Fwd: Re: [Openswan Users]

Robert W. Burgholzer rburgholzer at maptech-inc.com
Mon Aug 30 18:48:02 CEST 2004


>OK,
>I know that I need to update, its on the list of things to do, sincerely.
>
>That said, the freeswan made very sparse reports, there was nothing in 
>between the lines I sent, although there was a retry line or two, this is 
>ALL there is:
>
>Aug 30 16:33:32 www2 pluto[2485]: packet from 66.207.89.15:500: received 
>Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
>Aug 30 16:33:32 www2 pluto[2485]: "maptech-client"[134] 66.207.89.15 
>#4626: responding to Main Mode from unknown peer 66.207.89.15
>Aug 30 16:34:35 www2 pluto[2485]: "maptech-client"[134] 66.207.89.15 
>#4626: encrypted Informational Exchange message is invalid because it is 
>for incomplete ISAKMP SA
>Aug 30 16:34:42 www2 pluto[2485]: "maptech-client"[134] 66.207.89.15 
>#4626: max number of retransmissions (2) reached STATE_MAIN_R2
>Aug 30 16:34:42 www2 pluto[2485]: "maptech-client"[134] 66.207.89.15: 
>deleting connection "maptech-client" instance with peer 66.207.89.15 
>{isakmp=#0/ipsec=#0}
>
>Could there be some routing trouble that is sending packets to the wrong 
>destination?
>
>thanks,
>robert
>
>At 10:59 PM 8/30/2004 +0200, you wrote:
>>On Mon, 30 Aug 2004, Robert W. Burgholzer wrote:
>>
>>>LapTop Windows XP to freeswan 2.04
>>
>>freeswan-2.04 does not support certificates. Did you patch it with an X509
>>patch? Looking at the oakley log further down, it seems you did. 
>>Regardless, you are better off upgrading to Openswan-2, especially if you 
>>later need NAT-traversal as well. No one is maintaining freeswan anymore 
>>and 2.04 is
>>about a year old.
>>
>>>"received an unencrypted packet when crypto active".
>>
>>This usually happens when one of the two ends drops out of negotiating
>>a valid ISAKMP (phase 1). It is likely a configuration error on the Linux
>>end, or missing ServicePack on the client end.
>>
>>>fragmentation was occurring (which is beyond my knowledge), so I 
>>>regenerated the client certificate with 1024 bits, as this was a 
>>>solution that supposedly worked before.
>>
>>I don't think that is your problem at this point. Using smaller certificates
>>is a kludge anyway, not a real solution. Proper settings of mtu would be
>>better, but as I said, I doubt that is your problem here.
>>
>>>Aug 30 16:23:01 www2 pluto[2485]: packet from 66.207.89.15:500: received 
>>>Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
>>>Aug 30 16:23:01 www2 pluto[2485]: "maptech-client"[132] 66.207.89.15 
>>>#4623: responding to Main Mode from unknown peer 66.207.89.15
>>>Aug 30 16:24:05 www2 pluto[2485]: "maptech-client"[132] 66.207.89.15 
>>>#4623: encrypted Informational Exchange message is invalid because it is 
>>>for incomplete ISAKMP SA
>>
>>This is not an entire log. Please restart both ends completely and show us
>>the log, or use 'ipsec barf' to provide us with more details.
>>
>>>Client oakley.log:
>>
>>I'll read that only if I *really* have to :)
>>
>>>8-30: 15:58:18:421:714 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
>>
>>I guess you do have all the service packs you need.
>>
>>>8-30: 15:58:18:421:714 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
>>>8-30: 15:58:18:421:714 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
>>
>>>8-30: 15:58:18:421:714  Algo[0] Operation: ESP Algo: Triple DES CBC 
>>>HMAC: MD5
>>
>>>8-30: 15:58:18:542:714 Phase 1 SA accepted: transform=1
>>>8-30: 15:58:18:542:714 SA - Oakley proposal accepted
>>
>>Looks good.
>>
>>>8-30: 15:58:28:856:714   I-COOKIE 72db281985c1bc2a
>>>8-30: 15:58:28:856:714   R-COOKIE 1830a6b579ac5c77
>>>8-30: 15:58:28:856:714   exchange: Oakley Main Mode
>>>8-30: 15:58:28:856:714   flags: 0
>>>8-30: 15:58:28:856:714   next payload: KE
>>>8-30: 15:58:28:856:714   message ID: 00000000
>>>8-30: 15:58:28:856:714 received an unencrypted packet when crypto active
>>>8-30: 15:58:28:856:714 GetPacket failed 35ec
>>
>>Something failed here. Freeswan will have logged what happened.  But your
>>logs just show the new attempt at starting from scratch, but it doesn't
>>show the actual reason freeswan rejected the phase 2 parameters.
>>
>>Paul
>
>Robert Burgholzer
>Environmental Engineer
>MapTech Inc.
>http://www.maptech-inc.com/

Robert Burgholzer
Environmental Engineer
MapTech Inc.
http://www.maptech-inc.com/ 
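As an added example, not part of the thread and not code from FreeS/WAN or Openswan, here is a small Python triage script for pluto log lines of the kind quoted above. It groups lines by ISAKMP SA number (the "#4626" token), records the Main Mode state in which pluto gave up, and translates that state into what pluto had already sent and what it was still waiting for. In pluto's IKEv1 numbering a responder in STATE_MAIN_R2 has sent MR2 (its KE and nonce) and is waiting for MI3, the first message sent under encryption, carrying the initiator's identity and authentication; hitting the retransmission limit there means MI3 never arrived or was never accepted. It also flags the "encrypted Informational Exchange ... for incomplete ISAKMP SA" line, which shows the peer had derived keys and was already sending encrypted notifications while this end had not finished phase 1. The log lines embedded in the script are constructed for the example, modelled on the ones in the thread.

```python
"""Triage of pluto (FreeS/WAN / Openswan) IKEv1 Main Mode log lines.

Added example, not code from the mailing-list thread or from the
FreeS/WAN / Openswan projects.  Groups syslog lines by ISAKMP SA
number and reports where each negotiation stalled.
"""
import re
import sys
from collections import defaultdict

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = r"""Aug 30 16:33:32 www2 pluto[2485]: packet from 66.207.89.15:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Aug 30 16:33:32 www2 pluto[2485]: "maptech-client"[134] 66.207.89.15 #4626: responding to Main Mode from unknown peer 66.207.89.15
Aug 30 16:34:35 www2 pluto[2485]: "maptech-client"[134] 66.207.89.15 #4626: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Aug 30 16:34:42 www2 pluto[2485]: "maptech-client"[134] 66.207.89.15 #4626: max number of retransmissions (2) reached STATE_MAIN_R2
Aug 30 16:34:42 www2 pluto[2485]: "maptech-client"[134] 66.207.89.15: deleting connection "maptech-client" instance with peer 66.207.89.15 {isakmp=#0/ipsec=#0}
"""

# syslog prefix, optional '"conn"[instance] peer #sa: ' prefix, then the message
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>[0-9.]+)(?: #(?P<sa>\d+))?: )?'
    r'(?P<msg>.*)$'
)

# pluto's IKEv1 Main Mode states: (what this end has sent, what it waits for).
# MI3/MR3 are the first messages sent under encryption (identity + auth).
MAIN_MODE_STATES = {
    "STATE_MAIN_R0": ("nothing yet", "MI1 (SA proposal)"),
    "STATE_MAIN_R1": ("MR1 (SA response)", "MI2 (KE + nonce)"),
    "STATE_MAIN_R2": ("MR2 (KE + nonce)", "MI3 (encrypted ID + auth)"),
    "STATE_MAIN_R3": ("MR3 (encrypted ID + auth)", "nothing, phase 1 established"),
    "STATE_MAIN_I1": ("MI1 (SA proposal)", "MR1 (SA response)"),
    "STATE_MAIN_I2": ("MI2 (KE + nonce)", "MR2 (KE + nonce)"),
    "STATE_MAIN_I3": ("MI3 (encrypted ID + auth)", "MR3 (encrypted ID + auth)"),
    "STATE_MAIN_I4": ("MI3 (encrypted ID + auth)", "nothing, phase 1 established"),
}

RETRANS_RE = re.compile(r"max number of retransmissions \((\d+)\) reached (STATE_\w+)")


def parse_line(line):
    """Return a dict of fields for one pluto line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["sa"] is not None:
        rec["sa"] = int(rec["sa"])
    return rec


def triage(log_text):
    """Group lines by ISAKMP SA number and work out where each one stalled."""
    by_sa = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["sa"] is not None:
            by_sa[rec["sa"]].append(rec)

    findings = {}
    for sa, recs in sorted(by_sa.items()):
        f = {"conn": recs[0]["conn"], "peer": recs[0]["peer"], "role": None,
             "state": None, "sent": None, "awaited": None, "indicators": []}
        for r in recs:
            msg = r["msg"]
            if "responding to Main Mode" in msg:
                f["role"] = "responder"
            elif "initiating Main Mode" in msg:
                f["role"] = "initiator"
            m = RETRANS_RE.search(msg)
            if m:
                f["state"] = m.group(2)
                f["indicators"].append(
                    f"retransmission limit ({m.group(1)}) hit in {m.group(2)}")
            if "for incomplete ISAKMP SA" in msg:
                f["indicators"].append(
                    "peer sent an encrypted Informational while phase 1 was "
                    "still incomplete here: it has keys, this end has not finished")
        if f["state"] in MAIN_MODE_STATES:
            f["sent"], f["awaited"] = MAIN_MODE_STATES[f["state"]]
        findings[sa] = f
    return findings


def summarize(findings):
    """Render the triage as one block of text per ISAKMP SA."""
    out = []
    for sa, f in findings.items():
        out.append(f'#{sa} "{f["conn"]}" peer {f["peer"]} ({f["role"] or "role unknown"})')
        if f["state"]:
            out.append(f'  stalled in {f["state"]}: sent {f["sent"]}, '
                       f'still waiting for {f["awaited"]}')
        for ind in f["indicators"]:
            out.append(f"  - {ind}")
    return "\n".join(out)


if __name__ == "__main__":
    # Pass a syslog file as the only argument, or run with none for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(summarize(triage(text)))
```

Run it with no arguments to see the sample triaged; point it at whichever syslog file pluto writes to on your box to triage a real negotiation. Lines without an SA number (the Vendor ID and "deleting connection" lines) carry no state and are deliberately ignored.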