[Openswan dev] Bug in handling encrypted delete SA payload
Paul Wouters
paul at xelerance.com
Wed Apr 14 17:43:37 CEST 2004
Setting up a conn between openswan-2.1.1 and windows, with rekey=no
gives the following:
Apr 14 15:19:39 fw-500me pluto[3876]: packet from 193.110.157.18:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Apr 14 15:19:39 fw-500me pluto[3876]: "wavesec-for-windows"[1] 193.110.157.18 #78: responding to Main Mode from unknown peer 193.110.157.18
Apr 14 15:19:39 fw-500me pluto[3876]: "wavesec-for-windows"[1] 193.110.157.18 #78: transition from state (null) to state STATE_MAIN_R1
Apr 14 15:19:40 fw-500me pluto[3876]: "wavesec-for-windows"[1] 193.110.157.18 #78: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 14 15:19:40 fw-500me pluto[3876]: "wavesec-for-windows"[1] 193.110.157.18 #78: Peer ID is ID_DER_ASN1_DN: 'C=NL, ST=nhld, O=Xelerance, CN=client02, E=postmaster at xelerance.com'
Apr 14 15:19:40 fw-500me pluto[3876]: "wavesec-for-windows"[1] 193.110.157.18 #78: issuer crl not found
Apr 14 15:19:40 fw-500me pluto[3876]: "wavesec-for-windows"[1] 193.110.157.18 #78: issuer crl not found
Apr 14 15:19:40 fw-500me pluto[3876]: "wavesec-for-windows"[2] 193.110.157.18 #78: deleting connection "wavesec-for-windows" instance with peer 193.110.157.18 {isakmp=#0/ipsec=#0}
Apr 14 15:19:40 fw-500me pluto[3876]: "wavesec-for-windows"[2] 193.110.157.18 #78: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 14 15:19:40 fw-500me pluto[3876]: "wavesec-for-windows"[2] 193.110.157.18 #78: sent MR3, ISAKMP SA established
Apr 14 15:19:40 fw-500me pluto[3876]: "wavesec-for-windows"[2] 193.110.157.18 #79: responding to Quick Mode
Apr 14 15:19:40 fw-500me pluto[3876]: "wavesec-for-windows"[2] 193.110.157.18 #79: transition from state (null) to state STATE_QUICK_R1
Apr 14 15:19:41 fw-500me pluto[3876]: "wavesec-for-windows"[2] 193.110.157.18 #79: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 14 15:19:41 fw-500me pluto[3876]: "wavesec-for-windows"[2] 193.110.157.18 #79: IPsec SA established {ESP=>0xfab6d143 <0xce9702a8}
Apr 14 15:21:22 fw-500me pluto[3876]: "wavesec-for-windows"[2] 193.110.157.18 #78: received Delete SA payload: deleting ISAKMP State #78
Apr 14 15:26:07 fw-500me pluto[3876]: "wavesec-for-windows"[2] 193.110.157.18 #79: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
I do not understand why this Delete SA is ignored. Note the order of
logging with instance 78 and 79, they overlap. The endresult here is
that windows things it has no conenciton left, while the openswan side
still has the IPsec SA up.
It seems instance 79 is encrypted, and not disgarded as bogus, so openswan
does know somewhat it is not completely bogus, yet fails to realise this
is meant for instance 78.
Paul
More information about the Dev
mailing list