[Openswan Users] PAYLOAD_MALFORMED
openswan at thefeds.net
openswan at thefeds.net
Thu Dec 18 20:18:14 EST 2008
That does make sense and probably explains the malformed packets. The
real trouble is that once both ends have established new phase 1 and phase
2 SAs, pings between the hosts are still failing in both directions and
will do for hours, until I do an "ipsec --up <con name>".
Maybe the non restarted end is using an old SA for all packets and
therefore the restarted end can't decrypt the packets. But why haven't I
seen this with previous versions of openswan that I have used? (circa 2
years old). Also why are only some connections affected?
I will have to continue digging tomorrow.
Tim
On Thu, 18 Dec 2008, Paul Wouters wrote:
> On Thu, 18 Dec 2008, openswan at thefeds.net wrote:
>
>> I have found I can cause lots of PAYLOAD_MALFORMED errors to be logged by
>> running "/etc/init.d/ipsec restart" on one of the servers. When I do this
>> some of the connections will report malformed packets, but which servers
>> is not repeatable. Furthermore some of these servers will not be able to
>
> Well, that makes sense, since the restarted openswan now no longer has any
> phase 1 state. If you are using PSK, then messages sent from a non-restarted
> unit to restarted unit will be completely unreadable and unidentifiable by
> the
> restarted unit.
>
> Note also that "ipsec restart" causes the existing phase 2's to die, so
> packet flow will also stop.
>
>> Therefore I think my problem is to do with Openswan restarting SAs.
>
> you are not just restarting SA's, you are killing all the phase1 and phase2
> of a server by restarting it like that. Though it should send out
> Notify/Delete's
> to the other end if the connecton is still functional at the time you
> restarted.
>
> Paul
>
>
More information about the Users
mailing list