[vpn-help] Key daemon / IKE Service keeps dying with cert-based VPN in Win 7

A. J. Clark kinetix at dhbit.ca
Wed Nov 30 16:41:59 CST 2011


Hi there,

I can confirm that this issue exists in Linux as well... the same
certificate/VPN setup shows the following:

adamwork ike # iked -F
ii : created ike socket 0.0.0.0:500
ii : created natt socket 0.0.0.0:4500
## : IKE Daemon, ver 2.2.0
## : Copyright 2009 Shrew Soft Inc.
## : This product linked OpenSSL 1.0.0e 6 Sep 2011
ii : opened '/var/log/iked.log'
ii : network process thread begin ...
ii : pfkey process thread begin ...
ii : ipc server process thread begin ...
K< : recv pfkey REGISTER AH message
K< : recv pfkey REGISTER ESP message
K< : recv pfkey REGISTER IPCOMP message
K! : recv X_SPDDUMP message failure ( errno = 2 )
ii : ipc client process thread begin ...
<A : peer config add message
<A : proposal config message
<A : proposal config message
<A : client config message
<A : local id 'User1 at testzing.com' message
<A : remote id 'test.cert.vpn' message
<A : remote certificate data message
ii : remote certificate read complete ( 1481 bytes )
<A : local certificate data message
ii : local certificate read complete ( 1356 bytes )
<A : local key data message
ii : local key read complete ( 2350 bytes )
<A : remote resource message
<A : peer tunnel enable message
DB : peer added ( obj count = 1 )
ii : local address 10.250.0.243 selected for peer
DB : tunnel added ( obj count = 1 )
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is aggressive
DB : 10.250.0.243:500 <-> 10.250.0.241:500
DB : 374969c9314c3af4:0000000000000000
DB : phase1 added ( obj count = 1 )
>> : security association payload
>> : - proposal #1 payload
>> : -- transform #1 payload
>> : key exchange payload
>> : nonce payload
>> : cert request payload
>> : identification payload
>> : vendor id payload
ii : local supports nat-t ( draft v00 )
>> : vendor id payload
ii : local supports nat-t ( draft v01 )
>> : vendor id payload
ii : local supports nat-t ( draft v02 )
>> : vendor id payload
ii : local supports nat-t ( draft v03 )
>> : vendor id payload
ii : local supports nat-t ( rfc )
>> : vendor id payload
ii : local supports FRAGMENTATION
>> : vendor id payload
>> : vendor id payload
ii : local supports DPDv1
>> : vendor id payload
ii : local is SHREW SOFT compatible
>> : vendor id payload
ii : local is NETSCREEN compatible
>> : vendor id payload
ii : local is SIDEWINDER compatible
>> : vendor id payload
ii : local is CISCO UNITY compatible
>= : cookies 374969c9314c3af4:0000000000000000
>= : message 00000000
-> : send IKE packet 10.250.0.243:500 -> 10.250.0.241:500 ( 547 bytes )
DB : phase1 resend event scheduled ( ref count = 2 )
<- : recv IKE packet 10.250.0.241:500 -> 10.250.0.243:500 ( 1673 bytes )
DB : phase1 found
ii : processing phase1 packet ( 1673 bytes )
=< : cookies 374969c9314c3af4:8382478cf00cb7a1
=< : message 00000000
<< : security association payload
<< : - propsal #1 payload
<< : -- transform #1 payload
ii : matched isakmp proposal #1 transform #1
ii : - transform    = ike
ii : - cipher type  = 3des
ii : - key length   = default
ii : - hash type    = sha1
ii : - dh group     = group2 ( modp-1024 )
ii : - auth type    = sig-rsa
ii : - life seconds = 86400
ii : - life kbytes  = 0
<< : vendor id payload
ii : unknown vendor id ( 28 bytes )
0x : e7a811cf 8de6140e 3adc82fd 7855ff8f f1eadb8f 00000013 0000061e
<< : vendor id payload
ii : peer supports DPDv1
<< : vendor id payload
ii : peer supports HEARTBEAT-NOTIFY
<< : key exchange payload
<< : nonce payload
<< : identification payload
ii : phase1 id match
ii : received = fqdn test.cert.vpn
<< : certificate payload
<< : cert request payload
<< : vendor id payload
ii : peer supports nat-t ( draft v02 )
<< : nat discovery payload
<< : nat discovery payload
<< : signature payload
ii : disabled nat-t ( no nat detected )
== : DH shared secret ( 128 bytes )
== : SETKEYID ( 20 bytes )
== : SETKEYID_d ( 20 bytes )
== : SETKEYID_a ( 20 bytes )
== : SETKEYID_e ( 20 bytes )
== : cipher key ( 40 bytes )
== : cipher iv ( 8 bytes )
>> : certificate payload
== : phase1 hash_i ( computed ) ( 20 bytes )
>> : signature payload
>> : nat discovery payload
>> : nat discovery payload
>= : cookies 374969c9314c3af4:8382478cf00cb7a1
>= : message 00000000
>= : encrypt iv ( 8 bytes )
== : encrypt packet ( 1953 bytes )
== : stored iv ( 8 bytes )
DB : phase1 resend event canceled ( ref count = 1 )
-> : send IKE packet 10.250.0.243:500 -> 10.250.0.241:500 ( 1984 bytes )
ii : unable to get certificate CRL(3) at depth:0
ii : subject :/ST=British Columbia/L=Kamloops/O=SuperTestzing/OU=IPSec
VPN/CN=0162072007000231/CN=(250)
434-8700/CN=ecdsa-key/CN=test.cert.vpn/CN=Adam Clark
ii : unable to get certificate CRL(3) at depth:1
ii : subject :/C=CA/ST=British
Columbia/L=Kamloops/O=Testzing/OU=StaffVPN/CN=test.cert.vpn
Segmentation fault


I'm not sure if/why iked might be having issues with no CRL setup (as
there's no place to put a CRL setup), or if it's just coincidence that
that's the last thing it logs before it crashes.

Thanks,



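As an added example for triaging this kind of report (it is not part of the post and not Shrew Soft's code), the script below re-joins the subject lines that the mail client wrapped, pulls out the negotiated phase 1 parameters and the certificate verification errors, and records that the daemon died immediately after them. The string "unable to get certificate CRL" together with the number 3 matches OpenSSL's verify error X509_V_ERR_UNABLE_TO_GET_CRL (code 3); the small code table and the embedded excerpt, a condensed and constructed copy of the output above, are assumptions of this example.

```python
import re

# Constructed, condensed excerpt of the iked -F output from the post. The mail
# client wrapped the two long subject lines; the parser has to re-join them.
SAMPLE_LOG = """\
DB : exchange type is aggressive
DB : 10.250.0.243:500 <-> 10.250.0.241:500
ii : matched isakmp proposal #1 transform #1
ii : - transform    = ike
ii : - cipher type  = 3des
ii : - key length   = default
ii : - hash type    = sha1
ii : - dh group     = group2 ( modp-1024 )
ii : - auth type    = sig-rsa
ii : - life seconds = 86400
ii : - life kbytes  = 0
-> : send IKE packet 10.250.0.243:500 -> 10.250.0.241:500 ( 1984 bytes )
ii : unable to get certificate CRL(3) at depth:0
ii : subject :/ST=British Columbia/L=Kamloops/O=SuperTestzing/OU=IPSec
VPN/CN=test.cert.vpn
ii : unable to get certificate CRL(3) at depth:1
ii : subject :/C=CA/ST=British
Columbia/L=Kamloops/O=Testzing/OU=StaffVPN/CN=test.cert.vpn
Segmentation fault
"""

# Subset of OpenSSL X509 verify error codes (assumed mapping for this example;
# "unable to get certificate CRL" is the string OpenSSL prints for code 3).
X509_VERIFY_ERRORS = {
    2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    3: "X509_V_ERR_UNABLE_TO_GET_CRL",
    7: "X509_V_ERR_CERT_SIGNATURE_FAILURE",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    23: "X509_V_ERR_CERT_REVOKED",
}

TAG_RE = re.compile(r"^(?P<tag>\S\S) : (?P<msg>.*)$")          # "ii : ..."
EXCHANGE_RE = re.compile(r"^exchange type is (\w+)$")
PEERS_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):\d+ <-> (\d+\.\d+\.\d+\.\d+):\d+$")
PROPOSAL_RE = re.compile(r"^- (.+?)\s*= (.+)$")                   # "- cipher type  = 3des"
VERIFY_RE = re.compile(r"^(.+?)\((\d+)\) at depth:(\d+)$")        # "... CRL(3) at depth:0"
SUBJECT_RE = re.compile(r"^subject :(.*)$")


def join_wrapped_lines(text):
    """Re-join mail-wrapped lines: anything that does not start with a two
    character iked tag and ' : ' is a continuation of the previous line."""
    out = []
    for line in text.splitlines():
        if TAG_RE.match(line) or line.strip() == "Segmentation fault" or not out:
            out.append(line)
        else:
            out[-1] += " " + line   # the wrap replaced a space with a newline
    return out


def parse_iked_log(text):
    """Extract exchange type, peers, the matched proposal, verify errors
    (with the subject iked prints right after each) and a crash marker."""
    report = {"exchange": None, "local": None, "remote": None,
              "proposal": {}, "verify_errors": [], "crashed": False}
    for line in join_wrapped_lines(text):
        if line.strip() == "Segmentation fault":
            report["crashed"] = True
            continue
        m = TAG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        x = EXCHANGE_RE.match(msg)
        if x:
            report["exchange"] = x.group(1)
            continue
        x = PEERS_RE.match(msg)
        if x:
            report["local"], report["remote"] = x.group(1), x.group(2)
            continue
        x = PROPOSAL_RE.match(msg)
        if x:
            report["proposal"][x.group(1).strip()] = x.group(2).strip()
            continue
        x = VERIFY_RE.match(msg)
        if x:
            code = int(x.group(2))
            report["verify_errors"].append({
                "text": x.group(1).strip(), "code": code, "depth": int(x.group(3)),
                "name": X509_VERIFY_ERRORS.get(code, "unknown"), "subject": None})
            continue
        x = SUBJECT_RE.match(msg)
        if x and report["verify_errors"] and report["verify_errors"][-1]["subject"] is None:
            report["verify_errors"][-1]["subject"] = x.group(1)
    return report


def assess(report):
    """Turn the parsed report into findings a reviewer would want to see."""
    findings = []
    if report["exchange"] == "aggressive":
        findings.append("phase1 aggressive mode: identities travel before encryption is up")
    p = report["proposal"]
    if p.get("cipher type") in ("des", "3des"):
        findings.append("legacy phase1 cipher %s; prefer aes" % p["cipher type"])
    if p.get("hash type") in ("md5", "sha1"):
        findings.append("legacy phase1 hash %s; prefer sha2" % p["hash type"])
    if p.get("dh group", "").split(" ")[0] in ("group1", "group2"):
        findings.append("small DH group %s; prefer group14 or larger" % p["dh group"])
    for e in report["verify_errors"]:
        if e["code"] == 3:
            findings.append("no CRL for depth %d (%s): revocation not checked"
                            % (e["depth"], e["subject"]))
    if report["crashed"]:
        findings.append("daemon crashed%s" % (" right after certificate verification errors"
                                               if report["verify_errors"] else ""))
    return findings


if __name__ == "__main__":
    for f in assess(parse_iked_log(SAMPLE_LOG)):
        print("-", f)
```

The subject re-join is the part worth keeping in a real triage script: iked prints each subject on one line, so a line with no tag after a verify error is wrapping, not new output, and the DN must be restored before it is compared against the configured remote id.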