[strongSwan] Strongswan 5.6.2: Segfault if charondebug = cfg > 2

Sven Anders anders at anduras.de
Tue Jun 5 22:11:02 CEST 2018


Hello!

I'm experiencing a segmentation fault if I set the charondebug cfg level to a value greater than 2.
I'm using strongSwan 5.6.2 on Linux kernel 4.1.39 on a 32-bit system.

Strongswan was compiled with:

./configure CFLAGS="-g -march=core2 -O3 -fstack-protector" LDFLAGS="-D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro,-z,now" --prefix=/usr
--sysconfdir=/etc --enable-aes --enable-bliss --enable-blowfish --enable-ccm --enable-chapoly --enable-cmac --enable-ctr --enable-des
--enable-fips-prf --enable-gcm --enable-gcrypt --enable-hmac --enable-md4 --enable-md5 --enable-mgf1 --enable-newhope --enable-nonce --enable-ntru
--enable-openssl --enable-padlock --enable-random --enable-rc2 --enable-rdrand --enable-aesni --enable-sha1 --enable-sha2 --enable-sha3 --enable-xcbc
--enable-dnskey --enable-pem --enable-pgp --enable-pkcs1 --enable-pkcs7 --enable-pkcs8 --enable-pkcs12 --enable-pubkey --enable-sshkey --enable-x509
--enable-curl --enable-files --enable-ldap --enable-soup --enable-unbound --disable-winhttp --disable-mysql --enable-sqlite --enable-addrblock
--enable-acert --disable-af-alg --enable-agent --enable-constraints --enable-coupling --enable-dnscert --enable-eap-sim --enable-eap-sim-file
--disable-eap-sim-pcsc --enable-eap-aka --enable-eap-aka-3gpp --enable-eap-aka-3gpp2 --enable-eap-simaka-sql --enable-eap-simaka-pseudonym
--enable-eap-simaka-reauth --enable-eap-identity --enable-eap-md5 --enable-eap-gtc --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls
--enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-ext-auth --enable-ipseckey --disable-keychain --enable-pkcs11
--enable-revocation --enable-whitelist --enable-xauth-generic --enable-xauth-eap --enable-xauth-pam --enable-xauth-noauth --enable-kernel-netlink
--enable-kernel-pfkey --disable-kernel-iph --enable-kernel-libipsec --disable-kernel-wfp --enable-socket-default --enable-socket-dynamic
--disable-socket-win --enable-stroke --enable-smp --enable-sql --disable-uci --enable-vici --disable-android-dns --enable-attr --enable-attr-sql
--enable-bypass-lan --enable-counters --enable-dhcp --disable-osx-attr --disable-p-cscf --enable-resolve --enable-unity --disable-imc-test
--disable-imv-test --enable-imc-scanner --enable-imv-scanner --enable-imc-os --enable-imv-os --enable-imc-attestation --enable-imv-attestation
--enable-imc-swid --disable-imv-swid --enable-imc-hcd --enable-imv-hcd --enable-tnc-ifmap --enable-tnc-imc --enable-tnc-imv --enable-tnc-pdp
--enable-tnccs-11 --enable-tnccs-20 --enable-tnccs-dynamic --disable-android-log --enable-certexpire --enable-connmark --enable-forecast
--enable-duplicheck --enable-error-notify --enable-farp --enable-ha --enable-led --enable-load-tester --enable-lookip --enable-radattr
--enable-systime-fix --enable-test-vectors --enable-updown --enable-aikgen --enable-charon --enable-cmd --disable-conftest --disable-dumm
--disable-fast --enable-libipsec --disable-manager --disable-medcli --disable-medsrv --disable-nm --disable-pki --disable-scepclient --disable-scripts
--disable-svc --enable-swanctl --disable-tkm --disable-bfd-backtraces --disable-dbghelp-backtraces --enable-ikev1 --enable-ikev2
--enable-integrity-test --enable-load-warning --enable-mediation --disable-unwind-backtraces --disable-ruby-gems --disable-ruby-gems-install
--disable-python-eggs --disable-python-eggs-install --disable-perl-cpan --disable-perl-cpan-install --enable-tss-trousers --enable-tss-tss2
--disable-coverage --disable-leak-detective --disable-lock-profiler --enable-log-thread-ids


with "gcc version 4.5.1" (sorry, I cannot use a newer compiler on this system... :-( )


Can anybody reproduce this? The gdb backtrace below shows the crash inside the "%b" raw dump of the stroke message (log_/vlog in bus/bus.c:398, called from on_accept in stroke_socket.c:647) at level LEVEL_RAW, which is exactly the output that only appears once cfg is raised above 2.



