[strongSwan] charon: [15]CFG trap not found, unable to acquire reqid 0
Vilhelm Jutvik
ville at sics.se
Wed Mar 21 10:54:52 CET 2012
Hello Gowri,
this seems to be the same problem (however I cannot confirm that
SIGSEGV is the culprit in my case).
I saw that you hadn't been able to reproduce the error on x86. My
error occurred on x86 while running on virtualized hardware
(VirtualBox).
Sincerely,
Vilhelm Jutvik
2012/3/21 gowrishankar <gowrishankar.m at linux.vnet.ibm.com>:
> Hi Tobias,
>
>
> On Wednesday 21 March 2012 12:44 AM, Vilhelm Jutvik wrote:
>>
>> Dear Tobias,
>>
>> thank you very much. I thought that charon was signalled by the IPsec
>> stack's SPD when a new SA was to be negotiated, not that it itself set
>> the policy.
>>
>> Your solution didn't work right away though. I found that "ipsec
>> start" only started the starter process and nothing more. It was not
>> until I removed the charondebug option of the config section (as seen
>> below) that it started. It works though if you limit the debugging
>> level and / or the number of debugging options. I've reproduced this
>> several times just to be sure. Why is this?
>>
> I have observed the same problem recently and posted a patch in
> the issue tracker. Could you please check it?
>
> http://wiki.strongswan.org/issues/184
>
> Thanks,
> Gowri Shankar
>
>> The problem line was (in full):
>> charondebug="asn 3,knl 3,mgr 3,ike 3,chd 3,net 3,enc 3"
>> It works if you change it so (e.g.) charondebug="ike 3"
>>
>> My strongswan version is 4.5.2 as included in Ubuntu 11.10
>>
>> Sincerely,
>> Vilhelm Jutvik
>> MS Thesis Student at SICS
>>
>> 2012/3/13 Tobias Brunner <tobias at strongswan.org>:
>>>
>>> Hi Vilhelm,
>>>
>>>> config setup
>>>>     crlcheckinterval=180
>>>>     strictcrlpolicy=no
>>>>     plutostart=no
>>>>     charondebug="asn 4, knl 4,mgr 4,ike 4,chd 4,net 4,enc 4"
>>>>
>>>> conn %default
>>>>     auth=esp
>>>>     authby=psk
>>>>     esp=aes128ctr-aesxcbc!
>>>>     ikelifetime=60m
>>>>     keylife=20m
>>>>     keyingtries=1
>>>>     rekeymargin=3m
>>>>     keyexchange=ikev2
>>>>     ike=aes128ctr-aesxcbc-ecp192!
>>>>     type=transport
>>>
>>> Your config file looks incomplete. You have to specify at least one
>>> conn section (other than %default) with the auto keyword (auto can be
>>> specified in %default, though). Where auto=route might be what you
>>> want, as charon will then install policies in the kernel's SPD and an SA
>>> will automatically be negotiated upon matching traffic. You also need
>>> to specify right and optionally left (the endpoints of the IKE_SA) in
>>> that conn section. If you only want specific traffic to be tunneled use
>>> the left|rightsubnet and left|rightprotoport keywords (see the example
>>> at [1]).
>>>
>>> Also if you want to configure the policies in the kernel yourself make
>>> sure you use a reqid > 0 and then specify reqid=<reqid> and
>>> installpolicy=no in the respective conn section.
>>>
>>> Regards,
>>> Tobias
>>>
>>> [1] http://www.strongswan.org/uml/testresults/ikev2/protoport-route/
>>
>
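
Added example, not part of the original thread and not strongSwan code: a small Python check of an ipsec.conf against the points in Tobias's reply quoted above (a conn section other than %default, the auto and right keywords, and reqid > 0 when installpolicy=no). The sample config is constructed from the one quoted in the thread, the function names are hypothetical, and also= and include directives are not followed.

```python
# Constructed sample: a shortened form of the config quoted in the thread,
# which has only a %default conn and no auto or right keywords.
SAMPLE = """\
config setup
    plutostart=no
    charondebug="ike 3"

conn %default
    authby=psk
    keyexchange=ikev2
    type=transport
"""

def parse_ipsec_conf(text):
    """Return {section header: {key: value}} for config/conn/ca sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # headers start in column 0
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None and "=" in line: # indented key=value lines
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def lint(text):
    """Check the points from Tobias's reply; return a list of findings."""
    sections = parse_ipsec_conf(text)
    default = sections.get("conn %default", {})
    conns = {n: p for n, p in sections.items()
             if n.startswith("conn ") and n != "conn %default"}
    findings = []
    if not conns:
        findings.append("no conn section other than %default")
    for name, params in conns.items():
        eff = {**default, **params}               # %default values are inherited
        if "auto" not in eff:
            findings.append(f"{name}: no auto keyword")
        if "right" not in eff:
            findings.append(f"{name}: right not set")
        if eff.get("installpolicy") == "no" and int(eff.get("reqid", "0")) <= 0:
            findings.append(f"{name}: installpolicy=no needs reqid > 0")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE))
```
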