[Openswan dev] IPSec restarts intermittently and PAYLOAD_MALFORMED issue observed

Rajeev Gaur rajeev.gaur at niyuj.com
Mon Dec 28 07:37:56 EST 2015


Hello Sir

Please have a look into this issue. It will be great if you can suggest
some hints here.

Thanks
Rajeev

On Tue, Dec 22, 2015 at 5:26 PM, Rajeev Gaur <rajeev.gaur at niyuj.com> wrote:

> Hello,
>
> I have received a problem scenario from my company regarding IPSec VPN.
>
> Important Points:
> The problem involves openswan-2.6.31
> Problem is intermittent, does not have a specific interval for occurrence.
> This is a hub and spoke problem. Having hub and 3 spokes.
> NAT is not involved. All the connections are through public IPs.
> All connections involve PRESHARED KEYS ONLY.
>
> Problem:
> Intermittently, out of the three spokes two spokes just restart ipsec
> daemon.
> (I am sending the specific logs, if you want any other information please
> do revert)
>
> A PAYLOAD_MALFORMED message is received quite often.
>
> This has already taken approximately 2 months. Now, it is troubling.
>
> I am attaching the [ipsec whack --debug-all] logs.
> There are two logs for two ends. But ipsec whack logs are quite big so
> I am sending information for specific session ID #180934 which shows
> PAYLOAD_MALFORMED.
>
> If you can suggest something here it will be great.
>
> Please see the config below:
>
> config setup
>     protostack = netkey
>     klipsdebug = none
>     plutodebug = none
>     uniqueids = yes
>     hidetos = no
>
> conn XXX
>     type = tunnel
>     left = X-X-X-X-X
>     right = Y-Y-Y-Y-Y
>     leftnexthop = Z-Z-Z-Z-Z
>     leftsubnet = 10.50.3.0/24
>     rightsubnet = 10.50.1.0/24
>     auto = start
>     keyexchange = ike
>     authby = secret
>     auth = esp
>     keyingtries = 0
>     esp = AES128-SHA1
>     pfs = yes
>     rekey = yes
>     leftid = X-X-X-X-X
>     rightid = Y-Y-Y-Y-Y
>     ike = 3DES-SHA-MODP1024
>     ikelifetime = 28800s
>     keylife = 14400s
>     rekeymargin = 10m
>     rekeyfuzz = 20%
>     X-early = yes
>     dpddelay = 10
>     dpdtimeout = 120
>     dpdaction = restart
>     X-custadmin = off
>
>
>
> config setup
>     protostack = netkey
>     klipsdebug = none
>     plutodebug = none
>     uniqueids = yes
>     hidetos = no
>
> conn YYY
>     type = tunnel
>     left = Y-Y-Y-Y-Y
>     right = %any
>     leftnexthop = Z-Z-Z-Z-Z
>     leftsubnet = 10.50.1.0/24
>     rightsubnet = 10.50.3.0/24
>     auto = add
>     keyexchange = ike
>     authby = secret
>     auth = esp
>     keyingtries = 0
>     esp = AES128-SHA1
>     pfs = yes
>     rekey = yes
>     leftid = 174.47.49.246
>     rightid = %any
>     ike = 3DES-SHA-MODP1024
>     ikelifetime = 28800s
>     keylife = 14400s
>     rekeymargin = 10m
>     rekeyfuzz = 20%
>     X-early =
>     dpddelay = 10
>     dpdtimeout = 120
>     dpdaction = restart
>     X-custadmin = off
>
> In case you want any other information, please do revert.
>
> Thanks
>
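The post gives the two ends' `conn` sections and a state number (#180934) that shows PAYLOAD_MALFORMED. The following script is an added example, not code from the poster or from the Openswan project: it parses a simplified ipsec.conf (no `also=` or `%default` handling, which is an assumption), checks that a spoke `conn` mirrors the hub `conn` it peers with (left/right, leftid/rightid and leftsubnet/rightsubnet swapped, with `%any` treated as a wildcard; `ike`, `esp`, `pfs`, `authby`, `type` identical), and counts PAYLOAD_MALFORMED notifications per IKE state in pluto-style log lines. The sample config and log lines are constructed for the example. Note what it cannot check: in IKEv1 main mode with pre-shared keys, a mismatched secret is a common cause of PAYLOAD_MALFORMED because the peer cannot decrypt the ID/HASH exchange, and the PSK lives in ipsec.secrets, not in ipsec.conf.

```python
import re

# Constructed sample input: the two "conn" sections from the post, keeping the
# poster's redaction placeholders. Hypothetical values, not a real deployment.
SPOKE_CONF = """\
conn XXX
    type = tunnel
    left = X-X-X-X-X
    right = Y-Y-Y-Y-Y
    leftsubnet = 10.50.3.0/24
    rightsubnet = 10.50.1.0/24
    authby = secret
    esp = AES128-SHA1
    pfs = yes
    leftid = X-X-X-X-X
    rightid = Y-Y-Y-Y-Y
    ike = 3DES-SHA-MODP1024
    dpdaction = restart
"""

HUB_CONF = """\
conn YYY
    type = tunnel
    left = Y-Y-Y-Y-Y
    right = %any
    leftsubnet = 10.50.1.0/24
    rightsubnet = 10.50.3.0/24
    authby = secret
    esp = AES128-SHA1
    pfs = yes
    leftid = Y-Y-Y-Y-Y
    rightid = %any
    ike = 3DES-SHA-MODP1024
    dpdaction = restart
"""

# Constructed pluto-style log lines (not taken from the poster's attachment).
SAMPLE_LOG = """\
pluto[2211]: "XXX" #180934: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[2211]: "XXX" #180934: ignoring informational payload, type PAYLOAD_MALFORMED
pluto[2211]: "XXX" #180934: received and ignored informational message
pluto[2211]: "XXX" #180935: STATE_QUICK_I2: sent QI2, IPsec SA established
pluto[2211]: "XXX" #180936: ignoring informational payload, type PAYLOAD_MALFORMED
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text.

    Simplified parser: handles 'key = value' lines under a 'conn NAME' header,
    strips '#' comments, and ignores 'config setup', 'also=' and '%default'.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        m = re.match(r'^conn\s+(\S+)\s*$', line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        m = re.match(r'^\s+([A-Za-z][\w-]*)\s*=\s*(.*)$', line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return conns


# (spoke key, hub key): the same fact seen from opposite ends of the tunnel.
MIRRORED = [('left', 'right'), ('right', 'left'),
            ('leftid', 'rightid'), ('rightid', 'leftid'),
            ('leftsubnet', 'rightsubnet'), ('rightsubnet', 'leftsubnet')]
# Keys that must be identical on both ends for proposals to agree.
MUST_MATCH = ['type', 'authby', 'ike', 'esp', 'pfs']


def check_pair(spoke, hub):
    """Return a list of mismatches between a spoke conn and its hub conn."""
    problems = []
    for sk, hk in MIRRORED:
        sv, hv = spoke.get(sk), hub.get(hk)
        if '%any' in (sv, hv):      # wildcard side accepts whatever the peer presents
            continue
        if sv != hv:
            problems.append(f'spoke {sk}={sv} but hub {hk}={hv}')
    for k in MUST_MATCH:
        if spoke.get(k) != hub.get(k):
            problems.append(f'{k} differs: spoke={spoke.get(k)} hub={hub.get(k)}')
    return problems


def malformed_states(log_text):
    """Map IKE state number -> number of PAYLOAD_MALFORMED notifications seen."""
    counts = {}
    for line in log_text.splitlines():
        m = re.search(r'#(\d+):.*\bPAYLOAD_MALFORMED\b', line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == '__main__':
    spoke = parse_conns(SPOKE_CONF)['XXX']
    hub = parse_conns(HUB_CONF)['YYY']
    print('config mismatches:', check_pair(spoke, hub) or 'none')
    print('states with PAYLOAD_MALFORMED:', malformed_states(SAMPLE_LOG))
```

To use it on a real hub-and-spoke setup, feed each spoke's `conn` and the hub's `conn` to `check_pair` and the `ipsec whack --debug-all` output to `malformed_states`; a state that shows PAYLOAD_MALFORMED during main mode (before any quick-mode state is established) with no config mismatch reported points at the secrets rather than at ipsec.conf.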