[Openswan Users] udp fragmented ike packet

Marco Berizzi pupilla at hotmail.com
Fri Dec 22 05:11:00 EST 2006


Hello everybody.
I have a strange problem with a Windows XP SP2
roadwarrior behind an ADSL router (the router
is also [P]NATting) and a Linux 2.6.19.1 with
Openswan 2.4.7.
The roadwarrior isn't able to establish the
IPsec tunnel. Openswan logs this:

10:18:50 Hercules pluto[709]: packet from windows_xp_rw:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
10:18:50 Hercules pluto[709]: packet from windows_xp_rw:500: ignoring
Vendor ID payload [FRAGMENTATION]
10:18:50 Hercules pluto[709]: packet from windows_xp_rw:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
10:18:50 Hercules pluto[709]: packet from windows_xp_rw:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
10:18:50 Hercules pluto[709]: "rw"[76] windows_xp_rw #1744: responding
to Main Mode from unknown peer windows_xp_rw
10:18:50 Hercules pluto[709]: "rw"[76] windows_xp_rw #1744: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
10:18:50 Hercules pluto[709]: "rw"[76] windows_xp_rw #1744:
STATE_MAIN_R1: sent MR1, expecting MI2
10:18:50 Hercules pluto[709]: "rw"[76] windows_xp_rw #1744:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
NATed
10:18:50 Hercules pluto[709]: "rw"[76] windows_xp_rw #1744: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
10:18:50 Hercules pluto[709]: "rw"[76] windows_xp_rw #1744:
STATE_MAIN_R2: sent MR2, expecting MI3
10:18:50 Hercules pluto[709]: "rw"[76] windows_xp_rw #1744: Main mode
peer ID is ID_DER_ASN1_DN: 'C=I, ST=V, L=M, O=A, OU=I, CN=C, E=f'
10:18:50 Hercules pluto[709]: "rw"[76] windows_xp_rw #1744: no crl from
issuer "C=I, ST=V, L=M, O=A, OU=I, CN=A, E=p" found (strict=no)
10:18:50 Hercules pluto[709]: "rw"[76] windows_xp_rw #1744: I am sending
my cert
10:18:50 Hercules pluto[709]: "rw"[76] windows_xp_rw #1744: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
10:18:50 Hercules pluto[709]: | NAT-T: new mapping
windows_xp_rw:500/4500)
10:18:50 Hercules pluto[709]: "rw"[76] windows_xp_rw #1744:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
10:18:51 Hercules pluto[709]: "rw"[76] windows_xp_rw #1744:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
10:18:53 Hercules pluto[709]: "rw"[76] windows_xp_rw #1744:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
10:18:57 Hercules pluto[709]: "rw"[76] windows_xp_rw #1744: discarding
duplicate packet -- exhausted retransmission; already STATE_MAIN_R3

and this is the tcpdump on the public openswan interface:

10:18:50.127103 IP (tos 0x0, ttl 114, id 2145, offset 0, flags [none],
length: 304) windows_xp_rw.500 > openswan.500: isakmp 1.0 msgid : phase
1 I ident: [|sa]
10:18:50.128400 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],
length: 168) openswan.500 > windows_xp_rw.500: isakmp 1.0 msgid : phase
1 R ident: [|sa]
10:18:50.288193 IP (tos 0x0, ttl 114, id 2146, offset 0, flags [none],
length: 260) windows_xp_rw.500 > openswan.500: isakmp 1.0 msgid : phase
1 I ident: [|ke]
10:18:50.326459 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],
length: 256) openswan.500 > windows_xp_rw.500: isakmp 1.0 msgid : phase
1 R ident: [|ke]
10:18:50.552756 IP (tos 0x0, ttl 115, id 2147, offset 0, flags [+],
length: 1500) windows_xp_rw.4500 > openswan.4500: UDP, length: 1944
10:18:50.557379 IP (tos 0x0, ttl 114, id 2147, offset 1480, flags
[none], length: 492) windows_xp_rw > openswan: udp
10:18:50.711665 IP (tos 0x0, ttl  64, id 45031, offset 0, flags [+],
length: 1500) openswan.4500 > windows_xp_rw.4500: UDP, length: 1640
10:18:50.711693 IP (tos 0x0, ttl  64, id 45031, offset 1480, flags
[none], length: 188) openswan > windows_xp_rw: udp
10:18:51.092529 IP (tos 0x0, ttl 115, id 2148, offset 0, flags [+],
length: 1500) windows_xp_rw.4500 > openswan.4500: UDP, length: 1944
10:18:51.097526 IP (tos 0x0, ttl 114, id 2148, offset 1480, flags
[none], length: 492) windows_xp_rw > openswan: udp
10:18:51.098284 IP (tos 0x0, ttl  64, id 45032, offset 0, flags [+],
length: 1500) openswan.4500 > windows_xp_rw.4500: UDP, length: 1640
10:18:51.098309 IP (tos 0x0, ttl  64, id 45032, offset 1480, flags
[none], length: 188) openswan > windows_xp_rw: udp
10:18:53.093290 IP (tos 0x0, ttl 115, id 2151, offset 0, flags [+],
length: 1500) windows_xp_rw.4500 > openswan.4500: UDP, length: 1944
10:18:53.098151 IP (tos 0x0, ttl 114, id 2151, offset 1480, flags
[none], length: 492) windows_xp_rw > openswan: udp
10:18:53.098842 IP (tos 0x0, ttl  64, id 45033, offset 0, flags [+],
length: 1500) openswan.4500 > windows_xp_rw.4500: UDP, length: 1640
10:18:53.098867 IP (tos 0x0, ttl  64, id 45033, offset 1480, flags
[none], length: 188) openswan > windows_xp_rw: udp
10:18:57.100315 IP (tos 0x0, ttl 115, id 2153, offset 0, flags [+],
length: 1500) windows_xp_rw.4500 > openswan.4500: UDP, length: 1944
10:18:57.105274 IP (tos 0x0, ttl 114, id 2153, offset 1480, flags
[none], length: 492) windows_xp_rw > openswan: udp

As you can see, the UDP IKE packets are fragmented.
Is this a problem for Openswan?

This is the network schema:

windows xp rw with private ip === adsl pnat/router===internet
openswan with public ip === isp router ==============internet
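
A check for the capture above, as an added example that is not part of the original post: it groups tcpdump lines by sender and IP id and tests whether every fragment of each UDP datagram is present at the capture point. The function name, the 20-byte IP header assumption and the last sample line (id 9999) are constructed for illustration.

```python
import re
from collections import defaultdict

IP_HDR, UDP_HDR = 20, 8  # assumption: IPv4 header without options

# First four lines are from the capture in the post (re-joined onto one line
# each); the last line (id 9999) is constructed: a datagram missing its tail.
CAPTURE = [
    "10:18:50.552756 IP (tos 0x0, ttl 115, id 2147, offset 0, flags [+], length: 1500) windows_xp_rw.4500 > openswan.4500: UDP, length: 1944",
    "10:18:50.557379 IP (tos 0x0, ttl 114, id 2147, offset 1480, flags [none], length: 492) windows_xp_rw > openswan: udp",
    "10:18:50.711665 IP (tos 0x0, ttl  64, id 45031, offset 0, flags [+], length: 1500) openswan.4500 > windows_xp_rw.4500: UDP, length: 1640",
    "10:18:50.711693 IP (tos 0x0, ttl  64, id 45031, offset 1480, flags [none], length: 188) openswan > windows_xp_rw: udp",
    "10:19:01.000000 IP (tos 0x0, ttl 115, id 9999, offset 0, flags [+], length: 1500) windows_xp_rw.4500 > openswan.4500: UDP, length: 1944",
]

LINE = re.compile(r"id (\d+), offset (\d+), flags \[([^\]]*)\], length: (\d+)\) "
                  r"(\S+) > \S+: (?:UDP, length: (\d+))?")

def reassembly_report(lines):
    """Return {(src, ip_id): (complete, bytes_covered)} for UDP datagrams."""
    frags = defaultdict(dict)  # (src, ip_id) -> {offset: (payload_len, MF)}
    udp_len = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        ip_id, off, flags, length, src, ulen = m.groups()
        off = int(off)
        if off == 0:  # only the first fragment carries the UDP port suffix
            src = src.rsplit(".", 1)[0]
        key = (src, int(ip_id))
        frags[key][off] = (int(length) - IP_HDR, "+" in flags)
        if ulen:
            udp_len[key] = int(ulen)
    report = {}
    for key, parts in frags.items():
        pos, more = 0, True
        while more and pos in parts:  # walk contiguous fragments from offset 0
            size, more = parts[pos]
            pos += size
        complete = not more  # last fragment seen must have MF clear
        if complete and key in udp_len:  # cross-check against UDP payload size
            complete = pos == udp_len[key] + UDP_HDR
        report[key] = (complete, pos)
    return report

if __name__ == "__main__":
    for key, (ok, size) in reassembly_report(CAPTURE).items():
        print(key, "complete" if ok else "INCOMPLETE", size)
```

A datagram reported incomplete was lost before the capture point. For outbound datagrams, "complete" only means all fragments left this interface, not that they reached the peer.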



