From: Scott S. <Sc...@pb...> - 2010-05-04 13:52:37
I replaced my 7-year old LRP-based firewall with Devil Linux two days
ago. I am quite pleased, with one exception ... I am having difficulty
with IPSEC.
I am an oldster, trying to understand this modern stuff, so my problems
are likely user error. It seems, however, that the implementation is in
rapid transition, and I am unsure of what components and/or
configurations are being used; e.g. is the pluto daemon still used, or do
setkey + racoon + newer kernel capabilities suffice? Any help is
appreciated; please note in advance that I may not be able to try any
suggestions for 24-36 hours.
1) Checking IPSEC in the services setup menu causes startup to hang.
Unchecking it allows the machine to boot and run without problems.
After startup, if I edit /etc/sysconfig/config to set START_IPSEC=yes
and attempt to start it manually, I get:
/etc/init.d # ./ipsec start
Starting strongSwan 4.2.16 IPsec [starter]...
insmod /lib/modules/2.6.32.9-grsec/kernel/net/ipv4/ah4.ko
insmod /lib/modules/2.6.32.9-grsec/kernel/net/ipv4/esp4.ko
insmod /lib/modules/2.6.32.9-grsec/kernel/net/xfrm/xfrm_ipcomp.ko
insmod /lib/modules/2.6.32.9-grsec/kernel/net/ipv4/ipcomp.ko
insmod /lib/modules/2.6.32.9-grsec/kernel/net/ipv4/tunnel4.ko
insmod /lib/modules/2.6.32.9-grsec/kernel/net/ipv4/xfrm4_tunnel.ko
insmod /lib/modules/2.6.32.9-grsec/kernel/net/xfrm/xfrm_user.ko
After 90 seconds with no further response, I can <Ctrl>-C back to the OS
prompt. It appears that all kernel modules loaded, and a host of other
crypto modules also loaded successfully.
/etc/init.d # lsmod
Module Size Used by
deflate 1641 0
zlib_deflate 18159 1 deflate
ctr 2927 0
twofish 8009 0
twofish_common 13176 1 twofish
camellia 19183 0
serpent 17951 0
blowfish 8384 0
cast5 15805 0
aes_i586 6848 0
aes_generic 27446 1 aes_i586
xcbc 2149 0
rmd160 8480 0
sha1_generic 1591 0
hmac 2265 0
crypto_null 2000 0
xfrm_user 17933 4
xfrm4_tunnel 1249 0
tunnel4 1593 1 xfrm4_tunnel
ipcomp 1460 0
xfrm_ipcomp 2923 1 ipcomp
esp4 4301 0
ah4 3353 0
ipv6 233743 20
xt_tcpudp 1923 6
iptable_mangle 1273 0
xt_state 947 14
xt_limit 1144 7
iptable_nat 3046 1
nf_nat 12007 1 iptable_nat
nf_conntrack_ipv4 9110 17 iptable_nat,nf_nat
nf_conntrack 44611 4 xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4 779 1 nf_conntrack_ipv4
ipt_LOG 4771 5
ipt_REJECT 1785 1
iptable_filter 1042 1
ip_tables 12203 3 iptable_mangle,iptable_nat,iptable_filter
x_tables 9906 7 xt_tcpudp,xt_state,xt_limit,iptable_nat,ipt_LOG,ipt_REJECT,ip_tables
8021q 16908 0
garp 4704 1 8021q
stp 1104 1 garp
ext3 112371 4
jbd 36621 1 ext3
dm_mod 52370 12
md_mod 81595 0
i2c_piix4 7820 0
shpchp 25853 0
pci_hotplug 21837 1 shpchp
ata_generic 2199 0
tulip 43828 0
i2c_core 15166 1 i2c_piix4
pata_acpi 2228 0
aufs 126918 1
ata_piix 18160 0
libata 137883 3 ata_generic,pata_acpi,ata_piix
loop 52318 0
2) Attempting to start ipsec-tools causes a segfault ...
a) Tried simply executing: /etc/ipsec-tools/setkey.cfg
b) Tried more directly: cat /etc/ipsec-tools/setkey.cfg | strace setkey -c
execve("/usr/sbin/setkey", ["setkey", "-c"], [/* 17 vars */]) = 0
brk(0) = 0x139633a8
access("/etc/ld.so.preload", R_OK) = 0
open("/etc/ld.so.preload", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=18, ...}) = 0
mmap2(NULL, 18, PROT_READ|PROT_WRITE, MAP_PRIVATE, 3, 0) = 0x4e316000
close(3) = 0
open("/lib/libsafe.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\16\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=21710, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4e315000
mmap2(NULL, 20584, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4e30f000
mmap2(0x4e313000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3) = 0x4e313000
close(3) = 0
munmap(0x4e316000, 18) = 0
open("/data/build/tmp/libradius-linux/lib/tls/i686/libutil.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/data/build/tmp/libradius-linux/lib/tls/i686", 0x5af9d1d4) = -1 ENOENT (No such file or directory)
open("/data/build/tmp/libradius-linux/lib/tls/libutil.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/data/build/tmp/libradius-linux/lib/tls", 0x5af9d1d4) = -1 ENOENT (No such file or directory)
open("/data/build/tmp/libradius-linux/lib/i686/libutil.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/data/build/tmp/libradius-linux/lib/i686", 0x5af9d1d4) = -1 ENOENT (No such file or directory)
open("/data/build/tmp/libradius-linux/lib/libutil.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/data/build/tmp/libradius-linux/lib", 0x5af9d1d4) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/libutil.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686", 0x5af9d1d4) = -1 ENOENT (No such file or directory)
open("/lib/tls/libutil.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls", 0x5af9d1d4) = -1 ENOENT (No such file or directory)
open("/lib/i686/libutil.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686", 0x5af9d1d4) = -1 ENOENT (No such file or directory)
open("/lib/libutil.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\n\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=12537, ...}) = 0
mmap2(NULL, 12432, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4e30b000
mmap2(0x4e30d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0x4e30d000
close(3) = 0
open("/lib/libpam.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\32\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=53980, ...}) = 0
mmap2(NULL, 49164, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4e2fe000
mmap2(0x4e309000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa) = 0x4e309000
close(3) = 0
open("/lib/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\n\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=13505, ...}) = 0
mmap2(NULL, 12412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4e2fa000
