[Openswan dev] Host2host tunnels not working with klips

Ruben Laban r.laban at ism.nl
Fri May 27 06:30:37 EDT 2011


On Friday 27 May 2011 at 08:33 (CET), Ruben Laban wrote:
> On Thursday 26 May 2011 at 21:53 (CET), Paul Wouters wrote:
> > On Thu, 26 May 2011, Ruben Laban wrote:
> > > The testing is done on 32-bit Ubuntu VMs. With the 2.6.24 based kernel
> > > (hardy) it does work. With the 2.6.32 based kernel (lucid) it does not
> > > work. Vanilla 2.6.38.7 kernel does not work either.
> > 
> > can you try the latest git which has David's routing cache fixes?
> 
> No change with git as of a few minutes ago. I already had David's routing
> cache fixes in my previous tests as well, I think.
> 
> Some log snippets:
> 
> "tunnel-host1-to-host4" #6: responding to Quick Mode proposal {msgid:87884b87}
> "tunnel-host1-to-host4" #6:     us: 172.16.3.21<172.16.3.21>[+S=C]---172.16.3.10
> "tunnel-host1-to-host4" #6:   them: 172.16.2.20---172.16.2.10<172.16.2.10>[+S=C]
> "tunnel-host1-to-host4" #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> "tunnel-host1-to-host4" #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> "tunnel-host1-to-host4" #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> "tunnel-host1-to-host4" #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xc135418f <0x6d6e4a42 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
> "tunnel-host1-to-host4" #7: responding to Quick Mode proposal {msgid:80b69e82}
> "tunnel-host1-to-host4" #7:     us: 172.16.3.21<172.16.3.21>[+S=C]---172.16.3.10
> "tunnel-host1-to-host4" #7:   them: 172.16.2.20---172.16.2.10<172.16.2.10>[+S=C]
> "tunnel-host1-to-host4" #7: keeping refhim=11 during rekey
> "tunnel-host1-to-host4" #7: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> "tunnel-host1-to-host4" #7: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> "tunnel-host1-to-host4" #7: next payload type of ISAKMP Hash Payload has an unknown value: 208
> "tunnel-host1-to-host4" #7: malformed payload in packet
> 
> | payload malformed after IV
> | 
> |   9f 29 74 6a  44 73 4c 23
> 
> "tunnel-host1-to-host4" #7: sending notification PAYLOAD_MALFORMED to 172.16.2.10:500
> "tunnel-host1-to-host4" #7: next payload type of ISAKMP Hash Payload has an unknown value: 208
> "tunnel-host1-to-host4" #7: malformed payload in packet
> 
> | payload malformed after IV
> | 
> |   9f 29 74 6a  44 73 4c 23
> 
> "tunnel-host1-to-host4" #7: sending notification PAYLOAD_MALFORMED to 172.16.2.10:500
> 
> This is what I see on the 2.6.24 host. On the other hosts (2.6.32 & 2.6.38)
> I don't even see any traces of the rekey attempts in the logs.

Did some more kernel testing using the vanilla kernels provided through 
Ubuntu's mainline kernel PPA: up to 2.6.30 works, 2.6.31 breaks. Also, Ubuntu 
jaunty's 2.6.28 (with backports) kernel is affected (read: doesn't work).

Perhaps this helps pinpoint the problem.

Regards,
Ruben Laban

