Netgate Discussion Forum

    IPSec service core dumps upon login

    • Trel

      I followed this tutorial.

      https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0#IPsec_Server_Setup

      The IPSec log is

      Dec 18 14:30:29 	racoon: INFO: unsupported PF_KEY message REGISTER
      Dec 18 14:31:22 	racoon: INFO: unsupported PF_KEY message REGISTER
      Dec 18 14:31:34 	racoon: [Self]: INFO: respond new phase 1 negotiation: <snip>[500]<=><snip>[5806]
      Dec 18 14:31:34 	racoon: INFO: begin Aggressive mode.
      Dec 18 14:31:34 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Dec 18 14:31:34 	racoon: INFO: received Vendor ID: RFC 3947
      Dec 18 14:31:34 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Dec 18 14:31:34 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Dec 18 14:31:34 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Dec 18 14:31:34 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Dec 18 14:31:34 	racoon: INFO: received Vendor ID: CISCO-UNITY
      Dec 18 14:31:34 	racoon: INFO: received Vendor ID: DPD
      Dec 18 14:31:34 	racoon: [<snip>] INFO: Selected NAT-T version: RFC 3947
      Dec 18 14:31:34 	racoon: INFO: Adding remote and local NAT-D payloads.
      Dec 18 14:31:34 	racoon: [<snip>] INFO: Hashing <snip>[5806] with algo #2 (NAT-T forced)
      Dec 18 14:31:34 	racoon: [Self]: [<snip>] INFO: Hashing <snip>[500] with algo #2 (NAT-T forced)
      Dec 18 14:31:34 	racoon: INFO: Adding xauth VID payload.
      Dec 18 14:31:34 	racoon: [Self]: INFO: NAT-T: ports changed to: <snip>[5792]<-><snip>[4500]
      Dec 18 14:31:34 	racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
      Dec 18 14:31:34 	racoon: INFO: NAT-D payload #0 doesn't match
      Dec 18 14:31:34 	racoon: INFO: NAT-D payload #1 doesn't match
      Dec 18 14:31:34 	racoon: INFO: NAT detected: ME PEER
      Dec 18 14:31:34 	racoon: INFO: Sending Xauth request
      Dec 18 14:31:34 	racoon: [Self]: INFO: ISAKMP-SA established <snip>[4500]-<snip>[5792] spi:<snip>: <snip>
      Dec 18 14:31:34 	racoon: INFO: Using port 0
      Dec 18 14:31:34 	racoon: user '<snip>' authenticated
      Dec 18 14:31:34 	racoon: INFO: login succeeded for user "<snip>"
      

      (Personal info snipped)

      And then the system log

      Dec 18 14:32:16 	kernel: pid 91307 (racoon), uid 0: exited on signal 11 (core dumped)
      
      • jimp Rebel Alliance Developer Netgate

        Are you on 2.1-RELEASE?
        Using RADIUS or LDAP or Local Auth?

        I recall that happening at some point during the 2.1 BETA stage but not in quite some time.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • Trel

          @jimp:

          Are you on 2.1-RELEASE?
          Using RADIUS or LDAP or Local Auth?

          I recall that happening at some point during the 2.1 BETA stage but not in quite some time.

          2.1-RELEASE (amd64)
          built on Wed Sep 11 18:17:37 EDT 2013
          FreeBSD <snip>8.3-RELEASE-p11 FreeBSD 8.3-RELEASE-p11 #1: Wed Sep 11 18:59:48 EDT 2013 root@snapshots-8_3-amd64.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 amd64

          Intel(R) Celeron(R) CPU 743 @ 1.30GHz

          Local Auth.

          • jimp Rebel Alliance Developer Netgate

            Does it happen regardless of the login success? Meaning, if you put in the wrong password, does it still crash?

            • Trel

              @jimp:

              Does it happen regardless of the login success? Meaning, if you put in the wrong password, does it still crash?

              Dec 19 13:18:01 	racoon: user '<snip>' could not authenticate.
              Dec 19 13:18:01 	racoon: INFO: Released port 0
              Dec 19 13:18:01 	racoon: INFO: login failed for user "<snip>"
              Dec 19 13:18:01 	racoon: ERROR: Attempt to release an unallocated address (port 0)
              Dec 19 13:18:01 	racoon: ERROR: mode config 6 from <snip>[62093], but we have no ISAKMP-SA.
              Dec 19 13:18:01 	racoon: ERROR: mode config 6 from <snip>[62093], but we have no ISAKMP-SA.
              Dec 19 13:18:01 	racoon: ERROR: mode config 6 from <snip>[62093], but we have no ISAKMP-SA.
              Dec 19 13:18:01 	racoon: [<snip>] ERROR: unknown Informational exchange received.
              Dec 19 13:18:01 	racoon: [<snip>] ERROR: unknown Informational exchange received.
              

              Looks like it stays running for failed logins.

              • Trel

                I did additional testing last night, and I can confirm, I can have failed attempts (did 5 separate ones, some failing on user, some on password), but as soon as there's a successful one, the service stops and the system log has the core dump error.

                • Trel

                  Anything else I can do for debugging purposes?  I'm using OpenVPN right now, but I would like to eventually get IPSec set up for people who can't use openvpn.

                  • jimp Rebel Alliance Developer Netgate

                    It's a bit late, but I think we finally stumbled onto a cause for this.

                    https://redmine.pfsense.org/issues/3417

                    If you have four DNS servers defined to be pushed to clients, remove the fourth one.

                    • Trel

                      @jimp:

                      It's a bit late, but I think we finally stumbled onto a cause for this.

                      https://redmine.pfsense.org/issues/3417

                      If you have four DNS servers defined to be pushed to clients, remove the fourth one.

                      I believe I do.  I'll have to double check.

                      • Trel

                        Ok, that looks like it corrected the core dump issue at least, though I'm having no luck with getting my Android phone connected.  I don't know where to look from there.

                        I used the mobile client tutorial to no avail, but I'm not sure which end is not working correctly now, but that's likely for another topic.

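The symptom reported across this thread (racoon keeps running after failed Xauth logins but exits on signal 11 shortly after a successful one) can be confirmed by correlating the IPsec log with the system log. The following is an added example, not part of the original thread and not pfSense code; the sample log lines, the user names, the 120-second window and the default year are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, in the format of the log lines quoted in the thread.
IPSEC_LOG = """\
Dec 19 13:18:01 racoon: INFO: login failed for user "alice"
Dec 19 13:25:10 racoon: INFO: login succeeded for user "alice"
Dec 19 14:02:44 racoon: INFO: login succeeded for user "bob"
"""
SYSTEM_LOG = """\
Dec 19 13:25:52 kernel: pid 91307 (racoon), uid 0: exited on signal 11 (core dumped)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(\w+): (.*)$")
LOGIN = re.compile(r'login (succeeded|failed) for user "([^"]*)"')
CRASH = re.compile(r"pid (\d+) \(racoon\), uid \d+: exited on signal (\d+)")

def parse(text, year):
    """Yield (timestamp, process, message); these syslog lines carry no year."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def crashes_after_login(ipsec_log, system_log, year=2013, window_s=120):
    """Pair each racoon crash with the last Xauth login outcome just before it."""
    logins = []
    for ts, proc, msg in parse(ipsec_log, year):
        m = LOGIN.search(msg)
        if proc == "racoon" and m:
            logins.append((ts, m.group(1), m.group(2)))
    win = timedelta(seconds=window_s)  # assumed correlation window
    findings = []
    for ts, proc, msg in parse(system_log, year):
        m = CRASH.search(msg)
        if proc != "kernel" or not m:
            continue
        # Only logins at or before the crash, and no older than the window.
        prior = [l for l in logins if timedelta(0) <= ts - l[0] <= win]
        outcome, user = (prior[-1][1], prior[-1][2]) if prior else (None, None)
        findings.append({"pid": int(m.group(1)), "signal": int(m.group(2)),
                         "crash_at": ts, "login": outcome, "user": user})
    return findings

if __name__ == "__main__":
    for finding in crashes_after_login(IPSEC_LOG, SYSTEM_LOG):
        print(finding)
```

A finding whose `login` is `succeeded` matches the behaviour described in the thread; `None` means the crash had no login event inside the window and needs a different explanation.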
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.