[Openswan Users] Packet Size Difference?
David McCullough
David_Mccullough at securecomputing.com
Mon Aug 10 19:24:33 EDT 2009
Jivin Diego Rivera lays it down ...
> Not so jivin... nhelpers=0 did not help - I still get the error. I'll
> wait for your patch though before pursuing this further. Also, I tried
Probably a good call. Although I could never reproduce it without helpers,
the code has the potential to be broken in both modes.
It's basically pluto not reinitialising some data structures before building
a reply packet. I thought it was primarily due to the helper context
switches but I could be wrong and may have just lucked out there.
> to register myself so I could file bug reports at bugs.openswan.org
> with no success - no matter what I do I can't log in. I realize this
> is probably not the proper form for that but can you point me in the
> right direction?
Someone else will have to help you there ;-)
Cheers,
Davidm
>
> I found a bug in the way the "ike=" configuration is parsed - it
> doesn't allow specification of the DH group (i.e.
> ike=3des-sha1;modp1024 causes pluto to fart badly, but
> esp=3des-sha1;modp1024 works fine) and I'd like to report it officially
> so it can be tracked.
>
> Cheers.
>
> David McCullough wrote:
> > Jivin Diego Rivera lays it down ...
> > > Hello all!
> > >
> > > I'm getting the following log output:
> > >
> > > ----- BEGIN LOG -----
> > > Aug 10 14:24:54 amon pluto[28433]: | *received 637 bytes from <roadwarrior-ip>:500 on eth0 (port=500)
> > > Aug 10 14:24:54 amon pluto[28433]: | **parse ISAKMP Message:
> > > Aug 10 14:24:54 amon pluto[28433]: | initiator cookie:
> > > Aug 10 14:24:54 amon pluto[28433]: | d2 7d 9f 9f 4c 84 af d8
> > > Aug 10 14:24:54 amon pluto[28433]: | responder cookie:
> > > Aug 10 14:24:54 amon pluto[28433]: | 00 00 00 00 00 00 00 00
> > > Aug 10 14:24:54 amon pluto[28433]: | next payload type: ISAKMP_NEXT_SA
> > > Aug 10 14:24:54 amon pluto[28433]: | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
> > > Aug 10 14:24:54 amon pluto[28433]: | exchange type: ISAKMP_XCHG_AGGR
> > > Aug 10 14:24:54 amon pluto[28433]: | flags: none
> > > Aug 10 14:24:54 amon pluto[28433]: | message ID: 00 00 00 00
> > > Aug 10 14:24:54 amon pluto[28433]: | length: 621
> > > Aug 10 14:24:54 amon pluto[28433]: packet from <roadwarrior-ip>:500: size (637) differs from size specified in ISAKMP HDR (621)
> > > Aug 10 14:24:54 amon pluto[28433]: | * processed 0 messages from cryptographic helpers
> >
> > This is a bug in pluto that I have just finished tracking down. I should
> > have a patch for openswan-2.6.22 in the next day or so.
> >
> > In the meantime, add:
> >
> > nhelpers = 0
> >
> > to the setup stanza in your ipsec.conf and this error will go away.
> >
> > Cheers,
> > Davidm
> >
> > > ------ END LOG ------
> > >
> > > This is the openswan config in the server the roadwarrior is connecting to:
> > >
> > > ----- BEGIN CONFIG -----
> > > config setup
> > >     interfaces="%none"
> > >     nat_traversal=yes
> > >     virtual_private=%v4:!<private-subnet>,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> > >     oe=off
> > >     protostack=netkey
> > >     nat_traversal=yes
> > >     plutodebug="parsing emitting control controlmore crypt lifecycle pfkey dpd"
> > >     plutoopts="--perpeerlog --perpeerlogbase=/etc/openswan/log"
> > >
> > > conn rbx-ras
> > >     authby=rsasig
> > >     leftid=%fromcert
> > >     leftcert=/etc/openswan/ras.crt
> > >     left=<public-ip>
> > >     leftupdown="/etc/openswan/ras"
> > >     leftsubnet=<private-subnet>
> > >     leftxauthserver=yes
> > >     leftmodecfgserver=yes
> > >     right=%any
> > >     rightsubnet=vhost:%no,%priv
> > >     rightxauthclient=yes
> > >     rightmodecfgclient=yes
> > >     dpdaction=clear
> > >     dpddelay=30
> > >     dpdtimeout=60
> > >     pfs=yes
> > >     ike=3des-md5
> > >     esp=3des-md5
> > >     aggrmode=yes
> > >     salifetime=20m
> > >     ikelifetime=8h
> > >     rekey=no
> > >     auto=add
> > >     #forceencaps=yes
> > >     modecfgdns1=<dns-1>
> > >     modecfgdns2=<dns-2>
> > >     modecfgwins1=<wins-1>
> > >     modecfgwins2=<wins-2>
> > > ------ END CONFIG ------
> > >
> > > The client is the Cisco VPN client v4.9.01 (0080). Could this be due to poorly specified PFS group? I'm supposed to use modp1024 but I can't find the correct way to specify it in "ike" or "esp" - no matter which syntax I use I always get syntax errors (I tried 3des-md5-modp1024, 3des-md5;modp1024, 3des-md5-2, all to no avail). Notice that the difference between size expectations is 16 bytes.
> > >
> > > Cheers.
>
> --
> Diego Rivera
> Director / System Operations
> Roundbox Global : enterprise : technology : genius
> ------------------------------------------------------------------------------------------------------------------
> Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica
> tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506) 2258-3695
> email: diego.rivera at rbxglobal.com | www.rbxglobal.com
> ------------------------------------------------------------------------------------------------------------------
>
--
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org
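An added illustration of the check behind the log line "size (637) differs from size specified in ISAKMP HDR (621)" (this is not code from the thread or from Openswan): a small Python parser for the fixed 28-byte ISAKMP header of RFC 2408 that decodes the fields pluto prints and compares the header's length field with the UDP datagram size. The sample datagram is constructed here from the values in the quoted log (initiator cookie d2 7d 9f 9f 4c 84 af d8, zero responder cookie, SA as next payload, aggressive mode, claimed length 621) and padded with filler bytes to 637; the bytes after the header are not a real capture. The numeric constants ISAKMP_NEXT_SA = 1 and ISAKMP_XCHG_AGGR = 4 are the RFC 2408 values; the function names are this example's own.

```python
"""Added example: parse the fixed ISAKMP (IKEv1) header and check its
length field against the datagram size, as pluto does before logging
"size (N) differs from size specified in ISAKMP HDR (M)"."""
from __future__ import annotations

import struct
from dataclasses import dataclass

ISAKMP_HDR_LEN = 28             # RFC 2408 section 3.1: fixed-size header
ISAKMP_HDR_FMT = "!8s8sBBBBII"  # cookies, next payload, version, exchange, flags, msg id, length
ISAKMP_NEXT_SA = 1              # next-payload value: Security Association payload
ISAKMP_XCHG_AGGR = 4            # exchange type: Aggressive mode

NEXT_PAYLOAD_NAMES = {0: "ISAKMP_NEXT_NONE", 1: "ISAKMP_NEXT_SA", 2: "ISAKMP_NEXT_P",
                      3: "ISAKMP_NEXT_T", 4: "ISAKMP_NEXT_KE", 5: "ISAKMP_NEXT_ID",
                      8: "ISAKMP_NEXT_HASH", 10: "ISAKMP_NEXT_NONCE", 13: "ISAKMP_NEXT_VID"}
EXCHANGE_NAMES = {1: "ISAKMP_XCHG_BASE", 2: "ISAKMP_XCHG_IDPROT", 3: "ISAKMP_XCHG_AO",
                  4: "ISAKMP_XCHG_AGGR", 5: "ISAKMP_XCHG_INFO"}


@dataclass(frozen=True)
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int  # total message length claimed by the sender

    def describe(self) -> str:
        """One-line summary in the same terms pluto uses in its parse log."""
        return (f"next payload type: {NEXT_PAYLOAD_NAMES.get(self.next_payload, self.next_payload)}, "
                f"ISAKMP version {self.major_version}.{self.minor_version}, "
                f"exchange type: {EXCHANGE_NAMES.get(self.exchange_type, self.exchange_type)}, "
                f"length: {self.length}")


def parse_isakmp_header(datagram: bytes) -> IsakmpHeader:
    """Decode the first 28 bytes; anything shorter cannot be an ISAKMP message."""
    if len(datagram) < ISAKMP_HDR_LEN:
        raise ValueError(f"datagram of {len(datagram)} bytes is shorter than the ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = struct.unpack(
        ISAKMP_HDR_FMT, datagram[:ISAKMP_HDR_LEN])
    # The version octet carries the major version in the high nibble, minor in the low.
    return IsakmpHeader(icookie, rcookie, nxt, ver >> 4, ver & 0x0F, xchg, flags, msgid, length)


def check_header_length(datagram: bytes) -> tuple[bool, int]:
    """Return (consistent, delta) with delta = datagram size - header length field.
    A responder must reject the message when delta != 0; the quoted log shows delta == 16."""
    hdr = parse_isakmp_header(datagram)
    delta = len(datagram) - hdr.length
    return delta == 0, delta


def build_sample_datagram(total_size: int, length_field: int) -> bytes:
    """Constructed test input: header field values taken from the quoted pluto log,
    followed by zero filler bytes (not a real capture) up to total_size."""
    header = struct.pack(ISAKMP_HDR_FMT,
                         bytes.fromhex("d27d9f9f4c84afd8"),  # initiator cookie from the log
                         bytes(8),                           # responder cookie: all zero in the first message
                         ISAKMP_NEXT_SA, 0x10,               # next payload SA, version 1.0
                         ISAKMP_XCHG_AGGR, 0, 0,             # aggressive mode, no flags, message ID 0
                         length_field)
    return header + bytes(total_size - ISAKMP_HDR_LEN)


if __name__ == "__main__":
    # First case reproduces the mismatch from the thread; second is a consistent message.
    for size, claimed in ((637, 621), (621, 621)):
        pkt = build_sample_datagram(size, claimed)
        print(parse_isakmp_header(pkt).describe())
        ok, delta = check_header_length(pkt)
        if ok:
            print(f"received {size} bytes: header length consistent")
        else:
            print(f"size ({size}) differs from size specified in ISAKMP HDR ({claimed}), delta {delta}")
```

The check is deliberately done before any payload is walked: a length field that disagrees with the datagram is the first sign that either the sender assembled the message incorrectly (the pluto bug discussed above, where a reply is built from stale state) or the datagram was truncated or padded in transit, and in both cases the rest of the message cannot be trusted to parse.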