[strongSwan] Charon crash

Noel Kuntze noel at familie-kuntze.de
Thu Aug 7 19:46:54 CEST 2014


Hello list,

I have an IKEv2 connection between two strongSwan 5.2.0 installations.
This is the relevant configuration on the first side:
        thinkpad {
                version = 2
                remote_addrs = %any
                reauth_time = 0m
                over_time = 3m
                keyingtries = 3
                dpd_delay = 10
                dpd_timeout = 60
                proposals = aes256gcm16-sha256-ecp521,aes256-sha256-modp1024
                pools = app,thinkpad-ipv6
                local {
                        certs = strongswan_strangled.pem
                        id = thermi.strangled.net
                        auth = pubkey
                }

                remote {
                        certs = Thermi_Thinkpad.pem
                        auth = pubkey
                }

                children {
                        thinkpad-net4 {
                                local_ts = 192.168.178.0/24,172.16.20.0/24,141.79.0.0/16
                                inactivity = 0s
                                tfc_padding = mtu
                                dpd_action = clear
                                close_action = clear
                                ipcomp = yes
                                rekey_time = 0s
                                updown = /usr/lib/strongswan/sudo_updown
                                esp_proposals = aes256-sha256-ecp521
                        }
                        thinkpad-allaccess {
                                local_ts = 192.168.178.48,172.16.20.0/24,141.79.0.0/16,::/0
                                inactivity = 0s
                                tfc_padding = mtu
                                dpd_action = clear
                                close_action = clear
                                ipcomp = yes
                                rekey_time = 0s
                                updown = /usr/lib/strongswan/sudo_updown
                                esp_proposals = aes256-sha256-ecp521
                        }
                }
        }

After a couple of hours of operation, charon dies with the following message:
31[NET] received packet: from 212.2.34.225[7407] to 37.120.161.220[4500] (1245 bytes)
31[MGR] created IKE_SA (unnamed)[38]
31[IKE] 212.2.34.225 is initiating an IKE_SA
31[IKE] IKE_SA strongswan-app[38] state change: CREATED => CONNECTING
31[CFG] selecting proposal:
31[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
31[CFG] selecting proposal:
31[CFG]   no acceptable ENCRYPTION_ALGORITHM found
31[CFG] selecting proposal:
31[CFG]   proposal matches
31[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_521, IKE:3DES_CBC/AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP,
IKE:AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
31[CFG] configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_512_BP
31[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_512_BP
31[IKE] DH group ECP_521 inacceptable, requesting ECP_512_BP
31[IKE] IKE_SA strongswan-app[38] state change: CONNECTING => DESTROYING
31[DMN] thread 31 received 11
31[LIB]  dumping 11 stack frame addresses:
31[LIB]   /usr/lib/libpthread.so.0 @ 0x7fed6a5a7000 [0x7fed6a5b64b0]
31[LIB]     -> sigaction.c:?
31[LIB]   /usr/lib/ipsec/plugins/libstrongswan-eap-radius.so @ 0x7fed60396000 [0x7fed6039bd38]
31[LIB]     -> ??:?
31[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7fed6a7c5000 [0x7fed6a7d096d]
31[LIB]     -> ??:0
31[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7fed6a7c5000 [0x7fed6a7ed579]
31[LIB]     -> ??:?
31[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7fed6a7c5000 [0x7fed6a7f8a90]
31[LIB]     -> ??:?
31[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7fed6a7c5000 [0x7fed6a7ee027]
31[LIB]     -> ??:?
31[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7fed6a7c5000 [0x7fed6a7e7be1]
31[LIB]     -> ??:?
31[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fed6ac46000 [0x7fed6ac72f92]
31[LIB]     -> ??:?
31[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fed6ac46000 [0x7fed6ac82568]
31[LIB]     -> ??:?
31[LIB]     -> ??:?
31[LIB]   /usr/lib/libpthread.so.0 @ 0x7fed6a5a7000 [0x7fed6a5ae124]
31[LIB]     -> pthread_create.c:?
31[LIB]   /usr/lib/libc.so.6 @ 0x7fed6a1f9000 (clone+0x6d) [0x7fed6a2e24bd]
31[LIB]     -> ??:?
31[DMN] killing ourself, received critical signal

After that, IPsec starter restarts charon.
Please give advice on how to avoid this event.

Regards,
Noel Kuntze

-- 
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
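
Added example, not part of the original post and not strongSwan code: a triage script for a charon log like the one quoted above. It finds the critical signal (11 is SIGSEGV on Linux), converts each `module @ base [address]` frame into a module-relative offset, and builds `addr2line` commands for symbolizing frames the log shows as `??:?`. It assumes the value after `@` is the module's load address; the sample log is a constructed excerpt of the one in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened excerpt of the charon log quoted in the post.
SAMPLE_LOG = """\
31[IKE] IKE_SA strongswan-app[38] state change: CONNECTING => DESTROYING
31[DMN] thread 31 received 11
31[LIB]  dumping 11 stack frame addresses:
31[LIB]   /usr/lib/libpthread.so.0 @ 0x7fed6a5a7000 [0x7fed6a5b64b0]
31[LIB]     -> sigaction.c:?
31[LIB]   /usr/lib/ipsec/plugins/libstrongswan-eap-radius.so @ 0x7fed60396000 [0x7fed6039bd38]
31[LIB]     -> ??:?
31[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7fed6a7c5000 [0x7fed6a7d096d]
31[LIB]     -> ??:0
31[DMN] killing ourself, received critical signal
"""

# "<thread>[DMN] thread <n> received <signal>" and "<thread>[LIB] <module> @ <base> [<addr>]"
SIGNAL_RE = re.compile(r"^(\d+)\[DMN\] thread (\d+) received (\d+)$")
FRAME_RE = re.compile(r"^(\d+)\[LIB\]\s+(\S+) @ 0x([0-9a-f]+)(?: \(\S+\))? \[0x([0-9a-f]+)\]$")

def parse_crash(log):
    """Return (signal_number, frames) for the first crash in the log, or None."""
    signal, thread, frames = None, None, []
    for line in log.splitlines():
        m = SIGNAL_RE.match(line)
        if m and signal is None:
            thread, signal = m.group(1), int(m.group(3))
            continue
        f = FRAME_RE.match(line)
        # Only take frames logged by the crashing thread, after the signal line.
        if f and signal is not None and f.group(1) == thread:
            base, addr = int(f.group(3), 16), int(f.group(4), 16)
            frames.append({"module": f.group(2), "offset": addr - base})
    return None if signal is None else (signal, frames)

def first_non_libc_frame(frames):
    """Heuristic: skip signal-handler and runtime frames in libpthread/libc."""
    for fr in frames:
        name = fr["module"].rsplit("/", 1)[-1]
        if not name.startswith(("libpthread.", "libc.")):
            return fr
    return None

def addr2line_commands(frames):
    """One addr2line invocation per frame, using the module-relative offset."""
    return [f"addr2line -f -e {fr['module']} {fr['offset']:#x}" for fr in frames]
```

Symbolization only yields function names and line numbers if the listed libraries, or their separate debug-info packages, carry debug symbols for the exact build that crashed.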



