[Openswan Users] IPSEC(epa_des_crypt): decrypted packet failed SA identity
Markus Locher
ml at as-support.com
Thu Dec 18 04:44:20 EST 2008
Hello List,
after many hours of searching and reading logfiles, I got the ipsec up
and working. Now if I send packages to the server, the server (CISCO
router) tells me one line with "debug crypto ipsec" on:
>>> IPSEC(epa_des_crypt): decrypted packet failed SA identity
That's all!
Don't know exactly which log or config files you could use, but I enter
some data below.
There are many different comments in the web for this error, but not
really a solution until now. It may be a very variable error message.
So let's find a solution for this one.
Thanks Markus
PS: I tried a lot with mtu and stuff but that doesn't solve the problem!
The router has an "adaptive" rule for mtu size:
------------Config cisco router ----------------
interface Virtual-Template1
ip unnumbered BVI1
ip nat inside
ip virtual-reassembly
peer default ip address dhcp-pool ASK-Firma
ppp mtu adaptive
ppp authentication chap ms-chap ms-chap-v2
------------------------------------------------------
-------- Output of ipsec start ----------- (last line)
004 "L2TPPSKCLIENT" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
transport mode {ESP=>0xf823215d <0x6941a41d xfrm=3DES_0-HMAC_SHA1
NATOA=none NATD=none DPD=enabled}
------------------------------------------------------------------
------------ Output of a tcpdump ---------at the time I start openl2tpd
(!) ----------
# tcpdump -vn |grep -i esp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96
bytes
2589:10:39:57.171405 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF],
proto ESP (50), length 208) 87.106.244.79 > 217.91.16.223:
ESP(spi=0x9b8ab0cd,seq=0x1), length 188
2605:10:39:59.670835 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF],
proto ESP (50), length 208) 87.106.244.79 > 217.91.16.223:
ESP(spi=0x9b8ab0cd,seq=0x2), length 188
2612:10:40:00.920828 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF],
proto ESP (50), length 208) 87.106.244.79 > 217.91.16.223:
ESP(spi=0x9b8ab0cd,seq=0x3), length 188
----------------------------------------------------------------------------------------------------------
----------- Entries of "setkey -DP" -------- after startup of ipsec (!)
-----------------
# setkey -DP
(per-socket policy)
Policy:[Invalid direciton]
created: Dec 18 10:41:14 2008 lastused: Dec 18 10:41:19 2008
lifetime: 0(s) validtime: 0(s)
spid=323 seq=1 pid=11904
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Dec 18 10:41:14 2008 lastused: Dec 18 10:41:19 2008
lifetime: 0(s) validtime: 0(s)
spid=332 seq=2 pid=11904
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Dec 18 10:41:14 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=339 seq=3 pid=11904
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Dec 18 10:41:14 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=348 seq=4 pid=11904
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Dec 18 10:41:14 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=355 seq=5 pid=11904
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Dec 18 10:41:14 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=364 seq=6 pid=11904
refcnt=1
217.91.16.223[any] 87.106.244.79[any] udp
in prio high + 1073739744 ipsec
esp/transport//unique#16385
created: Dec 18 10:41:19 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=368 seq=7 pid=11904
refcnt=1
87.106.244.79[any] 217.91.16.223[any] udp
out prio high + 1073739744 ipsec
esp/transport//unique#16385
created: Dec 18 10:41:19 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=377 seq=0 pid=11904
refcnt=1
--------------------------------------------------------------------------------------------------------
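
A cross-check that can be run on the two outputs quoted above, as an added example (not part of the original post and not Openswan code): it compares the SPI of each captured ESP packet with the SPI pair in the "IPsec SA established" line. It assumes that `=>` marks the outbound SPI and `<` the inbound one, and that 87.106.244.79 is the Openswan host; the function names are hypothetical, and outputs taken from different runs of the tunnel will naturally disagree.

```python
import re

# Constructed sample input: the SA line and tcpdump text copied from the post
# above, including the line wrapping introduced by the e-mail.
PLUTO_LINE = """STATE_QUICK_I2: sent QI2, IPsec SA established
transport mode {ESP=>0xf823215d <0x6941a41d xfrm=3DES_0-HMAC_SHA1"""
CAPTURE = """proto ESP (50), length 208) 87.106.244.79 > 217.91.16.223:
ESP(spi=0x9b8ab0cd,seq=0x1), length 188
proto ESP (50), length 208) 87.106.244.79 > 217.91.16.223:
ESP(spi=0x9b8ab0cd,seq=0x2), length 188
proto ESP (50), length 208) 87.106.244.79 > 217.91.16.223:
ESP(spi=0x9b8ab0cd,seq=0x3), length 188"""
LOCAL_IP = "87.106.244.79"  # assumption: the Openswan host is the sender here

SA_RE = re.compile(r"ESP=>0x([0-9a-f]+) <0x([0-9a-f]+)", re.I)
ESP_RE = re.compile(
    r"(\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}): "
    r"ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)", re.I)

def unwrap(text):
    """Collapse wrapped lines so one record can be matched by one regex."""
    return " ".join(text.split())

def parse_sa(line):
    """Return (outbound_spi, inbound_spi) from the 'IPsec SA established' line."""
    m = SA_RE.search(unwrap(line))
    if m is None:
        raise ValueError("no ESP SPI pair found")
    return int(m.group(1), 16), int(m.group(2), 16)

def check_capture(text, local_ip, out_spi, in_spi):
    """Return one (src, dst, spi, seq, matches_sa) tuple per ESP packet."""
    rows = []
    for src, dst, spi, seq in ESP_RE.findall(unwrap(text)):
        # Packets we send must carry the outbound SPI, packets we receive
        # the inbound one; anything else belongs to a different SA.
        expected = out_spi if src == local_ip else in_spi
        rows.append((src, dst, int(spi, 16), int(seq, 16),
                     int(spi, 16) == expected))
    return rows

if __name__ == "__main__":
    out_spi, in_spi = parse_sa(PLUTO_LINE)
    print(f"SA: outbound=0x{out_spi:08x} inbound=0x{in_spi:08x}")
    for src, dst, spi, seq, ok in check_capture(CAPTURE, LOCAL_IP, out_spi, in_spi):
        verdict = "matches SA" if ok else "SPI not in this SA"
        print(f"{src} > {dst} spi=0x{spi:08x} seq={seq}: {verdict}")
```
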