[strongSwan] Bug? leftallowany=yes causes pluto to crash
Troy Telford
ttelford.groups at gmail.com
Fri Sep 24 07:43:43 CEST 2010
I noticed in the ipsec.conf manpage:
leftallowany: a modifier for left, making it behave as %any although a concrete IP address has been assigned. Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec startup or update time. Acceptable values are yes and no (the default).
I took that to mean that on my server, I should have leftallowany=yes -
it describes what I do fairly well; I get a dynamically assigned IP
address which is then updated via DynDNS.
I'm willing to wager it's a bad config on my part, but I don't think it
should be causing pluto to crash.
When I add leftallowany=yes to my ipsec.conf, pluto crashes:
(/var/log/auth.log | grep pluto)
Sep 23 23:24:11 pilot pluto[12695]: loading secrets from "/etc/ipsec.secrets"
Sep 23 23:24:11 pilot pluto[12695]: loading secrets from "/var/lib/strongswan/ipsec.secrets.inc"
Sep 23 23:24:11 pilot pluto[12695]: loaded private key from '/etc/ipsec.d/private/pilotKey.pem'
Sep 23 23:24:11 pilot pluto[12695]: loaded PSK secret for <DynDNS host FDQN>
Sep 23 23:24:11 pilot pluto[12695]: loaded host certificate from '/etc/ipsec.d/certs/pilotCert.pem'
Sep 23 23:24:11 pilot pluto[12695]: ASSERTION FAILED at connections.c:1234: isanyaddr(&c->spd.that.host_addr)
Sep 23 23:24:11 pilot pluto[12695]: Status of IKEv1 pluto daemon (strongSwan 4.4.1):
Sep 23 23:24:11 pilot pluto[12695]: interface eth0/eth0 2001:1938:240::1:500
Sep 23 23:24:11 pilot pluto[12695]: interface lo/lo ::1:500
Sep 23 23:24:11 pilot pluto[12695]: interface sixxs/sixxs 2001:1938:81:a5::2:500
Sep 23 23:24:11 pilot pluto[12695]: interface lo/lo 127.0.0.1:4500
Sep 23 23:24:11 pilot pluto[12695]: interface lo/lo 127.0.0.1:500
Sep 23 23:24:11 pilot pluto[12695]: interface eth2/eth2 192.168.2.1:4500
Sep 23 23:24:11 pilot pluto[12695]: interface eth2/eth2 192.168.2.1:500
Sep 23 23:24:11 pilot pluto[12695]: interface eth0/eth0 192.168.1.1:4500
Sep 23 23:24:11 pilot pluto[12695]: interface eth0/eth0 192.168.1.1:500
Sep 23 23:24:11 pilot pluto[12695]: interface eth1/eth1 76.27.20.26:4500
Sep 23 23:24:11 pilot pluto[12695]: interface eth1/eth1 76.27.20.26:500
Sep 23 23:24:11 pilot pluto[12695]: interface tun0/tun0 192.168.3.1:4500
Sep 23 23:24:11 pilot pluto[12695]: interface tun0/tun0 192.168.3.1:500
Sep 23 23:24:11 pilot pluto[12695]: %myid = '%any'
Sep 23 23:24:11 pilot pluto[12695]: loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite openssl hmac gmp xauth attr attr-sql resolve
Sep 23 23:24:11 pilot pluto[12695]: debug options: none
Sep 23 23:24:11 pilot pluto[12695]:
Sep 23 23:24:11 pilot pluto[12695]: "rw-l2tp-nat": %any[C=US, <foo bar>, CN=*, E=*]:17/%any...76.27.16.1---%76.27.20.26[pilot.fdqn.net]:17/1701; unrouted; eroute owner: #0
Sep 23 23:24:11 pilot pluto[12695]: "rw-l2tp-nat": CAs: "C=<foo bar>"
Sep 23 23:24:11 pilot pluto[12695]: "rw-l2tp-nat": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
Sep 23 23:24:11 pilot pluto[12695]: "rw-l2tp-nat": dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
Sep 23 23:24:11 pilot pluto[12695]: "rw-l2tp-nat": policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: ;
Sep 23 23:24:11 pilot pluto[12695]: "rw-l2tp-nat": newest ISAKMP SA: #0; newest IPsec SA: #0;
Sep 23 23:24:11 pilot pluto[12695]:
Sep 23 23:24:11 pilot ipsec_starter[12694]: pluto has died -- restart scheduled
If I move the location of 'leftallowany=yes', it seems that as long as
'leftallowany=yes' is contained in a conn that does _not_ have
rightsubnet=vhost:%no,%priv, pluto will run.
If a conn does have 'leftallowany=yes' (via also=<foo> or directly),
then pluto will crash.
For reference, I’m using the Debian (unstable) strongSwan 4.4.1-3
package. I looked at the source package. It appears to be a pure
strongSwan 4.4.1 build: there are no code patches at all; the man page
for ipsec.conf had a version number update, but that's literally it...
--
Troy Telford
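A small pre-restart lint for the combination this report describes (leftallowany=yes reaching a conn that carries rightsubnet=vhost:..., directly or through also=), added here as example code rather than anything from strongSwan or the poster; it assumes the plain indented ipsec.conf layout with also= and conn %default, and runs on a constructed sample config.

```python
import re

# Constructed sample ipsec.conf mirroring the layout described in the post:
# leftallowany=yes lives in a shared conn that other conns pull in via also=.
SAMPLE_CONF = """\
config setup
    plutostart=yes

conn %default
    keyexchange=ikev1

conn base
    left=%defaultroute
    leftallowany=yes

conn rw-l2tp-nat
    also=base
    rightsubnet=vhost:%no,%priv
    auto=add

conn site-a
    also=base
    rightsubnet=10.0.0.0/24
    auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}; repeated also= lines are collected."""
    conns, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = re.match(r"^conn\s+(\S+)", line)
        if header:
            current = conns.setdefault(header.group(1), {})
            continue
        if not line[0].isspace():          # e.g. 'config setup': not a conn
            current = None
            continue
        if current is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            current[key] = (current.get(key, "") + " " + val).strip() if key == "also" else val
    return conns

def effective(conns, name, seen=()):
    """Settings a conn ends up with: %default, then also= parents, then its own."""
    if name in seen or name not in conns:
        return {}
    merged = dict(conns.get("%default", {})) if not seen else {}
    for parent in conns[name].get("also", "").split():
        merged.update(effective(conns, parent, seen + (name,)))
    merged.update(conns[name])
    return merged

def crashing_conns(text):
    """Names of conns combining leftallowany=yes with rightsubnet=vhost:..."""
    conns = parse_conns(text)
    return sorted(n for n in conns if n != "%default"
                  and effective(conns, n).get("leftallowany") == "yes"
                  and effective(conns, n).get("rightsubnet", "").startswith("vhost:"))
```

Run it against a real file with `crashing_conns(open("/etc/ipsec.conf").read())`; the `also=` resolution is what catches the indirect case the post mentions.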