[strongSwan] charon: [15]CFG trap not found, unable to acquire reqid 0
gowrishankar
gowrishankar.m at linux.vnet.ibm.com
Wed Mar 21 14:50:52 CET 2012
Hi Vilhelm,
On Wednesday 21 March 2012 03:24 PM, Vilhelm Jutvik wrote:
> Hello Gowri,
>
> this seems to be the same problem (however I cannot confirm that
> SIGSEGV is the culprit in my case).
>
So, can you check/paste what is happening while ENC is parsing the
IKE_SA_INIT response for the SA payload? You can get it from charon.log
with the strongswan.conf setting as in http://wiki.strongswan.org/issues/184.
If you see that charon restarts just after that, following an error message
something like "killing ourself, received critical signal", this
confirms the SIGSEGV issue.
Thanks,
Gowri Shankar
> I saw that you hadn't been able to reproduce the error on x86. My
> error occurred on x86 while running on virtualized hardware (virtual
> box).
>
> Sincerely,
> Vilhelm Jutvik
>
> 2012/3/21 gowrishankar<gowrishankar.m at linux.vnet.ibm.com>:
>> Hi Tobias,
>>
>>
>> On Wednesday 21 March 2012 12:44 AM, Vilhelm Jutvik wrote:
>>> Dear Tobias,
>>>
>>> thank you very much. I thought that charon was signalled by the IPsec
>>> stack's SPD when a new SA was to be negotiated, not that it itself set
>>> the policy.
>>>
>>> Your solution didn't work right away though. I found that "ipsec
>>> start" only started the starter process and nothing more. It was not
>>> until I removed the charondebug option of the config section (as seen
>>> below) that it started. It works though if you limit the debugging
>>> level and / or the number of debugging options. I've reproduced this
>>> several times just to be sure. Why is this?
>>>
>> I have observed the same problem recently and posted a patch in
>> issue tracker. Can you please have a check.
>>
>> http://wiki.strongswan.org/issues/184
>>
>> Thanks,
>> Gowri Shankar
>>
>>> The problem line was (in full):
>>> charondebug="asn 3,knl 3,mgr 3,ike 3,chd 3,net 3,enc 3"
>>> It works if you change it so (e.g.) charondebug="ike 3"
>>>
>>> My strongswan version is 4.5.2 as included in Ubuntu 11.10
>>>
>>> Sincerely,
>>> Vilhelm Jutvik
>>> MS Thesis Student at SICS
>>>
>>> 2012/3/13 Tobias Brunner<tobias at strongswan.org>:
>>>> Hi Vilhelm,
>>>>
>>>>> config setup
>>>>> crlcheckinterval=180
>>>>> strictcrlpolicy=no
>>>>> plutostart=no
>>>>> charondebug="asn 4, knl 4,mgr 4,ike 4,chd 4,net 4,enc 4"
>>>>>
>>>>> conn %default
>>>>> auth=esp
>>>>> authby=psk
>>>>> esp=aes128ctr-aesxcbc!
>>>>> ikelifetime=60m
>>>>> keylife=20m
>>>>> keyingtries=1
>>>>> rekeymargin=3m
>>>>> keyexchange=ikev2
>>>>> ike=aes128ctr-aesxcbc-ecp192!
>>>>> type=transport
>>>> Your config file looks incomplete. You have to specify at least one
>>>> conn section (other than %default) with the auto keyword (auto can be
>>>> specified in %default, though). Where auto=route might be what you
>>>> want, as charon will then install policies in the kernel's SPD and an SA
>>>> will automatically be negotiated upon matching traffic. You also need
>>>> to specify right and optionally left (the endpoints of the IKE_SA) in
>>>> that conn section. If you only want specific traffic to be tunneled use
>>>> the left|rightsubnet and left|rightprotoport keywords (see the example
>>>> at [1]).
>>>>
>>>> Also if you want to configure the policies in the kernel yourself make
>>>> sure you use a reqid > 0 and then specify reqid=<reqid> and
>>>> installpolicy=no in the respective conn section.
>>>>
>>>> Regards,
>>>> Tobias
>>>>
>>>> [1] http://www.strongswan.org/uml/testresults/ikev2/protoport-route/
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>>>
>
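The charon.log check described in the reply above (ENC parsing lines, then the critical-signal message, then a restart), as an added example that is not part of the original thread or strongSwan's own code. It assumes log lines of the form `<thread>[<GROUP>] message` and a start banner containing "Starting"; the sample lines are constructed for illustration.

```python
import re

# Assumed charon log layout: optional prefix, then "<thread>[<GROUP>] <message>".
LINE_RE = re.compile(r"(?P<thread>\d+)\[(?P<group>[A-Z]{3})\]\s(?P<msg>.*)")
CRASH_MARKER = "received critical signal"  # wording quoted in the reply above

def find_crashes(lines, context=3):
    """Return one record per crash: the ENC lines seen just before it and
    whether the daemon was observed starting again afterwards."""
    crashes, recent_enc = [], []
    for raw in lines:
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a charon log line
        group, msg = m["group"], m["msg"]
        if CRASH_MARKER in msg:
            crashes.append({
                "thread": m["thread"],
                "enc_before": recent_enc[-context:],
                "restarted": False,
            })
            recent_enc = []
        elif group == "DMN" and "Starting" in msg:
            # A start banner only counts as a restart if a crash preceded it.
            if crashes and not crashes[-1]["restarted"]:
                crashes[-1]["restarted"] = True
        elif group == "ENC":
            recent_enc.append(msg)
    return crashes

# Constructed sample lines, not taken from a real charon.log.
SAMPLE = """\
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
15[NET] received packet: from 192.0.2.2[500] to 192.0.2.1[500]
15[ENC] parsing header of message
15[ENC] parsing SECURITY_ASSOCIATION payload, 48 bytes left
15[DMN] killing ourself, received critical signal
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
""".splitlines()

if __name__ == "__main__":
    for crash in find_crashes(SAMPLE):
        print("crash on thread", crash["thread"], "restarted:", crash["restarted"])
        for line in crash["enc_before"]:
            print("  ENC before crash:", line)
```

To use it on a real log, pass `open("charon.log")` (path as configured in strongswan.conf) instead of `SAMPLE`.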