[Openswan Users] connection problem after installation of openswan 2.2.1rc1

Pablo Miguel p.miguel at osra.it
Tue Oct 26 18:13:05 CEST 2004


Hi everybody

I tried to install the new version, openswan 2.2.1rc1, because I am using openswan
<- WinXP SP2 with NAT-T and I have the rekeying problem.

With this version I saw this error message:

pluto[9610]: "remote_1"[1] XXX.XX.XX.XX #1: payload alignment problem please
check the code in main_inI1_outR1 (num=1)

The client can't open a connection even if I don't use NAT-T.

I thought it was a problem in the build, so I built and installed 2.2.0 and
didn't have any problem at all.

This is the log of the connection with 2.2.1rc1:

packet from XXX.XX.XX.XX:500: ignoring Vendor ID payload [MS NT5
ISAKMPOAKLEY 00000004]
packet from XXX.XX.XX.XX:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from XXX.XX.XX.XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
packet from XXX.XX.XX.XX:500: ignoring Vendor ID payload
[26244d38eddb61b3172a36e3d0cfb819]
| alg_info_addref() alg_info->ref_cnt=3
| alg_info_addref() alg_info->ref_cnt=3
| alg_info_addref() alg_info->ref_cnt=4
| alg_info_addref() alg_info->ref_cnt=4
| instantiated "remote_1" for XXX.XX.XX.XX
| creating state object #1 at 0x80f07b8
| ICOOKIE:  db 57 5d a4  c0 20 7e 72
| RCOOKIE:  65 79 92 c1  e4 aa 13 95
| peer:  d4 61 37 3b
| state hash entry 13
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
"remote_1"[1] XXX.XX.XX.XX #1: responding to Main Mode from unknown peer
XXX.XX.XX.XX
| **emit ISAKMP Message:
|    initiator cookie:
|   db 57 5d a4  c0 20 7e 72
|    responder cookie:
|   65 79 92 c1  e4 aa 13 95
|    next payload type: ISAKMP_NEXT_SA
|    ISAKMP version: ISAKMP Version 1.0
|    exchange type: ISAKMP_XCHG_IDPROT
|    flags: none
|    message ID:  00 00 00 00
| ***emit ISAKMP Security Association Payload:
|    next payload type: ISAKMP_NEXT_VID
|    DOI: ISAKMP_DOI_IPSEC
| ****parse IPsec DOI SIT:
|    IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****parse ISAKMP Proposal Payload:
|    next payload type: ISAKMP_NEXT_NONE
|    length: 188
|    proposal number: 1
|    protocol ID: PROTO_ISAKMP
|    SPI size: 0
|    number of transforms: 5
|*****parse ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_T
|    length: 36
|    transform number: 1
|    transform ID: KEY_IKE
| ******parse ISAKMP Oakley attribute:
|    af+type: OAKLEY_ENCRYPTION_ALGORITHM
|    length/value: 5
|    [5 is OAKLEY_3DES_CBC]
| ike_alg_enc_ok(ealg=5,key_len=0): blocksize=8, keyminlen=192,
keydeflen=192, keymaxlen=192, ret=1
| ******parse ISAKMP Oakley attribute:
|    af+type: OAKLEY_HASH_ALGORITHM
|    length/value: 2
|    [2 is OAKLEY_SHA]
| ******parse ISAKMP Oakley attribute:
|    af+type: OAKLEY_GROUP_DESCRIPTION
|    length/value: 14
|    [14 is OAKLEY_GROUP_MODP2048]
| ******parse ISAKMP Oakley attribute:
|    af+type: OAKLEY_AUTHENTICATION_METHOD
|    length/value: 3
|    [3 is OAKLEY_RSA_SIG]
| ******parse ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_TYPE
|    length/value: 1
|    [1 is OAKLEY_LIFE_SECONDS]
| ******parse ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_DURATION (variable length)
|    length/value: 4
|    long duration: 28800
| Oakley Transform 1 accepted
| ****emit IPsec DOI SIT:
|   IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****emit ISAKMP Proposal Payload:
|    next payload type: ISAKMP_NEXT_NONE
|    proposal number: 1
|    protocol ID: PROTO_ISAKMP
|    SPI size: 0
|    number of transforms: 1
| *****emit ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_NONE
|    transform number: 1
|    transform ID: KEY_IKE
| emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP)
| attributes  80 01 00 05  80 02 00 02  80 04 00 0e  80 03 00 03
|   80 0b 00 01  00 0c 00 04  00 00 70 80
| emitting length of ISAKMP Transform Payload (ISAKMP): 36
| emitting length of ISAKMP Proposal Payload: 44
| emitting length of ISAKMP Security Association Payload: 56
| sender checking NAT-t: 1 and 106
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02_n]
| ***emit ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID  90 cb 80 91  3e bb 69 6e  08 63 81 b5  ec 42 7b 1f
| emitting length of ISAKMP Vendor ID Payload: 20
"remote_1"[1] XXX.XX.XX.XX #1: payload alignment problem please check the
code in main_inI1_outR1 (num=1)
| emitting length of ISAKMP Message: 104
 "remote_1"[1] XXX.XX.XX.XX #1: transition from state (null) to state
STATE_MAIN_R1
| sending 104 bytes for STATE_MAIN_R0 through eth1 to XXX.XX.XX.XX:500:
|   db 57 5d a4  c0 20 7e 72  65 79 92 c1  e4 aa 13 95
|   01 10 02 00  00 00 00 00  00 00 00 68  0d 00 00 38
|   00 00 00 01  00 00 00 01  00 00 00 2c  01 01 00 01
|   00 00 00 24  01 01 00 00  80 01 00 05  80 02 00 02
|   80 04 00 0e  80 03 00 03  80 0b 00 01  00 0c 00 04
|   00 00 70 80  0d 00 00 14  90 cb 80 91  3e bb 69 6e
|   08 63 81 b5  ec 42 7b 1f
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| next event EVENT_RETRANSMIT in 10 seconds for #1
| *time to handle event
| event after this is EVENT_REINIT_SECRET in 3499 seconds
| handling event EVENT_RETRANSMIT for XXX.XX.XX.XX "remote_1" #1
| sending 104 bytes for EVENT_RETRANSMIT through eth1 to XXX.XX.XX.XX:500:

***
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
| next event EVENT_RETRANSMIT in 20 seconds for #1
| *received 56 bytes from XXX.XX.XX.XX:500 on eth1
**
| **parse ISAKMP Message:
|    initiator cookie:
|   db 57 5d a4  c0 20 7e 72
|    responder cookie:
|   65 79 92 c1  e4 aa 13 95
|    next payload type: ISAKMP_NEXT_D
|    ISAKMP version: ISAKMP Version 1.0
|    exchange type: ISAKMP_XCHG_INFO
|    flags: none
|    message ID:  b9 9b e2 a8
|    length: 56
| ICOOKIE:  db 57 5d a4  c0 20 7e 72
| RCOOKIE:  65 79 92 c1  e4 aa 13 95
| peer:  d4 61 37 3b
| state hash entry 13
| peer and cookies match on #1, provided msgid 00000000 vs 00000000
| state object #1 found, in STATE_MAIN_R1
| ***parse ISAKMP Delete Payload:
|    next payload type: ISAKMP_NEXT_NONE
|    length: 28
|    DOI: ISAKMP_DOI_IPSEC
|    protocol ID: 1
|    SPI size: 16
|    number of SPIs: 1
"remote_1"[1] XXX.XX.XX.XX #1: ignoring Delete SA payload: not encrypted

I have Linux SuSE 9.1, kernel 2.6.5-7.108, and a simple road-warrior
configuration:

config setup
	nat_traversal=yes
	interfaces=%defaultroute
	uniqueids=yes
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
# default settings for connections
conn %default
	keyingtries=0
	keylife=24h
	rekeymargin=8m
	disablearrivalcheck=no
	authby=rsasig
	dpdaction=clear

conn remote_1
	pfs=no
	leftprotoport=17/1701
	rightprotoport=17/1701
	leftcert=server.pem
	rightcert=cliente1.pem
	left=%defaultroute
	right=%any
	rightid="C=IT,ST=XX,L=XX,O=XX,OU=Generic VPN IPSEC Access,CN=cliente1"
	rightsubnet=vhost:%no,%priv
	auto=add

Does somebody have the same problem?

Thanks in advance.

Pablo Miguel
Italy
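An added diagnostic, not part of the post and not Openswan code, that walks the generic ISAKMP payload chain (RFC 2408) of the 104-byte STATE_MAIN_R0 reply dumped in the log above and checks that each payload's declared length and next-payload field agree with the bytes on the wire; the packet bytes are copied from the post's hex dump.

```python
import struct

HDR_LEN = 28  # fixed ISAKMP header: cookies, next, version, exchange, flags, msgid, length

# The 104-byte STATE_MAIN_R0 reply, copied from the hex dump in the post above
PACKET = bytes.fromhex(
    "db575da4c0207e72657992c1e4aa1395"
    "0110020000000000000000680d000038"
    "00000001000000010000002c01010001"
    "00000024010100008001000580020002"
    "8004000e80030003800b0001000c0004"
    "000070800d00001490cb80913ebb696e"
    "086381b5ec427b1f"
)


def parse_header(pkt):
    """Unpack the fixed 28-byte ISAKMP header (RFC 2408 section 3.1)."""
    fields = struct.unpack("!8s8sBBBBII", pkt[:HDR_LEN])
    names = ("icookie", "rcookie", "next", "version", "exchange",
             "flags", "msgid", "length")
    return dict(zip(names, fields))


def walk_payloads(pkt):
    """Follow the generic payload chain and report inconsistencies.

    Returns (payloads, problems): payloads is a list of
    (offset, type, length, next_type); problems lists every place where
    the declared lengths or next-payload fields disagree with the bytes
    actually present, i.e. what a responder would call misaligned.
    """
    hdr, problems = parse_header(pkt), []
    if hdr["length"] != len(pkt):
        problems.append("header says %d bytes, got %d" % (hdr["length"], len(pkt)))
    payloads, off, ptype = [], HDR_LEN, hdr["next"]
    while ptype != 0:  # 0 == ISAKMP_NEXT_NONE terminates the chain
        if off + 4 > len(pkt):
            problems.append("payload type %d announced at offset %d past end" % (ptype, off))
            break
        nxt, _reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            problems.append("bad length %d for payload at offset %d" % (plen, off))
            break
        payloads.append((off, ptype, plen, nxt))
        off, ptype = off + plen, nxt
    if off != len(pkt):
        problems.append("payload chain covers %d of %d bytes" % (off, len(pkt)))
    return payloads, problems
```

On this dump the SA payload (56 bytes) and the Vendor ID payload (20 bytes) account for all 104 bytes, but the Vendor ID payload's next-payload field is 13 (VID) rather than 0 (NONE), so the walker reports a payload announced past the end of the message.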
