From: Dave H. <kh...@az...> - 2005-09-21 20:02:18
|
I'm trying to get an IPsec tunnel set up between a Linux box (kernel 2.6.9-1.681_FC3, ipsec-tools 0.6.1) and a D-Link DI-804HV (firmware 1.41). The D-Link is behind a NAT, but both it and ipsec-tools support NAT-T, so it should work, right? racoon is crashing trying to dereference a null pointer. Running racoon -F -v under gdb gives: 2005-09-21 13:02:05: INFO: @(#)ipsec-tools 0.6.1 (http://ipsec-tools.sourceforge.net) 2005-09-21 13:02:05: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/) 2005-09-21 13:02:06: DEBUG: compression algorithm can not be checked because sadb message doesn't support it. 2005-09-21 13:02:06: DEBUG: compression algorithm can not be checked because sadb message doesn't support it. 2005-09-21 13:02:06: INFO: 69.15.146.2[500] used as isakmp port (fd=8) 2005-09-21 13:02:06: INFO: 69.15.146.2[500] used for NAT-T 2005-09-21 13:02:06: DEBUG: get pfkey X_SPDDUMP message 2005-09-21 13:02:06: DEBUG: get pfkey X_SPDDUMP message 2005-09-21 13:02:06: DEBUG: sub:0xfefed0a0: 10.2.1.0/24[0] 10.1.1.0/24[0] proto=any dir=out 2005-09-21 13:02:06: DEBUG: db :0x888aba0: 10.1.1.0/24[0] 10.2.1.0/24[0] proto=any dir=in 2005-09-21 13:02:06: DEBUG: get pfkey X_SPDDUMP message 2005-09-21 13:02:06: DEBUG: sub:0xfefed0a0: 10.1.1.0/24[0] 10.2.1.0/24[0] proto=any dir=fwd 2005-09-21 13:02:06: DEBUG: db :0x888aba0: 10.1.1.0/24[0] 10.2.1.0/24[0] proto=any dir=in 2005-09-21 13:02:06: DEBUG: sub:0xfefed0a0: 10.1.1.0/24[0] 10.2.1.0/24[0] proto=any dir=fwd 2005-09-21 13:02:06: DEBUG: db :0x888c348: 10.2.1.0/24[0] 10.1.1.0/24[0] proto=any dir=out 2005-09-21 13:02:08: DEBUG: === 2005-09-21 13:02:08: DEBUG: 108 bytes message received from 24.242.176.90[500] to 69.15.146.2[500] 2005-09-21 13:02:08: DEBUG: 7e168701 6d967aa9 00000000 00000000 01100200 00000000 0000006c 0d00003c 00000001 00000001 00000030 01010401 03000010 00000024 01010000 80010005 80020002 80030001 80040002 800b0001 000c0004 00000e10 00000014 7d9419a6 5310ca6f 2c179d92 15529d56 2005-09-21 13:02:08: DEBUG: configuration found for 24.242.176.90. 2005-09-21 13:02:08: DEBUG: === 2005-09-21 13:02:08: INFO: respond new phase 1 negotiation: 69.15.146.2[500]<=>24.242.176.90[500] 2005-09-21 13:02:08: INFO: begin Identity Protection mode. 2005-09-21 13:02:08: DEBUG: begin. 2005-09-21 13:02:08: DEBUG: seen nptype=1(sa) 2005-09-21 13:02:08: DEBUG: seen nptype=13(vid) 2005-09-21 13:02:08: DEBUG: succeed. 2005-09-21 13:02:08: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 2005-09-21 13:02:08: DEBUG: total SA len=56 2005-09-21 13:02:08: DEBUG: 00000001 00000001 00000030 01010401 03000010 00000024 01010000 80010005 80020002 80030001 80040002 800b0001 000c0004 00000e10 2005-09-21 13:02:08: DEBUG: begin. 2005-09-21 13:02:08: DEBUG: seen nptype=2(prop) 2005-09-21 13:02:08: DEBUG: succeed. 2005-09-21 13:02:08: DEBUG: proposal #1 len=48 2005-09-21 13:02:08: WARNING: SPI size isn't zero, but IKE proposal. 2005-09-21 13:02:08: DEBUG: begin. 2005-09-21 13:02:08: DEBUG: seen nptype=3(trns) 2005-09-21 13:02:08: DEBUG: succeed. 