mmap2(0x4e2fc000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0x4e2fc000
close(3) = 0
open("/lib/libcrypt.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\10\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=47107, ...}) = 0
mmap2(NULL, 205372, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4e2c7000
mmap2(0x4e2d0000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x8) = 0x4e2d0000
mmap2(0x4e2d3000, 156220, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4e2d3000
close(3) = 0
open("/lib/libldap-2.4.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\224\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=287387, ...}) = 0
mmap2(NULL, 254616, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4e288000
mmap2(0x4e2c5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3c) = 0x4e2c5000
close(3) = 0
open("/lib/liblber-2.4.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320%\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=62529, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4e316000
mmap2(NULL, 53412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4e27a000
mmap2(0x4e286000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb) = 0x4e286000
close(3) = 0
open("/lib/libresolv.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P!\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=69500, ...}) = 0
mmap2(NULL, 71880, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4e268000
mmap2(0x4e276000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd) = 0x4e276000
mmap2(0x4e278000, 6344, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4e278000
close(3) = 0
open("/lib/libssl.so.0.9.8", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260\275\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0555, st_size=327884, ...}) = 0
mmap2(NULL, 296248, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4e21f000
mprotect(0x4e263000, 4096, PROT_NONE) = 0
mmap2(0x4e264000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x44) = 0x4e264000
close(3) = 0
open("/lib/libcrypto.so.0.9.8", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300v\3\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0555, st_size=1640537, ...}) = 0
mmap2(NULL, 1474204, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4e0b7000
mmap2(0x4e206000, 90112, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14e) = 0x4e206000
mmap2(0x4e21c000, 11932, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4e21c000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\222`\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1410041, ...}) = 0
mmap2(NULL, 1193636, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4df93000
mmap2(0x4e0b1000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11e) = 0x4e0b1000
mmap2(0x4e0b4000, 9892, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4e0b4000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4df92000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4df91000
set_thread_area({entry_number:-1 -> 6, base_addr:0x4df916c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
open("/dev/erandom", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/dev/urandom", O_RDONLY) = 3
read(3, "Z\255C\274", 4) = 4
close(3) = 0
mprotect(0x4e0b1000, 8192, PROT_READ) = 0
mprotect(0x4e206000, 32768, PROT_READ) = 0
mprotect(0x4e264000, 4096, PROT_READ) = 0
mprotect(0x4e276000, 4096, PROT_READ) = 0
mprotect(0x4e286000, 4096, PROT_READ) = 0
mprotect(0x4e2c5000, 4096, PROT_READ) = 0
mprotect(0x4e2d0000, 4096, PROT_READ) = 0
mprotect(0x4e2fc000, 4096, PROT_READ) = 0
mprotect(0x4e309000, 4096, PROT_READ) = 0
mprotect(0x4e30d000, 4096, PROT_READ) = 0
mprotect(0x4e313000, 4096, PROT_READ) = 0
mprotect(0x1394f000, 4096, PROT_READ) = 0
mprotect(0x4e331000, 4096, PROT_READ) = 0
readlink("/proc/self/exe", "/usr/sbin/setkey", 4095) = 16
brk(0) = 0x139633a8
brk(0x139843a8) = 0x139843a8
brk(0x13985000) = 0x13985000
open("/etc/libsafe.exclude", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4df90000
read(3, "", 2048) = 0
close(3) = 0
munmap(0x4df90000, 4096) = 0
brk(0x13984000) = 0x13984000
time(NULL) = 1272973477
open("/etc/localtime", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1267, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=1267, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4df90000
read(3, "TZif\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 2048) = 1267
close(3) = 0
munmap(0x4df90000, 4096) = 0
socket(PF_KEY, SOCK_RAW, 2) = 3
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [131072], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [131072], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [262144], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [524288], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [1048576], 4) = 0
getpid() = 2840
send(3, "\2\7\0\0\2\0\0\0\0\0\0\0\30\v\0\0", 16, 0) = 16
recv(3, "\2\7\0\0\24\0\0\0\0\0\0\0\30\v\0\0", 16, MSG_PEEK) = 16
recv(3, "\2\7\0\0\24\0\0\0\0\0\0\0\30\v\0\0\7\0\16\0\0\0\0\0\373\0\0\0\0\0\0\0"..., 160, 0) = 160
fstat64(0, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4df90000
read(0, "#!/usr/sbin/setkey -f\n\n# Flush t"..., 4096) = 293
setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "\1\0\0\0\0\0\0\0", 8) = 0
send(3, "\2\t\0\0\2\0\0\0\0\0\0\0\30\v\0\0", 16, 0) = 16
recv(3, "\2\t\0\0\2\0.v\0\0\0\0\30\v\0\0", 32768, 0) = 16
setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "\1\0\0\0\0\0\0\0", 8) = 0
send(3, "\2\23\0\0\2\0\0\0\0\0\0\0\30\v\0\0", 16, 0) = 16
recv(3, "\2\23\0\0\2\0\0\0\0\0\0\0\30\v\0\0", 32768, 0) = 16
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Segmentation fault
3) I tried reverting to RC2. I did not attempt all of the above, but
./ipsec start hangs in the same manner as noted in #1 above.