[U-Boot] Pluto not work after log message : Errno 28: No space left on device

15 Dec 2008


      Hi , all :
Linux  kernel  2.6.19  , klips nat-t patched
Openswan  2.4.9
pluto not work after  message
2008/12/14 16:36:10 INTERNET pluto[1415]: ERROR: "PROFILE_1"[676]
60.166.215.36 #21071: pfkey write() of SADB_ADD message 63711 for Add SA
tun.4593@60.166.215.36 failed. Errno 28: No space left on device
I defined only on roadwarrior connection , It worked well for quit a long
time under 500 peers (Linksys box).
Now clients increased to 700  and Pluto refused to work with lots of ERROR
messages below . I “GREPED” only the first error connection for short .
It happens at rekeying period . SADB buffer overflow ? … memory leak ??
Any suggestions , Thx
/etc/ipsec.conf
version 2
config setup
interfaces=”ipsec0=eth0”
pluto=yes
plutowait=no
plutodebug=none
klipsdebug=none
uniqueids=yes
nat_traversal=no
nhelpers=0
conn    %default
type=tunnel
keyingtries=0
keyexchange=ike
auto=start
authby=secret
auth=esp
ikelifetime=1h
rekeymargin=10m
rekeyfuzz=20%
keylife=8h
compress=no
conn PROFILE_1
pfs=yes
keylife=3600s
ikelifetime=86400s
ike=des-md5-modp768,des-sha1-modp768,3des-md5,3des-sha1,3des-md5
esp=3des-md5
compress=no
left=218.xx.xx.xx
leftnexthop=218.xx.xx.xx
leftsubnet=129.100.248.0/21
leftsourceip=129.100.253.50
auto=add
right=%any
rightsubnetwithin=0.0.0.0/0
#Disable Opportunistic Encryption
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
Log ：
2008/12/14 15:45:26 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#18338: initiating Main Mode to replace #15846
2008/12/14 15:45:26 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#18338: You should NOT use insecure IKE algorithms (OAKLEY_DES_CBC)!
2008/12/14 15:45:26 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#18338: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
2008/12/14 15:45:26 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#18338: STATE_MAIN_I2: sent MI2, expecting MR2
2008/12/14 15:45:27 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#18338: I did not send a certificate because I do not have one.
2008/12/14 15:45:27 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#18338: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
2008/12/14 15:45:27 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#18338: STATE_MAIN_I3: sent MI3, expecting MR3
2008/12/14 15:45:27 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#18338: Main mode peer ID is ID_IPV4_ADDR: '60.166.215.36'
2008/12/14 15:45:27 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#18338: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
2008/12/14 15:45:27 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#18338: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_des_cbc_64 prf=oakley_md5 group=modp768}
2008/12/14 15:45:27 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#18340: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #15848
{using isakmp#18338}
2008/12/14 15:45:28 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#18340: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
2008/12/14 15:45:28 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#18340: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xbbe29168
<0x9c158064 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
2008/12/14 15:50:18 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#15846: received Delete SA(0xf432d9a4) payload: deleting IPSEC State #15848
2008/12/14 15:50:18 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#15846: received and ignored informational message
2008/12/14 16:33:43 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20930: initiating Main Mode to replace #18338
2008/12/14 16:33:44 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20930: You should NOT use insecure IKE algorithms (OAKLEY_DES_CBC)!
2008/12/14 16:33:44 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20930: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
2008/12/14 16:33:44 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20930: STATE_MAIN_I2: sent MI2, expecting MR2
2008/12/14 16:33:44 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20930: I did not send a certificate because I do not have one.
2008/12/14 16:33:44 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20930: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
2008/12/14 16:33:44 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20930: STATE_MAIN_I3: sent MI3, expecting MR3
2008/12/14 16:33:45 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20930: Main mode peer ID is ID_IPV4_ADDR: '60.166.215.36'
2008/12/14 16:33:45 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20930: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
2008/12/14 16:33:45 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20930: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_des_cbc_64 prf=oakley_md5 group=modp768}
2008/12/14 16:34:09 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20946: responding to Main Mode from unknown peer 60.166.215.36