Starting strongSwan 5.6.2 IPsec [starter]...
2205[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.1.39-core2, i686)
2205[LIB] plugin 'test-vectors': loaded successfully
2205[LIB] plugin 'unbound': loaded successfully
2205[LIB] plugin 'ldap': loaded successfully
2205[CFG] PKCS11 module '<name>' lacks library path
2205[LIB] plugin 'pkcs11': loaded successfully
2205[LIB] plugin 'aesni': loaded successfully
2205[LIB] plugin 'aes': loaded successfully
2205[LIB] plugin 'des': loaded successfully
2205[LIB] plugin 'blowfish': loaded successfully
2205[LIB] plugin 'rc2': loaded successfully
2205[LIB] plugin 'sha2': loaded successfully
2205[LIB] plugin 'sha3': loaded successfully
2205[LIB] plugin 'sha1': loaded successfully
2205[LIB] plugin 'md4': loaded successfully
2205[LIB] plugin 'md5': loaded successfully
2205[LIB] plugin 'mgf1': loaded successfully
2205[LIB] plugin 'rdrand': loaded successfully
2205[LIB] detected RDRAND support, enabled
2205[LIB] plugin 'random': loaded successfully
2205[LIB] plugin 'nonce': loaded successfully
2205[LIB] plugin 'x509': loaded successfully
2205[LIB] plugin 'revocation': loaded successfully
2205[LIB] plugin 'constraints': loaded successfully
2205[LIB] plugin 'acert': loaded successfully
2205[LIB] plugin 'pubkey': loaded successfully
2205[LIB] plugin 'pkcs1': loaded successfully
2205[LIB] plugin 'pkcs7': loaded successfully
2205[LIB] plugin 'pkcs8': loaded successfully
2205[LIB] plugin 'pkcs12': loaded successfully
2205[LIB] plugin 'pgp': loaded successfully
2205[LIB] plugin 'dnskey': loaded successfully
2205[LIB] plugin 'sshkey': loaded successfully
2205[LIB] plugin 'dnscert': loaded successfully
2205[LIB] plugin 'pem': loaded successfully
2205[LIB] Padlock features supported:, enabled:
2205[LIB] plugin 'padlock': loaded successfully
2205[LIB] plugin 'openssl': loaded successfully
2205[LIB] plugin 'fips-prf': loaded successfully
2205[LIB] plugin 'gmp': loaded successfully
2205[LIB] plugin 'curve25519': loaded successfully
2205[LIB] plugin 'agent': loaded successfully
2205[LIB] plugin 'chapoly': loaded successfully
2205[LIB] plugin 'xcbc': loaded successfully
2205[LIB] plugin 'cmac': loaded successfully
2205[LIB] plugin 'hmac': loaded successfully
2205[LIB] plugin 'ctr': loaded successfully
2205[LIB] plugin 'ccm': loaded successfully
2205[LIB] plugin 'gcm': loaded successfully
2205[LIB] plugin 'ntru': loaded successfully
2205[LIB] plugin 'newhope': loaded successfully
2205[LIB] plugin 'bliss': loaded successfully
2205[LIB] plugin 'curl': loaded successfully
2205[LIB] plugin 'files': loaded successfully
2205[LIB] using SQLite 3.7.15.2, thread safety 1
2205[LIB] plugin 'sqlite': loaded successfully
2205[CFG] loaded attribute INTERNAL_IP4_DNS: 0a:01:03:0a
2205[CFG] loaded attribute INTERNAL_IP4_DNS: 0a:01:03:0b
2205[CFG] loaded attribute (25): 6d:65:2d:67:72:6f:75:70:2e:6c:6f:63:61:6c
2205[LIB] plugin 'attr': loaded successfully
2205[LIB] plugin 'attr-sql': loaded successfully
2205[CFG] disabling load-tester plugin, not configured
2205[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
2205[LIB] plugin 'kernel-netlink': loaded successfully
2205[LIB] plugin 'socket-default': loaded successfully
2205[LIB] plugin 'connmark': loaded successfully
2205[LIB] plugin 'stroke': loaded successfully
2205[LIB] plugin 'vici': loaded successfully
2205[LIB] plugin 'updown': loaded successfully
2205[LIB] plugin 'eap-identity': loaded successfully
2205[LIB] plugin 'eap-sim': loaded successfully
2205[LIB] plugin 'eap-sim-file': loaded successfully
2205[LIB] plugin 'eap-aka': loaded successfully
2205[LIB] plugin 'eap-aka-3gpp': loaded successfully
2205[LIB] plugin 'eap-aka-3gpp2': loaded successfully
2205[LIB] plugin 'eap-simaka-sql': loaded successfully
2205[LIB] plugin 'eap-simaka-pseudonym': loaded successfully
2205[LIB] plugin 'eap-simaka-reauth': loaded successfully
2205[LIB] plugin 'eap-md5': loaded successfully
2205[LIB] plugin 'eap-gtc': loaded successfully
2205[LIB] plugin 'eap-mschapv2': loaded successfully
2205[LIB] plugin 'eap-dynamic': loaded successfully
2205[LIB] plugin 'eap-radius': loaded successfully
2205[LIB] plugin 'eap-tls': loaded successfully
2205[LIB] plugin 'eap-ttls': loaded successfully
2205[LIB] plugin 'eap-peap': loaded successfully
2205[LIB] plugin 'eap-tnc': loaded successfully
2205[LIB] plugin 'xauth-generic': loaded successfully
2205[LIB] plugin 'xauth-eap': loaded successfully
2205[LIB] plugin 'xauth-pam': loaded successfully
2205[LIB] plugin 'xauth-noauth': loaded successfully
2205[LIB] plugin 'tnc-ifmap': loaded successfully
2205[LIB] plugin 'tnc-pdp': loaded successfully
2205[LIB] plugin 'tnc-imc': loaded successfully
2205[LIB] plugin 'tnc-imv': loaded successfully
2205[LIB] plugin 'tnc-tnccs': loaded successfully
