[Openswan dev] pfkey_msg_build of Add SA esp.XX failed
Michael Richardson
mcr at xelerance.com
Fri Mar 10 19:41:01 CET 2006
Brian> 10:14:30 +0000 From: Brian Candler <B.Candler at pobox.com> To:
Brian> users at openswan.org Subject: [Openswan Users]
Brian> I have an interoperability problem between Openswan 2.4.5rc5
Brian> and Cisco PIX 7.0.2 with PFS enabled. Phase 1 comes up
Brian> successfully, but phase 2 fails with a pfkey error: "Trouble
Brian> parsing newly built pfkey message, error=-22"
PFS on or off shouldn't matter.
I assume that this message is coming from pluto.
Jan 1 18:17:53 (none) kern.debug pluto[6463]: | pfkey_lib_debug:pfkey_msg_parse: parsing message ver=2, type=2(update), errno=0, satype=0(UNKNOWN), len=11, res=0, seq=13, pid=6463.
The satype=0 is what screws things up. I am uncertain why this is happening.
Can you operate with anything else? Can you try the same code on an x86
box?
Paul> Anybody got any ideas what's going on here, or is there some
Paul> more debugging I can turn on to help pin this down? As far as
Paul> I can tell from the source, it seems that openswan is
Paul> generating a message, running it through its own parser before
Paul> sending it, and failing to parse it. This implies the problem
Paul> is either with the format of the message it generates or with
Paul> its own parser, and not with the PIX.
Yes-ish.
It may also be that it accepted a parameter of some kind from the PIX,
which turns out to confuse it when it builds the message. Reparsing the
message is a sanity check, because when the kernel fails to process
things, the debugging result is even less understandable.
--
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
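
The reparse-before-send sanity check discussed in this message, as an added example that is not Openswan's code: a minimal validator for the PF_KEY v2 base header (layout and constants from RFC 2367) that returns -EINVAL (22 on Linux, matching error=-22) for the header fields shown in the log line. The function names and the rule that GETSPI through GET messages need a concrete SA type are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* PF_KEY v2 base message header (RFC 2367); 16 bytes, i.e. two 64-bit words. */
struct sadb_msg_hdr {
    uint8_t  version;   /* PF_KEY_V2 == 2 */
    uint8_t  type;      /* SADB_* message type */
    uint8_t  errno_;    /* error code, set in kernel replies */
    uint8_t  satype;    /* SADB_SATYPE_* */
    uint16_t len;       /* total message length in 64-bit words */
    uint16_t reserved;  /* must be zero */
    uint32_t seq;
    uint32_t pid;
};

enum { PFKEY_V2 = 2, HDR_WORDS = 2 };
enum { MSG_GETSPI = 1, MSG_UPDATE = 2, MSG_GET = 5 };   /* RFC 2367 values */
enum { SATYPE_UNSPEC = 0, SATYPE_ESP = 3 };

/* Hypothetical checker: 0 if the header is sane, -EINVAL otherwise.
 * buf_words is the size of the buffer holding the message, in 64-bit words. */
int check_pfkey_header(const struct sadb_msg_hdr *m, unsigned buf_words)
{
    if (m->version != PFKEY_V2 || m->reserved != 0) return -EINVAL;
    if (m->len < HDR_WORDS || m->len > buf_words) return -EINVAL;
    /* Assumed rule: messages acting on a single SA need a concrete SA type. */
    if (m->type >= MSG_GETSPI && m->type <= MSG_GET && m->satype == SATYPE_UNSPEC)
        return -EINVAL;
    return 0;
}

/* Header constructed from the log line (ver=2, type=2, seq=13, pid=6463). */
int check_logged_header(uint8_t satype, uint16_t len)
{
    struct sadb_msg_hdr m = { PFKEY_V2, MSG_UPDATE, 0, satype, len, 0, 13, 6463 };
    return check_pfkey_header(&m, 11);   /* 11-word buffer, as logged */
}

int main(void)
{
    printf("as logged (satype=0): %d\n", check_logged_header(SATYPE_UNSPEC, 11));
    printf("with satype=ESP:      %d\n", check_logged_header(SATYPE_ESP, 11));
    printf("truncated (len=1):    %d\n", check_logged_header(SATYPE_ESP, 1));
    return 0;
}
```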