2005-09-21 13:02:08: DEBUG: transform #1 len=36 2005-09-21 13:02:09: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 2005-09-21 13:02:09: DEBUG: encryption(3des) 2005-09-21 13:02:09: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA 2005-09-21 13:02:09: DEBUG: hash(sha1) 2005-09-21 13:02:09: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key 2005-09-21 13:02:09: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group 2005-09-21 13:02:09: DEBUG: hmac(modp1024) 2005-09-21 13:02:09: DEBUG: type=Life Type, flag=0x8000, lorv=seconds 2005-09-21 13:02:09: DEBUG: type=Life Duration, flag=0x0000, lorv=4 2005-09-21 13:02:09: DEBUG: pair 1: 2005-09-21 13:02:09: DEBUG: 0x888b820: next=(nil) tnext=(nil) 2005-09-21 13:02:09: DEBUG: proposal #1: 1 transform 2005-09-21 13:02:09: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=4, #trns=1 2005-09-21 13:02:09: DEBUG: trns#=1, trns-id=IKE 2005-09-21 13:02:09: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 2005-09-21 13:02:09: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA 2005-09-21 13:02:09: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key 2005-09-21 13:02:09: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group 2005-09-21 13:02:09: DEBUG: type=Life Type, flag=0x8000, lorv=seconds 2005-09-21 13:02:09: DEBUG: type=Life Duration, flag=0x0000, lorv=4 2005-09-21 13:02:09: DEBUG: Compared: DB:Peer 2005-09-21 13:02:09: DEBUG: (lifetime = 28800:3600) 2005-09-21 13:02:09: DEBUG: (lifebyte = 0:0) 2005-09-21 13:02:09: DEBUG: enctype = 3DES-CBC:3DES-CBC 2005-09-21 13:02:09: DEBUG: (encklen = 0:0) 2005-09-21 13:02:09: DEBUG: hashtype = SHA:SHA 2005-09-21 13:02:09: DEBUG: authmethod = pre-shared key:pre-shared key 2005-09-21 13:02:09: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group 2005-09-21 13:02:09: DEBUG: an acceptable proposal found. 2005-09-21 13:02:09: DEBUG: hmac(modp1024) 2005-09-21 13:02:09: DEBUG: new cookie: e3134e604669c155 2005-09-21 13:02:09: DEBUG: add payload of len 56, next type 0 2005-09-21 13:02:09: DEBUG: 88 bytes from 69.15.146.2[500] to 24.242.176.90[500] 2005-09-21 13:02:09: DEBUG: sockname 69.15.146.2[500] 2005-09-21 13:02:09: DEBUG: send packet from 69.15.146.2[500] 2005-09-21 13:02:09: DEBUG: send packet to 24.242.176.90[500] 2005-09-21 13:02:09: DEBUG: src4 69.15.146.2[500] 2005-09-21 13:02:09: DEBUG: dst4 24.242.176.90[500] 2005-09-21 13:02:09: DEBUG: 1 times of 88 bytes message will be sent to 24.242.176.90[500] 2005-09-21 13:02:09: DEBUG: 7e168701 6d967aa9 e3134e60 4669c155 01100200 00000000 00000058 0000003c 00000001 00000001 00000030 01010401 00000000 00000024 01010000 80010005 80020002 80030001 80040002 800b0001 000c0004 00000e10 2005-09-21 13:02:09: DEBUG: resend phase1 packet 7e1687016d967aa9:e3134e604669c155 2005-09-21 13:02:09: DEBUG: === 2005-09-21 13:02:09: DEBUG: 232 bytes message received from 24.242.176.90[500] to 69.15.146.2[500] 2005-09-21 13:02:09: DEBUG: 7e168701 6d967aa9 e3134e60 4669c155 04100200 00000000 000000e8 0a000084 5ea03af2 5d82075d 869dab65 708d75e1 a8cca76d 85bdfd18 07e74f86 6622a74a 167ac92d 1087ecbb 5bed0552 eb72287d c3770519 d9375fd3 f7dddc31 1e44928a 154ad511 e10fcb51 e53b7cb5 f76954c9 f5a894cd a23e1444 1261e9b1 21226db8 694b5102 907a8758 53b678d6 35c09010 f89154b1 db5a3e7c 94b8225a c7539f66 82000018 5c89b298 14c70bd2 a195d215 69a9003c f503adcd 82000018 84523d42 5f6e9638 a1b30b39 1a141491 7cfce516 00000018 d5f8dc8f 18619ca2 333b2400 bed8890f 36e19e6e 2005-09-21 13:02:09: DEBUG: begin. 