[Openswan Users] INVALID_SPI
Sebastien COUPPEY
sebastien.couppey at zero9.it
Mon Feb 11 08:44:19 EST 2008
Hello,
Yesterday I got thousands of lines reading "ignoring informational payload,
type INVALID_SPI":
...
Feb 10 12:23:36 frw01 pluto[9461]: "Openswan-to-cisco3080" #250689: Dead Peer Detection (RFC 3706): enabled
Feb 10 12:23:36 frw01 pluto[9461]: "Openswan-to-cisco3080" #250689: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 10 12:23:36 frw01 pluto[9461]: "Openswan-to-cisco3080" #250689: STATE_QUICK_R2: IPsec SA established {ESP=>0x03be64ae <0x857a7939 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=enabled}
Feb 10 12:23:36 frw01 pluto[9461]: "Openswan-to-cisco3080" #250687: ignoring informational payload, type INVALID_SPI
Feb 10 12:23:36 frw01 pluto[9461]: "Openswan-to-cisco3080" #250687: received and ignored informational message
Feb 10 12:23:36 frw01 pluto[9461]: "Openswan-to-cisco3080" #250687: ignoring informational payload, type INVALID_SPI
Feb 10 12:23:36 frw01 pluto[9461]: "Openswan-to-cisco3080" #250687: received and ignored informational message
Feb 10 12:23:37 frw01 pluto[9461]: "Openswan-to-cisco3080" #250687: ignoring informational payload, type INVALID_SPI
Feb 10 12:23:37 frw01 pluto[9461]: "Openswan-to-cisco3080" #250687: received and ignored informational message
Feb 10 12:23:37 frw01 pluto[9461]: "Openswan-to-cisco3080" #250687: ignoring informational payload, type INVALID_SPI
Feb 10 12:23:37 frw01 pluto[9461]: "Openswan-to-cisco3080" #250687: received and ignored informational message
...
After some research in the mailing list archives I have already read some
unanswered threads:
http://article.gmane.org/gmane.network.openswan.user/4437/match=invalid%5fspi
A document from mGuard dealing with Cisco devices has a short
description of the error:
http://www.innominate.de/images/stories/documents/interop/Interop_mGuard_CiscoPIX.pdf
"If the mGuard log displays the message “ignoring informational
payload, type INVALID_SPI” then the specified source and destination
network IPs were swapped in the access-list."
Does it mean that the cause could be the same for Openswan?
How could the 'access-list' be inverted when there is no such concept
in Openswan?
Manually restarting the tunnel (down then up) solved the problem :(
Any advice on how to avoid these errors?
Thanks
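As an added example (not part of the original post and not Openswan's own code), here is a small Python parser that runs over the pluto lines quoted above plus a few constructed lines. It records the SPIs pluto printed when an IPsec SA was established, counts INVALID_SPI notifications per connection and per ISAKMP state number, and flags a burst inside a sliding time window so a monitoring job could act (for example bounce the connection) instead of waiting for a manual down/up. INVALID_SPI is ISAKMP notify type 11 (RFC 2408, section 3.14.1): the peer reports that it received a packet carrying an SPI it does not know. The second connection name "lan-to-branch", the extra log lines marked as constructed, and the window/threshold values are assumptions.

```python
"""Parse Openswan pluto log lines and flag a burst of INVALID_SPI notifies.

Added example, not code from the original post or from Openswan.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# syslog-style pluto line: "<ts> <host> pluto[<pid>]: "<conn>" #<state>: <msg>"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
# SPIs pluto prints when an IPsec SA comes up: ESP=>outbound <inbound
SA_RE = re.compile(r'IPsec SA established \{ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)')
# ISAKMP informational notify (INVALID_SPI is notify type 11, RFC 2408 section 3.14.1)
NOTIFY_RE = re.compile(r'ignoring informational payload, type (?P<notify>[A-Z_]+)')


def parse_line(line):
    """Return a dict for a pluto connection/state line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; strptime defaults to 1900 and only deltas are used.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["state"] = int(rec["state"])
    sa = SA_RE.search(rec["msg"])
    notify = NOTIFY_RE.search(rec["msg"])
    if sa:
        rec["event"] = ("sa_established", sa.group("out"), sa.group("in"))
    elif notify:
        rec["event"] = ("notify", notify.group("notify"))
    else:
        rec["event"] = ("other",)
    return rec


def analyze(lines, window_seconds=60, threshold=10):
    """Per connection: established SAs (state, out SPI, in SPI), INVALID_SPI count,
    the state numbers the notifies were attached to, and whether `threshold` or more
    INVALID_SPI notifies arrived within any `window_seconds` interval."""
    report = {}
    windows = defaultdict(deque)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        r = report.setdefault(rec["conn"], {"sas": [], "invalid_spi": 0,
                                            "notify_states": set(), "burst": False})
        ev = rec["event"]
        if ev[0] == "sa_established":
            r["sas"].append((rec["state"], ev[1], ev[2]))
        elif ev[0] == "notify" and ev[1] == "INVALID_SPI":
            r["invalid_spi"] += 1
            r["notify_states"].add(rec["state"])
            w = windows[rec["conn"]]
            w.append(rec["ts"])
            while (rec["ts"] - w[0]).total_seconds() > window_seconds:
                w.popleft()  # drop notifies that fell out of the window
            if len(w) >= threshold:
                r["burst"] = True
    return report


P = 'frw01 pluto[9461]: "Openswan-to-cisco3080"'
Q = 'frw01 pluto[9461]: "lan-to-branch"'  # constructed second connection
SAMPLE_LINES = [
    # lines quoted in the post
    f'Feb 10 12:23:36 {P} #250689: Dead Peer Detection (RFC 3706): enabled',
    f'Feb 10 12:23:36 {P} #250689: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2',
    f'Feb 10 12:23:36 {P} #250689: STATE_QUICK_R2: IPsec SA established {{ESP=>0x03be64ae '
    '<0x857a7939 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=enabled}',
] + [f'Feb 10 12:23:3{s} {P} #250687: ignoring informational payload, type INVALID_SPI'
     for s in (6, 6, 7, 7)] + [
    # constructed continuation of the burst (the post says there were thousands)
    f'Feb 10 12:23:{s} {P} #250687: ignoring informational payload, type INVALID_SPI'
    for s in range(38, 46)] + [
    # constructed unrelated line without a connection/state prefix, and a quiet connection
    'Feb 10 12:23:36 frw01 pluto[9461]: packet from 198.51.100.7:500: received Vendor ID payload',
    f'Feb 10 12:30:00 {Q} #300001: ignoring informational payload, type INVALID_SPI',
    f'Feb 10 12:45:00 {Q} #300001: ignoring informational payload, type INVALID_SPI',
]

if __name__ == "__main__":
    for conn, r in analyze(SAMPLE_LINES).items():
        print(conn, "SAs:", r["sas"], "INVALID_SPI:", r["invalid_spi"],
              "on states:", sorted(r["notify_states"]), "burst:", r["burst"])
```

Run against the quoted lines the report shows the SA that came up under state #250689 with its two SPIs, while every INVALID_SPI notify is attached to the older state #250687; keeping both facts side by side is what lets an operator compare the SPIs the peer complains about with the ones pluto believes are current before deciding to bounce the connection.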