From: Jim K. <jku...@gm...> - 2008-02-26 22:01:26
Hi all:

I have racoon (latest version in CentOS 5 repositories) communicating in tunnel mode with two endpoints: one is a Cisco firewall, the other is a CheckPoint firewall. The Cisco firewall works great. In addition, the Cisco firewall has a VPN with identical settings to the Checkpoint; that works fine, too. Unfortunately, the VPN between the Checkpoint and racoon dies frequently, and takes down racoon with it (segfault). Here's a snippet from the racoon -F -d output:

2008-02-26 13:21:34: DEBUG: ===
2008-02-26 13:21:34: DEBUG: 60 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
2008-02-26 13:21:34: DEBUG: 0aa6bdb5 bc1fd24a 890aa6f0 c34edd41 08102001 24b10253 0000003c 83f85250
aac226b5 11706fab 582b9794 3c5933e2 955ee013 e6801a34 2e590a19
2008-02-26 13:21:34: ERROR: wrong state 8.
2008-02-26 13:21:34: ERROR: failed to pre-process packet.
2008-02-26 13:21:34: DEBUG: get pfkey UPDATE message
2008-02-26 13:21:34: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 2.2.2.2[0]->1.1.1.1[0] spi=93510680(0x592dc18)
2008-02-26 13:21:34: INFO: IPsec-SA established: ESP/Tunnel 2.2.2.2[0]->1.1.1.1[0] spi=93510680(0x592dc18)
2008-02-26 13:21:34: DEBUG: ===
2008-02-26 13:21:34: DEBUG: ===
2008-02-26 13:21:34: DEBUG: 60 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
2008-02-26 13:21:34: DEBUG: 0aa6bdb5 bc1fd24a 890aa6f0 c34edd41 08102001 24b10253 0000003c 83f85250
aac226b5 11706fab 582b9794 3c5933e2 955ee013 e6801a34 2e590a19
Segmentation fault

I have a much longer chunk available; I just didn't want to spam the list. I also replaced the IPs; 1.1.1.1 is my external IP; 2.2.2.2 is the CheckPoint external interface.

Here's my config details:

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous {
        #pfs_group 2;
        #lifetime time 1 hour ;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

include "/etc/racoon/2.2.2.2.conf";

----/etc/racoon/2.2.2.2.conf----
remote 2.2.2.2 {
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
}
---end---

Any suggestions? I've googled, and seen that it's perfectly possible to maintain stable connections to Checkpoint, but I have yet to get anything approximating a stable Checkpoint connection. It took over a month to even get a connection established with Checkpoint. I don't run the Checkpoint firewall, and do not have access to look at its settings, but I can contact the admin who does run it.

Thanks!
--Jim
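The hex words racoon prints after "DEBUG:" are the raw ISAKMP packet, so the fixed 28-byte header can be decoded by hand to see what kind of message arrived before the "wrong state" error and the crash. The following is an added example, not code from the thread or from ipsec-tools: it decodes the header layout from RFC 2408 (cookies, next payload, version, exchange type, flags, message ID, length), uses the IPsec DOI exchange-type numbers from RFC 2409, and checks the header's length field against the bytes actually received. The sample input is the 60-byte packet copied from the log above; the duplicate-detection helper and all function names are the example's own.

```python
import struct
from collections import Counter

# ISAKMP header layout (RFC 2408 section 3.1): 8-byte initiator cookie,
# 8-byte responder cookie, next payload, version, exchange type, flags,
# 4-byte message ID, 4-byte total length.  28 bytes in all, network order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

# Payload types from RFC 2408; exchange types from RFC 2408 plus the
# IPsec DOI values (32, 33) defined in RFC 2409 Appendix A.
NEXT_PAYLOAD = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE_TYPE = {1: "Base", 2: "Identity Protection (Main Mode)",
                 3: "Authentication Only", 4: "Aggressive", 5: "Informational",
                 32: "Quick Mode", 33: "New Group Mode"}
FLAG_ENCRYPT, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04

# Constructed input: the hex words of the 60-byte packet exactly as racoon
# dumped them in the post (the same packet appears twice in the log).
RACOON_DUMP = """
0aa6bdb5 bc1fd24a 890aa6f0 c34edd41 08102001 24b10253 0000003c 83f85250
aac226b5 11706fab 582b9794 3c5933e2 955ee013 e6801a34 2e590a19
"""


def hexdump_to_bytes(dump):
    """Turn racoon's space-separated 32-bit hex words back into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_isakmp_header(packet):
    """Decode the fixed ISAKMP header and compare its length field to reality."""
    if len(packet) < ISAKMP_HDR.size:
        raise ValueError("packet shorter than the 28-byte ISAKMP header")
    icookie, rcookie, nxt, ver, xtype, flags, msgid, length = ISAKMP_HDR.unpack_from(packet)
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "next_payload": NEXT_PAYLOAD.get(nxt, f"unknown({nxt})"),
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange_type": EXCHANGE_TYPE.get(xtype, f"unknown({xtype})"),
        "encrypted": bool(flags & FLAG_ENCRYPT),
        "commit": bool(flags & FLAG_COMMIT),
        "message_id": f"{msgid:08x}",
        "length": length,
        # A mismatch here means a truncated or padded datagram; a parser
        # should trust the smaller of the two, never the header alone.
        "length_matches": length == len(packet),
    }


def find_retransmits(packets):
    """Map (cookies, message ID) -> count for every key seen more than once.

    The same phase-2 message ID under the same phase-1 cookies arriving
    twice is the signature of a peer retransmission (or of the receiver
    failing to acknowledge the first copy).
    """
    keys = [(h["initiator_cookie"], h["responder_cookie"], h["message_id"])
            for h in map(parse_isakmp_header, packets)]
    return {k: n for k, n in Counter(keys).items() if n > 1}


if __name__ == "__main__":
    pkt = hexdump_to_bytes(RACOON_DUMP)
    for field, value in parse_isakmp_header(pkt).items():
        print(f"{field:>17}: {value}")
    print("retransmits:", find_retransmits([pkt, pkt]))
```

Decoding the packet from the log gives next payload HASH, IKE version 1.0, exchange type 32 (Quick Mode), the encrypt flag set, message ID 24b10253 and a length of 60 that matches the datagram size. In other words the peer sent an encrypted Quick Mode message whose first payload is a hash, and the log shows the identical packet (same cookies, same message ID) arriving a second time after racoon had already installed the SA. That second copy is what find_retransmits reports; where exactly racoon mishandles it is what the valgrind run suggested in the reply would pinpoint.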
From: Krzysztof O. <ol...@an...> - 2008-02-26 22:10:57
On Tue, 26 Feb 2008, Jim Kusznir wrote:

> Hi all:
<CUT>
> Segmentation fault
<CUT>
> Any suggestions? I've googled, and seen that it's perfectly possible
> to maintain stable connections to Checkpoint, but I have yet to get
> anything approximating a stable Checkpoint connection. It took over a
> month to even get a connection established with Checkpoint. I don't
> run the Checkpoint firewall, and do not have access to look at its
> settings, but I can contact the admin who does run it.

Could you please recompile racoon without symbol stripping and with "-O0 -g" and run it under valgrind? It should show the exact place in the code where the problem is.

Best regards,

Krzysztof Olędzki