[Openswan Users] openswan-2.6.14rc5 and and not enough room left in output packet to place ISAKMP Key Exchange Payload

Chris Patch chrispatch at intrstar.net
Thu May 29 10:13:17 EDT 2008


I am testing openswan 2.6.14rc5 on CentOS 5 with kernel
2.6.18-53.1.21.el5 from CentOS. I am using netkey.

This is the ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
#interfaces="%defaultroute"
config setup
        nat_traversal=yes
        nhelpers=0
        uniqueids=yes
        protostack=netkey
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

# Add connections here
conn %default
        keyingtries=1
        authby=rsasig
        compress=no
        pfs=no
        auto=add

#conn rw-cpatch-laptop
#       also=roadwarrior-l2tp-cert
#       rightcert=cpatch-laptop.intrstar.net.pem
#
#conn rw-earlycollege1
#       also=roadwarrior-l2tp-cert
#       rightcert=earlycollge1.pem
#
#conn rw-earlycollege2
#       also=roadwarrior-l2tp-cert
#       rightcert=earlycollge2.pem

conn roadwarrior-l2tp-cert
        type=transport
        left=66.207.232.2
        leftcert=scs-fw1.sampson.k12.nc.us.pem
        authby=rsasig
        leftprotoport=17/1701
        rightprotoport=17/1701
        right=%any
        rightsubnet="vhost:%no,%priv"
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        auto=add
        pfs=no
        keyingtries=1

#
# sample VPN connections, see /etc/ipsec.d/examples/
#include /etc/ipsec.d/examples/no_oe.conf

These are the logs I get from an XP client connecting:
/var/log/messages
[root at test ~]# tail -f /var/log/messages 
May 29 05:16:38 test ipsec_setup: Starting Openswan IPsec
U2.6.ikev2/K2.6.18-53.1.21.el5...
May 29 05:16:38 test ipsec_setup: Trying to load all NETKEY
modules:xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_beet xfrm6_mode_ro
xfrm6_mode_transport xfrm4_mode_transport xfrm4_mode_tunnel xfrm4_tunnel
xfrm4_mode_beet esp4 esp6 ah4 ah6 ipcomp ipcomp6 af_key 
May 29 05:16:38 test ipsec_setup: Trying VIA padlock driver, this may
fail, which is okay.
May 29 05:16:38 test ipsec_setup: Trying to load all CryptoAPI modules
May 29 05:16:38 test ipsec_setup: aes-x86_64 aes des sha512 sha256 md5
cbc xcbc ecb twofish blowfish serpent ccm 
May 29 05:16:38 test ipsec__plutorun: 002 loading certificate from
scs-fw1.sampson.k12.nc.us.pem 
May 29 05:16:38 test ipsec__plutorun: 002   loaded host cert file
'/etc/ipsec.d/certs/scs-fw1.sampson.k12.nc.us.pem' (3929 bytes)
May 29 05:16:38 test ipsec__plutorun: 002 added connection description
"roadwarrior-l2tp-cert"
May 29 05:17:59 test Installed: ntp.i386 4.2.2p1-7.el5
May 29 10:07:47 test ipsec__plutorun: /usr/local/lib/ipsec/_plutorun:
line 250:  2667 Aborted                 /usr/local/libexec/ipsec/pluto
--nofork --secretsfile /etc/ipsec.secrets --use-netkey --uniqueids
--nat_traversal --virtual_private
%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

This is from /var/log/secure:

May 29 10:07:46 test pluto[2667]: packet from 66.207.228.212:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 29 10:07:46 test pluto[2667]: packet from 66.207.228.212:500:
ignoring Vendor ID payload [FRAGMENTATION]
May 29 10:07:46 test pluto[2667]: packet from 66.207.228.212:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106 
May 29 10:07:46 test pluto[2667]: packet from 66.207.228.212:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
May 29 10:07:46 test pluto[2667]: "roadwarrior-l2tp-cert"[1]
66.207.228.212 #1: responding to Main Mode from unknown peer
66.207.228.212
May 29 10:07:46 test pluto[2667]: "roadwarrior-l2tp-cert"[1]
66.207.228.212 #1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
May 29 10:07:46 test pluto[2667]: "roadwarrior-l2tp-cert"[1]
66.207.228.212 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May 29 10:07:47 test pluto[2667]: "roadwarrior-l2tp-cert"[1]
66.207.228.212 #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 29 10:07:47 test pluto[2667]: "roadwarrior-l2tp-cert"[1]
66.207.228.212 #1: not enough room left in output packet to place ISAKMP
Key Exchange Payload

Is there anything else I can do to help troubleshoot this?
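The pluto messages above are easier to reason about when grouped per ISAKMP SA (the "#1" in each line), so the state transitions, the NAT-T result and the first error land together. This is an added example, not from the post or from Openswan: it parses syslog lines in the same format as those above (unwrapped, one record per line; the peer address and the lines themselves are constructed) and summarizes each SA.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the pluto lines in the post
# (unwrapped; 192.0.2.10 is a placeholder peer address).
SAMPLE_LOG = """\
May 29 10:07:46 test pluto[2667]: packet from 192.0.2.10:500: ignoring Vendor ID payload [FRAGMENTATION]
May 29 10:07:46 test pluto[2667]: "roadwarrior-l2tp-cert"[1] 192.0.2.10 #1: responding to Main Mode from unknown peer 192.0.2.10
May 29 10:07:46 test pluto[2667]: "roadwarrior-l2tp-cert"[1] 192.0.2.10 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 29 10:07:46 test pluto[2667]: "roadwarrior-l2tp-cert"[1] 192.0.2.10 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May 29 10:07:47 test pluto[2667]: "roadwarrior-l2tp-cert"[1] 192.0.2.10 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 29 10:07:47 test pluto[2667]: "roadwarrior-l2tp-cert"[1] 192.0.2.10 #1: not enough room left in output packet to place ISAKMP Key Exchange Payload
"""

# syslog prefix: timestamp, host, "pluto[pid]: ", then the message
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<msg>.*)$')
# per-SA message: "conn"[instance] peer #sa: text
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<text>.*)$')
TRANS_RE = re.compile(r'transition from state (\S+) to state (\S+)')
# substrings that mark a message as a failure worth surfacing (assumed list)
ERROR_MARKERS = ('not enough room', 'malformed', 'no acceptable')

def summarize_isakmp_sas(log_text):
    """Group pluto messages by ISAKMP SA number and return, per SA, the
    connection, peer, sequence of states entered, whether NAT-T detected a
    NATed peer, and the first error-looking message (or None)."""
    sas = defaultdict(lambda: {'conn': None, 'peer': None, 'states': [],
                               'nat_t': False, 'error': None})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        s = STATE_RE.match(m.group('msg'))
        if not s:
            continue  # "packet from ..." lines precede SA creation; no #n yet
        entry = sas[int(s.group('sa'))]
        entry['conn'], entry['peer'] = s.group('conn'), s.group('peer')
        text = s.group('text')
        t = TRANS_RE.search(text)
        if t:
            if not entry['states']:
                entry['states'].append(t.group(1))  # record the starting state once
            entry['states'].append(t.group(2))
        if text.startswith('NAT-Traversal:') and 'peer is NATed' in text:
            entry['nat_t'] = True
        if entry['error'] is None and any(k in text.lower() for k in ERROR_MARKERS):
            entry['error'] = text
    return dict(sas)

if __name__ == '__main__':
    for sa, info in summarize_isakmp_sas(SAMPLE_LOG).items():
        print(f"#{sa} {info['conn']} peer={info['peer']} "
              f"states={'->'.join(info['states'])} nat_t={info['nat_t']} error={info['error']}")
```

Feeding the real /var/log/secure through the same function shows that the SA reached STATE_MAIN_R1, detected a NATed peer, and then failed while building the MR2 reply, which narrows where to look before enabling more debugging.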

