolve) and gdb could not find memory.c (run it from the build tree or set `directory` to the source).

Two unrelated remarks on the build flags in your ./configure line: `-D_FORTIFY_SOURCE=2` is a preprocessor define and has no effect in LDFLAGS — it belongs in CFLAGS (you already have the optimization it needs). Likewise `-fPIE` is a compile-time flag; to actually get a position-independent executable put `-fPIE` in CFLAGS and keep `-pie` in LDFLAGS. And on the commented-out `charondebug` line with level 4: level 4 logs sensitive material such as keys, so only enable it for a debugging session and never leave it on in a production config.
Kind regards Noel On 05.06.2018 22:11, Sven Anders wrote: > Hello! > > I'm experiencing a segmentation fault, if I set charondebug = cfg to a value > greater than 2. > I'm using Strongwan 5.6.2 on Linux kernel 4.1.39 on a 32 bit system. > > Strongswan was compiled with: > > ./configure CFLAGS="-g -march=core2 -O3 -fstack-protector" > LDFLAGS="-D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro,-z,now" --prefix=/usr > --sysconfdir=/etc --enable-aes --enable-bliss --enable-blowfish --enable-ccm > --enable-chapoly --enable-cmac --enable-ctr --enable-des > --enable-fips-prf --enable-gcm --enable-gcrypt --enable-hmac --enable-md4 > --enable-md5 --enable-mgf1 --enable-newhope --enable-nonce --enable-ntru > --enable-openssl --enable-padlock --enable-random --enable-rc2 > --enable-rdrand --enable-aesni --enable-sha1 --enable-sha2 --enable-sha3 > --enable-xcbc > --enable-dnskey --enable-pem --enable-pgp --enable-pkcs1 --enable-pkcs7 > --enable-pkcs8 --enable-pkcs12 --enable-pubkey --enable-sshkey --enable-x509 > --enable-curl --enable-files --enable-ldap --enable-soup --enable-unbound > --disable-winhttp --disable-mysql --enable-sqlite --enable-addrblock > --enable-acert --disable-af-alg --enable-agent --enable-constraints > --enable-coupling --enable-dnscert --enable-eap-sim --enable-eap-sim-file > --disable-eap-sim-pcsc --enable-eap-aka --enable-eap-aka-3gpp > --enable-eap-aka-3gpp2 --enable-eap-simaka-sql --enable-eap-simaka-pseudonym > --enable-eap-simaka-reauth --enable-eap-identity --enable-eap-md5 > --enable-eap-gtc --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls > --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius > --enable-ext-auth --enable-ipseckey --disable-keychain --enable-pkcs11 > --enable-revocation --enable-whitelist --enable-xauth-generic > --enable-xauth-eap --enable-xauth-pam --enable-xauth-noauth > --enable-kernel-netlink > --enable-kernel-pfkey --disable-kernel-iph --enable-kernel-libipsec > --disable-kernel-wfp 
--enable-socket-default --enable-socket-dynamic > --disable-socket-win --enable-stroke --enable-smp --enable-sql --disable-uci > --enable-vici --disable-android-dns --enable-attr --enable-attr-sql > --enable-bypass-lan --enable-counters --enable-dhcp --disable-osx-attr > --disable-p-cscf --enable-resolve --enable-unity --disable-imc-test > --disable-imv-test --enable-imc-scanner --enable-imv-scanner --enable-imc-os > --enable-imv-os --enable-imc-attestation --enable-imv-attestation > --enable-imc-swid --disable-imv-swid --enable-imc-hcd --enable-imv-hcd > --enable-tnc-ifmap --enable-tnc-imc --enable-tnc-imv --enable-tnc-pdp > --enable-tnccs-11 --enable-tnccs-20 --enable-tnccs-dynamic > --disable-android-log --enable-certexpire --enable-connmark --enable-forecast > --enable-duplicheck --enable-error-notify --enable-farp --enable-ha > --enable-led --enable-load-tester --enable-lookip --enable-radattr > --enable-systime-fix --enable-test-vectors --enable-updown --enable-aikgen > --enable-charon --enable-cmd --disable-conftest --disable-dumm > --disable-fast --enable-libipsec --disable-manager --disable-medcli > --disable-medsrv --disable-nm --disable-pki --disable-scepclient > --disable-scripts > --disable-svc --enable-swanctl --disable-tkm --disable-bfd-backtraces > --disable-dbghelp-backtraces --enable-ikev1 --enable-ikev2 > --enable-integrity-test --enable-load-warning --enable-mediation > --disable-unwind-backtraces --disable-ruby-gems --disable-ruby-gems-install > --disable-python-eggs --disable-python-eggs-install --disable-perl-cpan > --disable-perl-cpan-install --enable-tss-trousers --enable-tss-tss2 > --disable-coverage --disable-leak-detective --disable-lock-profiler > --enable-log-thread-ids > > > with "gcc version 4.5.1" (sorry, cannot use a newer compiler on this > system... :-( ) > > > Can anybody reproduce this? > > > > Starting strongSwan 5.6.2 IPsec [starter]... 
