[Openswan Users] PAYLOAD_MALFORMED

openswan at thefeds.net openswan at thefeds.net
Thu Dec 18 12:31:10 EST 2008


Hi Harald,

I am convinced it is not a network issue, but rather an Openswan bug or 
configuration error.

I have Gb/s of traffic flowing over the same infrastructure with no 
issues, I can ping between the servers without the packets becoming 
damaged.

I have found I can cause lots of PAYLOAD_MALFORMED errors to be logged by 
running "/etc/init.d/ipsec restart" on one of the servers. When I do this 
some of the connections will report malformed packets, but which servers 
is not repeatable. Furthermore some of these servers will not be able to 
ping the server that got the restart. I can see the echo requests arriving 
in ESP packets, but there is something wrong with the connection so they 
are unencapsulated. Pinging in the other direction has the same result. 
But as soon as I do an "ipsec auto --up <con name>" a new SA is 
established successfully and the ping springs into life. I can do the --up 
at either end with the same result.

Looking back through my logs I think that every time I have 
PAYLOAD_MALFORMED in my logs ties up with either me restarting openswan or 
one of two periods when one of my transit providers was performing maintenance 
and so traffic was interrupted. During these periods my other traffic had 
a brief interruption until BGP reconverged over my other transit provider.

Therefore I think my problem is to do with Openswan restarting SAs. 
Probably to do with it restarting lots of SAs at the same time. When I had 
built 6 of the 12 servers I rarely had these problems, now I have 12 the 
problems are far more than twice as frequent.

Tim

On Thu, 18 Dec 2008, harald.meyer7 at freenet.de wrote:

> Hi Tim!
>
>> I am experimenting with 12 Centos servers and Openswan. Mostly they
>> work fine, however I am running into occasional problems which always
>> include PAYLOAD_MALFORMED in the log messages. Often the logs point to
>> unknown hash payloads or non zero bytes.
>
> Did you figure out that no inexpensive/inferior NAT router changes the
> packet data in an unallowed way?
>
> Malformed packets could only be caused by bogus implementations or
> changing of data packets on the way between your endpoints.
>
> Bogus implementation should be impossible because of no problems
> at your other sites.
>
>
> Harald
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
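Tim's diagnosis rests on correlating PAYLOAD_MALFORMED log entries with ipsec restarts. The script below is an added example, not code from this thread or from the Openswan project: it parses syslog-style pluto lines, records "Starting Pluto" events as restart markers, and reports which connections logged PAYLOAD_MALFORMED within a configurable window of a restart versus in isolation. The log lines are constructed for the example and only loosely imitate pluto's format; the year and the exact message wording are assumptions, so adjust the regex to your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in syslog style, loosely modelled on pluto output.
# These lines are illustrative only, not a capture from any real host.
SAMPLE_LOG = """\
Dec 18 12:00:01 vpn01 pluto[2210]: Starting Pluto (Openswan Version 2.6.x)
Dec 18 12:00:03 vpn01 pluto[2210]: "site07" #12: received Delete SA payload: deleting ISAKMP State #12
Dec 18 12:00:04 vpn01 pluto[2210]: "site03" #14: ignoring informational payload, type PAYLOAD_MALFORMED
Dec 18 12:00:05 vpn01 pluto[2210]: "site09" #15: sending notification PAYLOAD_MALFORMED to 192.0.2.9:500
Dec 18 12:00:06 vpn01 pluto[2210]: "site03" #16: sending notification PAYLOAD_MALFORMED to 192.0.2.3:500
Dec 18 12:00:40 vpn01 pluto[2210]: "site05" #18: STATE_QUICK_I2: sent QI2, IPsec SA established
Dec 18 14:30:12 vpn01 pluto[2210]: "site11" #40: ignoring informational payload, type PAYLOAD_MALFORMED
"""

# Syslog timestamp, host, "pluto[pid]:", optional '"conn" #state:' prefix, message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #\d+: )?(?P<msg>.*)$'
)
RESTART_MARK = "Starting Pluto"      # assumed marker of a pluto (re)start
MALFORMED_MARK = "PAYLOAD_MALFORMED"


def parse_line(line, year=2008):
    """Return (timestamp, connection name or None, message) or None if no match.
    Syslog lines carry no year, so the caller supplies one (assumed 2008 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("conn"), m.group("msg")


def correlate(log_text, window_seconds=60, year=2008):
    """Split PAYLOAD_MALFORMED events into those within window_seconds of a
    restart marker (counted per connection) and those with no nearby restart."""
    restarts, malformed = [], []
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, conn, msg = parsed
        if RESTART_MARK in msg:
            restarts.append(ts)
        elif MALFORMED_MARK in msg:
            malformed.append((ts, conn or "<no conn>"))

    window = timedelta(seconds=window_seconds)
    near_restart = defaultdict(int)
    isolated = []
    for ts, conn in malformed:
        if any(abs(ts - r) <= window for r in restarts):
            near_restart[conn] += 1
        else:
            isolated.append((ts, conn))
    return {
        "restarts": restarts,
        "near_restart": dict(near_restart),
        "isolated": isolated,
    }


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    print("restarts:", [t.isoformat() for t in result["restarts"]])
    print("malformed within window of a restart:", result["near_restart"])
    for ts, conn in result["isolated"]:
        print("isolated malformed event:", ts.isoformat(), conn)
```

Events that cluster around a restart support the explanation in the thread (many SAs being torn down and renegotiated at once), while isolated events are the ones worth checking against other causes such as path changes during provider maintenance.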

