[Openswan Users] Packet Size Difference?

David McCullough David_Mccullough at securecomputing.com
Mon Aug 10 19:24:33 EDT 2009


Jivin Diego Rivera lays it down ...
> Not so jivin... nhelpers=0 did not help - I still get the error.  I'll
> wait for your patch though before pursuing this further.  Also, I tried

Probably a good call.  Although I could never reproduce it without helpers,
the code has the potential to be broken in both modes.

It's basically pluto not reinitialising some data structures before building
a reply packet.  I thought it was primarily due to the helper context
switches but I could be wrong and may have just lucked out there.

> to register myself so I could file bug reports at bugs.openswan.org
> with no success - no matter what I do I can't log in.  I realize this
> is probably not the proper forum for that but can you point me in the
> right direction?

Someone else will have to help you there ;-)

Cheers,
Davidm

> 
> I found a bug in the way the "ike=" configuration is parsed - it
> doesn't allow specification of the DH group (i.e.
> ike=3des-sha1;modp1024 causes pluto to fart badly, but
> esp=3des-sha1;modp1024 works fine) and I'd like to report it officially
> so it can be tracked.
> 
> Cheers.
> 
> David McCullough wrote:
> > Jivin Diego Rivera lays it down ...
> > > Hello all!
> > > 
> > > I'm getting the following log output:
> > > 
> > > ----- BEGIN LOG -----
> > > Aug 10 14:24:54 amon pluto[28433]: | *received 637 bytes from <roadwarrior-ip>:500 on eth0 (port=500)
> > > Aug 10 14:24:54 amon pluto[28433]: | **parse ISAKMP Message:
> > > Aug 10 14:24:54 amon pluto[28433]: |    initiator cookie:
> > > Aug 10 14:24:54 amon pluto[28433]: |   d2 7d 9f 9f  4c 84 af d8
> > > Aug 10 14:24:54 amon pluto[28433]: |    responder cookie:
> > > Aug 10 14:24:54 amon pluto[28433]: |   00 00 00 00  00 00 00 00
> > > Aug 10 14:24:54 amon pluto[28433]: |    next payload type: ISAKMP_NEXT_SA
> > > Aug 10 14:24:54 amon pluto[28433]: |    ISAKMP version: ISAKMP Version 1.0 (rfc2407)
> > > Aug 10 14:24:54 amon pluto[28433]: |    exchange type: ISAKMP_XCHG_AGGR
> > > Aug 10 14:24:54 amon pluto[28433]: |    flags: none
> > > Aug 10 14:24:54 amon pluto[28433]: |    message ID:  00 00 00 00
> > > Aug 10 14:24:54 amon pluto[28433]: |    length: 621
> > > Aug 10 14:24:54 amon pluto[28433]: packet from <roadwarrior-ip>:500: size (637) differs from size specified in ISAKMP HDR (621)
> > > Aug 10 14:24:54 amon pluto[28433]: | * processed 0 messages from cryptographic helpers
> > 
> > This is a bug in pluto that I have just finished tracking down.  I should
> > have a patch for openswan-2.6.22 in the next day or so.
> > 
> > In the meantime, add:
> > 
> > 	nhelpers = 0
> > 
> > to the setup stanza in your ipsec.conf and this error will go away.
> > 
> > Cheers,
> > Davidm
> > 
> > > ------ END LOG ------
> > > 
> > > This is the openswan config in the server the roadwarrior is connecting to:
> > > 
> > > ----- BEGIN CONFIG -----
> > > config setup
> > >         interfaces="%none"
> > >         nat_traversal=yes
> > >         virtual_private=%v4:!<private-subnet>,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> > >         oe=off
> > >         protostack=netkey
> > >         nat_traversal=yes
> > >         plutodebug="parsing emitting control controlmore crypt lifecycle pfkey dpd"
> > >         plutoopts="--perpeerlog --perpeerlogbase=/etc/openswan/log"
> > > 
> > > conn rbx-ras
> > >         authby=rsasig
> > >         leftid=%fromcert
> > >         leftcert=/etc/openswan/ras.crt
> > >         left=<public-ip>
> > >         leftupdown="/etc/openswan/ras"
> > >         leftsubnet=<private-subnet>
> > >         leftxauthserver=yes
> > >         leftmodecfgserver=yes
> > >         right=%any
> > >         rightsubnet=vhost:%no,%priv
> > >         rightxauthclient=yes
> > >         rightmodecfgclient=yes
> > >         dpdaction=clear
> > >         dpddelay=30
> > >         dpdtimeout=60
> > >         pfs=yes
> > >         ike=3des-md5
> > >         esp=3des-md5
> > >         aggrmode=yes
> > >         salifetime=20m
> > >         ikelifetime=8h
> > >         rekey=no
> > >         auto=add
> > >         #forceencaps=yes
> > >         modecfgdns1=<dns-1>
> > >         modecfgdns2=<dns-2>
> > >         modecfgwins1=<wins-1>
> > >         modecfgwins2=<wins-2>
> > > ------ END CONFIG ------
> > > 
> > > The client is the Cisco VPN client v4.9.01 (0080).  Could this be due to poorly specified PFS group?  I'm supposed to use modp1024 but I can't find the correct way to specify it in "ike" or "esp" - no matter which syntax I use I always get syntax errors (I tried 3des-md5-modp1024, 3des-md5;modp1024, 3des-md5-2, all to no avail).  Notice that the difference between size expectations is 16 bytes.
> > > 
> > > Cheers.
> 
> -- 
> Diego Rivera
> Director / System Operations
> Roundbox Global : enterprise : technology : genius
> ------------------------------------------------------------------------------------------------------------------
> Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica
> tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506) 2258-3695
> email: diego.rivera at rbxglobal.com | www.rbxglobal.com
> ------------------------------------------------------------------------------------------------------------------
> 



-- 
David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org
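The log quoted in this thread shows pluto parsing the fixed ISAKMP header of an inbound datagram and then rejecting it because the header's length field (621) disagrees with the number of bytes actually received (637). As an added example that is not part of this thread and not Openswan's code, the following Python script decodes the 28-byte ISAKMP header laid out in RFC 2408 and performs that same consistency check, the check a receiver must pass before it trusts the length field to walk the payload chain. The cookie, payload type, version, exchange type and length values come from the log above; the trailing payload bytes are zero filler I constructed, and the function and constant names (`parse_isakmp_header`, `check_header_length`, `build_sample`) are my own.

```python
import struct

# ISAKMP header layout from RFC 2408 section 3.1 (fixed 28 bytes, network byte order):
#   initiator cookie (8) | responder cookie (8) | next payload (1) | version (1)
#   | exchange type (1) | flags (1) | message ID (4) | length (4)
ISAKMP_HDR_LEN = 28
_HDR = struct.Struct("!8s8sBBBBII")

# Symbolic names for the code points that appear in the log on this page
# (values from RFC 2408; only a few are listed here).
NEXT_PAYLOAD = {0: "ISAKMP_NEXT_NONE", 1: "ISAKMP_NEXT_SA"}
EXCHANGE_TYPE = {2: "ISAKMP_XCHG_IDPROT", 4: "ISAKMP_XCHG_AGGR", 5: "ISAKMP_XCHG_INFO"}


def parse_isakmp_header(datagram: bytes) -> dict:
    """Decode the fixed ISAKMP header of one UDP/500 datagram.

    Raises ValueError if the datagram is too short to hold a header, so the
    caller never reads header fields that are not actually present.
    """
    if len(datagram) < ISAKMP_HDR_LEN:
        raise ValueError(
            f"datagram of {len(datagram)} bytes is shorter than the ISAKMP header")
    icookie, rcookie, npayload, version, xchg, flags, msgid, length = \
        _HDR.unpack_from(datagram)
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "next_payload": NEXT_PAYLOAD.get(npayload, f"unknown({npayload})"),
        "version": f"{version >> 4}.{version & 0x0F}",   # major.minor nibbles
        "exchange_type": EXCHANGE_TYPE.get(xchg, f"unknown({xchg})"),
        "flags": flags,
        "message_id": msgid,
        "length": length,
    }


def check_header_length(datagram: bytes) -> tuple:
    """Return (header, problem).

    problem is None when the header's length field equals the number of bytes
    received; otherwise it is a message in the same form as pluto's log line.
    A receiver that skips this check would size its payload walk from a value
    the peer controls rather than from what actually arrived.
    """
    hdr = parse_isakmp_header(datagram)
    actual = len(datagram)
    if hdr["length"] != actual:
        return hdr, (f"size ({actual}) differs from size specified "
                     f"in ISAKMP HDR ({hdr['length']})")
    return hdr, None


def build_sample(declared_length: int, actual_length: int) -> bytes:
    """Construct a datagram whose header claims declared_length bytes but
    which is actual_length bytes long. Header values mirror the log on this
    page; everything after the header is constructed zero filler."""
    header = _HDR.pack(
        bytes.fromhex("d27d9f9f4c84afd8"),  # initiator cookie from the log
        bytes(8),                            # responder cookie: all zero (first message)
        1,                                   # next payload: ISAKMP_NEXT_SA
        0x10,                                # ISAKMP version 1.0
        4,                                   # exchange type: ISAKMP_XCHG_AGGR
        0,                                   # flags: none
        0,                                   # message ID 0 (phase 1)
        declared_length,
    )
    return header + bytes(actual_length - ISAKMP_HDR_LEN)


if __name__ == "__main__":
    # The situation from the log: 637 bytes on the wire, 621 claimed in the header.
    hdr, problem = check_header_length(build_sample(621, 637))
    for key, value in hdr.items():
        print(f"{key}: {value}")
    print(problem or "header length matches datagram size")
```

The check runs before any payload is touched: the header is the only part of the datagram whose size is known in advance, so a length field that disagrees with the datagram is the earliest point at which a malformed or mis-built message can be refused. In the thread's case the mismatch originated on the sending side (pluto building a reply from stale state), which is why the 16-byte discrepancy was constant rather than random.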

