Subject: Re: racoon crash/core dump
To: None <current-users@NetBSD.org>
From: Dave Huang <khym@azeotrope.org>
List: current-users
Date: 11/20/2005 23:51:43
On Sun, Nov 20, 2005 at 12:23:31PM +0000, Matthias Scheler wrote:
> Do you enable NAT-T in your configuration? My "racoon.conf" contains
> these lines:

Whoops, I was thinking it would Just Work :) But it turns out I was
missing "options IPSEC_NAT_T" in my kernel configuration file, and the
lines to enable NAT-T in my racoon.conf.

However, racoon still crashes in the same way :(

Excerpt from my racoon.conf:

listen {
  isakmp 69.15.146.26 [500];
  isakmp_natt 69.15.146.26 [4500];
}

[...]

remote 208.180.124.100 {
  exchange_mode main;
  nat_traversal on;
  proposal {
    encryption_algorithm 3des;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 2;
  }
}

And output from racoon -F -v:

Foreground mode.
2005-11-20 23:43:42: INFO: @(#)ipsec-tools 0.6.2 (http://ipsec-tools.sourceforge.net)
2005-11-20 23:43:42: INFO: @(#)This product linked OpenSSL 0.9.7g-fips 11 Apr 2005 (http://www.openssl.org/)
2005-11-20 23:43:42: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2005-11-20 23:43:42: DEBUG: open /var/run/racoon.sock as racoon management.
2005-11-20 23:43:42: INFO: 69.15.146.26[4500] used as isakmp port (fd=9)
2005-11-20 23:43:42: INFO: 69.15.146.26[4500] used for NAT-T
2005-11-20 23:43:42: INFO: 69.15.146.26[500] used as isakmp port (fd=10)
2005-11-20 23:43:42: INFO: 69.15.146.26[500] used for NAT-T
2005-11-20 23:43:42: DEBUG: get pfkey X_SPDDUMP message
2005-11-20 23:43:42: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
2005-11-20 23:43:47: DEBUG: ===
2005-11-20 23:43:47: DEBUG: 108 bytes message received from 208.180.124.100[63330] to 69.15.146.26[500]
2005-11-20 23:43:47: DEBUG: 
fbf9a6e1 cd0e1741 00000000 00000000 01100200 00000000 0000006c 0d00003c
00000001 00000001 00000030 01010401 02000010 00000024 01010000 80010005
80020002 80030001 80040002 800b0001 000c0004 00000e10 00000014 7d9419a6
5310ca6f 2c179d92 15529d56
2005-11-20 23:43:47: DEBUG: configuration found for 208.180.124.100.
2005-11-20 23:43:47: DEBUG: ===
2005-11-20 23:43:47: INFO: respond new phase 1 negotiation: 69.15.146.26[500]<=>208.180.124.100[63330]
2005-11-20 23:43:47: INFO: begin Identity Protection mode.
2005-11-20 23:43:47: DEBUG: begin.
2005-11-20 23:43:47: DEBUG: seen nptype=1(sa)
2005-11-20 23:43:47: DEBUG: seen nptype=13(vid)
2005-11-20 23:43:47: DEBUG: succeed.
2005-11-20 23:43:47: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2005-11-20 23:43:47: DEBUG: total SA len=56
2005-11-20 23:43:47: DEBUG: 
00000001 00000001 00000030 01010401 02000010 00000024 01010000 80010005
80020002 80030001 80040002 800b0001 000c0004 00000e10
2005-11-20 23:43:47: DEBUG: begin.
2005-11-20 23:43:47: DEBUG: seen nptype=2(prop)
2005-11-20 23:43:47: DEBUG: succeed.
2005-11-20 23:43:47: DEBUG: proposal #1 len=48
2005-11-20 23:43:47: WARNING: SPI size isn't zero, but IKE proposal.
2005-11-20 23:43:47: DEBUG: begin.
2005-11-20 23:43:47: DEBUG: seen nptype=3(trns)
2005-11-20 23:43:47: DEBUG: succeed.
2005-11-20 23:43:47: DEBUG: transform #1 len=36
2005-11-20 23:43:47: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2005-11-20 23:43:47: DEBUG: encryption(3des)
2005-11-20 23:43:47: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2005-11-20 23:43:47: DEBUG: hash(sha1)
2005-11-20 23:43:47: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
2005-11-20 23:43:47: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2005-11-20 23:43:47: DEBUG: hmac(modp1024)
2005-11-20 23:43:47: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2005-11-20 23:43:47: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2005-11-20 23:43:47: DEBUG: pair 1:
2005-11-20 23:43:47: DEBUG:  0x80cf670: next=0x0 tnext=0x0
2005-11-20 23:43:47: DEBUG: proposal #1: 1 transform
2005-11-20 23:43:47: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=4, #trns=1
2005-11-20 23:43:47: DEBUG: trns#=1, trns-id=IKE
2005-11-20 23:43:47: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2005-11-20 23:43:47: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2005-11-20 23:43:47: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
2005-11-20 23:43:47: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2005-11-20 23:43:47: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2005-11-20 23:43:47: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2005-11-20 23:43:47: DEBUG: Compared: DB:Peer
2005-11-20 23:43:47: DEBUG: (lifetime = 28800:3600)
2005-11-20 23:43:47: DEBUG: (lifebyte = 0:0)
2005-11-20 23:43:47: DEBUG: enctype = 3DES-CBC:3DES-CBC
2005-11-20 23:43:47: DEBUG: (encklen = 0:0)
2005-11-20 23:43:47: DEBUG: hashtype = SHA:SHA
2005-11-20 23:43:47: DEBUG: authmethod = pre-shared key:pre-shared key
2005-11-20 23:43:47: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
2005-11-20 23:43:47: DEBUG: an acceptable proposal found.
2005-11-20 23:43:47: DEBUG: hmac(modp1024)
2005-11-20 23:43:48: DEBUG: new cookie:
bc225bfd224b3ea4 
2005-11-20 23:43:48: DEBUG: add payload of len 56, next type 13
2005-11-20 23:43:48: DEBUG: add payload of len 16, next type 0
2005-11-20 23:43:48: DEBUG: 108 bytes from 69.15.146.26[500] to 208.180.124.100[63330]
2005-11-20 23:43:48: DEBUG: sockname 69.15.146.26[500]
2005-11-20 23:43:48: DEBUG: send packet from 69.15.146.26[500]
2005-11-20 23:43:48: DEBUG: send packet to 208.180.124.100[63330]
2005-11-20 23:43:48: DEBUG: 1 times of 108 bytes message will be sent to 208.180.124.100[63330]
2005-11-20 23:43:48: DEBUG: 
fbf9a6e1 cd0e1741 bc225bfd 224b3ea4 01100200 00000000 0000006c 0d00003c
00000001 00000001 00000030 01010401 00000000 00000024 01010000 80010005
80020002 80030001 80040002 800b0001 000c0004 00000e10 00000014 afcad713
68a1f1c9 6b8696fc 77570100
2005-11-20 23:43:48: DEBUG: resend phase1 packet fbf9a6e1cd0e1741:bc225bfd224b3ea4
2005-11-20 23:43:49: DEBUG: ===
2005-11-20 23:43:49: DEBUG: 232 bytes message received from 208.180.124.100[63330] to 69.15.146.26[500]
2005-11-20 23:43:49: DEBUG: 
fbf9a6e1 cd0e1741 bc225bfd 224b3ea4 04100200 00000000 000000e8 0a000084
17ef1e13 09868f77 d591be8d 20144126 93c10f4f d4ce77fa 9d9ecc28 9935640c
f1d65640 ea60066d da00c9a4 159ccbad 6358f10b ddec64c2 0c50aafb fc173d44
0b12159f 55186d76 aa5dc293 0291705e 7ae7efdb 4c1a0eb9 9a3d4a8f e5c65b4c
db07e8c4 edfcea9d 27059a88 839e507b 5be98c7d eb98f0c7 1c06d54c d7bdc172
82000018 70d8247e 179ddefc 4f253922 d93c0ed8 f6d3649b 82000018 6baadafa
7faebbdc fc1bab09 78855264 81f3c09d 00000018 cd7e8a91 4f743786 4430f863
5c60db11 113ec5c6
2005-11-20 23:43:49: DEBUG: begin.
2005-11-20 23:43:49: DEBUG: seen nptype=4(ke)
2005-11-20 23:43:49: DEBUG: seen nptype=10(nonce)
2005-11-20 23:43:49: DEBUG: seen nptype=130(nat-d)
2005-11-20 23:43:49: DEBUG: seen nptype=130(nat-d)
2005-11-20 23:43:49: DEBUG: succeed.

Program received signal SIGSEGV, Segmentation fault.
0x08057511 in ident_r2recv (iph1=0x80d0400, msg=0x80cf670)
    at /usr/src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1066
1066                            if (pa->type == iph1->natt_options->payload_nat_d)
(gdb) print iph1->natt_options
$1 = (struct ph1natt_options *) 0x0

-- 
Name: Dave Huang         |  Mammal, mammal / their names are called /
INet: khym@azeotrope.org |  they raise a paw / the bat, the cat /
FurryMUCK: Dahan         |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 30 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
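
Added example (not part of the original message and not racoon's code): a minimal C model of the comparison that faulted at isakmp_ident.c:1066. It walks an ISAKMP payload chain shaped like the one in the log (ke, nonce, nat-d, nat-d) and tests `natt_options` for NULL before dereferencing it. The struct layouts, `walk_payloads`, and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ISAKMP_HDR_LEN 28  /* cookies(16) + np/ver/etype/flags(4) + msgid(4) + len(4) */
#define NPTYPE_NATD    130 /* "seen nptype=130(nat-d)" in the log above */
/* Hypothetical stand-ins for racoon's structures: only the fields gdb printed. */
struct natt_opts { uint8_t payload_nat_d; };
struct ph1 { struct natt_opts *natt_options; };
/* Constructed 60-byte message with the same chain as the log: ke, nonce, nat-d, nat-d. */
static const uint8_t sample_msg[60] = {
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,    /* cookies (zeroed) */
    4,0x10,2,0, 0,0,0,0, 0,0,0,60,       /* np=4(ke), v1.0, exchange 2, len=60 */
    10,0,0,8, 0,0,0,0,                   /* ke:    next=10(nonce), len=8 */
    130,0,0,8, 0,0,0,0,                  /* nonce: next=130(nat-d) */
    130,0,0,8, 0,0,0,0,                  /* nat-d: next=130(nat-d) */
    0,0,0,8, 0,0,0,0,                    /* nat-d: next=0 (end of chain) */
};

/* Returns the number of NAT-D payloads accepted, or -1 on a malformed chain.
 * *ignored counts type-130 payloads skipped because natt_options is NULL. */
int walk_payloads(const struct ph1 *iph1, const uint8_t *msg, size_t len, int *ignored)
{
    int accepted = 0;
    *ignored = 0;
    if (len < ISAKMP_HDR_LEN) return -1;
    uint8_t np = msg[16];                /* first payload type, from the header */
    size_t off = ISAKMP_HDR_LEN;
    while (np != 0) {
        if (len - off < 4) return -1;    /* no room for a generic payload header */
        size_t plen = ((size_t)msg[off + 2] << 8) | msg[off + 3];
        if (plen < 4 || plen > len - off) return -1;
        if (iph1->natt_options == NULL) {          /* the state gdb shows */
            if (np == NPTYPE_NATD) (*ignored)++;   /* skip, do not dereference */
        } else if (np == iph1->natt_options->payload_nat_d) {
            accepted++;
        }
        np = msg[off];                   /* next-payload field of this payload */
        off += plen;
    }
    return accepted;
}

int main(void)
{
    struct ph1 no_natt = { NULL };
    int ignored, n = walk_payloads(&no_natt, sample_msg, sizeof sample_msg, &ignored);
    return printf("accepted=%d ignored=%d\n", n, ignored) < 0;
}
```
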