2205[LIB] plugin 'tnccs-20': loaded successfully
2205[LIB] plugin 'tnccs-11': loaded successfully
2205[LIB] plugin 'tnccs-dynamic': loaded successfully
2205[LIB] plugin 'dhcp': loaded successfully
2205[LIB] plugin 'ha': loaded successfully
2205[LIB] plugin 'whitelist': loaded successfully
2205[LIB] plugin 'ext-auth': loaded successfully
2205[LIB] plugin 'lookip': loaded successfully
2205[LIB] plugin 'error-notify': loaded successfully
2205[LIB] plugin 'certexpire': loaded successfully
2205[LIB] plugin 'systime-fix': loaded successfully
2205[LIB] plugin 'led': loaded successfully
2205[LIB] plugin 'duplicheck': loaded successfully
2205[LIB] plugin 'coupling': loaded successfully
2205[LIB] plugin 'addrblock': loaded successfully
2205[LIB] plugin 'unity': loaded successfully
2205[LIB] plugin 'counters': loaded successfully
2205[KNL] known interfaces and IP addresses:
2205[KNL]   lo
2205[KNL]     127.0.0.1
2205[KNL]     ::1
2205[KNL]   eth1
2205[KNL]     fe80::20c:29ff:fede:e80a
2205[KNL]   eth2
2205[KNL]     fe80::20c:29ff:fede:e832
2205[KNL]   eth3
2205[KNL]     fe80::20c:29ff:fede:e814
2205[KNL]   eth4
2205[KNL]     fe80::20c:29ff:fede:e8f6
2205[KNL]   eth5
2205[KNL]     fe80::20c:29ff:fede:e81e
2205[KNL]   eth6
2205[KNL]     fe80::20c:29ff:fede:e800
2205[KNL]   eth7
2205[KNL]     fe80::20c:29ff:fede:e828
2205[KNL]   eth0
2205[KNL]     10.10.133.2
2205[KNL]     fe80::250:56ff:feaf:ae7a
2205[KNL]   bond0
2205[KNL]   bond1
2205[KNL]   bond2
2205[KNL]   bond3
2205[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
2205[CFG] loading unbound resolver config from '/etc/resolv.conf'
2205[CFG] failed to read the resolver config: error reading file (No such file or directory)
2205[CFG] failed to create a DNS resolver instance
2205[LIB] feature CUSTOM:dnscert in plugin 'dnscert' failed to load
2205[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
2205[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
2205[CFG] attr-sql plugin: database URI not set
2205[LIB] feature CUSTOM:attr-sql in plugin 'attr-sql' failed to load
2205[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
2205[CFG]   loaded ca certificate "C=DE, ST=Bavaria, L=Ortenburg, O=Micro-Epsilon, OU=IT, DC=local, DC=me-group, CN=Micro-Epsilon CA" from
'/etc/ipsec.d/cacerts/me-ca.crt'
2205[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
2205[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
2205[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
2205[CFG] loading crls from '/etc/ipsec.d/crls'
2205[CFG] loading secrets from '/etc/ipsec.secrets'
2205[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
2205[LIB] feature CUSTOM:eap-sim-file-triplets in plugin 'eap-sim-file' failed to load
2205[LIB] feature CUSTOM:sim-card in plugin 'eap-sim-file' has unmet dependency: CUSTOM:eap-sim-file-triplets
2205[LIB] feature CUSTOM:sim-provider in plugin 'eap-sim-file' has unmet dependency: CUSTOM:eap-sim-file-triplets
2205[CFG] eap-simaka-sql database URI missing
2205[LIB] feature CUSTOM:eap-simaka-sql-db in plugin 'eap-simaka-sql' failed to load
2205[LIB] feature CUSTOM:aka-card in plugin 'eap-simaka-sql' has unmet dependency: CUSTOM:eap-simaka-sql-db
2205[LIB] feature CUSTOM:sim-card in plugin 'eap-simaka-sql' has unmet dependency: CUSTOM:eap-simaka-sql-db
2205[LIB] feature CUSTOM:aka-provider in plugin 'eap-simaka-sql' has unmet dependency: CUSTOM:eap-simaka-sql-db
2205[LIB] feature CUSTOM:sim-provider in plugin 'eap-simaka-sql' has unmet dependency: CUSTOM:eap-simaka-sql-db
2205[CFG] loaded 0 RADIUS server configurations
2205[TNC] MAP server certificate not defined
2205[LIB] feature CUSTOM:tnc-ifmap-2.1 in plugin 'tnc-ifmap' failed to load
2205[TNC] TNC recommendation policy is 'default'
2205[TNC] loading IMVs from '/etc/tnc_config'
2205[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
2205[CFG] missing PDP server name, PDP disabled
2205[LIB] feature CUSTOM:tnc-pdp in plugin 'tnc-pdp' failed to load
2205[TNC] loading IMCs from '/etc/tnc_config'
2205[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
2205[CFG] HA config misses local/remote address
2205[LIB] feature CUSTOM:ha in plugin 'ha' failed to load
2205[CFG] no script for ext-auth script defined, disabled
2205[LIB] feature CUSTOM:ext_auth in plugin 'ext-auth' failed to load
2205[CFG] no threshold configured for systime-fix, disabled
2205[LIB] feature CUSTOM:systime-fix in plugin 'systime-fix' failed to load
2205[CFG] coupling file path unspecified
2205[LIB] feature CUSTOM:coupling in plugin 'coupling' failed to load
2205[LIB] unloading plugin 'dnscert' without loaded features
2205[LIB] unloading plugin 'padlock' without loaded features
2205[LIB] unloading plugin 'attr-sql' without loaded features