> 2205[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.1.39-core2, > i686) > 2205[LIB] plugin 'test-vectors': loaded successfully > 2205[LIB] plugin 'unbound': loaded successfully > 2205[LIB] plugin 'ldap': loaded successfully > 2205[CFG] PKCS11 module '<name>' lacks library path > 2205[LIB] plugin 'pkcs11': loaded successfully > 2205[LIB] plugin 'aesni': loaded successfully > 2205[LIB] plugin 'aes': loaded successfully > 2205[LIB] plugin 'des': loaded successfully > 2205[LIB] plugin 'blowfish': loaded successfully > 2205[LIB] plugin 'rc2': loaded successfully > 2205[LIB] plugin 'sha2': loaded successfully > 2205[LIB] plugin 'sha3': loaded successfully > 2205[LIB] plugin 'sha1': loaded successfully > 2205[LIB] plugin 'md4': loaded successfully > 2205[LIB] plugin 'md5': loaded successfully > 2205[LIB] plugin 'mgf1': loaded successfully > 2205[LIB] plugin 'rdrand': loaded successfully > 2205[LIB] detected RDRAND support, enabled > 2205[LIB] plugin 'random': loaded successfully > 2205[LIB] plugin 'nonce': loaded successfully > 2205[LIB] plugin 'x509': loaded successfully > 2205[LIB] plugin 'revocation': loaded successfully > 2205[LIB] plugin 'constraints': loaded successfully > 2205[LIB] plugin 'acert': loaded successfully > 2205[LIB] plugin 'pubkey': loaded successfully > 2205[LIB] plugin 'pkcs1': loaded successfully > 2205[LIB] plugin 'pkcs7': loaded successfully > 2205[LIB] plugin 'pkcs8': loaded successfully > 2205[LIB] plugin 'pkcs12': loaded successfully > 2205[LIB] plugin 'pgp': loaded successfully > 2205[LIB] plugin 'dnskey': loaded successfully > 2205[LIB] plugin 'sshkey': loaded successfully > 2205[LIB] plugin 'dnscert': loaded successfully > 2205[LIB] plugin 'pem': loaded successfully > 2205[LIB] Padlock features supported:, enabled: > 2205[LIB] plugin 'padlock': loaded successfully > 2205[LIB] plugin 'openssl': loaded successfully > 2205[LIB] plugin 'fips-prf': loaded successfully > 2205[LIB] plugin 'gmp': loaded successfully > 2205[LIB] plugin 
'curve25519': loaded successfully > 2205[LIB] plugin 'agent': loaded successfully > 2205[LIB] plugin 'chapoly': loaded successfully > 2205[LIB] plugin 'xcbc': loaded successfully > 2205[LIB] plugin 'cmac': loaded successfully > 2205[LIB] plugin 'hmac': loaded successfully > 2205[LIB] plugin 'ctr': loaded successfully > 2205[LIB] plugin 'ccm': loaded successfully > 2205[LIB] plugin 'gcm': loaded successfully > 2205[LIB] plugin 'ntru': loaded successfully > 2205[LIB] plugin 'newhope': loaded successfully > 2205[LIB] plugin 'bliss': loaded successfully > 2205[LIB] plugin 'curl': loaded successfully > 2205[LIB] plugin 'files': loaded successfully > 2205[LIB] using SQLite 3.7.15.2, thread safety 1 > 2205[LIB] plugin 'sqlite': loaded successfully > 2205[CFG] loaded attribute INTERNAL_IP4_DNS: 0a:01:03:0a > 2205[CFG] loaded attribute INTERNAL_IP4_DNS: 0a:01:03:0b > 2205[CFG] loaded attribute (25): 6d:65:2d:67:72:6f:75:70:2e:6c:6f:63:61:6c > 2205[LIB] plugin 'attr': loaded successfully > 2205[LIB] plugin 'attr-sql': loaded successfully > 2205[CFG] disabling load-tester