[strongSwan] Bug? leftallowany=yes causes pluto to crash

Andreas Steffen andreas.steffen at strongswan.org
Fri Sep 24 10:36:51 CEST 2010


Hello Troy,

as you can see from the log message

> Sep 23 23:24:11 pilot pluto[12695]: ASSERTION FAILED at
> connections.c:1234: isanyaddr(&c->spd.that.host_addr)

and the connections.c source code, pluto did not crash but
was stopped on purpose by one of those terrible Free/SWAN
legacy assertions. Since the leftallowany option was added relatively
recently and the use of the vhost:... syntax is rather deprecated,
you are probably the first user who ran into this assertion.
It might very well be that removal of the assertion will also
remove the problem.

Regards

Andreas

On 24.09.2010 07:43, Troy Telford wrote:
> I noticed in the ipsec.conf manpage:
>   leftallowany  a modifier for left, making it behave as %any although a
>   concrete IP address has been assigned. Recommended for dynamic IP addresses
>   that can be resolved by DynDNS at IPsec startup or update time. Acceptable
>   values are yes and no (the default).
> 
> I took that to mean that on my server, I should have leftallowany=yes - 
> it describes what I do fairly well; I get a dynamically assigned IP 
> address which is then updated via DynDNS.
> 
> I'm willing to wager it's a bad config on my part, but I don't think it 
> should be causing pluto to crash.
> 
> When I add leftallowany=yes to my ipsec.conf, pluto crashes:
> (/var/log/auth.log | grep pluto)
> Sep 23 23:24:11 pilot pluto[12695]: loading secrets from "/etc/ipsec.secrets"
> Sep 23 23:24:11 pilot pluto[12695]: loading secrets from 
> "/var/lib/strongswan/ipsec.secrets.inc"
> Sep 23 23:24:11 pilot pluto[12695]:   loaded private key from 
> '/etc/ipsec.d/private/pilotKey.pem'
> Sep 23 23:24:11 pilot pluto[12695]:   loaded PSK secret for <DynDNS host FDQN>
> Sep 23 23:24:11 pilot pluto[12695]:   loaded host certificate from 
> '/etc/ipsec.d/certs/pilotCert.pem'
> Sep 23 23:24:11 pilot pluto[12695]: ASSERTION FAILED at 
> connections.c:1234: isanyaddr(&c->spd.that.host_addr)
> Sep 23 23:24:11 pilot pluto[12695]: Status of IKEv1 pluto daemon 
> (strongSwan 4.4.1):
> Sep 23 23:24:11 pilot pluto[12695]: interface eth0/eth0 2001:1938:240::1:500
> Sep 23 23:24:11 pilot pluto[12695]: interface lo/lo ::1:500
> Sep 23 23:24:11 pilot pluto[12695]: interface sixxs/sixxs 
> 2001:1938:81:a5::2:500
> Sep 23 23:24:11 pilot pluto[12695]: interface lo/lo 127.0.0.1:4500
> Sep 23 23:24:11 pilot pluto[12695]: interface lo/lo 127.0.0.1:500
> Sep 23 23:24:11 pilot pluto[12695]: interface eth2/eth2 192.168.2.1:4500
> Sep 23 23:24:11 pilot pluto[12695]: interface eth2/eth2 192.168.2.1:500
> Sep 23 23:24:11 pilot pluto[12695]: interface eth0/eth0 192.168.1.1:4500
> Sep 23 23:24:11 pilot pluto[12695]: interface eth0/eth0 192.168.1.1:500
> Sep 23 23:24:11 pilot pluto[12695]: interface eth1/eth1 76.27.20.26:4500
> Sep 23 23:24:11 pilot pluto[12695]: interface eth1/eth1 76.27.20.26:500
> Sep 23 23:24:11 pilot pluto[12695]: interface tun0/tun0 192.168.3.1:4500
> Sep 23 23:24:11 pilot pluto[12695]: interface tun0/tun0 192.168.3.1:500
> Sep 23 23:24:11 pilot pluto[12695]: %myid = '%any'
> Sep 23 23:24:11 pilot pluto[12695]: loaded plugins: curl ldap aes des 
> sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite openssl 
> hmac gmp xauth attr attr-sql resolve
> Sep 23 23:24:11 pilot pluto[12695]: debug options: none
> Sep 23 23:24:11 pilot pluto[12695]:
> Sep 23 23:24:11 pilot pluto[12695]: "rw-l2tp-nat": %any[C=US, <foo 
> bar>, CN=*, 
> E=*]:17/%any...76.27.16.1---%76.27.20.26[pilot.fdqn.net]:17/1701; 
> unrouted; eroute owner: #0
> Sep 23 23:24:11 pilot pluto[12695]: "rw-l2tp-nat":   CAs: "C=<foo bar>"
> Sep 23 23:24:11 pilot pluto[12695]: "rw-l2tp-nat":   ike_life: 3600s; 
> ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
> Sep 23 23:24:11 pilot pluto[12695]: "rw-l2tp-nat":   dpd_action: clear; 
> dpd_delay: 30s; dpd_timeout: 120s;
> Sep 23 23:24:11 pilot pluto[12695]: "rw-l2tp-nat":   policy: 
> PUBKEY+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: ;
> Sep 23 23:24:11 pilot pluto[12695]: "rw-l2tp-nat":   newest ISAKMP SA: 
> #0; newest IPsec SA: #0;
> Sep 23 23:24:11 pilot pluto[12695]:
> Sep 23 23:24:11 pilot ipsec_starter[12694]: pluto has died -- restart scheduled
> 
> If I move the location of 'leftallowany=yes', it seems that as long as 
> 'leftallowany=yes' is contained in a conn that does _not_ have 
> rightsubnet=vhost:%no,%priv, pluto will run.
> 
> If a conn does have 'leftallowany=yes' (via also=<foo> or directly), 
> then pluto will crash.
> 
> For reference, I’m using the Debian (unstable) strongSwan 4.4.1-3 
> package.  I looked at the source package.  It appears to be a pure 
> strongSwan 4.4.1 build:  there are no code patches at all; the man page 
> for ipsec.conf had a version number update, but that's literally it...


======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
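The thread's auth.log excerpt shows the two lines an operator wants to catch: pluto's "ASSERTION FAILED at file:line: expr" message and ipsec_starter's "pluto has died -- restart scheduled", which together mean the daemon is being restarted in a loop every time the configuration is loaded. The following scanner is an added example, not code from this thread or from the strongSwan project; it assumes the classic syslog line layout seen in the excerpt (timestamp, host, program[pid]: message) and uses the quoted log lines as a constructed sample.

```python
"""Scan a syslog excerpt for strongSwan pluto assertion failures and restarts.

Added example (not strongSwan code). Assumes the syslog layout seen in the
thread: "Mon DD HH:MM:SS host prog[pid]: message".
"""
import re
from collections import Counter

# Constructed sample, taken from the auth.log excerpt quoted in this thread.
SAMPLE_LOG = """\
Sep 23 23:24:11 pilot pluto[12695]: loading secrets from "/etc/ipsec.secrets"
Sep 23 23:24:11 pilot pluto[12695]:   loaded host certificate from '/etc/ipsec.d/certs/pilotCert.pem'
Sep 23 23:24:11 pilot pluto[12695]: ASSERTION FAILED at connections.c:1234: isanyaddr(&c->spd.that.host_addr)
Sep 23 23:24:11 pilot pluto[12695]: Status of IKEv1 pluto daemon (strongSwan 4.4.1):
Sep 23 23:24:11 pilot pluto[12695]: debug options: none
Sep 23 23:24:11 pilot ipsec_starter[12694]: pluto has died -- restart scheduled
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Matches the Free/SWAN-style assertion message pluto emits before exiting.
ASSERT_RE = re.compile(r"ASSERTION FAILED at (?P<file>[\w./-]+):(?P<line>\d+): (?P<expr>.+)$")
VERSION_RE = re.compile(r"Status of IKEv1 pluto daemon \(strongSwan (?P<ver>[^)]+)\)")
DIED_RE = re.compile(r"pluto has died")


def scan(log_text):
    """Return a list of event dicts: assertion failures, version banners, restarts."""
    events = []
    for raw in log_text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue  # not a syslog-shaped line; skip rather than guess
        prog, pid, msg = m.group("prog"), int(m.group("pid")), m.group("msg").strip()
        base = {"ts": m.group("ts"), "host": m.group("host"), "pid": pid}
        if prog == "pluto":
            a = ASSERT_RE.match(msg)
            if a:
                events.append({**base, "kind": "assertion", "file": a.group("file"),
                               "line": int(a.group("line")), "expr": a.group("expr")})
                continue
            v = VERSION_RE.match(msg)
            if v:
                events.append({**base, "kind": "version", "version": v.group("ver")})
        elif prog == "ipsec_starter" and DIED_RE.search(msg):
            events.append({**base, "kind": "restart"})
    return events


def summarize(events, loop_threshold=3):
    """Group assertion hits by source location and flag a restart loop.

    loop_threshold is an assumed operator setting: this many restarts in the
    scanned window is treated as a crash loop worth alerting on.
    """
    assertions = Counter((e["file"], e["line"]) for e in events if e["kind"] == "assertion")
    restarts = sum(1 for e in events if e["kind"] == "restart")
    versions = sorted({e["version"] for e in events if e["kind"] == "version"})
    return {
        "assertions": dict(assertions),
        "restarts": restarts,
        "restart_loop": restarts >= loop_threshold,
        "versions": versions,
    }


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for event in found:
        print(event)
    print(summarize(found))
```

Run it against `grep -E 'pluto|ipsec_starter' /var/log/auth.log` output to see which assertion (file and line) is tripping and how many times ipsec_starter has already rescheduled the daemon; the assertion expression tells you which connection field the check rejected, which is the first thing to quote when reporting the problem upstream.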