IPSec service core dumps upon login



  • I followed this tutorial.

    https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0#IPsec_Server_Setup

    The IPSec log is

    Dec 18 14:30:29 	racoon: INFO: unsupported PF_KEY message REGISTER
    Dec 18 14:31:22 	racoon: INFO: unsupported PF_KEY message REGISTER
    Dec 18 14:31:34 	racoon: [Self]: INFO: respond new phase 1 negotiation: <snip>[500]<=><snip>[5806]
    Dec 18 14:31:34 	racoon: INFO: begin Aggressive mode.
    Dec 18 14:31:34 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Dec 18 14:31:34 	racoon: INFO: received Vendor ID: RFC 3947
    Dec 18 14:31:34 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Dec 18 14:31:34 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Dec 18 14:31:34 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Dec 18 14:31:34 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Dec 18 14:31:34 	racoon: INFO: received Vendor ID: CISCO-UNITY
    Dec 18 14:31:34 	racoon: INFO: received Vendor ID: DPD
    Dec 18 14:31:34 	racoon: [<snip>] INFO: Selected NAT-T version: RFC 3947
    Dec 18 14:31:34 	racoon: INFO: Adding remote and local NAT-D payloads.
    Dec 18 14:31:34 	racoon: [<snip>] INFO: Hashing <snip>[5806] with algo #2 (NAT-T forced)
    Dec 18 14:31:34 	racoon: [Self]: [<snip>] INFO: Hashing <snip>[500] with algo #2 (NAT-T forced)
    Dec 18 14:31:34 	racoon: INFO: Adding xauth VID payload.
    Dec 18 14:31:34 	racoon: [Self]: INFO: NAT-T: ports changed to: <snip>[5792]<-><snip>[4500]
    Dec 18 14:31:34 	racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Dec 18 14:31:34 	racoon: INFO: NAT-D payload #0 doesn't match
    Dec 18 14:31:34 	racoon: INFO: NAT-D payload #1 doesn't match
    Dec 18 14:31:34 	racoon: INFO: NAT detected: ME PEER
    Dec 18 14:31:34 	racoon: INFO: Sending Xauth request
    Dec 18 14:31:34 	racoon: [Self]: INFO: ISAKMP-SA established <snip>[4500]-<snip>[5792] spi:<snip>: <snip>
    Dec 18 14:31:34 	racoon: INFO: Using port 0
    Dec 18 14:31:34 	racoon: user '<snip>' authenticated
    Dec 18 14:31:34 	racoon: INFO: login succeeded for user "<snip>"
    

    (Personal info snipped)

    And then the system log

    Dec 18 14:32:16 	kernel: pid 91307 (racoon), uid 0: exited on signal 11 (core dumped)
    

  • Rebel Alliance Developer Netgate

    Are you on 2.1-RELEASE?
    Using RADIUS or LDAP or Local Auth?

    I recall that happening at some point during the 2.1 BETA stage but not in quite some time.



  • @jimp:

    Are you on 2.1-RELEASE?
    Using RADIUS or LDAP or Local Auth?

    I recall that happening at some point during the 2.1 BETA stage but not in quite some time.

    2.1-RELEASE (amd64)
    built on Wed Sep 11 18:17:37 EDT 2013
    FreeBSD <snip>8.3-RELEASE-p11 FreeBSD 8.3-RELEASE-p11 #1: Wed Sep 11 18:59:48 EDT 2013 root@snapshots-8_3-amd64.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 amd64

    Intel(R) Celeron(R) CPU 743 @ 1.30GHz

    Local Auth.


  • Rebel Alliance Developer Netgate

    Does it happen regardless of the login success? Meaning, if you put in the wrong password, does it still crash?



  • @jimp:

    Does it happen regardless of the login success? Meaning, if you put in the wrong password, does it still crash?

    Dec 19 13:18:01 	racoon: user '<snip>' could not authenticate.
    Dec 19 13:18:01 	racoon: INFO: Released port 0
    Dec 19 13:18:01 	racoon: INFO: login failed for user "<snip>"
    Dec 19 13:18:01 	racoon: ERROR: Attempt to release an unallocated address (port 0)
    Dec 19 13:18:01 	racoon: ERROR: mode config 6 from <snip>[62093], but we have no ISAKMP-SA.
    Dec 19 13:18:01 	racoon: ERROR: mode config 6 from <snip>[62093], but we have no ISAKMP-SA.
    Dec 19 13:18:01 	racoon: ERROR: mode config 6 from <snip>[62093], but we have no ISAKMP-SA.
    Dec 19 13:18:01 	racoon: [<snip>] ERROR: unknown Informational exchange received.
    Dec 19 13:18:01 	racoon: [<snip>] ERROR: unknown Informational exchange received.
    

    Looks like it stays running for failed logins.



  • I did additional testing last night, and I can confirm, I can have failed attempts (did 5 separate ones, some failing on user, some on password), but as soon as there's a successful one, the service stops and the system log has the core dump error.



  • Anything else I can do for debugging purposes? I'm using OpenVPN right now, but I would like to eventually get IPSec set up for people who can't use OpenVPN.


  • Rebel Alliance Developer Netgate

    It's a bit late, but I think we finally stumbled onto a cause for this.

    https://redmine.pfsense.org/issues/3417

    If you have four DNS servers defined to be pushed to clients, remove the fourth one.



  • @jimp:

    It's a bit late, but I think we finally stumbled onto a cause for this.

    https://redmine.pfsense.org/issues/3417

    If you have four DNS servers defined to be pushed to clients, remove the fourth one.

    I believe I do.  I'll have to double check.



  • Ok, that looks like it corrected the core dump issue at least, though I'm having no luck with getting my Android phone connected.  I don't know where to look from there.

    I used the mobile client tutorial to no avail, but I'm not sure which end is not working correctly now, but that's likely for another topic.
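
As an added example (not part of the thread and not pfSense code), this Python script triages the pattern reported above: it pairs each racoon Xauth login result with a kernel "exited on signal" line for the same daemon that follows shortly after. The function names, the two-minute window and the assumed year are choices made for this example, and the sample log is constructed from lines in the format shown in the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the logs quoted in the thread.
SAMPLE = """\
Dec 18 14:20:05 racoon: INFO: login failed for user "<snip>"
Dec 18 14:31:34 racoon: INFO: Sending Xauth request
Dec 18 14:31:34 racoon: user '<snip>' authenticated
Dec 18 14:31:34 racoon: INFO: login succeeded for user "<snip>"
Dec 18 14:32:16 kernel: pid 91307 (racoon), uid 0: exited on signal 11 (core dumped)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(\w+): (.*)$")
LOGIN = re.compile(r'login (succeeded|failed) for user "([^"]*)"')
CRASH = re.compile(r"pid (\d+) \((\w+)\), uid \d+: exited on signal (\d+)")

def parse(text, year=2013):
    """Yield (timestamp, program, message); syslog lines carry no year, so one is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def correlate(text, daemon="racoon", window=timedelta(minutes=2)):
    """Return one record per login; 'crash' is set when the daemon died within `window`."""
    logins = []
    for ts, prog, msg in sorted(parse(text), key=lambda e: e[0]):
        login = LOGIN.search(msg) if prog == daemon else None
        crash = CRASH.search(msg) if prog == "kernel" else None
        if login:
            logins.append({"time": ts, "outcome": login.group(1), "crash": None})
        elif crash and crash.group(2) == daemon and logins:
            last = logins[-1]
            # Attribute the crash to the most recent login only, and only once.
            if last["crash"] is None and ts - last["time"] <= window:
                last["crash"] = {
                    "pid": int(crash.group(1)),
                    "signal": int(crash.group(3)),
                    "delay_s": int((ts - last["time"]).total_seconds()),
                }
    return logins

if __name__ == "__main__":
    for rec in correlate(SAMPLE):
        state = f"crashed {rec['crash']}" if rec["crash"] else "daemon kept running"
        print(f"{rec['time']:%b %d %H:%M:%S} login {rec['outcome']}: {state}")
```

Run against merged IPsec and system logs, a result where only successful logins carry a crash record matches the behaviour described in this thread.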

