xelerance / Openswan

ABORT at /build/openswan/src/openswan-2.6.47/programs/pluto/keys.c:488 #204

Open lion24 opened 8 years ago

lion24 commented 8 years ago

Pluto is aborting when negotiating ISAKMP SA with the following message:

ABORT at /build/openswan/src/openswan-2.6.47/programs/pluto/keys.c:488

My question is, is the openswan project still maintained? It used to work before...

Full pluto log:

adding connection: "L2TP-PSK-noNAT"
adding connection: "passthrough-for-non-l2tp"
listening for IKE messages
adding interface eth0/eth0 192.168.0.5:500 (AF_INET)
adding interface eth0/eth0 192.168.0.5:4500
adding interface lo/lo 127.0.0.1:500 (AF_INET)
adding interface lo/lo 127.0.0.1:4500
loading secrets from "/etc/ipsec.secrets"
| creating SPD to 192.168.0.5->spi=00000100@0.0.0.0 proto=61
| creating SPD to 192.168.0.5->spi=00000100@0.0.0.0 proto=61
packet from 192.168.0.22:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from 192.168.0.22:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
packet from 192.168.0.22:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
packet from 192.168.0.22:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108 
packet from 192.168.0.22:500: received Vendor ID payload [RFC 3947] method set to=115 
packet from 192.168.0.22:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
packet from 192.168.0.22:500: received Vendor ID payload [Dead Peer Detection]
packet from 192.168.0.22:500: ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
packet from 192.168.0.22:500: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
packet from 192.168.0.22:500: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
packet from 192.168.0.22:500: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
packet from 192.168.0.22:500: received Vendor ID payload [Cisco-Unity]
"L2TP-PSK-NAT" #1: Aggressive mode peer ID is ID_FQDN: '@'
"L2TP-PSK-NAT" #1: ASSERTION FAILED at /build/openswan/src/openswan-2.6.47/programs/pluto/keys.c:488: unknown address family in anyaddr/unspecaddr
"L2TP-PSK-NAT" #1: using kernel interface: netkey
"L2TP-PSK-NAT" #1: interface lo/lo 127.0.0.1 (AF_INET)
"L2TP-PSK-NAT" #1: interface lo/lo 127.0.0.1 (AF_INET)
"L2TP-PSK-NAT" #1: interface eth0/eth0 192.168.0.5 (AF_INET)
"L2TP-PSK-NAT" #1: interface eth0/eth0 192.168.0.5 (AF_INET)
"L2TP-PSK-NAT" #1: %myid = (none)
"L2TP-PSK-NAT" #1: debug none
"L2TP-PSK-NAT" #1:  
"L2TP-PSK-NAT" #1: virtual_private (%priv):
"L2TP-PSK-NAT" #1: - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
"L2TP-PSK-NAT" #1: - disallowed 0 subnets: 
"L2TP-PSK-NAT" #1: WARNING: Disallowed subnets in virtual_private= is empty. If you have 
"L2TP-PSK-NAT" #1:          private address space in internal use, it should be excluded!
"L2TP-PSK-NAT" #1:  
"L2TP-PSK-NAT" #1: algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
"L2TP-PSK-NAT" #1: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
"L2TP-PSK-NAT" #1: algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
"L2TP-PSK-NAT" #1: algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
"L2TP-PSK-NAT" #1: algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
"L2TP-PSK-NAT" #1: algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
"L2TP-PSK-NAT" #1: algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
"L2TP-PSK-NAT" #1: algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
"L2TP-PSK-NAT" #1: algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
"L2TP-PSK-NAT" #1: algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
"L2TP-PSK-NAT" #1: algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
"L2TP-PSK-NAT" #1: algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
"L2TP-PSK-NAT" #1: algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
"L2TP-PSK-NAT" #1: algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
"L2TP-PSK-NAT" #1: algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
"L2TP-PSK-NAT" #1: algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
"L2TP-PSK-NAT" #1: algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
"L2TP-PSK-NAT" #1: algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
"L2TP-PSK-NAT" #1: algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
"L2TP-PSK-NAT" #1: algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
"L2TP-PSK-NAT" #1:  
"L2TP-PSK-NAT" #1: algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
"L2TP-PSK-NAT" #1: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
"L2TP-PSK-NAT" #1: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
"L2TP-PSK-NAT" #1: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
"L2TP-PSK-NAT" #1: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
"L2TP-PSK-NAT" #1: algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
"L2TP-PSK-NAT" #1: algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
"L2TP-PSK-NAT" #1: algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
"L2TP-PSK-NAT" #1: algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
"L2TP-PSK-NAT" #1: algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
"L2TP-PSK-NAT" #1: algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
"L2TP-PSK-NAT" #1: algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
"L2TP-PSK-NAT" #1: algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
"L2TP-PSK-NAT" #1: algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
"L2TP-PSK-NAT" #1: algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
"L2TP-PSK-NAT" #1: algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
"L2TP-PSK-NAT" #1: algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
"L2TP-PSK-NAT" #1:  
"L2TP-PSK-NAT" #1: stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
"L2TP-PSK-NAT" #1:  
"L2TP-PSK-NAT" #1: "L2TP-PSK-NAT": ?===%virtual:17/1701...%any:17/%any; unrouted; eroute owner: #0
"L2TP-PSK-NAT" #1: "L2TP-PSK-NAT":     myip=unset; hisip=unset;
"L2TP-PSK-NAT" #1: "L2TP-PSK-NAT":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 
"L2TP-PSK-NAT" #1: "L2TP-PSK-NAT":   policy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 0,0; interface: lo; kind=CK_TEMPLATE
"L2TP-PSK-NAT" #1: "L2TP-PSK-NAT":   dpd: action:clear; delay:10; timeout:90;  
"L2TP-PSK-NAT" #1: "L2TP-PSK-NAT":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0;
"L2TP-PSK-NAT" #1: "L2TP-PSK-noNAT": %any:17/1701...%any:17/%any; unrouted; eroute owner: #0
"L2TP-PSK-NAT" #1: "L2TP-PSK-noNAT":     myip=unset; hisip=unset;
"L2TP-PSK-NAT" #1: "L2TP-PSK-noNAT":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 
"L2TP-PSK-NAT" #1: "L2TP-PSK-noNAT":   policy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 0,0; interface: lo; kind=CK_TEMPLATE
"L2TP-PSK-NAT" #1: "L2TP-PSK-noNAT":   dpd: action:clear; delay:10; timeout:90;  
"L2TP-PSK-NAT" #1: "L2TP-PSK-noNAT":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0;
"L2TP-PSK-NAT" #1: "passthrough-for-non-l2tp": 192.168.0.5---192.168.0.1...%any===0.0.0.0/0; prospective erouted; eroute owner: #0
"L2TP-PSK-NAT" #1: "passthrough-for-non-l2tp":     myip=unset; hisip=unset;
"L2TP-PSK-NAT" #1: "passthrough-for-non-l2tp":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 
"L2TP-PSK-NAT" #1: "passthrough-for-non-l2tp":   policy: PFS+IKEv2ALLOW+SAREFTRACK+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; kind=CK_PERMANENT
"L2TP-PSK-NAT" #1: "passthrough-for-non-l2tp":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0;
"L2TP-PSK-NAT" #1:  
"L2TP-PSK-NAT" #1:  
"L2TP-PSK-NAT" #1: ABORT at /build/openswan/src/openswan-2.6.47/programs/pluto/keys.c:488
"L2TP-PSK-NAT" #1: ABORT at /build/openswan/src/openswan-2.6.47/programs/pluto/keys.c:488
pluto_crypto_helper: helper [nonnss] (0) is exiting normally 

Thanks for support! :)

shussain commented 8 years ago

You are having a failed assert: unknown address family in anyaddr/unspecaddr

Could you please test in Openswan 2.6.48? If the issue still occurs, can you please post your ipsec configuration.

lion24 commented 8 years ago

Will give it a shot later, thanks for the advice ;)

lion24 commented 8 years ago

Nope.. Same behavior in 2.6.48.

Here is my ipsec.conf (just copied from the example).

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    interfaces=%defaultroute
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=auto
    plutostderrlog=/var/log/pluto.log

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
    auto=add

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    keyingtries=3
    rekey=no
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add

conn passthrough-for-non-l2tp
    type=passthrough
    left=192.168.0.5
    leftnexthop=192.168.0.1
    right=0.0.0.0
    rightsubnet=0.0.0.0/0
    auto=route

Openswan is running on Archlinux (for raspberry) on a Raspberry Pi behind a NAT (but in the DMZ zone).

letoams commented 8 years ago

On Aug 8, 2016, at 8:11 AM, lion24 notifications@github.com wrote:

Nope.. Same behavior in 2.6.48.

I tested this in libreswan, and assuming the empty ID used is the problem (it shows up in your logs as '@'), I tested libreswan and it did not crash on that. But I cannot be sure that was really the problem, so please give libreswan a try? If it also crashes, a gdb backtrace would help me diagnose it further.

lion24 commented 8 years ago

Ok, seems a bit better with libreswan, but it is complaining that the connection is not allowed.

[alarm@alarmpi libreswan]$ tail -f /var/log/pluto.log 
Aug  8 15:50:25: adding interface eth0/eth0 192.168.0.5:4500
Aug  8 15:50:25: adding interface lo/lo 127.0.0.1:500
Aug  8 15:50:25: adding interface lo/lo 127.0.0.1:4500
Aug  8 15:50:25: | setup callback for interface lo:4500 fd 19
Aug  8 15:50:25: | setup callback for interface lo:500 fd 18
Aug  8 15:50:25: | setup callback for interface eth0:4500 fd 17
Aug  8 15:50:25: | setup callback for interface eth0:500 fd 16
Aug  8 15:50:25: loading secrets from "/etc/ipsec.secrets"
Aug  8 15:50:25: loading secrets from "/etc/ipsec.d/home.secrets"
Aug  8 15:50:25: reapchild failed with errno=10 No child processes
Aug  8 15:51:06: packet from 178.50.70.163:26447: initial Main Mode message received on 192.168.0.5:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Aug  8 15:51:09: packet from 178.50.70.163:26447: initial Main Mode message received on 192.168.0.5:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW

I've used the exact ipsec.conf file as previous.

letoams commented 8 years ago

Looks like the connection did not load, can you confirm the connection loads using:

ipsec auto --add L2TP-PSK-noNAT

lion24 commented 8 years ago

Seems to be the issue...

022 connection L2TP-PSK-noNAT must specify host IP address for our side
036 attempt to load incomplete connection

But anyway, I mention left=%defaultroute, so it should parse the info from the routing table, right? :)

letoams commented 8 years ago

It should. Are you sure you don't have a mix of openswan/libreswan installed? Is there anything odd in your routing table?

Maybe just temporarily set left= to the real IP address you want to use to test for this crasher?

lion24 commented 8 years ago

I removed my previous openswan installation using pacman -R openswan, so yeah, it should be removed I guess :P

The routing table is clean and no policy routing magic is applied..

[alarm@alarmpi ~]$ ip rule
0:  from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
[alarm@alarmpi ~]$ ip route show default
default via 192.168.0.1 dev eth0  proto dhcp  src 192.168.0.5  metric 1024 
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.5 
192.168.0.1 dev eth0  proto dhcp  scope link  src 192.168.0.5  metric 1024

Ok, I am gonna try to assign left to 192.168.0.5, which is the static IP attributed to my pi on the LAN.

lion24 commented 8 years ago

Ok, seems now to be good for the libreswan part. But the tunnel won't go up. :(

In the log of xl2tpd, I see that the peer is trying to request a certain tunnel id and, as it fails, requests the same one again indefinitely...

Here are the logs..

xl2tpd[5644]: setsockopt recvref[30]: Protocol not available
xl2tpd[5644]: Using l2tp kernel support.
xl2tpd[5644]: open_controlfd: Unable to open /var/run/xl2tpd/l2tp-control for reading.
[alarm@alarmpi ~]$ sudo xl2tpd -D
xl2tpd[5646]: setsockopt recvref[30]: Protocol not available
xl2tpd[5646]: Using l2tp kernel support.
xl2tpd[5646]: xl2tpd version xl2tpd-1.3.7 started on alarmpi PID:5646
xl2tpd[5646]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[5646]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[5646]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[5646]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[5646]: Listening on IP address 0.0.0.0, port 1701
packet dump: 
HEX: { 02 C8 45 00 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00 00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00 03 00 00 00 03 80 08 00 00 00 09 0D 6A 80 08 00 00 00 0A 00 01 }
ASCII: {   E                               anonymous                 j        }
xl2tpd[5646]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5646]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5646]: hostname_avp: peer reports hostname 'anonymous'
xl2tpd[5646]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5646]: assigned_tunnel_avp: using peer's tunnel 3434
xl2tpd[5646]: receive_window_size_avp: peer wants RWS of 1.  Will use flow control.
packet dump: 
HEX: { C8 02 00 68 0D 6A 00 00 00 00 00 01 80 08 00 00 00 00 00 02 80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00 00 00 08 00 00 00 06 06 90 80 0D 00 00 00 07 61 6C 61 72 6D 70 69 00 13 00 00 00 08 78 65 6C 65 72 61 6E 63 65 2E 63 6F 6D 80 08 00 00 00 09 B0 18 80 08 00 00 00 0A 00 04 }
ASCII: {    h j                                                        alarmpi      xelerance.com                }
packet dump: 
HEX: { 02 C8 45 00 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00 00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00 03 00 00 00 03 80 08 00 00 00 09 0D 6A 80 08 00 00 00 0A 00 01 }
ASCII: {   E                               anonymous                 j        }
xl2tpd[5646]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5646]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5646]: hostname_avp: peer reports hostname 'anonymous'
xl2tpd[5646]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5646]: assigned_tunnel_avp: using peer's tunnel 3434
xl2tpd[5646]: receive_window_size_avp: peer wants RWS of 1.  Will use flow control.
xl2tpd[5646]: control_finish: Peer requested tunnel 3434 twice, ignoring second one.
packet dump: 
HEX: { 02 C8 45 00 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00 00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00 03 00 00 00 03 80 08 00 00 00 09 0D 6A 80 08 00 00 00 0A 00 01 }
ASCII: {   E                               anonymous                 j        }
xl2tpd[5646]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5646]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5646]: hostname_avp: peer reports hostname 'anonymous'
xl2tpd[5646]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5646]: assigned_tunnel_avp: using peer's tunnel 3434
xl2tpd[5646]: receive_window_size_avp: peer wants RWS of 1.  Will use flow control.
xl2tpd[5646]: control_finish: Peer requested tunnel 3434 twice, ignoring second one.
packet dump: 
HEX: { 02 C8 45 00 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00 00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00 03 00 00 00 03 80 08 00 00 00 09 0D 6A 80 08 00 00 00 0A 00 01 }
ASCII: {   E                               anonymous                 j        }
xl2tpd[5646]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5646]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5646]: hostname_avp: peer reports hostname 'anonymous'
xl2tpd[5646]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5646]: assigned_tunnel_avp: using peer's tunnel 3434
xl2tpd[5646]: receive_window_size_avp: peer wants RWS of 1.  Will use flow control.
xl2tpd[5646]: control_finish: Peer requested tunnel 3434 twice, ignoring second one.
packet dump: 
HEX: { 02 C8 45 00 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00 00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00 03 00 00 00 03 80 08 00 00 00 09 0D 6A 80 08 00 00 00 0A 00 01 }
ASCII: {   E                               anonymous                 j        }
xl2tpd[5646]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5646]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5646]: hostname_avp: peer reports hostname 'anonymous'
xl2tpd[5646]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5646]: assigned_tunnel_avp: using peer's tunnel 3434
xl2tpd[5646]: receive_window_size_avp: peer wants RWS of 1.  Will use flow control.
xl2tpd[5646]: control_finish: Peer requested tunnel 3434 twice, ignoring second one.
packet dump: 
HEX: { 02 C8 45 00 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00 00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00 03 00 00 00 03 80 08 00 00 00 09 0D 6A 80 08 00 00 00 0A 00 01 }
ASCII: {   E                               anonymous                 j        }
xl2tpd[5646]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5646]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5646]: hostname_avp: peer reports hostname 'anonymous'
xl2tpd[5646]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5646]: assigned_tunnel_avp: using peer's tunnel 3434
xl2tpd[5646]: receive_window_size_avp: peer wants RWS of 1.  Will use flow control.
xl2tpd[5646]: control_finish: Peer requested tunnel 3434 twice, ignoring second one.
packet dump: 
HEX: { 02 C8 45 00 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00 00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00 03 00 00 00 03 80 08 00 00 00 09 0D 6A 80 08 00 00 00 0A 00 01 }
ASCII: {   E                               anonymous                 j        }
xl2tpd[5646]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5646]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5646]: hostname_avp: peer reports hostname 'anonymous'
xl2tpd[5646]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5646]: assigned_tunnel_avp: using peer's tunnel 3434
xl2tpd[5646]: receive_window_size_avp: peer wants RWS of 1.  Will use flow control.
xl2tpd[5646]: control_finish: Peer requested tunnel 3434 twice, ignoring second one.
packet dump: 
HEX: { 02 C8 45 00 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00 00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00 03 00 00 00 03 80 08 00 00 00 09 0D 6A 80 08 00 00 00 0A 00 01 }
ASCII: {   E                               anonymous                 j        }
xl2tpd[5646]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5646]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5646]: hostname_avp: peer reports hostname 'anonymous'
xl2tpd[5646]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5646]: assigned_tunnel_avp: using peer's tunnel 3434
xl2tpd[5646]: receive_window_size_avp: peer wants RWS of 1.  Will use flow control.
xl2tpd[5646]: control_finish: Peer requested tunnel 3434 twice, ignoring second one.
packet dump: 
HEX: { 02 C8 45 00 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00 00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00 03 00 00 00 03 80 08 00 00 00 09 0D 6A 80 08 00 00 00 0A 00 01 }
ASCII: {   E                               anonymous                 j        }

And I think I'm using the latest xl2tpd version from Archlinux source:

xl2tpd version:  xl2tpd-1.3.7
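
The two hex dumps in the log above are the only thing that changes hands in that loop, so decoding them is the quickest way to see what xl2tpd is objecting to. The parser below is an added example written for this page, not xl2tpd's or Openswan's code. It takes the inbound SCCRQ and alarmpi's SCCRP exactly as dumped (the inbound dump prints its header words byte-swapped, `02 C8 45 00` for a 0x45 = 69 byte packet, while the outbound reply is in network order, `C8 02 00 68`, so the parser picks the byte order from the version nibble), validates the RFC 2661 header and every AVP length before trusting any field, and reproduces the `Peer requested tunnel 3434 twice, ignoring second one` decision from the log. Message-type and AVP attribute numbers are the RFC 2661 values; the packet bytes are the page's own.

```python
import struct

# The two control messages from the xl2tpd dump above, copied verbatim:
# the peer's Start-Control-Connection-Request and alarmpi's reply.
SCCRQ_HEX = ("02 C8 45 00 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 "
             "80 08 00 00 00 02 01 00 80 0F 00 00 00 07 61 6E 6F 6E 79 6D 6F 75 73 "
             "80 0A 00 00 00 03 00 00 00 03 80 08 00 00 00 09 0D 6A 80 08 00 00 00 0A 00 01")
SCCRP_HEX = ("C8 02 00 68 0D 6A 00 00 00 00 00 01 80 08 00 00 00 00 00 02 "
             "80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 03 "
             "80 0A 00 00 00 04 00 00 00 00 00 08 00 00 00 06 06 90 "
             "80 0D 00 00 00 07 61 6C 61 72 6D 70 69 "
             "00 13 00 00 00 08 78 65 6C 65 72 61 6E 63 65 2E 63 6F 6D "
             "80 08 00 00 00 09 B0 18 80 08 00 00 00 0A 00 04")

# Control message types and IETF AVP attribute numbers from RFC 2661.
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}
FIXED_AVPS = {0: ("message_type", "!H"), 3: ("framing_caps", "!I"),
              4: ("bearer_caps", "!I"), 6: ("firmware_revision", "!H"),
              9: ("assigned_tunnel_id", "!H"), 10: ("receive_window_size", "!H")}
STRING_AVPS = {7: "host_name", 8: "vendor_name"}


def hex_to_bytes(dump: str) -> bytes:
    return bytes.fromhex(dump.replace(" ", ""))


def parse_control_message(data: bytes) -> dict:
    """Decode one L2TPv2 control message (RFC 2661 header and AVP list),
    raising ValueError on anything malformed rather than trusting the peer."""
    if len(data) < 12:
        raise ValueError("short header")
    # xl2tpd printed the inbound header with its 16-bit words byte-swapped
    # (02 C8 45 00 for a 0x45 = 69 byte packet) but the outbound reply in
    # network order (C8 02 00 68): pick the order whose version nibble is 2.
    order = "!"
    if struct.unpack("!H", data[:2])[0] & 0x000F != 2:
        if struct.unpack("<H", data[:2])[0] & 0x000F != 2:
            raise ValueError("not an L2TPv2 packet")
        order = "<"
    flags, length, tid, sid, ns, nr = struct.unpack(order + "6H", data[:12])
    if flags & 0xC800 != 0xC800:  # T, L and S bits are mandatory on control messages
        raise ValueError("control message must set the T, L and S bits")
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes on the wire")
    msg = {"tunnel_id": tid, "session_id": sid, "ns": ns, "nr": nr, "avps": []}
    off = 12
    while off < length:
        if off + 6 > length:
            raise ValueError("truncated AVP header")
        hdr, vendor, attr = struct.unpack("!HHH", data[off:off + 6])
        mandatory, hidden, alen = bool(hdr & 0x8000), bool(hdr & 0x4000), hdr & 0x03FF
        if alen < 6 or off + alen > length:
            raise ValueError(f"AVP {attr} length {alen} runs past the packet")
        if hidden:
            raise ValueError("hidden AVP but no tunnel secret to unhide it")
        value = data[off + 6:off + alen]
        msg["avps"].append((vendor, attr, mandatory, value))
        if vendor == 0 and attr in FIXED_AVPS:
            name, fmt = FIXED_AVPS[attr]
            if len(value) != struct.calcsize(fmt):
                raise ValueError(f"AVP {attr} has {len(value)} value bytes")
            msg[name] = struct.unpack(fmt, value)[0]
        elif vendor == 0 and attr == 2 and len(value) == 2:
            msg["protocol_version"] = (value[0], value[1])
        elif vendor == 0 and attr in STRING_AVPS:
            msg[STRING_AVPS[attr]] = value.decode("ascii", "replace")
        off += alen
    if not msg["avps"] or msg["avps"][0][:2] != (0, 0):
        raise ValueError("first AVP must be Message Type")
    msg["message_name"] = MESSAGE_TYPES.get(msg["message_type"], "unknown")
    return msg


def accept_sccrq(open_tunnels: set, msg: dict) -> bool:
    """The decision xl2tpd logs as 'Peer requested tunnel N twice': a second
    SCCRQ carrying an Assigned Tunnel ID we already answered is dropped."""
    if msg.get("message_type") != 1:
        raise ValueError("not an SCCRQ")
    tid = msg["assigned_tunnel_id"]
    if tid in open_tunnels:
        return False
    open_tunnels.add(tid)
    return True


if __name__ == "__main__":
    seen = set()
    for label, dump in (("peer -> alarmpi", SCCRQ_HEX), ("alarmpi -> peer", SCCRP_HEX),
                        ("peer -> alarmpi (retransmit)", SCCRQ_HEX)):
        m = parse_control_message(hex_to_bytes(dump))
        print(f"{label}: {m['message_name']} tid={m['tunnel_id']} ns={m['ns']} nr={m['nr']} "
              f"host={m.get('host_name')!r} assigned_tunnel={m.get('assigned_tunnel_id')} "
              f"rws={m.get('receive_window_size')}")
        if m["message_type"] == 1:
            print("  new tunnel" if accept_sccrq(seen, m) else "  duplicate SCCRQ, ignoring")
```

Running it shows what the log states in prose: the peer calls itself `anonymous`, asks for tunnel 3434 with a receive window of 1, and alarmpi answers with its own tunnel 45080 (`B0 18`) and window 4; every later inbound dump is the same SCCRQ bytes, so `accept_sccrq` returns False from the second copy on. The length checks are the part a practitioner should keep: these bytes arrive on UDP/1701 before any L2TP-level authentication, so an AVP whose declared length runs past the packet must be rejected rather than indexed.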

letoams commented 8 years ago

There are known bugs in xl2tpd mistakenly using saref when not explicitly disabled. Fedora/EPEL versions of xl2tpd are kept at 1.3.6 plus a few patches. It might work with 1.3.7, but you should look at the configuration at https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP

dwiest commented 7 years ago

I'm also getting this failed assertion with openswan 2.6.49 (built on Amazon Linux with XAUTH, PAM and threads enabled) when connecting from macOS Sierra using a Cisco IPSec type VPN service.

packet from 208.177.245.226:1011: received Vendor ID payload [XAUTH]
packet from 208.177.245.226:1011: received Vendor ID payload [Cisco-Unity]
packet from 208.177.245.226:1011: received Vendor ID payload [Dead Peer Detection]
| find_host_connection2 called from aggr_inI1_outR1_common, me=10.1.20.28:500 him=208.177.245.226:1011 policy=/!IKEv1
| find_host_pair: looking for me=10.1.20.28:500 %any him=208.177.245.226:1011 any-match
| find_host_pair: comparing to me=10.1.20.28:500 %any him=:500
| find_host_pair: concluded with psk+aggressive
| found_host_pair_conn (find_host_connection2): 10.1.20.28:500 %any/208.177.245.226:1011 -> hp:psk+aggressive
| searching for connection with policy = /!IKEv1
| found policy = PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK (psk+aggressive)
| find_host_connection2 returns psk+aggressive (ike=none/none)
| creating state object #1 at 0x5555beede640
| KEY ID: 61 70 65 72 76 69 74 61
"psk+aggressive" #1: Aggressive mode peer ID is ID_KEY_ID: '@#0x6170657276697461'
| refine_connection: starting with psk+aggressive
| started looking for secret for 10.1.20.28->(none) of kind PPK_PSK
| replace him to 0.0.0.0
"psk+aggressive" #1: ASSERTION FAILED at /home/ec2-user/rpmbuild/BUILD/openswan-2.6.49.1/programs/pluto/keys.c:488: unknown address family in anyaddr/unspecaddr

I get the same error with aggrmode set to either yes or no.

If I define a rightid I can get past the assertion, but then I get INVALID_ID_INFORMATION errors.

Has anyone been able to get this working with Openswan?
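
Both openswan logs in this thread die at the same point: the PSK lookup for a peer whose ID carries no address (`'@'` in lion24's log, `'@#0x...'` in dwiest's, with pluto then trying `(none)` / `0.0.0.0` as the peer address), reached from the handler for the first Aggressive Mode message, i.e. while the peer is still unauthenticated. The example below is added for this page and is not pluto's code from either openswan or libreswan. It parses a peer ID in the textual form pluto logs (`'@'` is an ID_FQDN with an empty name, `'@#0xHEX'` an ID_KEY_ID, `user@host` an ID_USER_FQDN, a bare address an ID_IPV4_ADDR/ID_IPV6_ADDR), then consults a constructed ipsec.secrets-style table in which an address-less ID can match only `%any` or its own `@name` index, and answers `reject` for anything it cannot match instead of asserting. The `SECRETS` entries and the `vpn-client.example` name are made up, and the matching rule with its most-specific-entry-wins scoring is this example's own, chosen to mirror how `%any` entries are expected to behave.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class PeerId:
    kind: str                     # ID_IPV4_ADDR, ID_IPV6_ADDR, ID_FQDN, ID_USER_FQDN or ID_KEY_ID
    name: str                     # textual name, or the hex digits for ID_KEY_ID
    address: Optional[IPAddress]  # None unless the ID itself is an address


def parse_logged_id(text: str) -> PeerId:
    """Parse an ID in the textual form pluto logs and ipsec.conf use:
    an IP address, @host (FQDN), user@host (USER_FQDN) or @#0xHEX (KEY_ID).
    '@' is an FQDN with an empty name and '@#0x6170657276697461' a KEY_ID,
    the two peer IDs seen just before the assertion in the logs above."""
    if text.startswith("@#0x"):
        bytes.fromhex(text[4:])  # ValueError if the hex is not well formed
        return PeerId("ID_KEY_ID", text[4:], None)
    if text.startswith("@"):
        return PeerId("ID_FQDN", text[1:], None)
    if "@" in text:
        return PeerId("ID_USER_FQDN", text, None)
    addr = ipaddress.ip_address(text)  # ValueError on anything else
    return PeerId("ID_IPV4_ADDR" if addr.version == 4 else "ID_IPV6_ADDR", str(addr), addr)


def key_id_bytes(pid: PeerId) -> bytes:
    if pid.kind != "ID_KEY_ID":
        raise ValueError("not a KEY_ID")
    return bytes.fromhex(pid.name)


# Constructed secrets table in ipsec.secrets style, "left right : PSK ...":
# an index is %any, an IP address, or @name that must equal the peer's FQDN.
SECRETS: List[Tuple[str, str, str]] = [
    ("192.168.0.5", "192.168.0.22", "psk-for-pinned-peer"),
    ("192.168.0.5", "@vpn-client.example", "psk-for-named-client"),
    ("192.168.0.5", "%any", "psk-for-road-warriors"),
]


def index_matches(index: str, addr: Optional[IPAddress], pid: Optional[PeerId]) -> Optional[int]:
    """Specificity of a match: 0 for %any, 1 for an exact index, None for no match.
    This example's rule: an ID that carries no address (the '(none)' / 0.0.0.0
    peer in the log) can only match %any or its own @name, never an address."""
    if index == "%any":
        return 0
    if index.startswith("@"):
        if pid is not None and pid.kind == "ID_FQDN" and pid.name and pid.name == index[1:]:
            return 1
        return None
    if addr is not None and ipaddress.ip_address(index) == addr:
        return 1
    return None


def select_psk(my_addr: IPAddress, pid: PeerId, secrets) -> Optional[str]:
    """Most specific matching entry wins; None when nothing matches."""
    best, best_score = None, -1
    for left, right, psk in secrets:
        ls = index_matches(left, my_addr, None)
        rs = index_matches(right, pid.address, pid)
        if ls is None or rs is None:
            continue
        if ls + rs > best_score:
            best, best_score = psk, ls + rs
    return best


def handle_aggressive_first_message(my_addr_text: str, logged_id_text: str, secrets) -> Tuple[str, str]:
    """The decision a responder must make from IKEv1 Aggressive Mode message 1,
    while the peer is still unauthenticated: which PSK to use. Returns ("ok", psk)
    or ("reject", reason) and never raises, whatever ID the peer sent."""
    try:
        pid = parse_logged_id(logged_id_text)
    except ValueError as exc:
        return ("reject", f"unparseable peer ID {logged_id_text!r}: {exc}")
    psk = select_psk(ipaddress.ip_address(my_addr_text), pid, secrets)
    if psk is None:
        return ("reject", f"no PSK configured for peer {pid.kind} {pid.name!r}")
    return ("ok", psk)


if __name__ == "__main__":
    for peer in ("@", "@#0x6170657276697461", "192.168.0.22", "@vpn-client.example", "garbage!"):
        print(f"{peer!r:28} -> {handle_aggressive_first_message('192.168.0.5', peer, SECRETS)}")
    print("KEY_ID bytes:", key_id_bytes(parse_logged_id("@#0x6170657276697461")))
```

Whether the lookup ends in a PSK or in a rejection, the responder stays up, which is the property the abort at keys.c:488 breaks: the logs show it firing inside `aggr_inI1_outR1_common`, so a single unauthenticated packet with an address-less ID is enough to stop pluto. A side observation the parser makes visible: the ID_KEY_ID in dwiest's log is plain ASCII, so `key_id_bytes` returns the client's group name as sent.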