IPSec service core dumps upon login
-
I followed this tutorial.
https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0#IPsec_Server_Setup
The IPSec log is
Dec 18 14:30:29 racoon: INFO: unsupported PF_KEY message REGISTER Dec 18 14:31:22 racoon: INFO: unsupported PF_KEY message REGISTER Dec 18 14:31:34 racoon: [Self]: INFO: respond new phase 1 negotiation: <snip>[500]<=><snip>[5806] Dec 18 14:31:34 racoon: INFO: begin Aggressive mode. Dec 18 14:31:34 racoon: INFO: received broken Microsoft ID: FRAGMENTATION Dec 18 14:31:34 racoon: INFO: received Vendor ID: RFC 3947 Dec 18 14:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 Dec 18 14:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 Dec 18 14:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 Dec 18 14:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt Dec 18 14:31:34 racoon: INFO: received Vendor ID: CISCO-UNITY Dec 18 14:31:34 racoon: INFO: received Vendor ID: DPD Dec 18 14:31:34 racoon: [<snip>] INFO: Selected NAT-T version: RFC 3947 Dec 18 14:31:34 racoon: INFO: Adding remote and local NAT-D payloads. Dec 18 14:31:34 racoon: [<snip>] INFO: Hashing <snip>[5806] with algo #2 (NAT-T forced) Dec 18 14:31:34 racoon: [Self]: [<snip>] INFO: Hashing <snip>[500] with algo #2 (NAT-T forced) Dec 18 14:31:34 racoon: INFO: Adding xauth VID payload. Dec 18 14:31:34 racoon: [Self]: INFO: NAT-T: ports changed to: <snip>[5792]<-><snip>[4500] Dec 18 14:31:34 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet. Dec 18 14:31:34 racoon: INFO: NAT-D payload #0 doesn't match Dec 18 14:31:34 racoon: INFO: NAT-D payload #1 doesn't match Dec 18 14:31:34 racoon: INFO: NAT detected: ME PEER Dec 18 14:31:34 racoon: INFO: Sending Xauth request Dec 18 14:31:34 racoon: [Self]: INFO: ISAKMP-SA established <snip>[4500]-<snip>[5792] spi:<snip>: <snip>Dec 18 14:31:34 racoon: INFO: Using port 0 Dec 18 14:31:34 racoon: user '<snip>' authenticated Dec 18 14:31:34 racoon: INFO: login succeeded for user "<snip>"</snip></snip></snip></snip></snip></snip></snip></snip></snip></snip></snip></snip></snip></snip></snip>
(Personal info snipped)
And then the system log
Dec 18 14:32:16 kernel: pid 91307 (racoon), uid 0: exited on signal 11 (core dumped)
-
Are you on 2.1-RELEASE?
Using RADIUS or LDAP or Local Auth?I recall that happening at some point during the 2.1 BETA stage but not in quite some time.
-
Are you on 2.1-RELEASE?
Using RADIUS or LDAP or Local Auth?I recall that happening at some point during the 2.1 BETA stage but not in quite some time.
2.1-RELEASE (amd64)
built on Wed Sep 11 18:17:37 EDT 2013
FreeBSD <snip>8.3-RELEASE-p11 FreeBSD 8.3-RELEASE-p11 #1: Wed Sep 11 18:59:48 EDT 2013 root@snapshots-8_3-amd64.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 amd64Intel(R) Celeron(R) CPU 743 @ 1.30GHz
Local Auth.</snip>
-
Does it happen regardless of the login sucess? Meaning, if you put in the wrong password, does it still crash?
-
Does it happen regardless of the login sucess? Meaning, if you put in the wrong password, does it still crash?
Dec 19 13:18:01 racoon: user '<snip>' could not authenticate. Dec 19 13:18:01 racoon: INFO: Released port 0 Dec 19 13:18:01 racoon: INFO: login failed for user "<snip>" Dec 19 13:18:01 racoon: ERROR: Attempt to release an unallocated address (port 0) Dec 19 13:18:01 racoon: ERROR: mode config 6 from <snip>[62093], but we have no ISAKMP-SA. Dec 19 13:18:01 racoon: ERROR: mode config 6 from <snip>[62093], but we have no ISAKMP-SA. Dec 19 13:18:01 racoon: ERROR: mode config 6 from <snip>[62093], but we have no ISAKMP-SA. Dec 19 13:18:01 racoon: [<snip>] ERROR: unknown Informational exchange received. Dec 19 13:18:01 racoon: [<snip>] ERROR: unknown Informational exchange received.</snip></snip></snip></snip></snip></snip></snip>
Looks like it stays running for failed logins.
-
I did additional testing last night, and I can confirm, I can have failed attempts (did 5 separate ones, some failing on user, some on password), but as soon as there's a successful one, the service stops and the system log has the core dump error.
-
Anything else I can do for debugging purposes?ย I'm using OpenVPN right now, but I would like to eventually get IPSec set up for people who can't use openvpn.
-
It's a bit late, but I think we finally stumbled onto a cause for this.
https://redmine.pfsense.org/issues/3417
If you have four DNS servers defined to be pushed to clients, remove the fourth one.
-
It's a bit late, but I think we finally stumbled onto a cause for this.
https://redmine.pfsense.org/issues/3417
If you have four DNS servers defined to be pushed to clients, remove the fourth one.
I believe I do.ย I'll have to double check.
-
Ok, that looks like it corrected the core dump issue at least, though I'm having no luck with getting my Android phone connected.ย I don't know where to look from there.
I used the mobile client tutorial to no avail, but I'm not sure which end is not working correctly now, but that's likely for another topic.