[Openswan Users] stuck in STATE_MAIN_I3/STATE_MAIN_R2
Oskar Liljeblad
oskar at osk.mine.nu
Tue Oct 12 18:02:16 CEST 2004
On Tuesday, October 12, 2004 at 19:41, Herbert Xu wrote:
> Unless your tcpdump command is broken, this looks like an openswan
> problem. Please find the debug message from pluto about this packet.
> It should tell us where the problem is.
I'm using tcpdump 3.8.3.
The pluto 'emitting' debug for the tcpdumped packet
IP (tos 0x0, ttl 64, id 4160, offset 0, flags [+], length: 1500) alpha.isakmp > beta.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1652/ip 1472)
is this:
"beta-alpha" #1: I am sending a certificate request
| ***emit ISAKMP Certificate RequestPayload:
| next payload type: ISAKMP_NEXT_SIG
| cert type: CERT_X509_SIGNATURE
| emitting 122 raw bytes of CA into ISAKMP Certificate RequestPayload
| emitting length of ISAKMP Certificate RequestPayload: 127
| ***emit ISAKMP Signature Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 256 raw bytes of SIG_I into ISAKMP Signature Payload
| emitting length of ISAKMP Signature Payload: 260
| emitting 5 zero bytes of encryption padding into ISAKMP Message
| emitting length of ISAKMP Message: 1652
"beta-alpha" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Could it be the ISP blocking this packet? To test this possibility I set up
openswan on a third system (on a third ISP).
alpha-beta fails as above
alpha-third fails as above
beta-third OK!
I double-checked configurations and disabled iptables firewalls on alpha,
beta and the third computer.
Regards,
Oskar Liljeblad (oskar at osk.mine.nu)
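The numbers in the tcpdump line above, worked through as an added example that is not part of the original post: it computes how a 1652-byte ISAKMP message splits into IPv4 fragments and checks that tcpdump's "len mismatch" is simply what the first fragment looks like. The 20-byte IPv4 header (no options) and the function names are assumptions of the example.

```python
import re

IP_HEADER = 20   # assumption: IPv4 header without options
UDP_HEADER = 8

# tcpdump line quoted from the post above
TCPDUMP_LINE = ("IP (tos 0x0, ttl 64, id 4160, offset 0, flags [+], length: 1500) "
                "alpha.isakmp > beta.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: "
                "[encrypted id] (len mismatch: isakmp 1652/ip 1472)")

def fragment_layout(isakmp_len, mtu=1500):
    """Split one UDP datagram carrying an ISAKMP message into IPv4 fragments."""
    datagram = UDP_HEADER + isakmp_len        # IP payload before fragmentation
    per_frag = (mtu - IP_HEADER) // 8 * 8     # non-final fragments carry a multiple of 8 bytes
    frags, offset = [], 0
    while offset < datagram:
        size = min(per_frag, datagram - offset)
        frags.append({
            "offset": offset,
            "ip_total_length": IP_HEADER + size,
            "more_fragments": offset + size < datagram,
            # only the first fragment holds the UDP header
            "isakmp_bytes": size - UDP_HEADER if offset == 0 else size,
        })
        offset += size
    return frags

def mismatch_is_fragmentation(line):
    """True if the 'len mismatch' is explained by seeing only the first fragment."""
    m = re.search(r"length: (\d+)\).*len mismatch: isakmp (\d+)/ip (\d+)", line)
    if not m:
        return False
    ip_total, isakmp_len, seen = map(int, m.groups())
    first = fragment_layout(isakmp_len, mtu=ip_total)[0]
    return (first["more_fragments"] and "flags [+]" in line
            and first["isakmp_bytes"] == seen)

if __name__ == "__main__":
    for frag in fragment_layout(1652):
        print(frag)
    print(mismatch_is_fragmentation(TCPDUMP_LINE))
```

The second fragment (offset 1480, 200 bytes total) is the packet to look for in a capture on the receiving side; without it the 1652-byte message cannot be reassembled there.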