[Openswan Users] PAYLOAD_MALFORMED

openswan at thefeds.net openswan at thefeds.net
Thu Dec 18 20:18:14 EST 2008


That does make sense and probably explains the malformed packets. The 
real trouble is that once both ends have established new phase 1 and phase 
2 SAs, pings between the hosts are still failing in both directions and 
will do for hours, until I do an "ipsec --up <con name>".

Maybe the non restarted end is using an old SA for all packets and 
therefore the restarted end can't decrypt the packets. But why haven't I 
seen this with previous versions of openswan that I have used? (circa 2 
years old). Also why are only some connections affected?

I will have to continue digging tomorrow.

Tim

On Thu, 18 Dec 2008, Paul Wouters wrote:

> On Thu, 18 Dec 2008, openswan at thefeds.net wrote:
>
>>  I have found I can cause lots of PAYLOAD_MALFORMED errors to be logged by
>>  running "/etc/init.d/ipsec restart" on one of the servers. When I do this
>>  some of the connections will report malformed packets, but which servers
>>  is not repeatable. Furthermore some of these servers will not be able to
>
> Well, that makes sense, since the restarted openswan now no longer has any
> phase 1 state. If you are using PSK, then messages sent from a non-restarted
> unit to restarted unit will be completely unreadable and unidentifiable by 
> the
> restarted unit.
>
> Note also that "ipsec restart" causes the existing phase 2's to die, so
> packet flow will also stop.
>
>>  Therefore I think my problem is to do with Openswan restarting SAs.
>
> you are not just restarting SA's, you are killing all the phase1 and phase2
> of a server by restarting it like that. Though it should send out 
> Notify/Delete's
> to the other end if the connecton is still functional at the time you 
> restarted.
>
> Paul
>
>


More information about the Users mailing list