2005-09-21 13:02:09: DEBUG: seen nptype=4(ke) 2005-09-21 13:02:09: DEBUG: seen nptype=10(nonce) 2005-09-21 13:02:09: DEBUG: seen nptype=130(nat-d) 2005-09-21 13:02:09: DEBUG: seen nptype=130(nat-d) 2005-09-21 13:02:09: DEBUG: succeed. Program received signal SIGSEGV, Segmentation fault. 0x08052e56 in ident_r2recv (iph1=0x888c7c0, msg=0x888cb60) at isakmp_ident.c:1066 1066 if (pa->type == iph1->natt_options->payload_nat_d) (gdb) print iph1 $1 = (struct ph1handle *) 0x888c7c0 (gdb) print iph1->natt_options $2 = (struct ph1natt_options *) 0x0 (gdb) where #0 0x08052e56 in ident_r2recv (iph1=0x888c7c0, msg=0x888cb60) at isakmp_ident.c:1066 #1 0x0804eb47 in isakmp_main (msg=0x888cb60, remote=0xfefed180, local=0xfefed100) at isakmp.c:754 #2 0x0804fc27 in isakmp_handler (so_isakmp=8) at isakmp.c:359 #3 0x0804befe in session () at session.c:178 #4 0x0804b93f in main (ac=0, av=0xfefed454) at main.c:266 Any thoughts on what's wrong? -- Name: Dave Huang | Mammal, mammal / their names are called / INet: kh...@az... | they raise a paw / the bat, the cat / FurryMUCK: Dahan | dolphin and dog / koala bear and hog -- TMBG Dahan: Hani G Y+C 29 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++ |
From: Dave H. <kh...@az...> - 2005-10-14 17:55:05
|
Does nobody have any ideas on this? On Wed, Sep 21, 2005 at 03:02:12PM -0500, Dave Huang wrote: > I'm trying to get an IPsec tunnel set up between a Linux box (kernel > 2.6.9-1.681_FC3, ipsec-tools 0.6.1) and a D-Link DI-804HV (firmware > 1.41). The D-Link is behind a NAT, but both it and ipsec-tools support > NAT-T, so it should work, right? > > racoon is crashing trying to dereference a null pointer. Running > racoon -F -v under gdb gives: > > 2005-09-21 13:02:05: INFO: @(#)ipsec-tools 0.6.1 (http://ipsec-tools.sourceforge.net) > 2005-09-21 13:02:05: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/) > 2005-09-21 13:02:06: DEBUG: compression algorithm can not be checked because sadb message doesn't support it. > 2005-09-21 13:02:06: DEBUG: compression algorithm can not be checked because sadb message doesn't support it. > 2005-09-21 13:02:06: INFO: 69.15.146.2[500] used as isakmp port (fd=8) > 2005-09-21 13:02:06: INFO: 69.15.146.2[500] used for NAT-T > 2005-09-21 13:02:06: DEBUG: get pfkey X_SPDDUMP message > 2005-09-21 13:02:06: DEBUG: get pfkey X_SPDDUMP message > 2005-09-21 13:02:06: DEBUG: sub:0xfefed0a0: 10.2.1.0/24[0] 10.1.1.0/24[0] proto=any dir=out > 2005-09-21 13:02:06: DEBUG: db :0x888aba0: 10.1.1.0/24[0] 10.2.1.0/24[0] proto=any dir=in > 2005-09-21 13:02:06: DEBUG: get pfkey X_SPDDUMP message > 2005-09-21 13:02:06: DEBUG: sub:0xfefed0a0: 10.1.1.0/24[0] 10.2.1.0/24[0] proto=any dir=fwd > 2005-09-21 13:02:06: DEBUG: db :0x888aba0: 10.1.1.0/24[0] 10.2.1.0/24[0] proto=any dir=in > 2005-09-21 13:02:06: DEBUG: sub:0xfefed0a0: 10.1.1.0/24[0] 10.2.1.0/24[0] proto=any dir=fwd > 2005-09-21 13:02:06: DEBUG: db :0x888c348: 10.2.1.0/24[0] 10.1.1.0/24[0] proto=any dir=out > 2005-09-21 