Hi there,

I can confirm that this issue exists in Linux as well... the same certificate/VPN setup shows the following:

adamwork ike # iked -F
ii : created ike socket 0.0.0.0:500
ii : created natt socket 0.0.0.0:4500
## : IKE Daemon, ver 2.2.0
## : Copyright 2009 Shrew Soft Inc.
## : This product linked OpenSSL 1.0.0e 6 Sep 2011
ii : opened '/var/log/iked.log'
ii : network process thread begin ...
ii : pfkey process thread begin ...
ii : ipc server process thread begin ...
K< : recv pfkey REGISTER AH message
K< : recv pfkey REGISTER ESP message
K< : recv pfkey REGISTER IPCOMP message
K! : recv X_SPDDUMP message failure ( errno = 2 )
ii : ipc client process thread begin ...
<A : peer config add message
<A : proposal config message
<A : proposal config message
<A : client config message
<A : local id '[email protected]' message
<A : remote id 'test.cert.vpn' message
<A : remote certificate data message
ii : remote certificate read complete ( 1481 bytes )
<A : local certificate data message
ii : local certificate read complete ( 1356 bytes )
<A : local key data message
ii : local key read complete ( 2350 bytes )
<A : remote resource message
<A : peer tunnel enable message
DB : peer added ( obj count = 1 )
ii : local address 10.250.0.243 selected for peer
DB : tunnel added ( obj count = 1 )
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 10.250.0.243:500 <-> 10.250.0.241:500
DB : 374969c9314c3af4:0000000000000000
DB : phase1 added ( obj count = 1 )
>> : security association payload
>> : - proposal #1 payload
>> : -- transform #1 payload
>> : key exchange payload
>> : nonce payload
>> : cert request payload
>> : identification payload
>> : vendor id payload
ii : local supports nat-t ( draft v00 )
>> : vendor id payload
ii : local supports nat-t ( draft v01 )
>> : vendor id payload
ii : local supports nat-t ( draft v02 )
>> : vendor id payload
ii : local supports nat-t ( draft v03 )
>> : vendor id payload
ii : local supports nat-t ( rfc )
>> : vendor id payload
ii : local supports FRAGMENTATION
>> : vendor id payload
>> : vendor id payload
ii : local supports DPDv1
>> : vendor id payload
ii : local is SHREW SOFT compatible
>> : vendor id payload
ii : local is NETSCREEN compatible
>> : vendor id payload
ii : local is SIDEWINDER compatible
>> : vendor id payload
ii : local is CISCO UNITY compatible
>= : cookies 374969c9314c3af4:0000000000000000
>= : message 00000000
-> : send IKE packet 10.250.0.243:500 -> 10.250.0.241:500 ( 547 bytes )
DB : phase1 resend event scheduled ( ref count = 2 )
<- : recv IKE packet 10.250.0.241:500 -> 10.250.0.243:500 ( 1673 bytes )
DB : phase1 found
ii : processing phase1 packet ( 1673 bytes )
=< : cookies 374969c9314c3af4:8382478cf00cb7a1
=< : message 00000000
<< : security association payload
<< : - propsal #1 payload
<< : -- transform #1 payload
ii : matched isakmp proposal #1 transform #1
ii : - transform = ike
ii : - cipher type = 3des
ii : - key length = default
ii : - hash type = sha1
ii : - dh group = group2 ( modp-1024 )
ii : - auth type = sig-rsa
ii : - life seconds = 86400
ii : - life kbytes = 0
<< : vendor id payload
ii : unknown vendor id ( 28 bytes )
0x : e7a811cf 8de6140e 3adc82fd 7855ff8f f1eadb8f 00000013 0000061e
<< : vendor id payload
ii : peer supports DPDv1
<< : vendor id payload
ii : peer supports HEARTBEAT-NOTIFY
<< : key exchange payload
<< : nonce payload
<< : identification payload
ii : phase1 id match
ii : received = fqdn test.cert.vpn
<< : certificate payload
<< : cert request payload
<< : vendor id payload
ii : peer supports nat-t ( draft v02 )
<< : nat discovery payload
<< : nat discovery payload
<< : signature payload
ii : disabled nat-t ( no nat detected )
== : DH shared secret ( 128 bytes )
== : SETKEYID ( 20 bytes )
== : SETKEYID_d ( 20 bytes )
== : SETKEYID_a ( 20 bytes )
== : SETKEYID_e ( 20 bytes )
== : cipher key ( 40 bytes )
== : cipher iv ( 8 bytes )
>> : certificate payload
== : phase1 hash_i ( computed ) ( 20 bytes )
>> : signature payload
>> : nat discovery payload
>> : nat discovery payload
>= : cookies 374969c9314c3af4:8382478cf00cb7a1
>= : message 00000000
>= : encrypt iv ( 8 bytes )
== : encrypt packet ( 1953 bytes )
== : stored iv ( 8 bytes )
DB : phase1 resend event canceled ( ref count = 1 )
-> : send IKE packet 10.250.0.243:500 -> 10.250.0.241:500 ( 1984 bytes )
ii : unable to get certificate CRL(3) at depth:0
ii : subject :/ST=British Columbia/L=Kamloops/O=SuperTestzing/OU=IPSec VPN/CN=0162072007000231/CN=(250) 434-8700/CN=ecdsa-key/CN=test.cert.vpn/CN=Adam Clark
ii : unable to get certificate CRL(3) at depth:1
ii : subject :/C=CA/ST=British Columbia/L=Kamloops/O=Testzing/OU=StaffVPN/CN=test.cert.vpn
Segmentation fault

I'm not sure if/why iked might be having issues with no CRL setup (as there's no place to put a CRL setup), or if it's just coincidence that that's the last thing it logs before it crashes.

Thanks,

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
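As an added example (not part of the post above and not Shrew Soft's code), here is a small Python parser for the iked -F trace format shown in the post. It pulls out the negotiated phase1 transform, the peer's IKE identity and the ISAKMP cookies, pairs each "unable to get certificate CRL(3) at depth:N" line with the "subject :" line iked prints after it, maps the number in parentheses to the standard OpenSSL X509_V_ERR_* name, and records the last event logged before "Segmentation fault", which is the question the post raises. The sample trace is a constructed excerpt modelled on the post's log with shortened subjects, not a real capture; the weak-setting checklist at the end is my own reviewer's list and is not anything iked reports.

```python
"""Summarise a Shrew Soft iked -F trace: negotiated phase1 parameters, certificate
verification failures and the last event logged before a crash. Added example."""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the trace in the post above (subjects shortened).
# The line format is iked's; the excerpt itself is not a real capture.
SAMPLE_LOG = """\
DB : exchange type is aggressive
DB : 10.250.0.243:500 <-> 10.250.0.241:500
=< : cookies 374969c9314c3af4:8382478cf00cb7a1
ii : - cipher type = 3des
ii : - hash type = sha1
ii : - dh group = group2 ( modp-1024 )
ii : - auth type = sig-rsa
ii : received = fqdn test.cert.vpn
ii : unable to get certificate CRL(3) at depth:0
ii : subject :/C=CA/O=Testzing/CN=test.cert.vpn/CN=Adam Clark
ii : unable to get certificate CRL(3) at depth:1
ii : subject :/C=CA/O=Testzing/CN=test.cert.vpn
Segmentation fault
"""

# Standard OpenSSL X509_V_ERR_* codes; iked prints the number in parentheses.
OPENSSL_VERIFY_ERRORS = {
    2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    3: "X509_V_ERR_UNABLE_TO_GET_CRL",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
}

@dataclass
class Phase1Summary:
    exchange: str = ""
    local: str = ""
    peer: str = ""
    cookies: str = ""
    transform: dict = field(default_factory=dict)
    peer_id: str = ""
    verify_errors: list = field(default_factory=list)  # (message, err_name, depth, subject)
    crashed: bool = False
    last_event: str = ""

_EXCHANGE = re.compile(r"^DB : exchange type is (\w+)$")
_ADDRS = re.compile(r"^DB : (\S+) <-> (\S+)$")
_COOKIES = re.compile(r"^=< : cookies ([0-9a-f]{16}:[0-9a-f]{16})$")
_TRANSFORM = re.compile(r"^ii : - ([a-z ]+?) = (.+)$")
_PEER_ID = re.compile(r"^ii : received = (\S+ \S+)$")
_VERIFY = re.compile(r"^ii : (.+?)\((\d+)\) at depth:(\d+)$")
_SUBJECT = re.compile(r"^ii : subject :(.+)$")

def parse_trace(text: str) -> Phase1Summary:
    s = Phase1Summary()
    pending = None  # verify failure waiting for the 'subject' line iked prints next
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line == "Segmentation fault":
            s.crashed = True  # keep last_event as the line logged before the crash
            continue
        s.last_event = line
        subj = _SUBJECT.match(line)
        if pending is not None:
            s.verify_errors.append((*pending, subj.group(1) if subj else ""))
            pending = None
            if subj:
                continue
        if m := _VERIFY.match(line):
            code = int(m.group(2))
            name = OPENSSL_VERIFY_ERRORS.get(code, f"X509_V_ERR_{code}")
            pending = (m.group(1).strip(), name, int(m.group(3)))
        elif m := _EXCHANGE.match(line):
            s.exchange = m.group(1)
        elif m := _ADDRS.match(line):
            s.local, s.peer = m.group(1), m.group(2)
        elif m := _COOKIES.match(line):
            s.cookies = m.group(1)
        elif m := _TRANSFORM.match(line):
            s.transform[m.group(1)] = m.group(2)
        elif m := _PEER_ID.match(line):
            s.peer_id = m.group(1)
    if pending is not None:
        s.verify_errors.append((*pending, ""))
    return s

def weak_settings(s: Phase1Summary) -> list:
    # My own reviewer's checklist applied to what the trace says was negotiated.
    t, out = s.transform, []
    if s.exchange == "aggressive":
        out.append("aggressive mode: identification payload sent before encryption is up")
    if t.get("cipher type") in ("des", "3des"):
        out.append(f"cipher {t['cipher type']}: 64-bit block cipher")
    if t.get("hash type") in ("md5", "sha1"):
        out.append(f"hash {t['hash type']}: deprecated for new deployments")
    if any(g in t.get("dh group", "") for g in ("modp-768", "modp-1024")):
        out.append(f"dh {t['dh group']}: below the 2048-bit minimum")
    return out
```

Run against the excerpt, `parse_trace` reports that the last event before the fault is the depth:1 subject line (the CA certificate), i.e. the crash happens right after the verify callback has been invoked for the top of the chain with X509_V_ERR_UNABLE_TO_GET_CRL on both certificates; that is consistent with the post's observation but, on its own, does not prove the CRL lookup is the cause.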