2205[LIB] unloading plugin 'eap-sim-file' without loaded features
2205[LIB] unloading plugin 'eap-simaka-sql' without loaded features
2205[LIB] unloading plugin 'tnc-ifmap' without loaded features
2205[LIB] unloading plugin 'tnc-pdp' without loaded features
2205[LIB] unloading plugin 'ha' without loaded features
2205[LIB] unloading plugin 'ext-auth' without loaded features
2205[LIB] unloading plugin 'systime-fix' without loaded features
2205[LIB] unloading plugin 'coupling' without loaded features
2205[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aesni aes des blowfish rc2 sha2 sha3 sha1 md4 md5 mgf1 rdrand random nonce x509
revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr
ccm gcm ntru newhope bliss curl files sqlite attr kernel-netlink socket-default connmark stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp
eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc
xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire
led duplicheck addrblock unity counters
2205[LIB] unable to load 19 plugin features (9 due to unmet dependencies)
2205[JOB] spawning 16 worker threads
2219[LIB] created thread 2219 [2219]
2220[LIB] created thread 2220 [2220]
2221[LIB] created thread 2221 [2221]
2221[NET] waiting for data on sockets
2211[LIB] created thread 2211 [2211]
2212[LIB] created thread 2212 [2212]
2216[LIB] created thread 2216 [2216]
2213[LIB] created thread 2213 [2213]
2214[LIB] created thread 2214 [2214]
2215[LIB] created thread 2215 [2215]
2217[LIB] created thread 2217 [2217]
2218[LIB] created thread 2218 [2218]
2210[LIB] created thread 2210 [2210]
2209[LIB] created thread 2209 [2209]
2208[LIB] created thread 2208 [2208]
2207[LIB] created thread 2207 [2207]
2206[LIB] created thread 2206 [2206]
charon (2205) started after 140 ms
2212[DMN] thread 2212 received 11
2212[LIB]  dumping 13 stack frame addresses:
2212[LIB]   /lib/libpthread.so.0 @ 0x40138000 [0x40146af8]
sh: addr2line: not found
2212[LIB]     ->
2212[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x4006d05e]
sh: addr2line: not found
2212[LIB]     ->
2212[LIB]   /lib/libc.so.6 @ 0x40157000 (_IO_vfprintf+0xa35) [0x40197c35]
sh: addr2line: not found
2212[LIB]     ->
2212[LIB]   /lib/libc.so.6 @ 0x40157000 (vsnprintf+0xbd) [0x401bfafd]
sh: addr2line: not found
2212[LIB]     ->
2212[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x4007e000 [0x40087838]
sh: addr2line: not found
2212[LIB]     ->
2212[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x4007e000 [0x4008799d]
sh: addr2line: not found
2212[LIB]     ->
2212[LIB]   /usr/lib/ipsec/plugins/libstrongswan-stroke.so @ 0x40988000 [0x4098b07e]
sh: addr2line: not found
2212[LIB]     ->
2212[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x40051a64]
sh: addr2line: not found
2212[LIB]     ->
2212[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x4005556a]
sh: addr2line: not found
2212[LIB]     ->
2212[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x40055fc2]
sh: addr2line: not found
2212[LIB]     ->
2212[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x4006a739]
sh: addr2line: not found
2212[LIB]     ->
2212[LIB]   /lib/libpthread.so.0 @ 0x40138000 [0x4013daf5]
sh: addr2line: not found
2212[LIB]     ->
2212[LIB]   /lib/libc.so.6 @ 0x40157000 (clone+0x5e) [0x402334be]
sh: addr2line: not found
2212[LIB]     ->
 dumping 13 stack frame addresses:
  /lib/libpthread.so.0 @ 0x40138000 [0x40146af8]
sh: addr2line: not found
    ->
  /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x4006d05e]
sh: addr2line: not found
    ->
  /lib/libc.so.6 @ 0x40157000 (_IO_vfprintf+0xa35) [0x40197c35]
sh: addr2line: not found
    ->
  /lib/libc.so.6 @ 0x40157000 (vsnprintf+0xbd) [0x401bfafd]
sh: addr2line: not found
    ->
  /usr/lib/ipsec/libcharon.so.0 @ 0x4007e000 [0x40087838]
sh: addr2line: not found
    ->
  /usr/lib/ipsec/libcharon.so.0 @ 0x4007e000 [0x4008799d]
sh: addr2line: not found
    ->
  /usr/lib/ipsec/plugins/libstrongswan-stroke.so @ 0x40988000 [0x4098b07e]
sh: addr2line: not found
    ->
  /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x40051a64]
sh: addr2line: not found
    ->
  /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x4005556a]
sh: addr2line: not found
    ->
  /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x40055fc2]
sh: addr2line: not found
    ->
  /usr/lib/ipsec/libstrongswan.so.0 @ 0x40021000 [0x4006a739]
sh: addr2line: not found
    ->
  /lib/libpthread.so.0 @ 0x40138000 [0x4013daf5]
sh: addr2line: not found
    ->
  /lib/libc.so.6 @ 0x40157000 (clone+0x5e) [0x402334be]
sh: addr2line: not found
    ->
2212[DMN] killing ourself, received critical signal
connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
charon has died -- restart scheduled (5sec)
^Cipsec starter stopped