plugin, not configured > 2205[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create > returned NULL > 2205[LIB] plugin 'kernel-netlink': loaded successfully > 2205[LIB] plugin 'socket-default': loaded successfully > 2205[LIB] plugin 'connmark': loaded successfully > 2205[LIB] plugin 'stroke': loaded successfully > 2205[LIB] plugin 'vici': loaded successfully > 2205[LIB] plugin 'updown': loaded successfully > 2205[LIB] plugin 'eap-identity': loaded successfully > 2205[LIB] plugin 'eap-sim': loaded successfully > 2205[LIB] plugin 'eap-sim-file': loaded successfully > 2205[LIB] plugin 'eap-aka': loaded successfully > 2205[LIB] plugin 'eap-aka-3gpp': loaded successfully > 2205[LIB] plugin 'eap-aka-3gpp2': loaded successfully > 2205[LIB] plugin 'eap-simaka-sql': loaded successfully > 2205[LIB] plugin 'eap-simaka-pseudonym': loaded successfully > 2205[LIB] plugin 'eap-simaka-reauth': loaded 
successfully > 2205[LIB] plugin 'eap-md5': loaded successfully > 2205[LIB] plugin 'eap-gtc': loaded successfully > 2205[LIB] plugin 'eap-mschapv2': loaded successfully > 2205[LIB] plugin 'eap-dynamic': loaded successfully > 2205[LIB] plugin 'eap-radius': loaded successfully > 2205[LIB] plugin 'eap-tls': loaded successfully > 2205[LIB] plugin 'eap-ttls': loaded successfully > 2205[LIB] plugin 'eap-peap': loaded successfully > 2205[LIB] plugin 'eap-tnc': loaded successfully > 2205[LIB] plugin 'xauth-generic': loaded successfully > 2205[LIB] plugin 'xauth-eap': loaded successfully > 2205[LIB] plugin 'xauth-pam': loaded successfully > 2205[LIB] plugin 'xauth-noauth': loaded successfully > 2205[LIB] plugin 'tnc-ifmap': loaded successfully > 2205[LIB] plugin 'tnc-pdp': loaded successfully > 2205[LIB] plugin 'tnc-imc': loaded successfully > 2205[LIB] plugin 'tnc-imv': loaded successfully > 2205[LIB] plugin 'tnc-tnccs': loaded successfully > 2205[LIB] plugin 'tnccs-20': loaded successfully > 2205[LIB] plugin 'tnccs-11': loaded successfully > 2205[LIB] plugin 'tnccs-dynamic': loaded successfully > 2205[LIB] plugin 'dhcp': loaded successfully > 2205[LIB] plugin 'ha': loaded successfully > 2205[LIB] plugin 'whitelist': loaded successfully > 2205[LIB] plugin 'ext-auth': loaded successfully > 2205[LIB] plugin 'lookip': loaded successfully > 2205[LIB] plugin 'error-notify': loaded successfully > 2205[LIB] plugin 'certexpire': loaded successfully > 2205[LIB] plugin 'systime-fix': loaded successfully > 2205[LIB] plugin 'led': loaded successfully > 2205[LIB] plugin 'duplicheck': loaded successfully > 2205[LIB] plugin 'coupling': loaded successfully > 2205[LIB] plugin 'addrblock': loaded successfully > 2205[LIB] plugin 'unity': loaded successfully > 2205[LIB] plugin 'counters': loaded successfully > 2205[KNL] known interfaces and IP addresses: > 2205[KNL] lo > 2205[KNL] 127.0.0.1 > 2205[KNL] ::1 > 2205[KNL] eth1 > 2205[KNL] fe80::20c:29ff:fede:e80a > 2205[KNL] eth2 > 2205[KNL] 
