[Openswan Users] PAYLOAD_MALFORMED

Paul Wouters paul at xelerance.com
Thu Dec 18 14:10:59 EST 2008


On Thu, 18 Dec 2008, openswan at thefeds.net wrote:

> I have found I can cause lots of PAYLOAD_MALFORMED errors to be logged by
> running "/etc/init.d/ipsec restart" on one of the servers. When I do this
> some of the connections will report malformed packets, but which servers
> is not repeatable. Furthermore some of these servers will not be able to

Well, that makes sense, since the restarted openswan now no longer has any
phase 1 state. If you are using PSK, then messages sent from a non-restarted
unit to a restarted unit will be completely unreadable and unidentifiable by the
restarted unit.

Note also that "ipsec restart" causes the existing phase 2's to die, so
packet flow will also stop.

> Therefore I think my problem is to do with Openswan restarting SAs.

You are not just restarting SA's, you are killing all the phase1 and phase2
of a server by restarting it like that. Though it should send out Notify/Delete's
to the other end if the connection is still functional at the time you restarted.

Paul
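
An added example, not part of the message above and not Openswan code: a small Python model of the lookup a restarted IKEv1 responder faces, assuming phase 1 state is keyed by the ISAKMP cookie pair from the RFC 2408 header. The function names, the state table and the packets are constructed for illustration.

```python
import struct

# ISAKMP fixed header (RFC 2408 section 3.1), 28 bytes:
# initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message ID, total length.
HEADER = struct.Struct("!8s8sBBBBII")
FLAG_ENCRYPTED = 0x01
MAIN_MODE, QUICK_MODE = 2, 32
ZERO_COOKIE = bytes(8)

def parse_header(packet):
    if len(packet) < HEADER.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    icookie, rcookie, _np, _ver, exchange, flags, msgid, length = \
        HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("length field does not match datagram size")
    return {"cookies": (icookie, rcookie), "exchange": exchange,
            "encrypted": bool(flags & FLAG_ENCRYPTED), "msgid": msgid}

def classify(packet, phase1_table):
    """phase1_table: set of (icookie, rcookie) pairs, a hypothetical
    stand-in for the daemon's in-memory phase 1 state."""
    hdr = parse_header(packet)
    if hdr["cookies"] in phase1_table:
        return "known-phase1"       # keys are available, body can be decrypted
    if hdr["encrypted"]:
        return "unreadable"         # encrypted, but no phase 1 keys to use
    if hdr["cookies"][1] == ZERO_COOKIE:
        return "new-negotiation"    # first packet of a fresh phase 1
    return "unknown-cleartext"

def build_packet(icookie, rcookie, np, exchange, flags, msgid, body):
    # Constructed sample data; the zero-filled body stands in for payloads.
    return HEADER.pack(icookie, rcookie, np, 0x10, exchange, flags, msgid,
                       HEADER.size + len(body)) + body

# Constructed cookies and messages from a peer that was NOT restarted.
PEER_COOKIES = (bytes.fromhex("1122334455667788"),
                bytes.fromhex("99aabbccddeeff00"))
QUICK = build_packet(*PEER_COOKIES, 8, QUICK_MODE, FLAG_ENCRYPTED,
                     0x5A5A5A5A, bytes(32))
FRESH = build_packet(PEER_COOKIES[0], ZERO_COOKIE, 1, MAIN_MODE, 0, 0,
                     bytes(32))

if __name__ == "__main__":
    print("before restart:", classify(QUICK, {PEER_COOKIES}))
    print("after restart: ", classify(QUICK, set()))
    print("renegotiation: ", classify(FRESH, set()))
```

The same encrypted phase 2 message is usable while the cookie pair is in the table and unusable once the table is empty; only a fresh phase 1 negotiation gets the peers back in sync.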

