<div dir="ltr"><div><div><div>Hello Sir<br><br></div>Please have a look into this issue. It will be great if you can suggest some hints here.<br><br></div>Thanks<br></div>Rajeev<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 22, 2015 at 5:26 PM, Rajeev Gaur <span dir="ltr"><<a href="mailto:rajeev.gaur@niyuj.com" target="_blank">rajeev.gaur@niyuj.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hello,</div><div><br></div><div>I have received a <span>problem</span> scenario from my company regarding IPSec VPN.</div><div><br></div><div>Important Points:</div><div>The <span>problem</span> involves openswan-2.6.31</div><div><span>Problem</span> is intermittent, does not have a specific interval for occurence.</div><div>This is a hub and spoke <span>problem</span>. Having hub and 3 spokes.</div><div>NAT is not involved. All the connections are through public IPs.</div><div>All connections involve PRESHARED KEYS ONLY.</div><div><br></div><div><span>Problem</span>:</div><div>Intermittently, out of the three spokes two spokes just restart ipsec daemon.</div><div>(I am sending the specific logs, if you want any other information please do revert)</div><div><br></div><div><span>PAYLOAD_MALFORMED</span> message is received quite sometimes.</div><div><br></div><div>This has already taken aaproximately 2 months. Now, it is troubling.</div><div><br></div><div>I am attaching the [ipsec whack --debug-all] logs.</div><div>There are two logs for two ends. But ipsec whack logs are quite big so</div><div>I am sending information for specific session ID #180934 which shows</div><div><span>PAYLOAD_MALFORMED</span>.</div><div><br></div><div>If you can suggest something here it will be great.<br></div><div><br></div><div>Please see the config below:<br></div><div><br>config setup<br> protostack = netkey<br> klipsdebug = none<br> plutodebug = none<br> uniqueids = yes<br> hidetos = no<br><br>conn XXX<br> type = tunnel<br> left = X-X-X-X-X<br> right = Y-Y-Y-Y-Y<br> leftnexthop = Z-Z-Z-Z-Z<br> leftsubnet = <a href="http://10.50.3.0/24" target="_blank">10.50.3.0/24</a><br> rightsubnet = <a href="http://10.50.1.0/24" target="_blank">10.50.1.0/24</a><br> auto = start<br> keyexchange = ike<br> authby = secret<br> auth = esp<br> keyingtries = 0<br> esp = AES128-SHA1<br> pfs = yes<br> rekey = yes<br> leftid = X-X-X-X-X<br> rightid = Y-Y-Y-Y-Y<br> ike = 3DES-SHA-MODP1024<br> ikelifetime = 28800s<br> keylife = 14400s<br> rekeymargin = 10m<br> rekeyfuzz = 20%<br> X-early = yes<br> dpddelay = 10<br> dpdtimeout = 120<br> dpdaction = restart<br> X-custadmin = off<br><br><br><br>config setup<br> protostack = netkey<br> klipsdebug = none<br> plutodebug = none<br> uniqueids = yes<br> hidetos = no<br><br>conn YYY<br> type = tunnel<br> left = Y-Y-Y-Y-Y<br> right = %any<br> leftnexthop = Z-Z-Z-Z-Z<br> leftsubnet = <a href="http://10.50.1.0/24" target="_blank">10.50.1.0/24</a><br> rightsubnet = <a href="http://10.50.3.0/24" target="_blank">10.50.3.0/24</a><br> auto = add<br> keyexchange = ike<br> authby = secret<br> auth = esp<br> keyingtries = 0<br> esp = AES128-SHA1<br> pfs = yes<br> rekey = yes<br> leftid = 174.47.49.246<br> rightid = %any<br> ike = 3DES-SHA-MODP1024<br> ikelifetime = 28800s<br> keylife = 14400s<br> rekeymargin = 10m<br> rekeyfuzz = 20%<br> X-early = <br> dpddelay = 10<br> dpdtimeout = 120<br> dpdaction = restart<br> X-custadmin = off<br><br></div><div>In case you want any other information, please do revert.<br><br></div><div>Thanks</div></div>
</blockquote></div><br></div>