[Openswan Users] One-Way SA Failure
Zachary Kotlarek
zach at kotlarek.com
Thu Jun 26 06:08:31 EDT 2008
I've got two OpenSwan systems that will form an SA in one direction
but not the other. I get to STATE_QUICK_I1 on both sides without a
problem. One side then quickly establishes an SA and starts the tunnel
(or at least claims to), while the other side sits around
retransmitting.
I've got a very similar configuration (different subnet and
certificate, otherwise identical) between Leeloo and another host that
works fine, and for the life of me I can't figure out what's wrong
with this one. I'd appreciate any suggestions.
I'm getting this error on the Pancho end, but I'm not sure if it's the
root cause or just a symptom, and either way Google offered little
help in diagnosing it:
"panchoInetLeeloo" #70: responding to Quick Mode proposal {msgid: 38d61ccc}
"panchoInetLeeloo" #70: ERROR: netlink response for Add SA comp.93d at 66.43.220.65 included errno 22: Invalid argument
Later I get things like this, but I'm pretty sure these are secondary
to the netlink error above (or whatever caused that error):
| got payload 0x100(ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030
"panchoInetLeeloo" #70: next payload type of ISAKMP Hash Payload has an unknown value: 203
"panchoInetLeeloo" #70: malformed payload in packet
"panchoInetLeeloo" #70: too many (-397256193) malformed payloads. Deleting state
Console logs from the tunnel-up command follow, and I'd be happy to
provide any additional information that might be useful.
Thanks much,
Zach
Things work fine from Pancho:
pancho ~ 0$ ipsec --version
Linux Openswan U2.6.14/K2.6.24.7 (netkey)
See `ipsec --copyright' for copyright information.
pancho ~ 0$ sudo ipsec auto --verbose --up panchoInetLeeloo
002 "panchoInetLeeloo" #32: initiating Main Mode
104 "panchoInetLeeloo" #32: STATE_MAIN_I1: initiate
003 "panchoInetLeeloo" #32: ignoring unknown Vendor ID payload [4f454b427a64597b774d5d40]
003 "panchoInetLeeloo" #32: received Vendor ID payload [Dead Peer Detection]
003 "panchoInetLeeloo" #32: received Vendor ID payload [RFC 3947] method set to=109
002 "panchoInetLeeloo" #32: enabling possible NAT-traversal with
method 4
002 "panchoInetLeeloo" #32: transition from state STATE_MAIN_I1 to
state STATE_MAIN_I2
106 "panchoInetLeeloo" #32: STATE_MAIN_I2: sent MI2, expecting MR2
003 "panchoInetLeeloo" #32: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
002 "panchoInetLeeloo" #32: I am sending my cert
002 "panchoInetLeeloo" #32: I am sending a certificate request
002 "panchoInetLeeloo" #32: transition from state STATE_MAIN_I2 to
state STATE_MAIN_I3
108 "panchoInetLeeloo" #32: STATE_MAIN_I3: sent MI3, expecting MR3
002 "panchoInetLeeloo" #32: Main mode peer ID is ID_FQDN: '@leeloo.cynicbytrade.com'
002 "panchoInetLeeloo" #32: no crl from issuer "C=US, ST=Iowa, L=Ames, O=Cynic by Trade, LLC, OU=Secure Web Services, CN=cynicbytrade.com, E=ssl at cynicbytrade.com" found (strict=no)
002 "panchoInetLeeloo" #32: transition from state STATE_MAIN_I3 to
state STATE_MAIN_I4
004 "panchoInetLeeloo" #32: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
002 "panchoInetLeeloo" #32: alloc_bytes1() was mistakenly asked to
malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev at openswan.org
002 "panchoInetLeeloo" #32: alloc_bytes1() was mistakenly asked to
malloc 0 bytes for st_skey_er in duplicate_state, please report to dev at openswan.org
002 "panchoInetLeeloo" #32: alloc_bytes1() was mistakenly asked to
malloc 0 bytes for st_skey_pi in duplicate_state, please report to dev at openswan.org
002 "panchoInetLeeloo" #32: alloc_bytes1() was mistakenly asked to
malloc 0 bytes for st_skey_pr in duplicate_state, please report to dev at openswan.org
002 "panchoInetLeeloo" #33: initiating Quick Mode RSASIG+ENCRYPT
+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#32 msgid:a81e36f0
proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
117 "panchoInetLeeloo" #33: STATE_QUICK_I1: initiate
002 "panchoInetLeeloo" #33: transition from state STATE_QUICK_I1 to
state STATE_QUICK_I2
004 "panchoInetLeeloo" #33: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xd74f4f4e <0x273818ca xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
But not on the Leeloo end:
leeloo ~ 0$ ipsec --version
Linux Openswan U2.4.12/K2.6.23.17 (netkey)
See `ipsec --copyright' for copyright information.
leeloo ~ 31$ sudo ipsec auto --verbose --up panchoInetLeeloo
002 "panchoInetLeeloo" #34: initiating Quick Mode RSASIG+ENCRYPT
+COMPRESS+TUNNEL+PFS+UP {using isakmp#28}
117 "panchoInetLeeloo" #34: STATE_QUICK_I1: initiate
010 "panchoInetLeeloo" #34: STATE_QUICK_I1: retransmission; will wait
20s for response
010 "panchoInetLeeloo" #34: STATE_QUICK_I1: retransmission; will wait
40s for response
031 "panchoInetLeeloo" #34: max number of retransmissions (2) reached
STATE_QUICK_I1
000 "panchoInetLeeloo" #34: starting keying attempt 2 of an unlimited
number, but releasing whack
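As an added example (not part of Zach's post and not Openswan code), a small Python triage script that groups pluto lines like the ones above by state number (#NN) and records, per state, the phase, the Quick Mode flags (so the COMPRESS/IPComp proposal is visible), whether an SA was established, and any netlink install error or retransmission limit. The sample lines are abridged from the two consoles in this post; the script reports what the log says and does not diagnose the errno 22.

```python
import re
from collections import defaultdict

# Constructed sample: pluto lines abridged from the two consoles quoted in this post.
SAMPLE_LOG = """\
002 "panchoInetLeeloo" #32: initiating Main Mode
004 "panchoInetLeeloo" #32: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128}
002 "panchoInetLeeloo" #33: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#32}
004 "panchoInetLeeloo" #33: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xd74f4f4e}
"panchoInetLeeloo" #70: responding to Quick Mode proposal {msgid: 38d61ccc}
"panchoInetLeeloo" #70: ERROR: netlink response for Add SA comp.93d at 66.43.220.65 included errno 22: Invalid argument
"panchoInetLeeloo" #70: too many (-397256193) malformed payloads. Deleting state
031 "panchoInetLeeloo" #34: max number of retransmissions (2) reached STATE_QUICK_I1
"""

LINE_RE = re.compile(r'^(?:\d{3} )?"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
ESTABLISHED_RE = re.compile(r"(ISAKMP|IPsec) SA established")
NETLINK_RE = re.compile(r"ERROR: netlink response for (\w+ SA) (\S+) .*?errno (\d+): (.*)")
RETRANS_RE = re.compile(r"max number of retransmissions \((\d+)\) reached (\S+)")

def parse_pluto_log(text):
    """Group pluto log lines by state number (#NN) and record phase, flags, outcome."""
    states = defaultdict(lambda: {"conn": None, "phase": None, "flags": [],
                                  "established": None, "errors": []})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # debug lines such as "| got payload ..." carry no state number
        st, msg = states[int(m["state"])], m["msg"]
        st["conn"] = m["conn"]
        if msg.startswith("initiating Main Mode"):
            st["phase"] = "IKE"
        elif "Quick Mode" in msg:
            st["phase"] = "IPsec"
            if msg.startswith("initiating"):  # e.g. RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP
                st["flags"] = msg.split()[3].split("+")
        if e := ESTABLISHED_RE.search(msg):
            st["established"] = e[1]
        if n := NETLINK_RE.search(msg):
            st["errors"].append(f"netlink {n[1]} {n[2]}: errno {n[3]} ({n[4]})")
        if r := RETRANS_RE.search(msg):
            st["errors"].append(f"gave up after {r[1]} retransmissions in {r[2]}")
        if msg.endswith("Deleting state"):
            st["errors"].append("state deleted")
    return dict(states)

def failed_states(states):
    """States that logged an error and never reported an SA established."""
    return {n: s["errors"] for n, s in states.items()
            if s["established"] is None and s["errors"]}
```

Run against a full pluto log from both hosts, `failed_states` pairs the responder state that died on the kernel SA install with the initiator state that timed out waiting for it.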