[Openswan Users] UDP: Bad checksum

Lars Bakker lars_bakker at gmx.de
Tue Sep 20 14:31:16 CEST 2005


Hello,

I'm having serious trouble setting up openswan (l2tp/ipsec) behind a NAT 
device. There is no problem with the ipsec SA negotiation, but as soon 
as the SA is established and the l2tp-packages get decrypted the kernel 
reports: "UDP: Bad checksum". ifconfig reports several error- and 
dropped packages. I guess that there might be a problem with 
recalculating the checksum because the original l2tp destination address 
is the external IP used by the NAT device (is that true?), or might that 
be a problem associated with the mtu value?

My openswan server is running on a user-mode-linux virtual machine. I'm 
using version 2.3.1 with the additional NAT-server patch from 
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html.

Can anyone help me?

auth.log:
Sep 21 13:49:31 fireint pluto[26355]: "roadwarrior-l2tp-lars"[1] 
84.171.243.24 #1: ignoring informational payload, type INVALID_COOKIE
Sep 21 13:49:31 fireint pluto[26355]: "roadwarrior-l2tp-lars"[1] 
84.171.243.24 #1: received and ignored informational message
Sep 21 13:49:34 fireint pluto[26355]: packet from 84.171.243.24:500: 
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Sep 21 13:49:34 fireint pluto[26355]: packet from 84.171.243.24:500: 
ignoring Vendor ID payload [FRAGMENTATION]
Sep 21 13:49:34 fireint pluto[26355]: packet from 84.171.243.24:500: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set 
to=106
Sep 21 13:49:34 fireint pluto[26355]: "roadwarrior-l2tp-lars"[1] 
84.171.243.24 #2: responding to Main Mode from unknown peer 84.171.243.24
Sep 21 13:49:34 fireint pluto[26355]: "roadwarrior-l2tp-lars"[1] 
84.171.243.24 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 21 13:49:35 fireint pluto[26355]: "roadwarrior-l2tp-lars"[1] 
84.171.243.24 #2: NAT-Traversal: Result using 
draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Sep 21 13:49:35 fireint pluto[26355]: "roadwarrior-l2tp-lars"[1] 
84.171.243.24 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 21 13:49:35 fireint pluto[26355]: "roadwarrior-l2tp-lars"[1] 
84.171.243.24 #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=BW, 
O=smart group, OU=vpn, CN=martin'
Sep 21 13:49:35 fireint pluto[26355]: "roadwarrior-l2tp-lars"[1] 
84.171.243.24 #2: crl update for "C=DE, ST=Baden-Wuertemberg, 
L=Weinheim, O=smart group, OU=vpn, CN=smart root CA, 
E=lars_bakker at web.de" is overdue since Aug 27 21:28:20 UTC 2005
Sep 21 13:49:35 fireint pluto[26355]: "roadwarrior-l2tp-martin"[1] 
84.171.243.24 #2: I am sending my cert
Sep 21 13:49:35 fireint pluto[26355]: "roadwarrior-l2tp-martin"[1] 
84.171.243.24 #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 21 13:49:35 fireint pluto[26355]: | NAT-T: new mapping 
84.171.243.24:500/4500)
Sep 21 13:49:35 fireint pluto[26355]: "roadwarrior-l2tp-martin"[1] 
84.171.243.24 #2: sent MR3, ISAKMP SA established
Sep 21 13:49:35 fireint pluto[26355]: "roadwarrior-l2tp-martin"[1] 
84.171.243.24 #3: responding to Quick Mode {msgid:63a66a27}
Sep 21 13:49:35 fireint pluto[26355]: "roadwarrior-l2tp-martin"[1] 
84.171.243.24 #3: transition from state STATE_QUICK_R0 to state 
STATE_QUICK_R1
Sep 21 13:49:37 fireint pluto[26355]: "roadwarrior-l2tp-martin"[1] 
84.171.243.24 #3: transition from state STATE_QUICK_R1 to state 
STATE_QUICK_R2
Sep 21 13:49:37 fireint pluto[26355]: "roadwarrior-l2tp-martin"[1] 
84.171.243.24 #3: IPsec SA established {ESP=>0x803dd295 <0xa90ece7a 
xfrm=3DES_0-HMAC_MD5 NATD=84.171.243.24}

kern.log:
Sep 21 13:51:13 fireint kernel: UDP: bad checksum. From 
84.171.243.24:1701 to 192.168.178.2:1701 ulen 116
Sep 21 13:51:15 fireint kernel: l2tp package reveived: IN=ipsec0 OUT= 
MAC=fe:fd:c0:a8:b2:02:00:04:0e:9b:34:6a:08:00 SRC=84.171.243.24 
DST=192.168.178.2 LEN=136 TOS=0x00 PREC=0x00 TTL=123 ID=21388 PROTO=UDP 
SPT=1701 DPT=1701 LEN=116
Sep 21 13:51:15 fireint kernel: UDP: bad checksum. From 
84.171.243.24:1701 to 192.168.178.2:1701 ulen 116
Sep 21 13:51:19 fireint kernel: l2tp package reveived: IN=ipsec0 OUT= 
MAC=fe:fd:c0:a8:b2:02:00:04:0e:9b:34:6a:08:00 SRC=84.171.243.24 
DST=192.168.178.2 LEN=136 TOS=0x00 PREC=0x00 TTL=123 ID=21390 PROTO=UDP 
SPT=1701 DPT=1701 LEN=116
Sep 21 13:51:19 fireint kernel: UDP: bad checksum. From 
84.171.243.24:1701 to 192.168.178.2:1701 ulen 116
Sep 21 13:51:27 fireint kernel: l2tp package reveived: IN=ipsec0 OUT= 
MAC=fe:fd:c0:a8:b2:02:00:04:0e:9b:34:6a:08:00 SRC=84.171.243.24 
DST=192.168.178.2 LEN=136 TOS=0x00 PREC=0x00 TTL=123 ID=21391 PROTO=UDP 
SPT=1701 DPT=1701 LEN=116
Sep 21 13:51:27 fireint kernel: UDP: bad checksum. From 
84.171.243.24:1701 to 192.168.178.2:1701 ulen 116
Sep 21 13:51:34 fireint kernel: LAN->Local abgelehnt: IN=eth0 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:40:d0:2d:98:1b:08:00 SRC=192.168.49.120 
DST=192.168.49.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=62148 PROTO=UDP 
SPT=138 DPT=138 LEN=209
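The following is an added example, not code from the post or from openswan, that illustrates the poster's guess about the "UDP: bad checksum" lines. The UDP checksum (RFC 768) is computed over a pseudo-header that contains the source and destination IP addresses, so a decrypted L2TP datagram that was addressed to the server's public address fails the check as soon as something rewrites the destination to 192.168.178.2 without touching the UDP header; the receiving kernel then drops it and logs exactly this message. The client address and the private server address come from the kern.log lines above; the server's public address (203.0.113.10) is a constructed placeholder because the post does not give it, and the 108-byte payload is constructed so that the UDP length is 116 as in the log. The fix-up function applies the incremental checksum update from RFC 1624 and is verified against a full recomputation.

```python
"""UDP checksum vs. destination-address rewriting (added example, not from the post)."""
import struct
from ipaddress import IPv4Address

UDP_PROTO = 17

# Addresses: the client address and 192.168.178.2 are taken from the post's
# kernel log; the server's public address is a constructed placeholder
# (TEST-NET-3) because the post does not give it.
CLIENT_IP = "84.171.243.24"
SERVER_PUBLIC_IP = "203.0.113.10"
SERVER_PRIVATE_IP = "192.168.178.2"
L2TP_PORT = 1701

# Constructed 108-byte payload so that the UDP length is 116, as in the log.
PAYLOAD = b"\xc8\x02" + bytes(range(106))


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header that RFC 768 folds into the UDP checksum."""
    return (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum for a segment whose checksum field is currently zero."""
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    csum = (~total) & 0xFFFF
    return csum or 0xFFFF                    # a computed 0 is sent as 0xFFFF (0 means "no checksum")


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload with a checksum valid for the given address pair."""
    ulen = 8 + len(payload)
    segment = struct.pack("!HHHH", sport, dport, ulen, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, segment)
    return struct.pack("!HHHH", sport, dport, ulen, csum) + payload


def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header + segment, checksum
    field included, must be all ones. A failure here is what the kernel
    reports as 'UDP: bad checksum' before dropping the datagram."""
    if len(segment) < 8:
        return False
    _, _, ulen, csum = struct.unpack("!HHHH", segment[:8])
    if ulen != len(segment):
        return False
    if csum == 0:
        return True                          # sender disabled the checksum (IPv4 only)
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, ulen) + segment) == 0xFFFF


def nat_fixup_checksum(segment: bytes, old_dst: str, new_dst: str) -> bytes:
    """Incremental checksum update (RFC 1624) for a destination rewrite:
    subtract the old address words, add the new ones, no full recompute."""
    sport, dport, ulen, csum = struct.unpack("!HHHH", segment[:8])
    if csum == 0:
        return segment                       # nothing to fix when checksum is disabled
    acc = (~csum) & 0xFFFF                   # back to the one's-complement sum
    for word in struct.unpack("!HH", IPv4Address(old_dst).packed):
        acc += (~word) & 0xFFFF              # subtracting = adding the complement
    for word in struct.unpack("!HH", IPv4Address(new_dst).packed):
        acc += word
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    new_csum = ((~acc) & 0xFFFF) or 0xFFFF
    return struct.pack("!HHHH", sport, dport, ulen, new_csum) + segment[8:]


def run_scenario():
    """Returns (valid as sent, valid after a blind address rewrite, valid after fix-up)."""
    sent = build_udp(CLIENT_IP, SERVER_PUBLIC_IP, L2TP_PORT, L2TP_PORT, PAYLOAD)
    # The IP destination was rewritten to the private address but the UDP
    # header was left alone: this is the failing case from the kernel log.
    blind = verify_udp(CLIENT_IP, SERVER_PRIVATE_IP, sent)
    fixed = nat_fixup_checksum(sent, SERVER_PUBLIC_IP, SERVER_PRIVATE_IP)
    return (verify_udp(CLIENT_IP, SERVER_PUBLIC_IP, sent),
            blind,
            verify_udp(CLIENT_IP, SERVER_PRIVATE_IP, fixed))


if __name__ == "__main__":
    print(run_scenario())                    # (True, False, True)
```

The middle value of `run_scenario()` is the situation in the log: the datagram is intact, only the pseudo-header no longer matches, so every L2TP packet is rejected even though the IPsec SA itself is fine. Whatever component rewrites the inner destination (here the NAT-server patch is the suspect) has to update the UDP checksum as `nat_fixup_checksum` does, or recompute it; an MTU problem would show up as fragmentation or truncated datagrams (a `ulen` that does not match the received length) rather than as a checksum mismatch on a datagram whose length fields agree, as they do in the log.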