[Openswan dev] [Fwd: Re: [Bug 173165] Openswan Denial of Service (fwd)]

Harald Hoyer harald at redhat.com
Wed Dec 7 13:23:11 CET 2005


Excerpt from a mail I sent to paul at xelerance.com regarding the patches in the Fedora Core rpms.

Fedora Core <-> Cisco VPN 3000 Series

003 #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
003 #1: initial Aggressive Mode packet claiming to be from xxx.xxx.xxx.xxx on xxx.xxx.xxx.xxx
but no connection has been authorized
218 #1: STATE_AGGR_I1: INVALID_ID_INFORMATION
002 #1: sending notification INVALID_ID_INFORMATION to xxx.xxx.xxx.xxx:500

The Cisco sends protocol/port 17/0 instead of 0/0 or 17/500. This problem could be solved by the
openswan-2.3.1-cisco.patch.

Ok, with this patch applied, we can xauth ourselves and get:
...
002 #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
003 #2: ERROR: netlink response for Add SA esp.e81466fc at 192.168.10.245 included errno 22: Invalid argument
004 #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x73c62e4b <0xe81466fc xfrm=3DES_0-HMAC_MD5 
NATD=xxx.xxx.xxx.xxx:4500 DPD=none}

All seems up and running but nothing is going through. Here openswan-2.3.1-nat_t_aggr.patch helps, which is
from a bug report in your bugzilla.

002 #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x34200389 <0x3d9826d0 xfrm=3DES_0-HMAC_MD5 
NATD=xxx.xxx.xxx.xxx:4500 DPD=none}

With both patches applied all is fine :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openswan-2.3.1-cisco.patch
Type: text/x-patch
Size: 824 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20051207/144b814e/openswan-2.3.1-cisco.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openswan-2.3.1-nat_t_aggr.patch
Type: text/x-patch
Size: 573 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20051207/144b814e/openswan-2.3.1-nat_t_aggr.bin
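The Phase 1 ID payload check behind the `003 #1:` line above, as an added Python example (not openswan's code and not the attached patch): it parses an ISAKMP Identification payload from constructed bytes and applies the strict 0/0 or 17/500 rule, with an optional tolerant mode that also accepts the 17/0 the Cisco sends. The tolerant mode is an assumption about what openswan-2.3.1-cisco.patch does, since the patch text itself is not on this page.

```python
import struct

# Identification payload layout per RFC 2408 section 3.8 / RFC 2407 section 4.6.2:
# Next Payload(1) RESERVED(1) Payload Length(2) ID Type(1) Protocol ID(1) Port(2) ID Data(...)
ID_HDR = "!BBHBBH"           # 8-byte fixed header, network byte order
ID_IPV4_ADDR = 1             # ID type for a single IPv4 address
PROTO_UDP = 17
ISAKMP_PORT = 500


def parse_id_payload(data: bytes):
    """Return (id_type, protocol, port, id_data); raise ValueError on malformed input."""
    if len(data) < 8:
        raise ValueError("ID payload shorter than its 8-byte header")
    _next, _reserved, length, id_type, proto, port = struct.unpack(ID_HDR, data[:8])
    if length < 8 or length > len(data):
        raise ValueError(f"bad ID payload length {length}")
    return id_type, proto, port, data[8:length]


def check_phase1_id_ports(proto: int, port: int, tolerate_cisco: bool = False):
    """Mirror the strict check from the log on this page: 0/0 or 17/500 only.

    tolerate_cisco=True additionally accepts 17/0 (what the Cisco in the log sends).
    This is an assumption about the attached patch's effect, not its actual diff.
    Returns None when accepted, otherwise the rejection text from the page's log line.
    """
    allowed = {(0, 0), (PROTO_UDP, ISAKMP_PORT)}
    if tolerate_cisco:
        allowed.add((PROTO_UDP, 0))
    if (proto, port) in allowed:
        return None
    return f"protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are {proto}/{port}"


def build_id_payload(id_type: int, proto: int, port: int, id_data: bytes) -> bytes:
    """Encode a single Identification payload (next payload = 0, reserved = 0)."""
    return struct.pack(ID_HDR, 0, 0, 8 + len(id_data), id_type, proto, port) + id_data


# Constructed sample: ID_IPV4_ADDR 192.0.2.10 with protocol/port 17/0, i.e. the Cisco behaviour above.
CISCO_STYLE_ID = build_id_payload(ID_IPV4_ADDR, PROTO_UDP, 0, bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    _t, proto, port, _d = parse_id_payload(CISCO_STYLE_ID)
    print(check_phase1_id_ports(proto, port))        # strict: rejected with the page's message
    print(check_phase1_id_ports(proto, port, True))  # tolerant: None (accepted)
```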