[Openswan Users] OpenSwan Client sends "Malformed Packet" of type ESP

Markus Locher ml at as-support.com
Mon Jan 19 06:26:25 EST 2009


Hi list,

I found similar but not equal problems in this mailing list, so I post this.

The OpenSwan daemon is sending "malformed packets" of type "esp" to a
CISCO router - which the CISCO never gets. That happens when I start
openl2tpd to create the tunnel of the VPN.

Log of WireShark:
------------------------
(Phase 1 Main Mode and Quick Mode logs are OK!)
...
client-ip      cisco-ip           ESP               ESP(SPI=0x87fbfeef)
client-ip      cisco-ip           ESP               ESP(SPI=0x87fbfeef) 
[Malformed Packet]
client-ip      cisco-ip           ESP               ESP(SPI=0x87fbfeef) 
[Malformed Packet]
client-ip      cisco-ip           ESP               ESP(SPI=0x87fbfeef) 
[Malformed Packet]
client-ip      cisco-ip           ESP               ESP(SPI=0x87fbfeef) 
[Malformed Packet]
client-ip      cisco-ip           ESP               ESP(SPI=0x87fbfeef)
client-ip      cisco-ip           ESP               ESP(SPI=0x87fbfeef)
client-ip      cisco-ip           ESP               ESP(SPI=0x87fbfeef) 
[Malformed Packet]
...
----------------------

The PSK used is absolutely correct. I changed it and ipsec failed with
errors

    "Informational Exchange message is invalid because it has a Message
ID of 0" from startup log
 and
    "inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for#1"
from messages-log with "plutodebug=all" set
and
    "MESZ: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from <client-ip>
failed its sanity check or is malformed" from CISCO-log. 

So this can't be the problem.

The SPIs are equal: the outputs of "setkey -DP" and "setkey -D" match
the CISCO's "show crypto ipsec sa" output.

The question is: Why is ipsec sending one good ESP packet followed by
malformed packets, and why are they malformed?


------------IPSEC.CONF------------
# basic configuration
config setup
        # Do not set debug= options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd
private"
        # eg:
        #plutodebug="control parsing"
        plutodebug="all"
        #klipsdebug="all"
        #
        # enable to get logs per-peer
        #plutoopts="--perpeerlog"
        #
        # Only enable *debug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        virtual_private=%v4:10.255.255.1/32,%v4:192.168.0.0/24
        #virtual_private=%v4:192.168.0.0/24
        # OE is now off by default. Uncomment and change to on, to enable.
        OE=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        #protostack=netkey
        protostack=auto
        fragicmp=yes    # only for KLIPS - disable PMTU
        nhelpers=0


# Add connections here

conn L2TPPSKCLIENT
        #
        # ----------------------------------------------------------
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        # Initiate rekeying.
        # Connection type _must_ be Transport Mode.
        #
        authby=secret
        pfs=no          # default is yes
        rekey=yes
        keyingtries=3
        keyexchange=ike
        type=transport
        #
        # Specify type of encryption for ISAKMP SA (IPsec Phase 1)
        # Cipher= 3des, Hash = sha, DH-Group = 2
        ike=3des-sha1-modp1024
        # Specify type of encryption for IPSEC SA (IPsec Phase 2)
        # Cipher= 3des, Hash = sha, DH-Group = 2
        phase2=esp
        phase2alg=3des-sha1
        #
        # Specify lifetime of ike and key management
        # Note: Should match values on remote end
        ikelifetime=3600s
        salifetime=600s
        #
        # Keep connection alive through DPD (Dead Peer Detection)
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        #
        #
        # Try XAUTH authentication
        #leftxauthclient=yes
        # ----------------------------------------------------------
        # The local Linux machine that connects as a client.
        #
        # The external network interface is used to connect to the server.
        # If you want to use a different interface or if there is no
        # defaultroute, you can use:   left=your.ip.addr.ess
        #left=87.106.244.79
        left=%defaultroute
        #leftsubnet=10.255.255.1/32
        #leftsubnet=87.106.244.79/32
        #left=%defaultroute
        leftnexthop=%defaultroute
        leftid=87.106.244.79
        leftprotoport=17/1701
        #
        # ----------------------------------------------------------
        # The remote server.
        #
        # Connect to the server at this IP address.
        right=217.91.16.223
        #rightid=217.91.16.223
        #rightsubnet=192.168.0.0/24  # Caused fail of phase 2: NO_PROPOSAL_CHOSEN
        #rightsubnet=217.91.16.223/24
        rightprotoport=17/1701
        # ----------------------------------------------------------
        #
        # Change 'ignore' to 'add' to enable this configuration.
        #
        auto=add


## Disabling OE -- I think this is the old notation
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
---------------------------------------------------

Thanks for your help.

Markus
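Editor's note, added example (not code from the original post or from the Openswan project): when Wireshark cannot decrypt ESP, the only thing it can check is lengths, so "[Malformed Packet]" on ESP the sender itself is emitting is normally a length problem: the captured frame is shorter than its IP total length claims (typical when capturing on the sending host before the stack fragments a too-large packet, or with segmentation offload), or the encrypted part is inconsistent with the cipher block and ICV sizes. The script below reproduces those observer-side checks on constructed frames and compares the SPIs seen on the wire with the ones parsed from `setkey -D` and Cisco `show crypto ipsec sa` output, which is the comparison the post describes doing by hand. Assumptions: the 3DES-CBC block size (8) and the HMAC-SHA1-96 ICV length (12) from the post's `phase2alg=3des-sha1`; the sample tool output and the frames are constructed here in the style of those tools, not captured from the poster's hosts; the function and constant names are the example's own.

```python
"""Length checks an observer can make on ESP without the keys, plus SPI
cross-checking against `setkey -D` and `show crypto ipsec sa` output."""
import re
import struct

ESP_PROTO = 50
ESP_HDR_LEN = 8          # SPI (4) + sequence number (4)
BLOCK = 8                # 3DES-CBC block size; the IV is one block (assumed from 3des-sha1)
ICV_LEN = 12             # HMAC-SHA1-96 truncated ICV (assumed from 3des-sha1)
TRAILER = 2              # pad length + next header bytes


def parse_setkey_spis(text):
    """SPIs from `setkey -D` output: lines like 'esp mode=transport spi=NNN(0xHEX) ...'."""
    return {int(m, 16) for m in re.findall(r"spi=\d+\((0x[0-9a-fA-F]+)\)", text)}


def parse_cisco_spis(text):
    """SPIs from Cisco `show crypto ipsec sa`: lines like 'spi: 0xHEX(NNN)'."""
    return {int(m, 16) for m in re.findall(r"spi:\s*0x([0-9a-fA-F]+)", text)}


def parse_esp_frame(frame):
    """Return (spi, seq, problems) for one IPv4 frame, or None if it is not ESP.
    An empty problems list means the packet looks well formed to an observer
    who cannot decrypt it; this mirrors what a dissector can flag, not a proof."""
    if len(frame) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto = struct.unpack("!BBHHHBB", frame[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or proto != ESP_PROTO:
        return None
    problems = []
    if len(frame) < total_len:
        problems.append("truncated: IP total length %d but only %d bytes captured"
                        % (total_len, len(frame)))
    esp = frame[ihl:total_len]
    if len(esp) < ESP_HDR_LEN:
        return (None, None, problems + ["ESP header incomplete"])
    spi, seq = struct.unpack("!II", esp[:ESP_HDR_LEN])
    body = len(esp) - ESP_HDR_LEN - ICV_LEN          # IV + ciphertext + trailer
    if body < BLOCK + TRAILER:
        problems.append("ESP body too short for IV + trailer")
    elif body % BLOCK:
        problems.append("encrypted part not a multiple of the 3DES block size")
    return (spi, seq, problems)


def build_esp_frame(spi, seq, body_len, claimed_total=None):
    """Constructed frame: IPv4 header + ESP header + opaque body + ICV.
    `claimed_total` lets the IP header advertise more bytes than are present,
    which is what a truncated capture of a large packet looks like."""
    esp = struct.pack("!II", spi, seq) + bytes(body_len) + bytes(ICV_LEN)
    total = 20 + len(esp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, claimed_total or total, 0, 0, 64,
                     ESP_PROTO, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + esp


def audit(frames, known_spis):
    """Run every frame through the checks and also flag SPIs no SA database knows."""
    report = []
    for frame in frames:
        parsed = parse_esp_frame(frame)
        if parsed is None:
            continue
        spi, seq, problems = parsed
        if spi is not None and spi not in known_spis:
            problems.append("SPI 0x%08x is not in the kernel SAD / router SA list" % spi)
        report.append({"spi": spi, "seq": seq, "problems": problems})
    return report


# Constructed samples in the format of the two tools (not the poster's real output).
SETKEY_D = """\
217.91.16.223 87.106.244.79
\tesp mode=transport spi=2281438959(0x87fbfeef) reqid=0(0x00000000)
\tE: 3des-cbc  00010203 ...
\tA: hmac-sha1 00010203 ...
"""
CISCO_SA = """\
     inbound esp sas:
      spi: 0x87FBFEEF(2281438959)
        transform: esp-3des esp-sha-hmac ,
"""


def demo():
    """SPIs both ends agree on, then four constructed frames on that SA."""
    spis = parse_setkey_spis(SETKEY_D) & parse_cisco_spis(CISCO_SA)
    frames = [
        build_esp_frame(0x87fbfeef, 1, body_len=48),                     # well formed
        build_esp_frame(0x87fbfeef, 2, body_len=48, claimed_total=1500),  # capture shorter than IP says
        build_esp_frame(0x87fbfeef, 3, body_len=45),                     # not block aligned
        build_esp_frame(0x11111111, 4, body_len=48),                     # SPI nobody installed
    ]
    return audit(frames, spis)


if __name__ == "__main__":
    for entry in demo():
        print("spi=0x%08x seq=%s %s" % (entry["spi"] or 0, entry["seq"], entry["problems"] or "ok"))
```

To apply this to a real capture, feed the IPv4 frames from the pcap (for example via a pcap reader that strips the Ethernet header) into `audit()` with the SPI set built from the two tools' output; a run of "truncated" results on the sender side with no corresponding packets on the peer points at the packets never leaving the host intact, which is a different problem from the IKE or PSK errors the post already ruled out.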