Here is the gdb backtrace:


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x41873b70 (LWP 2004)]
0x40069aed in mem_printf_hook (data=0x41871f40, spec=0x41871f30, args=0x41871f70) at utils/utils/memory.c:224
224	utils/utils/memory.c: No such file or directory.
	in utils/utils/memory.c
(gdb) bt
#0  0x40069aed in mem_printf_hook (data=0x41871f40, spec=0x41871f30, args=0x41871f70) at utils/utils/memory.c:224
#1  0x4006d05e in custom_print (stream=0x41872bdc, info=0x41871fe0, args=0x41871f70)
    at utils/printf_hook/printf_hook_glibc.c:117
#2  0x40197c35 in vfprintf () from /lib/libc.so.6
#3  0x401bfafd in vsnprintf () from /lib/libc.so.6
#4  0x40087838 in vlog (this=0x8000cca8, group=DBG_CFG, level=LEVEL_RAW, format=0x4099bc73 "stroke message %b",
    args=0x41873190 "x*\006\200\264\002") at bus/bus.c:398
#5  0x4008799d in log_ (this=0x8000cca8, group=DBG_CFG, level=LEVEL_RAW, format=0x4099bc73 "stroke message %b")
    at bus/bus.c:439
#6  0x4098b07e in on_accept (this=0x8005ca60, stream=0x80062918) at stroke_socket.c:647
#7  0x40051a64 in accept_async (data=0x80062958) at networking/streams/stream_service.c:189
#8  0x4005556a in execute (this=0x80062a38) at processing/jobs/callback_job.c:77
#9  0x40055fc2 in process_job (worker=0x80055e40) at processing/processor.c:235
#10 process_jobs (worker=0x80055e40) at processing/processor.c:321
#11 0x4006a739 in thread_main (this=0x80021100) at threading/thread.c:331
#12 0x4013daf5 in start_thread (arg=0x41873b70) at pthread_create.c:297
#13 0x402334be in clone () from /lib/libc.so.6