13:02:08: DEBUG: === > 2005-09-21 13:02:08: DEBUG: 108 bytes message received from 24.242.176.90[500] to 69.15.146.2[500] > 2005-09-21 13:02:08: DEBUG: > 7e168701 6d967aa9 00000000 00000000 01100200 00000000 0000006c 0d00003c > 00000001 00000001 00000030 01010401 03000010 00000024 01010000 80010005 > 80020002 80030001 80040002 800b0001 000c0004 00000e10 00000014 7d9419a6 > 5310ca6f 2c179d92 15529d56 > 2005-09-21 13:02:08: DEBUG: configuration found for 24.242.176.90. > 2005-09-21 13:02:08: DEBUG: === > 2005-09-21 13:02:08: INFO: respond new phase 1 negotiation: 69.15.146.2[500]<=>24.242.176.90[500] > 2005-09-21 13:02:08: INFO: begin Identity Protection mode. > 2005-09-21 13:02:08: DEBUG: begin. > 2005-09-21 13:02:08: DEBUG: seen nptype=1(sa) > 2005-09-21 13:02:08: DEBUG: seen nptype=13(vid) > 2005-09-21 13:02:08: DEBUG: succeed. > 2005-09-21 13:02:08: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 > 2005-09-21 13:02:08: DEBUG: total SA len=56 > 2005-09-21 13:02:08: DEBUG: > 00000001 00000001 00000030 01010401 03000010 00000024 01010000 80010005 > 80020002 80030001 80040002 800b0001 000c0004 00000e10 > 2005-09-21 13:02:08: DEBUG: begin. > 2005-09-21 13:02:08: DEBUG: seen nptype=2(prop) > 2005-09-21 13:02:08: DEBUG: succeed. > 2005-09-21 13:02:08: DEBUG: proposal #1 len=48 > 2005-09-21 13:02:08: WARNING: SPI size isn't zero, but IKE proposal. > 2005-09-21 13:02:08: DEBUG: begin. > 2005-09-21 13:02:08: DEBUG: seen nptype=3(trns) > 2005-09-21 13:02:08: DEBUG: succeed. > 2005-09-21 13:02:08: DEBUG: transform #1 len=36 > 2005-09-21 13:02:09: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC > 2005-09-21 13:02:09: DEBUG: encryption(3des) > 2005-09-21 13:02:09: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA > 2005-09-21 13:02:09: DEBUG: hash(sha1) > 2005-09-21 13:02:09: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key > 2005-09-21 13:02:09: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group > 2005-09-21 13:02:09: DEBUG: hmac(modp1024) > 2005-09-21 13:02:09: DEBUG: type=Life Type, flag=0x8000, lorv=seconds > 2005-09-21 13:02:09: DEBUG: type=Life Duration, flag=0x0000, lorv=4 > 2005-09-21 13:02:09: DEBUG: pair 1: > 2005-09-21 13:02:09: DEBUG: 0x888b820: next=(nil) tnext=(nil) > 2005-09-21 13:02:09: DEBUG: proposal #1: 1 transform > 2005-09-21 13:02:09: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=4, #trns=1 > 2005-09-21 13:02:09: DEBUG: trns#=1, trns-id=IKE > 2005-09-21 13:02:09: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC > 2005-09-21 13:02:09: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA > 2005-09-21 13:02:09: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key > 2005-09-21 13:02:09: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group > 2005-09-21 13:02:09: DEBUG: type=Life Type, flag=0x8000, lorv=seconds > 2005-09-21 13:02:09: DEBUG: type=Life Duration, flag=0x0000, lorv=4 > 2005-09-21 13:02:09: DEBUG: Compared: DB:Peer > 2005-09-21 13:02:09: DEBUG: (lifetime = 28800:3600) > 2005-09-21 13:02:09: DEBUG: (lifebyte = 0:0) > 2005-09-21 13:02:09: DEBUG: enctype = 3DES-CBC:3DES-CBC > 2005-09-21 13:02:09: DEBUG: (encklen = 0:0) > 2005-09-21 13:02:09: DEBUG: