Bug 783840 - racoon segfaults when multiple "mode_cfg" sections are present
Summary: racoon segfaults when multiple "mode_cfg" sections are present
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: ipsec-tools
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-01-22 17:53 UTC by Michal Bruncko
Modified: 2012-02-03 19:57 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-03 19:57:59 UTC
Type: ---



Description Michal Bruncko 2012-01-22 17:53:57 UTC
Description of problem:
I am testing and configuring racoon as xauth_rsa_server with multiple IP pools provided to VPN clients based on LDAP group authentication. In my configuration, there are two "mode_cfg" pools configured:

mode_cfg {
        auth_source radius;
        auth_groups "Domain Users";
        group_source ldap;
        accounting none;
        network4 192.168.241.5;
        pool_size 20;
        netmask4 255.255.255.0;
        conf_source local;
        dns4 172.16.0.1;
        #wins4 172.16.0.1;
        banner "/etc/racoon/motd2";
        split_network include 172.16.1.0/24;
}

# Users Pool
mode_cfg {
        auth_source radius;
        auth_groups "Domain Admins";
        group_source ldap;
        accounting none;
        network4 192.168.240.5;
        pool_size 20;
        netmask4 255.255.255.0;
        conf_source local;
        dns4 172.30.0.1;
        default_domain "example.com";
        wins4 172.30.0.1;
        banner "/etc/racoon/motd1";
        split_network include 172.16.0.0/12;
} 

and when I try to connect to this VPN server, racoon segfaults.

Version-Release number of selected component (if applicable):
[root@vpn-server ~]# racoon -V
@(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Compiled with:
- OpenSSL 1.0.0-fips 29 Mar 2010 (http://www.openssl.org/)
- IPv6 support
- Dead Peer Detection
- IKE fragmentation
- Hybrid authentication
- NAT Traversal
- Admin port
- Monotonic clock
- Security context

[root@vpn-server ~]# cat /etc/redhat-release
CentOS release 6.2 (Final)

[root@vpn-server ~]# uname -a
Linux vpn-server.example.com 2.6.32-220.2.1.el6.x86_64 #1 SMP Fri Dec 23 02:21:33 CST 2011 x86_64 x86_64 x86_64 GNU/Linux

I am using a rebuilt src.rpm package from rawhide - ipsec-tools-0.8.0-3.fc17.src.rpm with LDAP and RADIUS XAUTH support included.

How reproducible:
always

Steps to Reproduce:
1. configure racoon with multiple mode_cfg sections
2. start racoon and try to connect with an ipsec client
  
Actual results:
racoon segfaults:
Jan 20 17:57:35 vpn-server kernel: : racoon[26321]: segfault at 7f64d293a000 ip 00007f64d26ee233 sp 00007fff47bc0440 error 4 in racoon[7f64d2688000+9e000] 

Expected results:
racoon continues accepting and finishes the VPN connection from the client

Additional info:
log:
Jan 20 17:57:35 vpn-server racoon: INFO: purging spi=164289363.
Jan 20 17:57:35 vpn-server racoon: INFO: Using port 0
Jan 20 17:57:35 vpn-server racoon: WARNING: no ldap results for filter '(&(cn=Domain Users)(memberUid=user))'
Jan 20 17:57:35 vpn-server racoon: INFO: user "user" is not a member of group "Domain Users"
Jan 20 17:57:35 vpn-server racoon: INFO: ldap membership group returned 'cn=Domain Admins,ou=Groups,dc=example,dc=com'
Jan 20 17:57:35 vpn-server racoon: INFO: user "user" is a member of group "Domain Admins"
Jan 20 17:57:35 vpn-server racoon: INFO: login succeeded for user "user"
Jan 20 17:57:35 vpn-server racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Jan 20 17:57:35 vpn-server kernel: : racoon[26321]: segfault at 7f64d293a000 ip 00007f64d26ee233 sp 00007fff47bc0440 error 4 in racoon[7f64d2688000+9e000] 

After the segfault the VPN connection times out. If I comment out ONE of the two mode_cfg sections (nothing else changed inside the configuration), the VPN connection is successfully initiated and works. But with two sections, racoon always segfaults.
I have tried to change auth_source from radius to ldap (because ldap auth also works), but the behavior is the same - a segfault for more than one mode_cfg section configured.

Comment 1 Michal Bruncko 2012-02-03 19:57:59 UTC
Ok, after communication with developer VANHULLEBUS Yvan:

"
Afaik, you just can't have multiple ModeConfig setups actually.
Of course, it would be better to have a clean error message rather
than a crash, but it won't change the fact that you can't configure
that.

We'll probably have a look at that "one day", to allow multiple
ModeConfig setups, but it is probably more complex to decide what
should be configurable, how to select the correct configuration,
etc... than just doing the implementation.
"

So, closing this, multiple ModeConfigs are not supported.
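Since racoon crashes instead of rejecting the file, a pre-flight check that counts top-level mode_cfg blocks in racoon.conf is a practical safeguard before restarting the daemon. This is an added example, not code from ipsec-tools; the abridged configuration inside it is constructed from the two pools in the report above, and the brace-aware scan is an assumption about the file syntax (quoted strings and '#' comments may contain braces that must be ignored).

```python
import re

# Constructed sample, abridged from the two pools in the report above.
SAMPLE_CONF = """\
path pre_shared_key "/etc/racoon/psk.txt";
mode_cfg {
        auth_source radius;
        auth_groups "Domain Users";
        banner "/etc/racoon/motd2";   # a "{" here must not count
}

# Users Pool
mode_cfg {
        auth_source radius;
        auth_groups "Domain Admins";
}
"""

def top_level_sections(conf):
    """Return [(name, line_no), ...] for each top-level 'name ... {' block.
    Quoted strings and '#' comments are blanked before brace counting."""
    sections, depth, pending = [], 0, ""
    for line_no, raw in enumerate(conf.splitlines(), start=1):
        text = re.sub(r'"[^"]*"', '""', raw).split("#", 1)[0]
        for ch in text + " ":
            if ch == "{":
                if depth == 0:
                    head = pending.split()
                    sections.append((head[0] if head else "?", line_no))
                depth += 1
                pending = ""
            elif ch == "}":
                depth -= 1
                if depth < 0:
                    raise ValueError(f"unexpected '}}' on line {line_no}")
            elif depth == 0:
                # a ';' ends a top-level statement such as 'path ... ;'
                pending = "" if ch == ";" else pending + ch
    if depth != 0:
        raise ValueError("unbalanced braces in configuration")
    return sections

def mode_cfg_findings(conf):
    # Empty list when the file is fine, else one finding per problem.
    lines = [ln for name, ln in top_level_sections(conf) if name == "mode_cfg"]
    if len(lines) > 1:
        return [f"{len(lines)} mode_cfg sections at lines {lines}: racoon "
                "accepts only one and crashes instead of rejecting the file"]
    return []
```

Run `mode_cfg_findings(open("/etc/racoon/racoon.conf").read())` from a service pre-start hook and refuse to start when it returns anything.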

