[Openswan dev] IPSec restarts intermittently and PAYLOAD_MALFORMED issue observed

Rajeev Gaur rajeev.gaur at niyuj.com
Mon Jan 4 07:59:58 EST 2016


Hello Sir

Please have a look into this issue. It will be great if you can suggest
some hints here.

Thanks

On Mon, Dec 28, 2015 at 6:07 PM, Rajeev Gaur <rajeev.gaur at niyuj.com> wrote:

> Hello Sir
>
> Please have a look into this issue. It will be great if you can suggest
> some hints here.
>
> Thanks
> Rajeev
>
> On Tue, Dec 22, 2015 at 5:26 PM, Rajeev Gaur <rajeev.gaur at niyuj.com>
> wrote:
>
>> Hello,
>>
>> I have received a problem scenario from my company regarding IPSec VPN.
>>
>> Important Points:
>> The problem involves openswan-2.6.31
>> The problem is intermittent and does not have a specific interval for occurrence.
>> This is a hub-and-spoke setup, with one hub and 3 spokes.
>> NAT is not involved. All the connections are through public IPs.
>> All connections involve PRESHARED KEYS ONLY.
>>
>> Problem:
>> Intermittently, out of the three spokes two spokes just restart ipsec
>> daemon.
>> (I am sending the specific logs, if you want any other information please
>> do revert)
>>
>> The PAYLOAD_MALFORMED message is received quite often.
>>
>> This has already taken approximately 2 months. Now, it is troubling.
>>
>> I am attaching the [ipsec whack --debug-all] logs.
>> There are two logs, one for each end, but the ipsec whack logs are quite big, so
>> I am sending the information for the specific session ID #180934 which shows
>> PAYLOAD_MALFORMED.
>>
>> If you can suggest something here it will be great.
>>
>> Please see the config below:
>>
>> config setup
>>     protostack = netkey
>>     klipsdebug = none
>>     plutodebug = none
>>     uniqueids = yes
>>     hidetos = no
>>
>> conn XXX
>>     type = tunnel
>>     left = X-X-X-X-X
>>     right = Y-Y-Y-Y-Y
>>     leftnexthop = Z-Z-Z-Z-Z
>>     leftsubnet = 10.50.3.0/24
>>     rightsubnet = 10.50.1.0/24
>>     auto = start
>>     keyexchange = ike
>>     authby = secret
>>     auth = esp
>>     keyingtries = 0
>>     esp = AES128-SHA1
>>     pfs = yes
>>     rekey = yes
>>     leftid = X-X-X-X-X
>>     rightid = Y-Y-Y-Y-Y
>>     ike = 3DES-SHA-MODP1024
>>     ikelifetime = 28800s
>>     keylife = 14400s
>>     rekeymargin = 10m
>>     rekeyfuzz = 20%
>>     X-early = yes
>>     dpddelay = 10
>>     dpdtimeout = 120
>>     dpdaction = restart
>>     X-custadmin = off
>>
>>
>>
>> config setup
>>     protostack = netkey
>>     klipsdebug = none
>>     plutodebug = none
>>     uniqueids = yes
>>     hidetos = no
>>
>> conn YYY
>>     type = tunnel
>>     left = Y-Y-Y-Y-Y
>>     right = %any
>>     leftnexthop = Z-Z-Z-Z-Z
>>     leftsubnet = 10.50.1.0/24
>>     rightsubnet = 10.50.3.0/24
>>     auto = add
>>     keyexchange = ike
>>     authby = secret
>>     auth = esp
>>     keyingtries = 0
>>     esp = AES128-SHA1
>>     pfs = yes
>>     rekey = yes
>>     leftid = 174.47.49.246
>>     rightid = %any
>>     ike = 3DES-SHA-MODP1024
>>     ikelifetime = 28800s
>>     keylife = 14400s
>>     rekeymargin = 10m
>>     rekeyfuzz = 20%
>>     X-early =
>>     dpddelay = 10
>>     dpdtimeout = 120
>>     dpdaction = restart
>>     X-custadmin = off
>>
>> In case you want any other information, please do revert.
>>
>> Thanks
>>
>
>
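An added consistency check for the two conn blocks quoted above (my own helper, not Openswan code): it parses each conn and reports where the spoke and hub definitions do not mirror each other, plus the DPD settings that cause the restarts described in the thread. The embedded configs are trimmed copies of the two posted above; note that with the thread's placeholders the spoke's rightid and the hub's leftid differ, which the check flags.

```python
import re
# Matches one "key = value" line of ipsec.conf (value may be empty, as with X-early).
_KV = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")

def parse_conn(text):
    """Return {key: value} for the first 'conn' block; 'config setup' is skipped."""
    conn, inside = {}, False
    for line in text.splitlines():
        if line.strip().startswith("conn "):
            inside = True
            continue
        m = _KV.match(line) if inside else None
        if m:
            conn[m.group(1)] = m.group(2)
    return conn

MUST_MATCH = ("ike", "esp", "pfs", "authby", "ikelifetime", "keylife")
MIRRORED = (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet"),
            ("leftid", "rightid"), ("rightid", "leftid"))

def check_pair(spoke, hub):
    """Compare a spoke conn with the hub conn it talks to; return findings."""
    out = []
    for key in MUST_MATCH:
        if spoke.get(key) != hub.get(key):
            out.append(f"{key}: spoke={spoke.get(key)!r} hub={hub.get(key)!r}")
    for skey, hkey in MIRRORED:       # the spoke's left must be the hub's right
        s, h = spoke.get(skey), hub.get(hkey)
        if s != h and "%any" not in (s, h):   # %any on either side matches anything
            out.append(f"{skey}/{hkey}: spoke={s!r} hub={h!r}")
    for side, conn in (("spoke", spoke), ("hub", hub)):
        if conn.get("dpdaction") == "restart":
            out.append(f"{side}: dpdaction=restart restarts the tunnel after "
                       f"{conn.get('dpdtimeout')}s without a DPD reply")
    return out
# Constructed from the two conn blocks in the thread, trimmed to the keys checked.
SPOKE = ("conn XXX\n  left = X-X-X-X-X\n  right = Y-Y-Y-Y-Y\n  leftsubnet = 10.50.3.0/24\n"
         "  rightsubnet = 10.50.1.0/24\n  leftid = X-X-X-X-X\n  rightid = Y-Y-Y-Y-Y\n"
         "  ike = 3DES-SHA-MODP1024\n  esp = AES128-SHA1\n  pfs = yes\n  authby = secret\n"
         "  ikelifetime = 28800s\n  keylife = 14400s\n  dpdtimeout = 120\n  dpdaction = restart\n")
HUB = ("conn YYY\n  left = Y-Y-Y-Y-Y\n  right = %any\n  leftsubnet = 10.50.1.0/24\n"
       "  rightsubnet = 10.50.3.0/24\n  leftid = 174.47.49.246\n  rightid = %any\n"
       "  ike = 3DES-SHA-MODP1024\n  esp = AES128-SHA1\n  pfs = yes\n  authby = secret\n"
       "  ikelifetime = 28800s\n  keylife = 14400s\n  dpdtimeout = 120\n  dpdaction = restart\n")

def findings_for_thread():
    return check_pair(parse_conn(SPOKE), parse_conn(HUB))

if __name__ == "__main__":
    print("\n".join(findings_for_thread()))
```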