hashtype = SHA:SHA > 2005-09-21 13:02:09: DEBUG: authmethod = pre-shared key:pre-shared key > 2005-09-21 13:02:09: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group > 2005-09-21 13:02:09: DEBUG: an acceptable proposal found. > 2005-09-21 13:02:09: DEBUG: hmac(modp1024) > 2005-09-21 13:02:09: DEBUG: new cookie: > e3134e604669c155 > 2005-09-21 13:02:09: DEBUG: add payload of len 56, next type 0 > 2005-09-21 13:02:09: DEBUG: 88 bytes from 69.15.146.2[500] to 24.242.176.90[500] > 2005-09-21 13:02:09: DEBUG: sockname 69.15.146.2[500] > 2005-09-21 13:02:09: DEBUG: send packet from 69.15.146.2[500] > 2005-09-21 13:02:09: DEBUG: send packet to 24.242.176.90[500] > 2005-09-21 13:02:09: DEBUG: src4 69.15.146.2[500] > 2005-09-21 13:02:09: DEBUG: dst4 24.242.176.90[500] > 2005-09-21 13:02:09: DEBUG: 1 times of 88 bytes message will be sent to 24.242.176.90[500] > 2005-09-21 13:02:09: DEBUG: > 7e168701 6d967aa9 e3134e60 4669c155 01100200 00000000 00000058 0000003c > 00000001 00000001 00000030 01010401 00000000 00000024 01010000 80010005 > 80020002 80030001 80040002 800b0001 000c0004 00000e10 > 2005-09-21 13:02:09: DEBUG: resend phase1 packet 7e1687016d967aa9:e3134e604669c155 > 2005-09-21 13:02:09: DEBUG: === > 2005-09-21 13:02:09: DEBUG: 232 bytes message received from 24.242.176.90[500] to 69.15.146.2[500] > 2005-09-21 13:02:09: DEBUG: > 7e168701 6d967aa9 e3134e60 4669c155 04100200 00000000 000000e8 0a000084 > 5ea03af2 5d82075d 869dab65 708d75e1 a8cca76d 85bdfd18 07e74f86 6622a74a > 167ac92d 1087ecbb 5bed0552 eb72287d c3770519 d9375fd3 f7dddc31 1e44928a > 154ad511 e10fcb51 e53b7cb5 f76954c9 f5a894cd a23e1444 1261e9b1 21226db8 > 694b5102 907a8758 53b678d6 35c09010 f89154b1 db5a3e7c 94b8225a c7539f66 > 82000018 5c89b298 14c70bd2 a195d215 69a9003c f503adcd 82000018 84523d42 > 5f6e9638 a1b30b39 1a141491 7cfce516 00000018 d5f8dc8f 18619ca2 333b2400 > bed8890f 36e19e6e > 2005-09-21 13:02:09: DEBUG: begin. > 2005-09-21 13:02:09: DEBUG: seen nptype=4(ke) > 2005-09-21 13:02:09: DEBUG: seen nptype=10(nonce) > 2005-09-21 13:02:09: DEBUG: seen nptype=130(nat-d) > 2005-09-21 13:02:09: DEBUG: seen nptype=130(nat-d) > 2005-09-21 13:02:09: DEBUG: succeed. > > Program received signal SIGSEGV, Segmentation fault. > 0x08052e56 in ident_r2recv (iph1=0x888c7c0, msg=0x888cb60) > at isakmp_ident.c:1066 > 1066 if (pa->type == iph1->natt_options->payload_nat_d) > (gdb) print iph1 > $1 = (struct ph1handle *) 0x888c7c0 > (gdb) print iph1->natt_options > $2 = (struct ph1natt_options *) 0x0 > (gdb) where > #0 0x08052e56 in ident_r2recv (iph1=0x888c7c0, msg=0x888cb60) > at isakmp_ident.c:1066 > #1 0x0804eb47 in isakmp_main (msg=0x888cb60, remote=0xfefed180, > local=0xfefed100) at isakmp.c:754 > #2 0x0804fc27 in isakmp_handler (so_isakmp=8) at isakmp.c:359 > #3 0x0804befe in session () at session.c:178 > #4 0x0804b93f in main (ac=0, av=0xfefed454) at main.c:266 > > Any thoughts on what's wrong? -- Name: Dave Huang | Mammal, mammal / their names are called / INet: kh...@az... | they raise a paw / the bat, the cat / FurryMUCK: Dahan | dolphin and dog / koala bear and hog -- TMBG Dahan: Hani G Y+C 29 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++ |