Netgate Discussion Forum

    IPSEC/Charon crash on 23.01

      lst_hoe

      We recently had a crash of charon which prevented new VPN connections, while established ones kept working until they tried to rekey. We are using mostly EAP-TLS authenticated Mobile VPN clients (Windows 10), which have been working fine for years. It looks strange to me that EAP was successful but the constraint check failed, so maybe the error was raised while checking certificates? The log event from the VPN was the following:

      May 22 10:03:39 10.5.0.3 charon[31334]: 07[IKE] <con-mobile|16187> authentication of '2003:ed:b70a:8586:54e1:c88c:f4fd:5bac' with EAP successful
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[CFG] <con-mobile|16187> constraint check failed: peer not authenticated by CA 'internal CA name'
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[CFG] <con-mobile|16187> selected peer config 'con-mobile' unacceptable: non-matching authentication done
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[CFG] <con-mobile|16187> no alternative config found
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[ENC] <con-mobile|16187> generating IKE_AUTH response 8 [ N(AUTH_FAILED) ]
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[NET] <con-mobile|16187> sending packet: from 2a03:3500:0:a003::100[4500] to 2003:ed:b70a:8586:54e1:c88c:f4fd:5bac[4500] (80 bytes)
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[DMN] thread 7 received 10
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] dumping 11 stack frame addresses:
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] /lib/libthr.so.3 @ 0x82465f000 (pthread_sigmask+0x540) [0x824678dc0]
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] ->
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] /lib/libthr.so.3 @ 0x82465f000 (pthread_setschedparam+0x83f) [0x82467837f]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] ->
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] 0x820bbe2d3 <???> at ???
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] /usr/local/lib/ipsec/plugins/libstrongswan-x509.so @ 0x83924c000 (x509_cert_load+0x1946) [0x839256376]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] ->
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x822a8f000 (auth_cfg_create+0x28d9) [0x822ae50c9]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] ->
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x822a8f000 (array_destroy_offset+0x34) [0x822ac9984]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] ->
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] /usr/local/lib/ipsec/libcharon.so.0 @ 0x8239bb000 (ike_sa_create+0xc25) [0x823a10815]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] ->
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] /usr/local/lib/ipsec/libcharon.so.0 @ 0x8239bb000 (ike_sa_manager_create+0x2d3c) [0x823a1853c]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] ->
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] /usr/local/lib/ipsec/libcharon.so.0 @ 0x8239bb000 (process_message_job_create+0x19e) [0x823a097de]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] ->
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x822a8f000 (processor_create+0x7a7) [0x822aedae7]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] ->
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x822a8f000 (thread_create+0x190) [0x822b03350]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] ->
      May 22 10:03:39 10.5.0.3 daemon[31076]: dumping 11 stack frame addresses:
      May 22 10:03:39 10.5.0.3 daemon[31076]: /lib/libthr.so.3 @ 0x82465f000 (pthread_sigmask+0x540) [0x824678dc0]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 daemon[31076]: ->
      May 22 10:03:39 10.5.0.3 daemon[31076]: /lib/libthr.so.3 @ 0x82465f000 (pthread_setschedparam+0x83f) [0x82467837f]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 daemon[31076]: ->
      May 22 10:03:39 10.5.0.3 daemon[31076]: 0x820bbe2d3 <???> at ???
      May 22 10:03:39 10.5.0.3 daemon[31076]: /usr/local/lib/ipsec/plugins/libstrongswan-x509.so @ 0x83924c000 (x509_cert_load+0x1946) [0x839256376]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 daemon[31076]: ->
      May 22 10:03:39 10.5.0.3 daemon[31076]: /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x822a8f000 (auth_cfg_create+0x28d9) [0x822ae50c9]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 daemon[31076]: ->
      May 22 10:03:39 10.5.0.3 daemon[31076]: /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x822a8f000 (array_destroy_offset+0x34) [0x822ac9984]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 daemon[31076]: ->
      May 22 10:03:39 10.5.0.3 daemon[31076]: /usr/local/lib/ipsec/libcharon.so.0 @ 0x8239bb000 (ike_sa_create+0xc25) [0x823a10815]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 daemon[31076]: ->
      May 22 10:03:39 10.5.0.3 daemon[31076]: /usr/local/lib/ipsec/libcharon.so.0 @ 0x8239bb000 (ike_sa_manager_create+0x2d3c) [0x823a1853c]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 daemon[31076]: ->
      May 22 10:03:39 10.5.0.3 daemon[31076]: /usr/local/lib/ipsec/libcharon.so.0 @ 0x8239bb000 (process_message_job_create+0x19e) [0x823a097de]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 daemon[31076]: ->
      May 22 10:03:39 10.5.0.3 daemon[31076]: /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x822a8f000 (processor_create+0x7a7) [0x822aedae7]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 daemon[31076]: ->
      May 22 10:03:39 10.5.0.3 daemon[31076]: /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x822a8f000 (thread_create+0x190) [0x822b03350]
      May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
      May 22 10:03:39 10.5.0.3 daemon[31076]: ->
      May 22 10:03:39 10.5.0.3 charon[31334]: 07[DMN] killing ourself, received critical signal

      Is this something to worry about or maybe security related, or simply a hardware flip on the SG5100?

        jimp Rebel Alliance Developer Netgate

        Hard to say what that crash may have been but probably hit a bug in strongSwan more than anything.

        It should be more stable on 23.05. Not only is it on a newer version of strongSwan, but the new version also fixes some locking issues that had sometimes caused charon to end up deadlocked.

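The backtrace in the first post stayed unresolved because `addr2line` was not installed on the firewall. As an added example (not part of either post, and not Netgate or strongSwan code), the following Python script parses the charon frame lines and computes the module-relative offsets that can be passed to `addr2line` on a separate analysis host; it assumes that host has the same library builds with debug symbols.

```python
import re
from typing import NamedTuple, Optional

# Excerpt of the log lines quoted in the first post (no new data).
SAMPLE = """\
May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] /lib/libthr.so.3 @ 0x82465f000 (pthread_sigmask+0x540) [0x824678dc0]
May 22 10:03:39 10.5.0.3 daemon[31076]: sh: addr2line: not found
May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] 0x820bbe2d3 <???> at ???
May 22 10:03:39 10.5.0.3 charon[31334]: 07[LIB] /usr/local/lib/ipsec/plugins/libstrongswan-x509.so @ 0x83924c000 (x509_cert_load+0x1946) [0x839256376]
May 22 10:03:39 10.5.0.3 daemon[31076]: /usr/local/lib/ipsec/plugins/libstrongswan-x509.so @ 0x83924c000 (x509_cert_load+0x1946) [0x839256376]
"""


class Frame(NamedTuple):
    module: Optional[str]   # None when charon printed "<???> at ???"
    addr: int               # absolute address in the crashed process
    mod_off: Optional[int]  # addr minus load base, the value addr2line takes for a shared object
    symbol: Optional[str]   # symbol name as logged; a large +offset may lie in a later static function


PREFIX = r"charon\[\d+\]: \d+\[LIB\] "
RESOLVED = re.compile(
    PREFIX + r"(\S+) @ (0x[0-9a-f]+) \((\w+)\+0x[0-9a-f]+\) \[(0x[0-9a-f]+)\]")
UNRESOLVED = re.compile(PREFIX + r"(0x[0-9a-f]+) <\?\?\?> at \?\?\?")


def parse_frames(log: str) -> list[Frame]:
    """Return the frames logged by charon itself, skipping the daemon[...] copy."""
    frames = []
    for line in log.splitlines():
        if m := RESOLVED.search(line):
            module, base, symbol, addr = m.groups()
            frames.append(Frame(module, int(addr, 16),
                                int(addr, 16) - int(base, 16), symbol))
        elif m := UNRESOLVED.search(line):
            frames.append(Frame(None, int(m.group(1), 16), None, None))
    return frames


def addr2line_cmds(frames: list[Frame]) -> list[str]:
    """One addr2line invocation per frame that maps to a known module."""
    return [f"addr2line -f -e {f.module} {f.mod_off:#x}" for f in frames if f.module]


if __name__ == "__main__":
    for cmd in addr2line_cmds(parse_frames(SAMPLE)):
        print(cmd)
```

The frame with no module (`<???> at ???`) is kept in the parsed list so its position in the call chain is not lost, but no command is generated for it.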