[Openswan Users] openswan-2.6.14rc5 and not enough room left in output packet to place ISAKMP Key Exchange Payload
Chris Patch
chrispatch at intrstar.net
Thu May 29 10:13:17 EDT 2008
I am testing openswan 2.6.14rc5 on centos-5 with kernel 2.6.18-53.1.21.el5 from centos. I am using netkey.
This is the ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
#interfaces="%defaultroute"
config setup
	nat_traversal=yes
	nhelpers=0
	uniqueids=yes
	protostack=netkey
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
# Add connections here
conn %default
	keyingtries=1
	authby=rsasig
	compress=no
	pfs=no
	auto=add
#conn rw-cpatch-laptop
#	also=roadwarrior-l2tp-cert
#	rightcert=cpatch-laptop.intrstar.net.pem
#
#conn rw-earlycollege1
#	also=roadwarrior-l2tp-cert
#	rightcert=earlycollge1.pem
#
#conn rw-earlycollege2
#	also=roadwarrior-l2tp-cert
#	rightcert=earlycollge2.pem
conn roadwarrior-l2tp-cert
	type=transport
	left=66.207.232.2
	leftcert=scs-fw1.sampson.k12.nc.us.pem
	authby=rsasig
	leftprotoport=17/1701
	rightprotoport=17/1701
	right=%any
	rightsubnet="vhost:%no,%priv"
	rightrsasigkey=%cert
	leftrsasigkey=%cert
	auto=add
	pfs=no
	keyingtries=1
#
# sample VPN connections, see /etc/ipsec.d/examples/
#include /etc/ipsec.d/examples/no_oe.conf
These are the logs I get from an XP client connecting:
/var/log/messages:
[root at test ~]# tail -f /var/log/messages
May 29 05:16:38 test ipsec_setup: Starting Openswan IPsec
U2.6.ikev2/K2.6.18-53.1.21.el5...
May 29 05:16:38 test ipsec_setup: Trying to load all NETKEY
modules:xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_beet xfrm6_mode_ro
xfrm6_mode_transport xfrm4_mode_transport xfrm4_mode_tunnel xfrm4_tunnel
xfrm4_mode_beet esp4 esp6 ah4 ah6 ipcomp ipcomp6 af_key
May 29 05:16:38 test ipsec_setup: Trying VIA padlock driver, this may
fail, which is okay.
May 29 05:16:38 test ipsec_setup: Trying to load all CryptoAPI modules
May 29 05:16:38 test ipsec_setup: aes-x86_64 aes des sha512 sha256 md5
cbc xcbc ecb twofish blowfish serpent ccm
May 29 05:16:38 test ipsec__plutorun: 002 loading certificate from
scs-fw1.sampson.k12.nc.us.pem
May 29 05:16:38 test ipsec__plutorun: 002 loaded host cert file
'/etc/ipsec.d/certs/scs-fw1.sampson.k12.nc.us.pem' (3929 bytes)
May 29 05:16:38 test ipsec__plutorun: 002 added connection description
"roadwarrior-l2tp-cert"
May 29 05:17:59 test Installed: ntp.i386 4.2.2p1-7.el5
May 29 10:07:47 test ipsec__plutorun: /usr/local/lib/ipsec/_plutorun:
line 250: 2667 Aborted /usr/local/libexec/ipsec/pluto
--nofork --secretsfile /etc/ipsec.secrets --use-netkey --uniqueids
--nat_traversal --virtual_private
%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
This is from /var/log/secure:
May 29 10:07:46 test pluto[2667]: packet from 66.207.228.212:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 29 10:07:46 test pluto[2667]: packet from 66.207.228.212:500:
ignoring Vendor ID payload [FRAGMENTATION]
May 29 10:07:46 test pluto[2667]: packet from 66.207.228.212:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
May 29 10:07:46 test pluto[2667]: packet from 66.207.228.212:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
May 29 10:07:46 test pluto[2667]: "roadwarrior-l2tp-cert"[1]
66.207.228.212 #1: responding to Main Mode from unknown peer
66.207.228.212
May 29 10:07:46 test pluto[2667]: "roadwarrior-l2tp-cert"[1]
66.207.228.212 #1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
May 29 10:07:46 test pluto[2667]: "roadwarrior-l2tp-cert"[1]
66.207.228.212 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May 29 10:07:47 test pluto[2667]: "roadwarrior-l2tp-cert"[1]
66.207.228.212 #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 29 10:07:47 test pluto[2667]: "roadwarrior-l2tp-cert"[1]
66.207.228.212 #1: not enough room left in output packet to place ISAKMP
Key Exchange Payload
Is there anything else I can do to help troubleshoot this?
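As an added triage aid (not part of the original post), the script below parses pluto syslog lines of the kind quoted above, groups them per ISAKMP state object, and reports for each exchange the last state reached, the NAT-T verdict, the fatal "not enough room" message, and whether the pluto pid that logged it was afterwards seen aborting in _plutorun. The sample log is constructed to mirror the lines in the post; the regexes assume pluto's "conn"[instance] peer #n: message format.

```python
import re

# Constructed sample, modelled on the pluto lines quoted in the post above.
SAMPLE_LOG = """\
May 29 10:07:46 test pluto[2667]: packet from 66.207.228.212:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 29 10:07:46 test pluto[2667]: "roadwarrior-l2tp-cert"[1] 66.207.228.212 #1: responding to Main Mode from unknown peer 66.207.228.212
May 29 10:07:46 test pluto[2667]: "roadwarrior-l2tp-cert"[1] 66.207.228.212 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 29 10:07:46 test pluto[2667]: "roadwarrior-l2tp-cert"[1] 66.207.228.212 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May 29 10:07:47 test pluto[2667]: "roadwarrior-l2tp-cert"[1] 66.207.228.212 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 29 10:07:47 test pluto[2667]: "roadwarrior-l2tp-cert"[1] 66.207.228.212 #1: not enough room left in output packet to place ISAKMP Key Exchange Payload
May 29 10:07:47 test ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 250: 2667 Aborted /usr/local/libexec/ipsec/pluto --nofork
"""

# One ISAKMP state object: pluto[pid]: "conn"[instance] peer #n: message
STATE_RE = re.compile(r'pluto\[(\d+)\]: "([^"]+)"\[\d+\] (\S+) #(\d+): (.*)')
TRANS_RE = re.compile(r'transition from state (\S+) to state (\S+)')
# _plutorun reporting that the pluto child died (pid precedes "Aborted")
ABORT_RE = re.compile(r'_plutorun: line \d+: (\d+) Aborted')
FATAL_PREFIX = "not enough room left in output packet"

def triage(log_text):
    """Group pluto messages by (conn, peer, state number) and summarise each
    exchange: last IKE state reached, NAT-T verdict, the fatal message if
    any, and whether the pluto pid that logged it was later seen aborting."""
    exchanges = {}
    aborted_pids = set()
    for line in log_text.splitlines():
        m = ABORT_RE.search(line)
        if m:
            aborted_pids.add(m.group(1))
            continue
        m = STATE_RE.search(line)
        if not m:
            continue  # "packet from ..." lines carry no state object
        pid, conn, peer, num, msg = m.groups()
        ex = exchanges.setdefault((conn, peer, int(num)),
            {"pid": pid, "last_state": None, "nated": None, "fatal": None})
        t = TRANS_RE.search(msg)
        if t:
            ex["last_state"] = t.group(2)
        elif "NAT-Traversal: Result" in msg:
            ex["nated"] = msg.endswith("peer is NATed")
        elif msg.startswith(FATAL_PREFIX):
            ex["fatal"] = msg
    for ex in exchanges.values():
        ex["pluto_aborted"] = ex["pid"] in aborted_pids
    return exchanges
```

Running triage() over a real /var/log/secure extract shows whether the crash always follows the same state and NAT-T verdict, which is the detail worth including in a bug report.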