[Openswan Users]
connection problem after installation of openswan 2.2.1rc1
Pablo Miguel
p.miguel at osra.it
Tue Oct 26 18:13:05 CEST 2004
Hi everybody
I try to install the new version openswan 2.2.1rc1 because I using openswan
<- winxp sp2 with NAT-T and I have the problem of rekeying.
With this version I saw this error mess:
pluto[9610]: "remote_1"[1] XXX.XX.XX.XX #1: payload alignment problem please
check the code in main_inI1_outR1 (num=1)
The client can't open a connection even if I don't use NAT-T.
I think it was a problem in the build so I made and installed the 2.2.0 and
I didn't have any problem at all.
This is the log of the connection with 2.2.1rc1 :
packet from XXX.XX.XX.XX:500: ignoring Vendor ID payload [MS NT5
ISAKMPOAKLEY 00000004]
packet from XXX.XX.XX.XX:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from XXX.XX.XX.XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
packet from XXX.XX.XX.XX:500: ignoring Vendor ID payload
[26244d38eddb61b3172a36e3d0cfb819]
| alg_info_addref() alg_info->ref_cnt=3
| alg_info_addref() alg_info->ref_cnt=3
| alg_info_addref() alg_info->ref_cnt=4
| alg_info_addref() alg_info->ref_cnt=4
| instantiated "remote_1" for XXX.XX.XX.XX
| creating state object #1 at 0x80f07b8
| ICOOKIE: db 57 5d a4 c0 20 7e 72
| RCOOKIE: 65 79 92 c1 e4 aa 13 95
| peer: d4 61 37 3b
| state hash entry 13
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
"remote_1"[1] XXX.XX.XX.XX #1: responding to Main Mode from unknown peer
XXX.XX.XX.XX
| **emit ISAKMP Message:
| initiator cookie:
| db 57 5d a4 c0 20 7e 72
| responder cookie:
| 65 79 92 c1 e4 aa 13 95
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| ***emit ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| DOI: ISAKMP_DOI_IPSEC
| ****parse IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****parse ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 188
| proposal number: 1
| protocol ID: PROTO_ISAKMP
| SPI size: 0
| number of transforms: 5
|*****parse ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_T
| length: 36
| transform number: 1
| transform ID: KEY_IKE
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_ENCRYPTION_ALGORITHM
| length/value: 5
| [5 is OAKLEY_3DES_CBC]
| ike_alg_enc_ok(ealg=5,key_len=0): blocksize=8, keyminlen=192,
keydeflen=192, keymaxlen=192, ret=1
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_HASH_ALGORITHM
| length/value: 2
| [2 is OAKLEY_SHA]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_GROUP_DESCRIPTION
| length/value: 14
| [14 is OAKLEY_GROUP_MODP2048]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_AUTHENTICATION_METHOD
| length/value: 3
| [3 is OAKLEY_RSA_SIG]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_TYPE
| length/value: 1
| [1 is OAKLEY_LIFE_SECONDS]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_DURATION (variable length)
| length/value: 4
| long duration: 28800
| Oakley Transform 1 accepted
| ****emit IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****emit ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| proposal number: 1
| protocol ID: PROTO_ISAKMP
| SPI size: 0
| number of transforms: 1
| *****emit ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_NONE
| transform number: 1
| transform ID: KEY_IKE
| emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP)
| attributes 80 01 00 05 80 02 00 02 80 04 00 0e 80 03 00 03
| 80 0b 00 01 00 0c 00 04 00 00 70 80
| emitting length of ISAKMP Transform Payload (ISAKMP): 36
| emitting length of ISAKMP Proposal Payload: 44
| emitting length of ISAKMP Security Association Payload: 56
| sender checking NAT-t: 1 and 106
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02_n]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
| emitting length of ISAKMP Vendor ID Payload: 20
"remote_1"[1] XXX.XX.XX.XX #1: payload alignment problem please check the
code in main_inI1_outR1 (num=1)
| emitting length of ISAKMP Message: 104
"remote_1"[1] XXX.XX.XX.XX #1: transition from state (null) to state
STATE_MAIN_R1
| sending 104 bytes for STATE_MAIN_R0 through eth1 to XXX.XX.XX.XX:500:
| db 57 5d a4 c0 20 7e 72 65 79 92 c1 e4 aa 13 95
| 01 10 02 00 00 00 00 00 00 00 00 68 0d 00 00 38
| 00 00 00 01 00 00 00 01 00 00 00 2c 01 01 00 01
| 00 00 00 24 01 01 00 00 80 01 00 05 80 02 00 02
| 80 04 00 0e 80 03 00 03 80 0b 00 01 00 0c 00 04
| 00 00 70 80 0d 00 00 14 90 cb 80 91 3e bb 69 6e
| 08 63 81 b5 ec 42 7b 1f
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| next event EVENT_RETRANSMIT in 10 seconds for #1
| *time to handle event
| event after this is EVENT_REINIT_SECRET in 3499 seconds
| handling event EVENT_RETRANSMIT for XXX.XX.XX.XX "remote_1" #1
| sending 104 bytes for EVENT_RETRANSMIT through eth1 to XXX.XX.XX.XX:500:
***
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
| next event EVENT_RETRANSMIT in 20 seconds for #1
| *received 56 bytes from XXX.XX.XX.XX:500 on eth1
**
| **parse ISAKMP Message:
| initiator cookie:
| db 57 5d a4 c0 20 7e 72
| responder cookie:
| 65 79 92 c1 e4 aa 13 95
| next payload type: ISAKMP_NEXT_D
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_INFO
| flags: none
| message ID: b9 9b e2 a8
| length: 56
| ICOOKIE: db 57 5d a4 c0 20 7e 72
| RCOOKIE: 65 79 92 c1 e4 aa 13 95
| peer: d4 61 37 3b
| state hash entry 13
| peer and cookies match on #1, provided msgid 00000000 vs 00000000
| state object #1 found, in STATE_MAIN_R1
| ***parse ISAKMP Delete Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 28
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 1
| SPI size: 16
| number of SPIs: 1
"remote_1"[1] XXX.XX.XX.XX #1: ignoring Delete SA payload: not encrypted
I have a linux SuSE 9.1 kernel 2.6.5-7.108 and a simple road-warrior
configuration:
config setup
nat_traversal=yes
interfaces=%defaultroute
uniqueids=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
# default settings for connections
conn %default
keyingtries=0
keylife=24h
rekeymargin=8m
disablearrivalcheck=no
authby=rsasig
dpdaction=clear
conn remote_1
pfs=no
leftprotoport=17/1701
rightprotoport=17/1701
leftcert=server.pem
rightcert=cliente1.pem
left=%defaultroute
right=%any
rightid="C=IT,ST=XX,L=XX,O=XX,OU=Generic VPN IPSEC Access,CN=cliente1"
rightsubnet=vhost:%no,%priv
auto=add
Somebody have the same problem?
Thanks in advance..
Pablo Miguel
Italy
More information about the Users
mailing list