[Openswan Users] Re: WinXP SP2: incomplete ISAKMP SA
Olivier JAVAUX
lejav at ibs-tls.com
Wed Nov 24 08:42:59 CET 2004
Hi,
It seems that you have the same problem as I have.
I sent a message some days ago to the openswan list, without response:
> Hello,
>
> I am trying to set up a tunnel with NAT-T between an OpenSwan gateway
> and a roadwarrior with Windows XP SP2
> (I had already done an ESP tunnel between FreeSwan and XP SP1)
>
> I don't succeed in establishing the tunnel.
>
> After investigation, I think that I have identified the problem.
> During the protocol initialization, Windows tries to send a very big packet (1596 bytes):
> 11-11: 11:26:10:361:36c Sending: SA = 0x000C9048 to 213.56.232.64:Type 2.4500
> 11-11: 11:26:10:361:36c ISAKMP Header: (V1.0), len = 1596
> 11-11: 11:26:10:361:36c I-COOKIE bbbfd174b88f6885
> 11-11: 11:26:10:361:36c R-COOKIE ba02b5aa59dab9e6
> 11-11: 11:26:10:361:36c exchange: Oakley Main Mode
> 11-11: 11:26:10:361:36c flags: 1 ( encrypted )
> 11-11: 11:26:10:361:36c next payload: ID
> 11-11: 11:26:10:361:36c message ID: 00000000
> 11-11: 11:26:10:361:36c Ports S:9411 D:9411
> 11-11: 11:26:10:932:5e0 retransmit: sa = 000C9048 centry 00000000 , count = 1
> This packet is then fragmented, with an initial packet according to the MTU and
> an IP fragment following.
> These two packets never reach my gateway.
>
> Why does Windows have to send 1596 bytes for an SA?
> Is there a way to avoid this IP fragmentation?
>
> Thanks for your help.
>
In your log, I see:
11-23: 17:36:47:571:5b0 Sending: SA = 0x000DF8C8 to 10.10.10.1:Type 2.4500
11-23: 17:36:47:571:5b0 ISAKMP Header: (V1.0), len = 1548
...
so I suppose that this packet is IP-fragmented and does not reach the server.
I am very interested if you find the solution!