ipsec.conf:

#-----------------------------------------------------------------------------
# Global config
#-----------------------------------------------------------------------------

config setup

    #  Allows multiple simultaneous connections with one user account.
    #  By default only one active connection per user is allowed.
    #  This option is also useful if you have a limited rightsourceip pool and want to kick a ghost connection while reconnecting.
    uniqueids=no

    # Increase debug level
    charondebug = ike 2, net 2, pts 2, lib 2, tls 2, cfg 2, knl 2
#    charondebug = ike 4, net 4, pts 4, lib 4, tls 2, cfg 3, knl 4, enc 4, esp 4, tnc 4

#-----------------------------------------------------------------------------
# Basic configs
#-----------------------------------------------------------------------------

conn rw-base
    # enables IKE fragmentation
    fragmentation=yes

    # dpdtimeout is not honored for ikev2. For IKEv2, every message is used
    # to determine the timeout, so the generic timeout value for IKEv2 messages
    # is used.
    dpdtimeout=90s
    dpddelay=30s
    dpdaction=clear

# this is used in every conn in which the client is assigned a "virtual" IP or
# one or several DNS servers
# the cipher suites require the openssl plugin.
conn rw-config
    also=rw-base

    # not possible with asymmetric authentication
    reauth=no
    rekey=no

    # secure cipher suites
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072

    # RECEIVED FROM THE CLIENT SIDE
    leftsubnet=10.0.0.0/8   # Split tunnel config
    leftid="vpn.mydom.net"
    leftcert=server.crt
    leftsendcert=always  # not "never"
    left=10.2.115.99  # External IP: 217.6.20.75
    lefthostaccess=yes

    # SEND FROM THE SERVER SIDE
    rightdns=10.1.3.10, 10.1.3.11
    rightsourceip=%static, %dynamic

#-----------------------------------------------------------------------------
# IKEv1
#-----------------------------------------------------------------------------

## this conn is set up for l2tp support where the user authentication is happening
## in the l2tp control connection. With L2TP, clients are usually not assigned
## a virtual IP in IKE.
## Charon is not an l2tp server. You need to install xl2tp for that and configure it correctly.
## mark=%unique requires the connmark plugin.
#conn ikev1-l2tp-chap-auth-in-l2tp
#    also=rw-base
#    # reduce to the most secure combination the client can support, if absolutely required.
#    ike=aes128-sha1-modp3072
#    esp=aes128-sha1-modp3072
#    leftsubnet=%dynamic[/1701]
#    rightsubnet=%dynamic
#    mark=%unique
#    leftauth=psk
#    rightauth=psk
#    type=transport
#    auto=add