2008/12/14 16:34:09 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20946: You should NOT use insecure IKE algorithms (OAKLEY_DES_CBC)!
2008/12/14 16:34:09 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20946: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2008/12/14 16:34:09 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20946: STATE_MAIN_R1: sent MR1, expecting MI2
2008/12/14 16:34:09 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20946: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2008/12/14 16:34:09 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20946: STATE_MAIN_R2: sent MR2, expecting MI3
2008/12/14 16:34:10 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20946: Main mode peer ID is ID_IPV4_ADDR: '60.166.215.36'
2008/12/14 16:34:10 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20946: I did not send a certificate because I do not have one.
2008/12/14 16:34:10 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20946: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
2008/12/14 16:34:10 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20946: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_des_cbc_64 prf=oakley_sha
group=modp768}
2008/12/14 16:34:11 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20947: responding to Quick Mode {msgid:fcd27e1e}
2008/12/14 16:34:11 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20947: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
2008/12/14 16:34:11 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#20947: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
2008/12/14 16:34:11 INTERNET pluto[1415]: ERROR: "PROFILE_1"[676]
60.166.215.36 #20947: pfkey write() of SADB_ADD message 63627 for Add SA
esp.d3719364@60.166.215.36 failed. Errno 28: No space left on device
2008/12/14 16:36:09 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21069: responding to Main Mode from unknown peer 60.166.215.36
2008/12/14 16:36:09 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21069: You should NOT use insecure IKE algorithms (OAKLEY_DES_CBC)!
2008/12/14 16:36:09 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21069: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2008/12/14 16:36:09 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21069: STATE_MAIN_R1: sent MR1, expecting MI2
2008/12/14 16:36:09 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21069: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2008/12/14 16:36:09 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21069: STATE_MAIN_R2: sent MR2, expecting MI3
2008/12/14 16:36:10 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21069: Main mode peer ID is ID_IPV4_ADDR: '60.166.215.36'
2008/12/14 16:36:10 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21069: I did not send a certificate because I do not have one.
2008/12/14 16:36:10 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21069: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
2008/12/14 16:36:10 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21069: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_des_cbc_64 prf=oakley_sha
group=modp768}
2008/12/14 16:36:10 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21071: responding to Quick Mode {msgid:fdc82638}
2008/12/14 16:36:10 INTERNET pluto[1415]: ERROR: "PROFILE_1"[676]
60.166.215.36 #21071: pfkey write() of SADB_ADD message 63711 for Add SA
tun.4593@60.166.215.36 failed. Errno 28: No space left on device
2008/12/14 16:36:38 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21113: responding to Main Mode from unknown peer 60.166.215.36
2008/12/14 16:36:38 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21113: You should NOT use insecure IKE algorithms (OAKLEY_DES_CBC)!
2008/12/14 16:36:38 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21113: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2008/12/14 16:36:39 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21113: STATE_MAIN_R1: sent MR1, expecting MI2
2008/12/14 16:36:39 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21113: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2008/12/14 16:36:39 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21113: STATE_MAIN_R2: sent MR2, expecting MI3
2008/12/14 16:36:40 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21113: Main mode peer ID is ID_IPV4_ADDR: '60.166.215.36'
2008/12/14 16:36:40 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21113: I did not send a certificate because I do not have one.
2008/12/14 16:36:40 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21113: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
2008/12/14 16:36:40 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21113: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_des_cbc_64 prf=oakley_sha
group=modp768}
2008/12/14 16:36:40 INTERNET pluto[1415]: "PROFILE_1"[676] 60.166.215.36
#21118: responding to Quick Mode {msgid:04712648}

陈琳涛

tags (0)

participants (1)