fe80::20c:29ff:fede:e832 > 2205[KNL] eth3 > 2205[KNL] fe80::20c:29ff:fede:e814 > 2205[KNL] eth4 > 2205[KNL] fe80::20c:29ff:fede:e8f6 > 2205[KNL] eth5 > 2205[KNL] fe80::20c:29ff:fede:e81e > 2205[KNL] eth6 > 2205[KNL] fe80::20c:29ff:fede:e800 > 2205[KNL] eth7 > 2205[KNL] fe80::20c:29ff:fede:e828 > 2205[KNL] eth0 > 2205[KNL] 10.10.133.2 > 2205[KNL] fe80::250:56ff:feaf:ae7a > 2205[KNL] bond0 > 2205[KNL] bond1 > 2205[KNL] bond2 > 2205[KNL] bond3 > 2205[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA > 2205[CFG] loading unbound resolver config from '/etc/resolv.conf' > 2205[CFG] failed to read the resolver config: error reading file (No such > file or directory) > 2205[CFG] failed to create a DNS resolver instance > 2205[LIB] feature CUSTOM:dnscert in plugin 'dnscert' failed to load > 2205[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: > PRIVKEY:DSA > 2205[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet > dependency: CERT_DECODE:OCSP_REQUEST > 2205[CFG] attr-sql plugin: database URI not set > 2205[LIB] feature CUSTOM:attr-sql in plugin 'attr-sql' failed to load > 2205[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' > 2205[CFG] loaded ca certificate "C=DE, ST=Bavaria, L=Ortenburg, > O=Micro-Epsilon, OU=IT, DC=local, DC=me-group, CN=Micro-Epsilon CA" from > '/etc/ipsec.d/cacerts/me-ca.crt' > 2205[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' > 2205[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' > 2205[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' > 2205[CFG] loading crls from '/etc/ipsec.d/crls' > 2205[CFG] loading secrets from '/etc/ipsec.secrets' > 2205[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file > or directory > 2205[LIB] feature CUSTOM:eap-sim-file-triplets in plugin 'eap-sim-file' > failed to load > 2205[LIB] feature CUSTOM:sim-card in plugin 'eap-sim-file' has unmet > dependency: CUSTOM:eap-sim-file-triplets > 2205[LIB] 
feature CUSTOM:sim-provider in plugin 'eap-sim-file' has unmet > dependency: CUSTOM:eap-sim-file-triplets > 2205[CFG] eap-simaka-sql database URI missing > 2205[LIB] feature CUSTOM:eap-simaka-sql-db in plugin 'eap-simaka-sql' failed > to load > 2205[LIB] feature CUSTOM:aka-card in plugin 'eap-simaka-sql' has unmet > dependency: CUSTOM:eap-simaka-sql-db > 2205[LIB] feature CUSTOM:sim-card in plugin 'eap-simaka-sql' has unmet > dependency: CUSTOM:eap-simaka-sql-db > 2205[LIB] feature CUSTOM:aka-provider in plugin 'eap-simaka-sql' has unmet > dependency: CUSTOM:eap-simaka-sql-db > 2205[LIB] feature CUSTOM:sim-provider in plugin 'eap-simaka-sql' has unmet > dependency: CUSTOM:eap-simaka-sql-db > 2205[CFG] loaded 0 RADIUS server configurations > 2205[TNC] MAP server certificate not defined > 2205[LIB] feature CUSTOM:tnc-ifmap-2.1 in plugin 'tnc-ifmap' failed to load > 2205[TNC] TNC recommendation policy is 'default' > 2205[TNC] loading IMVs from '/etc/tnc_config' > 2205[TNC] opening configuration file '/etc/tnc_config' failed: No such file > or directory > 2205[CFG] missing PDP server name, PDP disabled > 2205[LIB] feature CUSTOM:tnc-pdp in plugin 'tnc-pdp' failed to load > 2205[TNC] loading IMCs from '/etc/tnc_config' > 2205[TNC] opening configuration file '/etc/tnc_config' failed: No such file > or directory > 2205[CFG] HA config misses local/remote address > 2205[LIB] feature CUSTOM:ha in plugin 'ha' failed to load > 2205[CFG] no script for ext-auth script defined, disabled > 2205[LIB] feature CUSTOM:ext_auth in plugin 'ext-auth' failed to load > 2205[CFG] no threshold configured for systime-fix, disabled > 2205[LIB] feature CUSTOM:systime-fix in plugin 'systime-fix' failed to load > 2205[CFG] coupling file path unspecified > 2205[LIB] feature CUSTOM:coupling in plugin 'coupling' failed to load > 2205[LIB] unloading plugin 'dnscert' without loaded features > 2205[LIB] unloading plugin 'padlock' without loaded features > 2205[LIB] unloading plugin 'attr-sql' without 
loaded features > 2205[LIB] unloading plugin 'eap-sim-file' without loaded features > 2205[LIB] unloading plugin 'eap-simaka-sql' without loaded features > 2205[LIB] unloading plugin 'tnc-ifmap' without loaded features > 2205[LIB] unloading plugin 'tnc-pdp' without loaded features > 2205[LIB] unloading plugin 'ha' without loaded features > 2205[LIB] unloading plugin 'ext-auth' without loaded features > 2205[LIB] unloading plugin 'systime-fix' without loaded features > 2205[LIB] unloading plugin 'coupling' without loaded features > 2205[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aesni aes > des blowfish rc2 sha2 sha3 sha1 md4 md5 mgf1 rdrand random nonce x509 > revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey > sshkey pem openssl fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr > ccm gcm ntru newhope bliss curl files sqlite attr kernel-netlink > socket-default connmark stroke vici updown eap-identity eap-sim eap-aka > eap-aka-3gpp > eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc > eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc > xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imc tnc-imv tnc-tnccs > tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire > led duplicheck addrblock unity counters > 2205[LIB] unable to load 19 plugin features (9 due to unmet dependencies) > 2205[JOB] spawning 16 worker threads > 2219[LIB] created thread 2219 [2219] > 2220[LIB] created thread 2220 [2220] > 2221[LIB] created thread 2221 [2221] > 2221[NET] waiting for data on sockets > 2211[LIB] created thread 2211 [2211] > 2212[LIB] created thread 2212 [2212] > 2216[LIB] created thread 2216 [2216] > 2213[LIB] created thread 2213 [2213] > 2214[LIB] created thread 2214 [2214] > 2215[LIB] created thread 2215 [2215] > 2217[LIB] created thread 2217 [2217] > 2218[LIB] created thread 2218 [2218] > 2210[LIB] created thread 2210 [2210] > 2209[LIB] created thread 2209 [2209] > 
2208[LIB] created thread 2208 [2208] > 2207[LIB] created thread 2207 [2207] > 2206[LIB] created thread 2206 [2206] > charon (2205) started after 140 ms > 2212[DMN] thread 2212 received 11 > 2212[LIB] dumping 13 stack frame addresses: > 2212[LIB] /lib/libpthread.so.0 @ 0x40138000 [0x40146af8] > sh: addr2line: not found > 2212[LIB] -> > 2212[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x4006d05e] > sh: addr2line: not found > 2212[LIB] -> > 2212[LIB] /lib/libc.so.6 @ 0x40157000 (_IO_vfprintf+0xa35) [0x40197c35] > sh: addr2line: not found > 2212[LIB] -> > 2212[LIB] /lib/libc.so.6 @ 0x40157000 (vsnprintf+0xbd) [0x401bfafd] > sh: addr2line: not found > 2212[LIB] -> > 2212[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x4007e000 [0x40087838] > sh: addr2line: not found > 2212[LIB] -> > 2212[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x4007e000 [0x4008799d] > sh: addr2line: not found > 2212[LIB] -> > 2212[LIB] /usr/lib/ipsec/plugins/libstrongswan-stroke.so @ 0x40988000 > [0x4098b07e] > sh: addr2line: not found > 2212[LIB] -> > 2212[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x40051a64] > sh: addr2line: not found > 2212[LIB] -> > 2212[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x4005556a] > sh: addr2line: not found > 2212[LIB] -> > 2212[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x40055fc2] > sh: addr2line: not found > 2212[LIB] -> > 2212[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x4006a739] > sh: addr2line: not found > 2212[LIB] -> > 2212[LIB] /lib/libpthread.so.0 @ 0x40138000 [0x4013daf5] > sh: addr2line: not found > 2212[LIB] -> > 2212[LIB] /lib/libc.so.6 @ 0x40157000 (clone+0x5e) [0x402334be] > sh: addr2line: not found > 2212[LIB] -> > dumping 13 stack frame addresses: > /lib/libpthread.so.0 @ 0x40138000 [0x40146af8] > sh: addr2line: not found > -> > /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x4006d05e] > sh: addr2line: not found > -> > /lib/libc.so.6 @ 0x40157000 (_IO_vfprintf+0xa35) [0x40197c35] > sh: addr2line: not found > -> > 
/lib/libc.so.6 @ 0x40157000 (vsnprintf+0xbd) [0x401bfafd] > sh: addr2line: not found > -> > /usr/lib/ipsec/libcharon.so.0 @ 0x4007e000 [0x40087838] > sh: addr2line: not found > -> > /usr/lib/ipsec/libcharon.so.0 @ 0x4007e000 [0x4008799d] > sh: addr2line: not found > -> > /usr/lib/ipsec/plugins/libstrongswan-stroke.so @ 0x40988000 [0x4098b07e] > sh: addr2line: not found > -> > /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x40051a64] > sh: addr2line: not found > -> > /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x4005556a] > sh: addr2line: not found > -> > /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x40055fc2] > sh: addr2line: not found > -> > /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x4006a739] > sh: addr2line: not found > -> > /lib/libpthread.so.0 @ 0x40138000 [0x4013daf5] > sh: addr2line: not found > -> > /lib/libc.so.6 @ 0x40157000 (clone+0x5e) [0x402334be] > sh: addr2line: not found > -> > 2212[DMN] killing ourself, received critical signal > connecting to 'unix:///var/run/charon.ctl' failed: Connection refused > failed to connect to stroke socket 'unix:///var/run/charon.ctl' > charon has died -- restart scheduled (5sec) > ^Cipsec starter stopped > > > Here is the debug output: > > > Program received signal SIGSEGV, Segmentation fault. > [Switching to Thread 0x41873b70 (LWP 2004)] > 0x40069aed in mem_printf_hook (data=0x41871f40, spec=0x41871f30, > args=0x41871f70) at utils/utils/memory.c:224 > 224 utils/utils/memory.c: No such file or directory. 
