Package: openswan
Version: 1:2.4.6+dfsg.2-1.1
Severity: important

We've recently started to encounter pluto crashes with the following
error:

ASSERTION FAILED at kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE

I found mention of this same error on the openswan bug tracking system
at:

http://bugs.xelerance.com/view.php?id=849

The weird part about this error is it only seems to affect certain
remote clients.  In all cases, those clients were behind a NAT; however,
I have successfully configured other remote clients with the same
configuration and their connections are just fine.  As of yet, I've been
unable to determine a pattern to the problem.  My ipsec.conf config is
fairly simple:

version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes

# actual connection configuration files
include /etc/ipsec.d/confs/ipsec.*.conf

include /etc/ipsec.d/examples/no_oe.conf

and an example client config that has problems looks like:

conn testcon
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        [EMAIL PROTECTED]
        leftrsasigkey=<blah blah blah>...
        right=remote.client.com
        rightsubnetwithin=192.168.0.50/32
        [EMAIL PROTECTED]
        rightrsasigkey=<blah blah blah>...
        auto=add

on the remote side:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        nat_traversal=yes
        nhelpers=0
        interfaces=%defaultroute

conn server
        left=server.com
        leftsubnet=192.168.1.0/24
        [EMAIL PROTECTED]
        leftrsasigkey=<blah blah blah>...
        right=%defaultroute
        [EMAIL PROTECTED]
        rightrsasigkey=<blah blah blah>...
        auto=add

include /etc/ipsec.d/examples/no_oe.conf

I'm hoping that the openswan group picks up on this bug reported a few days
ago, but I didn't figure it would hurt for the Debian package maintainers to
know there is something lurky out there.

Let me know if I can get you any other information.

Thanks,

Mark

-- System Information:
Debian Release: 4.0
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages openswan depends on:
ii  bsdmainutils           6.1.6             collection of more utilities from 
ii  debconf [debconf-2.0]  1.5.11            Debian configuration management sy
ii  debianutils            2.17              Miscellaneous utilities specific t
ii  host                   20000331-9        utility for querying DNS servers
ii  iproute                20061002-3        Professional tools to control the 
ii  ipsec-tools            1:0.6.6-3.1etch1  IPsec tools for Linux
ii  libc6                  2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii  libcurl3               7.15.5-1etch1     Multi-protocol file transfer libra
ii  libgmp3c2              2:4.2.1+dfsg-4    Multiprecision arithmetic library
ii  libldap2               2.1.30-13.3       OpenLDAP libraries
ii  libpam0g               0.79-4            Pluggable Authentication Modules l
ii  libssl0.9.8            0.9.8c-4          SSL shared libraries
ii  openssl                0.9.8c-4          Secure Socket Layer (SSL) binary a

openswan recommends no packages.

-- debconf information:
  openswan/existing_x509_key_filename:
  openswan/x509_state_name:
  openswan/x509_email_address:
  openswan/x509_country_code: AT
  openswan/x509_self_signed: true
  openswan/rsa_key_length: 2048
  openswan/restart: true
  openswan/start_level: earliest
  openswan/enable-oe: false
  openswan/x509_organizational_unit:
  openswan/x509_locality_name:
  openswan/existing_x509_certificate: false
  openswan/existing_x509_certificate_filename:
  openswan/x509_common_name:
  openswan/create_rsa_key: true
  openswan/rsa_key_type: x509
  openswan/x509_organization_name:


