[Openswan Users] openswan 2.1.0rc1 and crls

Paul Wouters paul at xelerance.com
Wed Mar 10 01:07:12 CET 2004


On Tue, 9 Mar 2004, Desai, Jason wrote:

> Mar  9 13:40:33 ppcsec pluto[20471]: packet from 67.20.62.114:500: ignoring
> Vendor ID payload [FRAGMENTATION]

This isn't too good. There are known problems with certificates and
fragmentation.

> Mar  9 13:40:33 ppcsec pluto[20471]: packet from 67.20.62.114:500: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

NAT traversal detected.

> #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
> NATed

and used.

> Mar  9 13:40:33 ppcsec kernel: udp_encap_rcv(): Unhandled UDP encap type: 1
> Mar  9 13:40:34 ppcsec kernel: udp_encap_rcv(): Unhandled UDP encap type: 1

It seems there is a conflict in NAT-Traversal. The kernel detected a type of
UDP encapsulation it doesn't know. In your case this is the encapsulation of
Windows' IPsec stack.

I'd recommend trying KLIPS instead of the 2.6 code to see if that
helps you. You will probably have to try the freeswan-2.06 snapshot, or
openswan-1, for this. The latter would require you to patch -R the backport
code; the freeswan-2.06 snapshot should take that code into account, but
it is a snapshot: unreleased and not tested very well.

Paul
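
Added example (not part of the original post and not Openswan code): a small Python triage that scans syslog for the pattern discussed in this reply, namely pluto reporting a NATed peer followed by the kernel logging an unhandled UDP encapsulation type. The sample is the thread's quoted log lines re-joined onto single lines; the connection name `example-conn`, the timestamp on the `#1:` line, and the 30-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the log lines quoted in the thread, re-joined onto single
# lines; the timestamp and connection name on the "#1:" line are placeholders.
SAMPLE = """\
Mar  9 13:40:33 ppcsec pluto[20471]: packet from 67.20.62.114:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar  9 13:40:33 ppcsec pluto[20471]: packet from 67.20.62.114:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar  9 13:40:33 ppcsec pluto[20471]: "example-conn" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar  9 13:40:33 ppcsec kernel: udp_encap_rcv(): Unhandled UDP encap type: 1
Mar  9 13:40:34 ppcsec kernel: udp_encap_rcv(): Unhandled UDP encap type: 1
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+)(?:\[\d+\])?: (.*)$")
FRAG = re.compile(r"ignoring Vendor ID payload \[FRAGMENTATION\]")
NATT = re.compile(r"NAT-Traversal: Result using (\S+): peer is NATed")
ENCAP = re.compile(r"udp_encap_rcv\(\): Unhandled UDP encap type: (\d+)")

def triage(log_text, window=timedelta(seconds=30)):
    """Return findings; flag a NAT-T conflict when the kernel rejects a UDP
    encapsulation type within `window` after pluto reports a NATed peer."""
    out = {"fragmentation_ignored": False, "natt_draft": None,
           "unhandled_encap": {}, "natt_conflict": False}
    natt_time = None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not syslog-formatted
        # Syslog omits the year; a fixed one is fine for relative comparison.
        stamp = "2004 " + " ".join(m.group(1).split())
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        prog, msg = m.group(3), m.group(4)
        if prog == "pluto" and FRAG.search(msg):
            out["fragmentation_ignored"] = True
        elif prog == "pluto" and (n := NATT.search(msg)):
            out["natt_draft"], natt_time = n.group(1), ts
        elif prog == "kernel" and (e := ENCAP.search(msg)):
            t = int(e.group(1))
            out["unhandled_encap"][t] = out["unhandled_encap"].get(t, 0) + 1
            if natt_time is not None and timedelta(0) <= ts - natt_time <= window:
                out["natt_conflict"] = True
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```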