## this conn is set up for l2tp support where the user authentication is happening
## during the IKEv1 authentication. With L2TP, clients are usually not assigned
## a virtual IP in IKE.
## mark=%unique requires the connmark plugin.
## this requires the xauth-generic plugin.
#conn ikev1-l2tp-xauth-in-ike
#    also=rw-base
#    # reduce to the most secure combination the client can support, if absolutely required.
#    ike=aes128-sha1-modp3072
#    esp=aes128-sha1-modp3072
#    leftsubnet=%dynamic[/1701]
#    rightsubnet=%dynamic
#    mark=%unique
#    leftauth=psk
#    rightauth=psk
#    rightauth2=xauth-generic
#    xauth=server
#    # not possible with asymmetric authentication
#    reauth=no
#    rekey=no
#    type=transport
#    auto=add

# this requires the xauth-generic plugin.
# (for iPhones with IKEv1 and a shared secret)
#conn ikev1-psk-xauth
#    also=rw-config
#    keyexchange=ikev1
#    leftauth=psk
#    rightauth=psk
#    rightauth2=xauth-generic
#    xauth=server
#    auto=add

# leftauth and rightauth default to "pubkey", so no change necessary.
#conn ikev1-pubkey
#    also=rw-config
#    keyexchange=ikev1
#    auto=add

# this requires the xauth-generic plugin.
# (for iPhones with IKEv1 and local stored passwords)
#conn ikev1-pubkey-xauth
#    also=rw-config
#    keyexchange=ikev1
#    #rightauth=pubkey
#    rightauth2=xauth-generic
#    xauth=server
#    auto=add

# this requires the xauth-noauth plugin.
# (for iPhones with IKEv1 WITHOUT password querying)
conn ikev1-pubkey-xauth-noauth
    also=rw-config
    keyexchange=ikev1
    #rightauth=pubkey
    rightauth2=xauth-noauth
    xauth=server
    auto=add

# this requires the xauth-pam plugin.
# (for iPhones with IKEv1 and passwords via PAM)
#conn ikev1-pubkey-xauth-radius
#    also=rw-config
#    keyexchange=ikev1
#    #rightauth=pubkey
#    rightauth2=xauth-pam
#    xauth=server
#    auto=add

# this requires the eap-radius plugin.
# (for iPhones with IKEv1 and passwords on radius/DC)
#conn ikev1-pubkey-xauth-radius
#    also=rw-config
#    keyexchange=ikev1
#    #rightauth=pubkey
#    rightauth2=eap-radius
#    xauth=server
#    auto=add

# this requires the xauth-generic plugin.
#conn ikev1-hybrid
#    also=rw-config
#    keyexchange=ikev1
#    rightauth=xauth-generic
#    xauth=server

#-----------------------------------------------------------------------------
# IKEv2
#-----------------------------------------------------------------------------

# use IKEv2 with client certificate only
conn ikev2-pubkey
    also=rw-config
    keyexchange=ikev2
    auto=add

## If you need to support several EAP methods at the same time, you need to
## use eap-dynamic and must not use any other conn with eap settings.
## Add the settings for the eap-dynamic plugin to your strongswan.conf file.
#
#conn ikev2-eap
#    also=rw-config
#    keyexchange=ikev2
#    rightauth=eap-dynamic
#    eap_identity=%identity
#    auto=add
#

# this requires the eap-tls plugin.
#conn ikev2-eap-tls
#    also=rw-base
#    keyexchange=ikev2
#    rightauth=eap-tls
#    eap_identity=%identity
#    auto=add


## this requires the eap-gtc plugin.
#conn ikev2-eap-gtc
#    also=rw-config
#    keyexchange=ikev2
#    rightauth=eap-gtc
#    eap_identity=%identity
#    auto=add

# this requires the eap-mschapv2 plugin.
# (Apple clients with cert+password usually go here)
#conn ikev2-eap-mschapv2
#    also=rw-config
#    keyexchange=ikev2
#    auto=add
#    # right - remote (client) side
#    rightauth=eap-mschapv2
#    eap_identity=%identity

# Use RADIUS EAP plugin
#conn ikev2-eap-radius
#    also=rw-config
#    keyexchange=ikev2
#    auto=add
#    # right - remote (client) side
#    rightauth=eap-radius
#    eap_identity=%identity



Regards
 Sven Anders

-- 
 Sven Anders <anders at anduras.de>                 () UTF-8 Ribbon Campaign
                                                 /\ Support plain text e-mail
 ANDURAS intranet security AG
 Messestrasse 3 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
  - Benjamin Franklin

