[Openswan Users] Re: WinXP SP2: incomplete ISAKMP SA

Olivier JAVAUX lejav at ibs-tls.com
Wed Nov 24 08:42:59 CET 2004


Hi,

It seems that you have the same problem as I have.

I sent a message some days ago to the openswan list without a response:

> Hello,
> 
> I am trying to set up a tunnel with NAT-T between an OpenSwan gateway
> and a roadwarrior with Windows XP SP2
> (I had already done an ESP tunnel between FreeSwan and XP SP1)
> 
> I don't succeed in establishing the tunnel.
> 
> After investigation, I think that I have identified the problem.
> During the protocol initialization, Windows tries to send a very big packet (1596 bytes):
>     11-11: 11:26:10:361:36c Sending: SA = 0x000C9048 to 213.56.232.64:Type 2.4500
>     11-11: 11:26:10:361:36c ISAKMP Header: (V1.0), len = 1596
>     11-11: 11:26:10:361:36c   I-COOKIE bbbfd174b88f6885
>     11-11: 11:26:10:361:36c   R-COOKIE ba02b5aa59dab9e6
>     11-11: 11:26:10:361:36c   exchange: Oakley Main Mode
>     11-11: 11:26:10:361:36c   flags: 1 ( encrypted )
>     11-11: 11:26:10:361:36c   next payload: ID
>     11-11: 11:26:10:361:36c   message ID: 00000000
>     11-11: 11:26:10:361:36c Ports S:9411 D:9411
>     11-11: 11:26:10:932:5e0 retransmit: sa = 000C9048 centry 00000000 , count = 1
> This packet is then fragmented, with an initial packet according to the MTU and
> an IP fragment following.
> These two packets never reach my gateway.
> 
> Why does Windows have to send 1596 bytes for an SA?????
> Is there a way to avoid this IP fragmentation?????
> 
> Thx for your help.
> 

In your log, I see:

11-23: 17:36:47:571:5b0 Sending: SA = 0x000DF8C8 to 10.10.10.1:Type 2.4500
11-23: 17:36:47:571:5b0 ISAKMP Header: (V1.0), len = 1548
...

so I suppose that this packet is IP fragmented and does not reach the server....

I am very interested if you find the solution !!!!!!
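To make the "is it fragmented?" guess checkable, here is an added example (not from this thread or from Openswan) that parses the Windows Oakley log format shown above, pairs each "Sending" line with its ISAKMP header length, estimates the size of the IPv4 datagram and flags anything above the path MTU, while also counting the retransmits for that SA. It assumes IPv4 without options (20 bytes), UDP (8 bytes), the 4-byte Non-ESP marker used for IKE on UDP/4500 (RFC 3948) and a 1500-byte Ethernet path MTU; the sample log lines are constructed from the excerpts in the mail.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed wire overheads: IPv4 w/o options, UDP, NAT-T marker, Ethernet MTU.
IPV4_HEADER = 20
UDP_HEADER = 8
NON_ESP_MARKER = 4   # four zero bytes before IKE on UDP/4500 (RFC 3948)
PATH_MTU = 1500

SEND_RE = re.compile(r"Sending: SA = 0x([0-9A-Fa-f]+) to ([\d.]+):Type \d+\.(\d+)")
HDR_RE = re.compile(r"ISAKMP Header: \(V[\d.]+\), len = (\d+)")
RETX_RE = re.compile(r"retransmit: sa = ([0-9A-Fa-f]+)")

@dataclass
class IsakmpSend:
    sa: str            # SA handle as upper-case hex digits, no 0x
    peer: str
    port: int
    isakmp_len: int    # 'len' field of the ISAKMP header
    retransmits: int = 0

    def datagram_len(self) -> int:
        """Estimated IPv4 datagram size carrying this ISAKMP message."""
        marker = NON_ESP_MARKER if self.port == 4500 else 0
        return IPV4_HEADER + UDP_HEADER + marker + self.isakmp_len

    def fragmented(self) -> bool:
        return self.datagram_len() > PATH_MTU

def parse_oakley_log(text: str) -> List[IsakmpSend]:
    """Pair each 'Sending' line with the ISAKMP header line that follows it."""
    sends: List[IsakmpSend] = []
    pending: Optional[Tuple[str, str, int]] = None
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            pending = (m.group(1).upper(), m.group(2), int(m.group(3)))
            continue
        m = HDR_RE.search(line)
        if m and pending:
            sends.append(IsakmpSend(*pending, int(m.group(1))))
            pending = None
            continue
        m = RETX_RE.search(line)
        if m:
            for s in sends:
                if s.sa == m.group(1).upper():
                    s.retransmits += 1
    return sends

def fragmented_sends(text: str) -> List[IsakmpSend]:
    return [s for s in parse_oakley_log(text) if s.fragmented()]

# Constructed sample built from the two log excerpts in the mail (trimmed).
SAMPLE_LOG = """\
11-11: 11:26:10:361:36c Sending: SA = 0x000C9048 to 213.56.232.64:Type 2.4500
11-11: 11:26:10:361:36c ISAKMP Header: (V1.0), len = 1596
11-11: 11:26:10:361:36c   exchange: Oakley Main Mode
11-11: 11:26:10:932:5e0 retransmit: sa = 000C9048 centry 00000000 , count = 1
11-23: 17:36:47:571:5b0 Sending: SA = 0x000DF8C8 to 10.10.10.1:Type 2.4500
11-23: 17:36:47:571:5b0 ISAKMP Header: (V1.0), len = 1548
"""

if __name__ == "__main__":
    for s in fragmented_sends(SAMPLE_LOG):
        print(f"SA {s.sa} -> {s.peer}: ISAKMP {s.isakmp_len} B, datagram ~{s.datagram_len()} B "
              f"> MTU {PATH_MTU}, retransmits={s.retransmits}")
```

Both messages come out above 1500 bytes (about 1628 and 1580 bytes on the wire), so if a filter or NAT on the path drops IP fragments, the gateway never sees them and the initiator keeps retransmitting.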
