[Openswan dev] Host2host tunnels not working with klips

Ruben Laban r.laban at ism.nl
Fri May 27 02:33:56 EDT 2011


On Thursday 26 May 2011 at 21:53 (CET), Paul Wouters wrote:
> On Thu, 26 May 2011, Ruben Laban wrote:
> > The testing is done on 32-bit Ubuntu VMs. With the 2.6.24 based kernel
> > (hardy) it does work. With the 2.6.32 based kernel (lucid) it does not
> > work. Vanilla 2.6.38.7 kernel does not work either.
> 
> can you try the latest git which has David's routing cache fixes?

No change with git as of a few minutes ago. I already had David's routing cache fixes in my previous tests as well, I think.

Some log snippets:

"tunnel-host1-to-host4" #6: responding to Quick Mode proposal {msgid:87884b87}
"tunnel-host1-to-host4" #6:     us: 172.16.3.21<172.16.3.21>[+S=C]---172.16.3.10
"tunnel-host1-to-host4" #6:   them: 172.16.2.20---172.16.2.10<172.16.2.10>[+S=C]
"tunnel-host1-to-host4" #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"tunnel-host1-to-host4" #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
"tunnel-host1-to-host4" #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"tunnel-host1-to-host4" #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xc135418f <0x6d6e4a42 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
"tunnel-host1-to-host4" #7: responding to Quick Mode proposal {msgid:80b69e82}
"tunnel-host1-to-host4" #7:     us: 172.16.3.21<172.16.3.21>[+S=C]---172.16.3.10
"tunnel-host1-to-host4" #7:   them: 172.16.2.20---172.16.2.10<172.16.2.10>[+S=C]
"tunnel-host1-to-host4" #7: keeping refhim=11 during rekey
"tunnel-host1-to-host4" #7: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 
"tunnel-host1-to-host4" #7: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
"tunnel-host1-to-host4" #7: next payload type of ISAKMP Hash Payload has an unknown value: 208 
"tunnel-host1-to-host4" #7: malformed payload in packet
| payload malformed after IV
|   9f 29 74 6a  44 73 4c 23
"tunnel-host1-to-host4" #7: sending notification PAYLOAD_MALFORMED to 172.16.2.10:500
"tunnel-host1-to-host4" #7: next payload type of ISAKMP Hash Payload has an unknown value: 208 
"tunnel-host1-to-host4" #7: malformed payload in packet
| payload malformed after IV
|   9f 29 74 6a  44 73 4c 23
"tunnel-host1-to-host4" #7: sending notification PAYLOAD_MALFORMED to 172.16.2.10:500

This is what I see on the 2.6.24 host. On the other hosts (2.6.32 & 2.6.38) I don't even see any traces of the rekey attempts in the logs.

Regards,
Ruben Laban

