[Openswan dev] pfkey_msg_build of Add SA esp.XX failed

Michael Richardson mcr at xelerance.com
Fri Mar 10 19:41:01 CET 2006


    Brian> 10:14:30 +0000 From: Brian Candler <B.Candler at pobox.com> To:
    Brian> users at openswan.org Subject: [Openswan Users]

    Brian> I have an interoperability problem between Openswan 2.4.5rc5
    Brian> and Cisco PIX 7.0.2 with PFS enabled. Phase 1 comes up
    Brian> successfully, but phase 2 fails with a pfkey error: "Trouble
    Brian> parsing newly built pfkey message, error=-22"

  PFS on or off shouldn't matter.
  I assume that this message is coming from pluto.
Jan  1 18:17:53 (none) kern.debug pluto[6463]: | pfkey_lib_debug:pfkey_msg_parse: parsing message ver=2, type=2(update), errno=0, satype=0(UNKNOWN), len=11, res=0, seq=13, pid=6463.

  The satype=0 is what screws things up. I am uncertain why this is happening. 
Can you operate with anything else?  Can you try the same code on an x86

    Paul> Anybody got any ideas what's going on here, or is there some
    Paul> more debugging I can turn on to help pin this down? As far as
    Paul> I can tell from the source, it seems that openswan is
    Paul> generating a message, running it through its own parser before
    Paul> sending it, and failing to parse it. This implies the problem
    Paul> is either with the format of the message it generates or with
    Paul> its own parser, and not with the PIX.

  It may also be that it accepted a parameter of some kind from the PIX,
which turns out to confuse it when it builds the message. Reparsing the
message is a sanity check, because when the kernel fails to process
things, the debugging result is even less understandable.

-- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
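The log line above shows the header that pluto's own re-parse rejected: ver=2, type=2(update), satype=0(UNKNOWN), len=11. On Linux errno 22 is EINVAL, so "error=-22" is the parser returning -EINVAL. As an added illustration (not Openswan or pluto code), the following C program performs the kind of header sanity check that such a re-parse does: it lays out the PF_KEYv2 sadb_msg header as defined in RFC 2367, checks version, type, length and reserved fields, and rejects an SADB_UPDATE or SADB_ADD whose satype is SADB_SATYPE_UNSPEC, since the kernel cannot install an SA without knowing whether it is AH or ESP. The header field values are copied from the log line; the type bounds (SADB_MAX, SADB_SATYPE_MAX) and the helper names are assumptions of this example, not identifiers from the page.

```c
/* Added example, not Openswan code: a PF_KEYv2 header sanity check in the
 * spirit of the re-parse pluto performs before sending a message to the
 * kernel.  Struct layout and constant values follow RFC 2367. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PF_KEY_V2          2
#define SADB_UPDATE        2
#define SADB_ADD           3
#define SADB_MAX           20   /* assumption: upper bound used for the type check */
#define SADB_SATYPE_UNSPEC 0
#define SADB_SATYPE_AH     2
#define SADB_SATYPE_ESP    3
#define SADB_SATYPE_MAX    9    /* assumption: highest satype accepted here */

struct sadb_msg {               /* 16 bytes = 2 units of 64 bits */
    uint8_t  sadb_msg_version;
    uint8_t  sadb_msg_type;
    uint8_t  sadb_msg_errno;
    uint8_t  sadb_msg_satype;
    uint16_t sadb_msg_len;      /* total message length in 8-byte units */
    uint16_t sadb_msg_reserved;
    uint32_t sadb_msg_seq;
    uint32_t sadb_msg_pid;
};

/* Returns 0 when the header is consistent with the buffer it sits in,
 * -EINVAL otherwise; *why receives a short reason for the caller's log. */
int pfkey_check_header(const uint8_t *buf, size_t buflen, const char **why)
{
    struct sadb_msg m;
    if (buflen < sizeof m) { *why = "buffer shorter than header"; return -EINVAL; }
    memcpy(&m, buf, sizeof m);
    if (m.sadb_msg_version != PF_KEY_V2) { *why = "wrong version"; return -EINVAL; }
    if (m.sadb_msg_type == 0 || m.sadb_msg_type > SADB_MAX) { *why = "bad type"; return -EINVAL; }
    if ((size_t)m.sadb_msg_len * 8 != buflen) { *why = "len does not match buffer"; return -EINVAL; }
    if (m.sadb_msg_reserved != 0) { *why = "reserved field not zero"; return -EINVAL; }
    if (m.sadb_msg_satype > SADB_SATYPE_MAX) { *why = "satype out of range"; return -EINVAL; }
    /* An UPDATE or ADD installs a concrete SA, so the SA type must be named
     * (AH, ESP, ...); satype=0 means the builder never filled it in. */
    if ((m.sadb_msg_type == SADB_UPDATE || m.sadb_msg_type == SADB_ADD) &&
        m.sadb_msg_satype == SADB_SATYPE_UNSPEC) {
        *why = "satype=0(UNKNOWN) in an UPDATE/ADD";
        return -EINVAL;
    }
    *why = "ok";
    return 0;
}

/* Builds an 11-unit (88-byte) message whose header carries the given satype;
 * the other fields mirror the log line: ver=2, type=2(update), errno=0,
 * len=11, res=0, seq=13, pid=6463.  Body bytes are zero (constructed data). */
static int check_update_with_satype(uint8_t satype, const char **why)
{
    uint8_t buf[11 * 8];
    struct sadb_msg m;
    memset(buf, 0, sizeof buf);
    memset(&m, 0, sizeof m);
    m.sadb_msg_version = PF_KEY_V2;
    m.sadb_msg_type    = SADB_UPDATE;
    m.sadb_msg_satype  = satype;
    m.sadb_msg_len     = 11;
    m.sadb_msg_seq     = 13;
    m.sadb_msg_pid     = 6463;
    memcpy(buf, &m, sizeof m);
    return pfkey_check_header(buf, sizeof buf, why);
}

/* The header as logged: satype=0, so the check returns -EINVAL (-22 on Linux). */
int check_logged_update(void)
{
    const char *why;
    int rc = check_update_with_satype(SADB_SATYPE_UNSPEC, &why);
    printf("logged update: rc=%d (%s)\n", rc, why);
    return rc;
}

/* The same header with satype=3(ESP) passes the check. */
int check_esp_update(void)
{
    const char *why;
    int rc = check_update_with_satype(SADB_SATYPE_ESP, &why);
    printf("esp update:    rc=%d (%s)\n", rc, why);
    return rc;
}

int main(void)
{
    check_logged_update();
    check_esp_update();
    return 0;
}
```

Running it prints rc=-22 for the logged header and rc=0 once satype names ESP, which is the difference between the message pluto rejected and one the kernel could accept; the check reads only the 16-byte header, so the real parser's walk over the extension headers that follow is not modelled here.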