> in utils/utils/memory.c > (gdb) bt > #0 0x40069aed in mem_printf_hook (data=0x41871f40, spec=0x41871f30, > args=0x41871f70) at utils/utils/memory.c:224 > #1 0x4006d05e in custom_print (stream=0x41872bdc, info=0x41871fe0, > args=0x41871f70) > at utils/printf_hook/printf_hook_glibc.c:117 > #2 0x40197c35 in vfprintf () from /lib/libc.so.6 > #3 0x401bfafd in vsnprintf () from /lib/libc.so.6 > #4 0x40087838 in vlog (this=0x8000cca8, group=DBG_CFG, level=LEVEL_RAW, > format=0x4099bc73 "stroke message %b", > args=0x41873190 "x*\006\200\264\002") at bus/bus.c:398 > #5 0x4008799d in log_ (this=0x8000cca8, group=DBG_CFG, level=LEVEL_RAW, > format=0x4099bc73 "stroke message %b") > at bus/bus.c:439 > #6 0x4098b07e in on_accept (this=0x8005ca60, stream=0x80062918) at > stroke_socket.c:647 > #7 0x40051a64 in accept_async (data=0x80062958) at > networking/streams/stream_service.c:189 > #8 0x4005556a in execute (this=0x80062a38) at > processing/jobs/callback_job.c:77 > #9 0x40055fc2 in process_job (worker=0x80055e40) at > processing/processor.c:235 > #10 process_jobs (worker=0x80055e40) at processing/processor.c:321 > #11 0x4006a739 in thread_main (this=0x80021100) at threading/thread.c:331 > #12 0x4013daf5 in start_thread (arg=0x41873b70) at pthread_create.c:297 > #13 0x402334be in clone () from /lib/libc.so.6 > > > ipsec.conf: > > #----------------------------------------------------------------------------- > # Global config > #----------------------------------------------------------------------------- > > config setup > > # Allows few simultaneous connections with one user account. > # By default only one active connection per user allowed. > # This option also usefull if you have limited rightsourceip pool and > want to kick your ghost connection while reconnecting. 
> uniqueids=no > > # Increase debug level > charondebug = ike 2, net 2, pts 2, lib 2, tls 2, cfg 2, knl 2 > # charondebug = ike 4, net 4, pts 4, lib 4, tls 2, cfg 3, knl 4, enc 4, > esp 4, tnc 4 > > #----------------------------------------------------------------------------- > # Basic configs > #----------------------------------------------------------------------------- > > conn rw-base > # enables IKE fragmentation > fragmentation=yes > > # dpdtimeout is not honored for ikev2. For IKEv2, every message is used > # to determine the timeout, so the generic timeout value for IKEv2 > messages > # is used. > dpdtimeout=90s > dpddelay=30s > dpdaction=clear > > # this is used in every conn in which the client is assigned a "virtual" IP or > # one or several DNS servers > # the cipher suits require the openssl plugin. > conn rw-config > also=rw-base > > # not possible with asymmetric authentication > reauth=no > rekey=no > > # secure cipher suits > > ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072 > esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072 > > # RECEIVED FROM THE CLIENT SIDE > leftsubnet=10.0.0.0/8 # Split tunnel config > leftid="vpn.mydom.net" > leftcert=server.crt > leftsendcert=always # not "never" > left=10.2.115.99 # External IP: 217.6.20.75 > lefthostaccess=yes > > # SEND FROM THE SERVER SIDE > rightdns=10.1.3.10, 10.1.3.11 > rightsourceip=%static, %dynamic > > #----------------------------------------------------------------------------- > # IKEv1 > #----------------------------------------------------------------------------- > > ## this conn is set up for l2tp support where the user authentication is > happening > ## in the l2tp control connection. With L2TP, clients are usually not assigned > ## a virtual IP in IKE. > ## Charon is not an l2tp server. You need to install xl2tp for that and > configure it correctly. > ## mark=%unique requires the connmark plugin. 
