[Openswan Users] Packet Size Difference?
David McCullough
David_Mccullough at securecomputing.com
Mon Aug 10 18:49:26 EDT 2009
Jivin Diego Rivera lays it down ...
> Hello all!
>
> I'm getting the following log output:
>
> ----- BEGIN LOG -----
> Aug 10 14:24:54 amon pluto[28433]: | *received 637 bytes from <roadwarrior-ip>:500 on eth0 (port=500)
> Aug 10 14:24:54 amon pluto[28433]: | **parse ISAKMP Message:
> Aug 10 14:24:54 amon pluto[28433]: | initiator cookie:
> Aug 10 14:24:54 amon pluto[28433]: | d2 7d 9f 9f 4c 84 af d8
> Aug 10 14:24:54 amon pluto[28433]: | responder cookie:
> Aug 10 14:24:54 amon pluto[28433]: | 00 00 00 00 00 00 00 00
> Aug 10 14:24:54 amon pluto[28433]: | next payload type: ISAKMP_NEXT_SA
> Aug 10 14:24:54 amon pluto[28433]: | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
> Aug 10 14:24:54 amon pluto[28433]: | exchange type: ISAKMP_XCHG_AGGR
> Aug 10 14:24:54 amon pluto[28433]: | flags: none
> Aug 10 14:24:54 amon pluto[28433]: | message ID: 00 00 00 00
> Aug 10 14:24:54 amon pluto[28433]: | length: 621
> Aug 10 14:24:54 amon pluto[28433]: packet from <roadwarrior-ip>:500: size (637) differs from size specified in ISAKMP HDR (621)
> Aug 10 14:24:54 amon pluto[28433]: | * processed 0 messages from cryptographic helpers
This is a bug in pluto that I have just finished tracking down. I should
have a patch for openswan-2.6.22 in the next day or so.
In the meantime, add:
nhelpers = 0
to the setup stanza in your ipsec.conf and this error will go away.
Cheers,
Davidm
> ------ END LOG ------
>
> This is the openswan config in the server the roadwarrior is connecting to:
>
> ----- BEGIN CONFIG -----
> config setup
> interfaces="%none"
> nat_traversal=yes
> virtual_private=%v4:!<private-subnet>,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> oe=off
> protostack=netkey
> nat_traversal=yes
> plutodebug="parsing emitting control controlmore crypt lifecycle pfkey dpd"
> plutoopts="--perpeerlog --perpeerlogbase=/etc/openswan/log"
>
> conn rbx-ras
> authby=rsasig
> leftid=%fromcert
> leftcert=/etc/openswan/ras.crt
> left=<public-ip>
> leftupdown="/etc/openswan/ras"
> leftsubnet=<private-subnet>
> leftxauthserver=yes
> leftmodecfgserver=yes
> right=%any
> rightsubnet=vhost:%no,%priv
> rightxauthclient=yes
> rightmodecfgclient=yes
> dpdaction=clear
> dpddelay=30
> dpdtimeout=60
> pfs=yes
> ike=3des-md5
> esp=3des-md5
> aggrmode=yes
> salifetime=20m
> ikelifetime=8h
> rekey=no
> auto=add
> #forceencaps=yes
> modecfgdns1=<dns-1>
> modecfgdns2=<dns-2>
> modecfgwins1=<wins-1>
> modecfgwins2=<wins-2>
> ------ END CONFIG ------
>
> The client is the Cisco VPN client v4.9.01 (0080). Could this be due to poorly specified PFS group? I'm supposed to use modp1024 but I can't find the correct way to specify it in "ike" or "esp" - no matter which syntax I use I always get syntax errors (I tried 3des-md5-modp1024, 3des-md5;modp1024, 3des-md5-2, all to no avail). Notice that the difference between size expectations is 16 bytes.
>
> Cheers.
--
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org
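The mismatch pluto logs above is a consistency check between the UDP datagram length and the length field of the fixed 28-byte ISAKMP header (RFC 2408). As an added illustration, not code from openswan or pluto, the following parser reproduces that check on a constructed datagram built from the values in the log (same cookies, aggressive mode, SA as next payload, header length 621, 637 bytes on the wire); the payload bytes after the header are zero filler, an assumption made only so the sample is self-contained.

```python
import struct
from dataclasses import dataclass

ISAKMP_HDR_LEN = 28  # fixed ISAKMP header size, RFC 2408 section 3.1
ISAKMP_HDR_FMT = "!8s8sBBBBII"  # i-cookie, r-cookie, next payload, version, xchg, flags, msg id, length

NEXT_PAYLOAD = {0: "ISAKMP_NEXT_NONE", 1: "ISAKMP_NEXT_SA", 2: "ISAKMP_NEXT_P", 4: "ISAKMP_NEXT_KE"}
EXCHANGE = {1: "ISAKMP_XCHG_BASE", 2: "ISAKMP_XCHG_IDPROT", 3: "ISAKMP_XCHG_AO",
            4: "ISAKMP_XCHG_AGGR", 5: "ISAKMP_XCHG_INFO"}


@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    version: int       # high nibble major, low nibble minor: 0x10 is ISAKMP 1.0
    exchange_type: int
    flags: int
    message_id: int
    length: int        # total message length claimed by the sender


def parse_isakmp_header(data: bytes) -> IsakmpHeader:
    """Decode the fixed header; refuse datagrams too short to hold one."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError(f"datagram of {len(data)} bytes is shorter than the ISAKMP header")
    return IsakmpHeader(*struct.unpack(ISAKMP_HDR_FMT, data[:ISAKMP_HDR_LEN]))


def check_length(data: bytes):
    """Return (header, problem). problem is None when the header length matches the datagram,
    otherwise the same wording pluto uses for the mismatch seen in the log above."""
    hdr = parse_isakmp_header(data)
    if hdr.length != len(data):
        return hdr, f"size ({len(data)}) differs from size specified in ISAKMP HDR ({hdr.length})"
    return hdr, None


def build_sample(header_length: int, datagram_length: int) -> bytes:
    """Constructed datagram mirroring the log: cookies and exchange type from the log,
    header length and wire length chosen by the caller; body bytes are zero filler."""
    hdr = struct.pack(ISAKMP_HDR_FMT, bytes.fromhex("d27d9f9f4c84afd8"), bytes(8),
                      1, 0x10, 4, 0, 0, header_length)  # next=SA, v1.0, aggressive, no flags, msg id 0
    return hdr + bytes(datagram_length - ISAKMP_HDR_LEN)


SAMPLE = build_sample(621, 637)  # the 16-byte discrepancy reported in the log
```

Running `check_length(SAMPLE)` yields the header fields as pluto printed them plus the "size (637) differs ..." message, while a datagram whose length matches its header passes with `None`.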