[Openswan Users] Cisco IOS 12.3.2 grief

Ted Kaczmarek tedkaz at optonline.net
Fri Oct 29 21:23:00 CEST 2004


On Thu, 2004-10-28 at 21:25 -0400, Ted Kaczmarek wrote:
> I have Openswan 2.1.5 running great on a FC1 box.
> Kernel 2.4.22-1.2199.nptl. Have a problem connection with a customer
> using IOS 12.3.2, he also had issues connecting to a Cisco Pix running
> 6.3.3 as well.
> 
> I get lots of 
> not enough room in input packet for ISAKMP Vendor ID Payload
> malformed payload in packet
> 
> when trying to bring this connection up. The only way I can get it up at
> all is to restart ipsec. I do have many other connections to Cisco
> Pix'es, another Cisco IOS and netscreen and they all work great.
> 
> Doing some googling leads me to believe this is an IOS issue.
> 
> auth=esp
> esp=3des-md5-96
> key exchange=ike
> pfs=no
> authby=secret
> 
> From barf
> This is log after restart
> 
> Oct 28 17:19:46 vpn2 pluto[7924]: packet from 208.190.154.239:500:
> ignoring Vendor ID payload [439b59f8ba676c4c...]
> Oct 28 17:19:46 vpn2 pluto[7924]: packet from 208.190.154.239:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
> already using method 0
> Oct 28 17:19:46 vpn2 pluto[7924]: packet from 208.190.154.239:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
> but already using method 0
> Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: responding to Main Mode
> Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: transition from state
> (null) to state STATE_MAIN_R1
> Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: ignoring Vendor ID
> payload [Cisco-Unity]
> Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: ignoring Vendor ID
> payload [Dead Peer Detection]
> Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: ignoring Vendor ID
> payload [bd60a6abc5405c70...]
> Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: received Vendor ID
> payload [XAUTH]
> Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
> Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #33: Peer ID is ID_IPV4_ADDR:
> '208.190.154.239'
> Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #33: transition from state
> STATE_MAIN_R2 to state STATE_MAIN_R3
> Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #33: sent MR3, ISAKMP SA
> established
> Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #34: responding to Quick Mode
> Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #34: transition from state
> (null) to state STATE_QUICK_R1
> Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #35: responding to Quick Mode
> Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #35: transition from state
> (null) to state STATE_QUICK_R1
> Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #34: transition from state
> STATE_QUICK_R1 to state STATE_QUICK_R2
> Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #34: IPsec SA established
> {ESP=>0xb4131535 <0x8563c295}
> Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #35: transition from state
> STATE_QUICK_R1 to state STATE_QUICK_R2
> Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #35: IPsec SA established
> {ESP=>0x28cd44a2 <0x8563c296}
> 
> After a while it poops out
> Oct 28 19:07:57 vpn2 pluto[7924]: "cust9" #94: max number of
> retransmissions (20) reached STATE_MAIN_I1.  No response (or no
> acceptable response) to our first IKE message
> Oct 28 19:07:57 vpn2 pluto[7924]: "cust9" #94: starting keying attempt 5
> of an unlimited number
> Oct 28 19:07:57 vpn2 pluto[7924]: "cust9" #106: initiating Main Mode to
> replace #94
> Oct 28 19:07:58 vpn2 pluto[7924]: "cust9" #106: not enough room in input
> packet for ISAKMP Vendor ID Payload
> Oct 28 19:07:58 vpn2 pluto[7924]: "cust9" #106: malformed payload in
> packet
> Oct 28 19:07:59 vpn2 pluto[7924]: "cust9" #105: not enough room in input
> packet for ISAKMP Vendor ID Payload
> Oct 28 19:07:59 vpn2 pluto[7924]: "cust9" #105: malformed payload in
> packet
> Oct 28 19:08:07 vpn2 pluto[7924]: "cust9" #106: not enough room in input
> packet for ISAKMP Vendor ID Payload
> Oct 28 19:08:07 vpn2 pluto[7924]: "cust9" #106: malformed payload in
> packet
> Oct 28 19:08:09 vpn2 pluto[7924]: "cust9" #105: not enough room in input
> packet for ISAKMP Vendor ID Payload
> Oct 28 19:08:09 vpn2 pluto[7924]: "cust9" #105: malformed payload in
> packet
> Oct 28 19:08:17 vpn2 pluto[7924]: "cust9" #106: not enough room in input
> packet for ISAKMP Vendor ID Payload
> Oct 28 19:08:17 vpn2 pluto[7924]: "cust9" #106: malformed payload in
> packet
> Oct 28 19:08:27 vpn2 pluto[7924]: "cust9" #106: not enough room in input
> packet for ISAKMP Vendor ID Payload
> Oct 28 19:08:27 vpn2 pluto[7924]: "cust9" #106: malformed payload in
> packet
> Oct 28 19:08:49 vpn2 pluto[7924]: "cust9" #105: not enough room in input
> packet for ISAKMP Vendor ID Payload
> Oct 28 19:08:49 vpn2 pluto[7924]: "cust9" #105: malformed payload in
> packet
> Oct 28 19:09:08 vpn2 pluto[7924]: "cust9" #106: not enough room in input
> packet for ISAKMP Vendor ID Payload
> Oct 28 19:09:08 vpn2 pluto[7924]: "cust9" #106: malformed payload in
> packet
> Oct 28 19:09:18 vpn2 pluto[7924]: "cust9" #106: not enough room in input
> packet for ISAKMP Vendor ID Payload
> Oct 28 19:09:18 vpn2 pluto[7924]: "cust9" #106: malformed payload in
> packet
> Oct 28 19:10:09 vpn2 pluto[7924]: "cust9" #105: not enough room in input
> packet for ISAKMP Vendor ID Payload
> Oct 28 19:10:09 vpn2 pluto[7924]: "cust9" #105: malformed payload in
> packet
> 
> Anything I can try to set in ipsec.conf anyone can recommend?
> Was trying to keep all my configs generic but Cisco has a tendency to
> make things like that impossible :-)
> 
> Thanks,
> Ted
> 
This is an annoying customer problem, appears their host blows up on a
regular basis and they lose the interesting traffic that Cisco needs.

Ted
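
Added example, not part of the original post and not Openswan's code: a minimal walker for the ISAKMP payload chain (layout per RFC 2408) showing the kind of bounds check behind a message such as "not enough room in input packet for ISAKMP Vendor ID Payload". It assumes that error means the previous payload announced a Vendor ID payload but the packet ended before its header; the function names and sample packets are constructed for illustration.

```python
import struct

ISAKMP_HDR_LEN = 28   # RFC 2408 3.1: cookies(16) next(1) ver(1) xchg(1) flags(1) msgid(4) len(4)
GENERIC_HDR_LEN = 4   # RFC 2408 3.2: next payload(1) reserved(1) payload length(2)
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "Vendor ID"}

def walk_payloads(packet: bytes):
    """Walk the payload chain; return (names parsed so far, error string or None)."""
    if len(packet) < ISAKMP_HDR_LEN:
        return [], "not enough room for ISAKMP header"
    next_payload = packet[16]
    (declared,) = struct.unpack("!I", packet[24:28])
    end = min(declared, len(packet))      # never read past the bytes actually received
    offset, seen = ISAKMP_HDR_LEN, []
    while next_payload != 0:              # 0 = no further payload
        name = PAYLOAD_NAMES.get(next_payload, f"type {next_payload}")
        if end - offset < GENERIC_HDR_LEN:
            return seen, f"not enough room for {name} payload header"
        following, _, length = struct.unpack("!BBH", packet[offset:offset + 4])
        if length < GENERIC_HDR_LEN or offset + length > end:
            return seen, f"{name} payload length {length} does not fit"
        seen.append(name)
        offset += length
        next_payload = following
    return seen, None

def build(payloads, dangling_type=0):
    """Constructed sample: payloads = [(type, body)]; dangling_type is announced but absent."""
    types = [t for t, _ in payloads] + [dangling_type]
    body = b"".join(struct.pack("!BBH", types[i + 1], 0, 4 + len(b)) + b
                    for i, (_, b) in enumerate(payloads))
    header = bytes(16) + struct.pack("!BBBBII", types[0], 0x10, 2, 0, 0,
                                     ISAKMP_HDR_LEN + len(body))
    return header + body

# Constructed packets (not captured traffic).
GOOD = build([(1, bytes(8)), (13, b"\xaa" * 16)])
DANGLING = build([(1, bytes(8))], dangling_type=13)   # SA says "Vendor ID next", packet ends
CUT_SHORT = GOOD[:-4]                                  # last payload loses 4 bytes in transit

if __name__ == "__main__":
    for label, pkt in [("good", GOOD), ("dangling", DANGLING), ("cut short", CUT_SHORT)]:
        print(label, walk_payloads(pkt))
```

Running a capture of the peer's first Main Mode reply through a walker like this separates a dangling next-payload field from a payload cut short in transit, which point at different causes.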