> #conn ikev1-l2tp-chap-auth-in-l2tp > # also=rw-base > # # reduce to the most secure combination the client can support, if > absolutely required. > # ike=aes128-sha1-modp3072 > # esp=aes128-sha1-modp3072 > # leftsubnet=%dynamic[/1701] > # rightsubnet=%dynamic > # mark=%unique > # leftauth=psk > # rightauth=psk > # type=transport > # auto=add > > ## this conn is set up for l2tp support where the user authentication is > happening > ## during the IKEv1 authentication. With L2TP, clients are usually not > assigned > ## a virtual IP in IKE. > ## mark=%unique requires the connmark plugin. > ## this requires the xauth-generic plugin. > #conn ikev1-l2tp-xauth-in-ike > # also=rw-base > # # reduce to the most secure combination the client can support, if > absolutely required. > # ike=aes128-sha1-modp3072 > # esp=aes128-sha1-modp3072 > # leftsubnet=%dynamic[/1701] > # rightsubnet=%dynamic > # mark=%unique > # leftauth=psk > # rightauth=psk > # rightauth2=xauth-generic > # xauth=server > # # not possible with asymmetric authentication > # reauth=no > # rekey=no > # type=transport > # auto=add > > # this requires the xauth-generic plugin. > # (for iPhones mit IKEv1 und Shared Secret) > #conn ikev1-psk-xauth > # also=rw-config > # keyexchange=ikev1 > # leftauth=psk > # rightauth=psk > # rightauth2=xauth-generic > # xauth=server > # auto=add > > # leftauth and rightauth default to "pubkey", so no change necessary. > #conn ikev1-pubkey > # also=rw-config > # keyexchange=ikev1 > # auto=add > > # this requires the xauth-generic plugin. > # (for iPhones with IKEv1 and local stored passwords) > #conn ikev1-pubkey-xauth > # also=rw-config > # keyexchange=ikev1 > # #rightauth=pubkey > # rightauth2=xauth-generic > # xauth=server > # auto=add > > # this requires the xauth-noauth plugin. 
> # (for iPhones with IKEv1 WITHOUT password querying) > conn ikev1-pubkey-xauth-noauth > also=rw-config > keyexchange=ikev1 > #rightauth=pubkey > rightauth2=xauth-noauth > xauth=server > auto=add > > # this requires the xauth-pam plugin. > # (for iPhones with IKEv1 and passwords via PAM) > #conn ikev1-pubkey-xauth-radius > # also=rw-config > # keyexchange=ikev1 > # #rightauth=pubkey > # rightauth2=xauth-pam > # xauth=server > # auto=add > > # this requires the eap-radius plugin. > # (for iPhones with IKEv1 and passwords on radius/DC) > #conn ikev1-pubkey-xauth-radius > # also=rw-config > # keyexchange=ikev1 > # #rightauth=pubkey > # rightauth2=eap-radius > # xauth=server > # auto=add > > # this requires the xauth-generic plugin. > #conn ikev1-hybrid > # also=rw-config > # keyexchange=ikev1 > # rightauth=xauth-generic > # xauth=server > > #----------------------------------------------------------------------------- > # IKEv2 > #----------------------------------------------------------------------------- > > # use IKEv2 with client certificate only > conn ikev2-pubkey > also=rw-config > keyexchange=ikev2 > auto=add > > ## IF you need to support several EAP methods at the same time, you need to > ## use eap-dynamic and not use any other conn with eap settings. > ## Add the settings for the eap-dynamic plugin to your strongswan.conf file. > # > #conn ikev2-eap > # also=rw-config > # keyexchange=ikev2 > # rightauth=eap-dynamic > # eap_identity=%identity > # auto=add > # > > # this requires the eap-tls plugin. > #conn ikev2-eap-tls > # also=rw-base > # keyexchange=ikev2 > # rightauth=eap-tls > # eap_identity=%identity > # auto=add > > > ## this requires the eap-gtc plugin. > #conn ikev2-eap-gtc > # also=rw-config > # keyexchange=ikev2 > # rightauth=eap-gtc > # eap_identity=%identity > # auto=add > > # this requires the eap-mschapv2 plugin. 
> # (Apple clients with cert+password usually goes here) > #conn ikev2-eap-mschapv2 > # also=rw-config > # keyexchange=ikev2 > # auto=add > # # right - remote (client) side > # rightauth=eap-mschapv2 > # eap_identity=%identity > > # Use RADIUS EAP plugin > #conn ikev2-eap-radius > # also=rw-config > # keyexchange=ikev2 > # auto=add > # # right - remote (client) side > # rightauth=eap-radius > # eap_identity=%identity > > > > Regards > Sven Anders >