[Openswan Users] OpenSwan Client sends "Malformed Packet" of type ESP

Markus Locher ml at as-support.com
Wed Jan 21 05:45:45 EST 2009


Hello list,

some more information on this problem.

It's really remarkable, because there is no indication of errors anywhere.

Problem:
==================
- I can set up an IPsec (transport) connection - packets are encapsulated
in ESP when they are transported.
- I can set up an openl2tp connection - when IPsec IS NOT STARTED!
- The IPsec keys and all subsequent handshakes on port 500 (isakmp)
function properly.
- IPsec communicates on port 1701 for both sides (CISCO <---> openswan).
- The SPIs are equal at the time of communication for inbound and
outbound on both systems.
- setkey -D(P) shows the right routing information (as far as I can see).
---------------------------------------------
217.0.0.0[any] 87.0.0.0[any] udp
fwd prio high + 1073739744 ipsec
esp/transport//unique#16385
created: Jan 21 11:08:23 2009 lastused:
lifetime: 0(s) validtime: 0(s)
spid=4202 seq=12 pid=32726
refcnt=1
87.0.0.0[any] 217.0.0.0[any] udp
out prio high + 1073739744 ipsec
esp/transport//unique#16385
created: Jan 21 11:23:16 2009 lastused:
lifetime: 0(s) validtime: 0(s)
spid=4209 seq=0 pid=32726
refcnt=1
---------------------------------------------
- CISCO shows only sending packets to the client on port 1701.
- The client sends 5-6 packets and CISCO does the same, but I don't see any
incoming on port UDP 1701 __ON BOTH SYSTEMS__. So the ESP packets are lost
in space.

Conclusion:
======================
1) ESP packets are encrypted correctly, ...
because the SPIs are equal and neither system complains about that.
Except Wireshark on the client, which says some packets are
malformed, but CISCO has no send or receive errors and has the right
count of decrypted/encrypted packets.
2) ESP packets are sent correctly, ...
because the port on both sides is 1701 for every sent message.
3) The tunnel with l2tp - without IPsec - functions properly, so IPsec
must be the problem.


Questions:
=======================
A) Where are my ESP packets and how can I find them?
B) Is there a way to look into ESP packets other than tcpdump (which I
can't compile with crypto)?
C) Could it be that the NETKEY module of the kernel is the problem, and
can I trace its output somehow?








On 2009-01-19 11:26, Markus Locher wrote:
> Hi list,
>
> I found similar but not identical problems in this mailing list, so I post
> this.
>
> The OpenSwan daemon is sending "malformed packets" of type "esp" to a
> CISCO router - which the CISCO never gets. That happens when I start
> openl2tpd to create the tunnel of the VPN.
>
> Log of WireShark:
>
> The PSK used is absolutely correct. I changed it and ipsec failed with
> errors
>
> "Informational Exchange message is invalid because it has a Message
> ID of 0" from startup log
> and
> "inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for#1"
> from messages-log with "plutodebug=all" set
> and
> "MESZ: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from
> failed its sanity check or is malformed" from CISCO-log.
>
> So this can't be the problem.
>
> The SPIs are equal, as far as both outputs from "setkey -DP" and "setkey
> -D" compared to the CISCO's "show crypto ipsec sa" output are the same.
>
> The question is: Why is IPsec sending one good ESP packet followed by
> malformed packets, and why are they malformed?
>
>
> ------------IPSEC.CONF------------
> # basic configuration
> config setup
> # Do not set debug= options to debug configuration issues!
> # plutodebug / klipsdebug = "all", "none" or a combination from below:
> # "raw crypt parsing emitting control klips pfkey natt x509 dpd
> private"
> # eg:
> #plutodebug="control parsing"
> plutodebug="all"
> #klipsdebug="all"
> #
> # enable to get logs per-peer
> #plutoopts="--perpeerlog"
> #
> # Only enable *debug=all if you are a developer
> #
> # NAT-TRAVERSAL support, see README.NAT-Traversal
> nat_traversal=yes
> # exclude networks used on server side by adding %v4:!a.b.c.0/24
> #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> virtual_private=%v4:10.255.255.1/32,%v4:192.168.0.0/24
> #virtual_private=%v4:192.168.0.0/24
> # OE is now off by default. Uncomment and change to on, to enable.
> OE=off
> # which IPsec stack to use. netkey,klips,mast,auto or none
> #protostack=netkey
> protostack=auto
> fragicmp=yes # only for KLIPS - disable PMTU
> nhelpers=0
>
>
> # Add connections here
>
> conn L2TPPSKCLIENT
> #
> # ----------------------------------------------------------
> # Use a Preshared Key. Disable Perfect Forward Secrecy.
> # Initiate rekeying.
> # Connection type _must_ be Transport Mode.
> #
> authby=secret
> pfs=no # default is yes
> rekey=yes
> keyingtries=3
> keyexchange=ike
> type=transport
> #
> # Specify type of encryption for ISAKMP SA (IPsec Phase 1)
> # Cipher= 3des, Hash = sha, DH-Group = 2
> ike=3des-sha1-modp1024
> # Specify type of encryption for IPsec SA (IPsec Phase 2)
> # Cipher = 3des, Hash = sha1 (no DH group in phase 2, since pfs=no)
> phase2=esp
> phase2alg=3des-sha1
> #
> # Specify lifetime of ike and key management
> # Note: Should match values on remote end
> ikelifetime=3600s
> salifetime=600s
> #
> # Keep connection alive through DPD (Dead Peer Detection)
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
> #
> #
> # Try XAUTH authentication
> #leftxauthclient=yes
> # ----------------------------------------------------------
> # The local Linux machine that connects as a client.
> #
> # The external network interface is used to connect to the server.
> # If you want to use a different interface or if there is no
> # defaultroute, you can use: left=your.ip.addr.ess
> #left=87.106.244.79
>
> left=
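Questions A and B above ask where the ESP packets are and how to look into them without a crypto-enabled tcpdump. The following is an added example for this thread, not code from the poster, from Openswan or from Wireshark: a small dissector that takes raw IPv4 packets (what a pcap reader or an AF_PACKET socket hands over), finds ESP whether it travels as IP protocol 50 or UDP-encapsulated on port 4500 (NAT-T, RFC 3948), and pulls out the only two ESP fields that are readable without the keys, the SPI and the sequence number. A `spi_report` helper then counts datagrams per SPI and flags SPIs that are not in a given SAD, so the capture can be checked against the SPIs from `setkey -D` and `show crypto ipsec sa`. The hosts, SPIs and packets in the block are constructed for the example and are not taken from the post.

```python
"""Find and decode ESP packets in a raw IPv4 capture.

Added example for this thread; not code from the poster, Openswan or
Wireshark. It takes raw IPv4 packets (what a pcap reader or an AF_PACKET
socket hands over) and reports the two ESP fields readable without keys:
SPI and sequence number (RFC 4303). Hosts, SPIs and packets below are
constructed for the example and are not taken from the post.
"""
import struct
from collections import Counter

ESP_PROTO, UDP_PROTO = 50, 17
IKE_PORT, NATT_PORT, L2TP_PORT = 500, 4500, 1701
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP 4500 starts with this

def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, zero checksum) for test packets only."""
    octets = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, octets(src), octets(dst))
    return hdr + payload

def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) or None when the header is unusable."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or len(pkt) < ihl or total < ihl:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:total]

def esp_header(data):
    """SPI and sequence number: the only cleartext ESP fields (RFC 4303 section 2)."""
    return struct.unpack("!II", data[:8]) if len(data) >= 8 else None

def classify(pkt):
    """Label a packet: esp, udp-esp (NAT-T), ike, l2tp-clear, other or malformed."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return {"kind": "malformed", "reason": "truncated or non-IPv4 header"}
    proto, src, dst, payload = parsed
    info = {"src": src, "dst": dst}
    if proto == ESP_PROTO:
        hdr = esp_header(payload)
        if hdr is None:
            return {**info, "kind": "malformed", "reason": "ESP shorter than SPI+seq"}
        return {**info, "kind": "esp", "spi": hdr[0], "seq": hdr[1]}
    if proto == UDP_PROTO and len(payload) >= 8:
        sport, dport, ulen = struct.unpack("!HHH", payload[:6])
        data, ports = payload[8:ulen], {sport, dport}
        if NATT_PORT in ports:  # NAT-T: IKE carries a zero marker, ESP starts with its SPI
            if data[:4] == NON_ESP_MARKER:
                return {**info, "kind": "ike", "port": NATT_PORT}
            hdr = esp_header(data)
            if hdr is None:
                return {**info, "kind": "malformed", "reason": "UDP-encapsulated ESP too short"}
            return {**info, "kind": "udp-esp", "spi": hdr[0], "seq": hdr[1]}
        if IKE_PORT in ports:
            return {**info, "kind": "ike", "port": IKE_PORT}
        if L2TP_PORT in ports:  # L2TP in the clear: the IPsec policy did not catch it
            return {**info, "kind": "l2tp-clear"}
    return {**info, "kind": "other", "proto": proto}

def spi_report(packets, known_spis):
    """Count ESP datagrams per SPI and list SPIs missing from the SAD (setkey -D)."""
    seen = Counter()
    for pkt in packets:
        c = classify(pkt)
        if c["kind"] in ("esp", "udp-esp"):
            seen[c["spi"]] += 1
    return {"per_spi": dict(seen),
            "unknown_spis": sorted(s for s in seen if s not in known_spis)}

# Constructed capture between a client and a gateway (made-up addresses and SPIs).
CLIENT, GW = "198.51.100.10", "203.0.113.1"
SPI_OUT, SPI_IN = 0x0AABBCC1, 0x0DDEEFF2
SAMPLE = [
    build_ipv4(UDP_PROTO, CLIENT, GW, build_udp(IKE_PORT, IKE_PORT, b"\x11" * 28)),
    build_ipv4(ESP_PROTO, CLIENT, GW, struct.pack("!II", SPI_OUT, 1) + b"\xaa" * 40),
    build_ipv4(ESP_PROTO, GW, CLIENT, struct.pack("!II", SPI_IN, 1) + b"\xbb" * 40),
    build_ipv4(UDP_PROTO, CLIENT, GW, build_udp(NATT_PORT, NATT_PORT,
               struct.pack("!II", SPI_OUT, 2) + b"\xcc" * 40)),
    build_ipv4(UDP_PROTO, CLIENT, GW, build_udp(NATT_PORT, NATT_PORT,
               NON_ESP_MARKER + b"\x22" * 28)),
    build_ipv4(ESP_PROTO, CLIENT, GW, b"\x01\x02\x03"),  # truncated ESP datagram
    build_ipv4(UDP_PROTO, CLIENT, GW, build_udp(L2TP_PORT, L2TP_PORT, b"\xc8\x02" + bytes(10))),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(classify(pkt))
    print(spi_report(SAMPLE, {SPI_OUT, SPI_IN}))
```

Feed it the packets from a capture on the client's external interface and compare the `per_spi` keys with the SPIs in `setkey -D`: ESP that never leaves the host shows up as no datagrams at all for the outbound SPI, while L2TP seen as `l2tp-clear` means the policy in `setkey -DP` did not match the traffic. The payload after the 8-byte header is ciphertext, so without the SA keys this is as far as any dissector can go; on a NETKEY host `ip -s xfrm state` prints per-SA packet and error counters, which is the kernel-side view of the same SPIs.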



