[Openswan Users] OpenSwan Client sends "Malformed Packet" of type ESP

Paul Wouters paul at xelerance.com
Wed Jan 21 11:22:43 EST 2009


On Wed, 21 Jan 2009, Markus Locher wrote:

This is most probably bug http://bugs.xelerance.com/view.php?id=1004

You can check with the ip xfrm command. The setkey command is obsolete.

Paul

> Date: Wed, 21 Jan 2009 11:45:45 +0100
> From: Markus Locher <ml at as-support.com>
> To: Openswan Users <users at openswan.org>
> Subject: Re: [Openswan Users] OpenSwan Client sends "Malformed Packet" of type ESP
> 
> Hello list,
> 
> some more information on this problem.
> 
> It's really remarkable, because there is no indication of errors anywhere.
> 
> Problem:
> ==================
> - I can set up an ipsec (transport) connection - packets are encapsulated
> in ESP when they are transported.
> - I can set up an openl2tp connection - when ipsec IS NOT STARTED!
> - The ipsec keys and all following handshake on port 500 (isakmp)
> function properly.
> - Ipsec communicates on port 1701 for both sides (CISCO <---> openswan).
> - The SPIs are equal at the time of communication for inbound and
> outbound on both systems.
> - setkey -D(P) shows the right routing information (as far as I can see).
> ---------------------------------------------
> 217.0.0.0[any] 87.0.0.0[any] udp
> fwd prio high + 1073739744 ipsec
> esp/transport//unique#16385
> created: Jan 21 11:08:23 2009 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=4202 seq=12 pid=32726
> refcnt=1
> 87.0.0.0[any] 217.0.0.0[any] udp
> out prio high + 1073739744 ipsec
> esp/transport//unique#16385
> created: Jan 21 11:23:16 2009 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=4209 seq=0 pid=32726
> refcnt=1
> ---------------------------------------------
> - CISCO shows only sending packets to client on port 1701
> - Client sends 5-6 packets and CISCO does the same, but I don't see any
> incoming on port UDP 1701 __ON BOTH SYSTEMS__. So ESP packets are lost
> in space.
> 
> Conclusion:
> ======================
> 1) ESP packets are encrypted correctly, ...
> because the SPIs are equal and neither system complains about that.
> Except the wireshark of the client, which says some packets are
> malformed, but CISCO has no send or receive errors and has the right
> count of decrypt/encrypt packets.
> 2) ESP packets are sent correctly, ...
> because the port on both sides is 1701 on every sent message.
> 3) The tunnel with l2tp - without ipsec - functions properly, so ipsec
> must be the problem.
> 
> 
> Questions:
> =======================
> A) Where are my ESP packets and how can I find them?
> B) Is there a way to look into ESP packets other than tcpdump (which I
> can't compile with crypto)?
> C) Could it be that the NETKEY module of the kernel is the problem, and
> can I trace its output somehow?
> 
> 
> On 2009-01-19 11:26, Markus Locher wrote:
> > Hi list,
> >
> > I found similar but not equal problems in this mailing list so I post
> > this.
> >
> > The OpenSwan daemon is sending "malformed packets" of type "esp" to a
> > CISCO router - which the CISCO never gets. That happens when I start
> > openl2tpd to create the tunnel of the VPN.
> >
> > Log of WireShark:
> >
> > The PSK used is absolutely correct. I changed it and ipsec failed with
> > errors
> >
> > "Informational Exchange message is invalid because it has a Message
> > ID of 0" from startup log
> > and
> > "inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for#1"
> > from messages-log with "plutodebug=all" set
> > and
> > "MESZ: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from
> > failed its sanity check or is malformed" from CISCO-log.
> >
> > So this can't be the problem.
> >
> > The SPIs are equal as far as both outputs from "setkey -DP" and "setkey
> > -D" compared to the CISCO's "show crypto ipsec sa" output are the same.
> >
> > The question is: Why is ipsec sending one good ESP packet followed by
> > malformed packets, and why are they malformed?
> >
> >
> > ------------IPSEC.CONF------------
> > # basic configuration
> > config setup
> > # Do not set debug= options to debug configuration issues!
> > # plutodebug / klipsdebug = "all", "none" or a combination from below:
> > # "raw crypt parsing emitting control klips pfkey natt x509 dpd
> > private"
> > # eg:
> > #plutodebug="control parsing"
> > plutodebug="all"
> > #klipsdebug="all"
> > #
> > # enable to get logs per-peer
> > #plutoopts="--perpeerlog"
> > #
> > # Only enable *debug=all if you are a developer
> > #
> > # NAT-TRAVERSAL support, see README.NAT-Traversal
> > nat_traversal=yes
> > # exclude networks used on server side by adding %v4:!a.b.c.0/24
> > #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> > virtual_private=%v4:10.255.255.1/32,%v4:192.168.0.0/24
> > #virtual_private=%v4:192.168.0.0/24
> > # OE is now off by default. Uncomment and change to on, to enable.
> > OE=off
> > # which IPsec stack to use. netkey,klips,mast,auto or none
> > #protostack=netkey
> > protostack=auto
> > fragicmp=yes # only for KLIPS - disable PMTU
> > nhelpers=0
> >
> >
> > # Add connections here
> >
> > conn L2TPPSKCLIENT
> > #
> > # ----------------------------------------------------------
> > # Use a Preshared Key. Disable Perfect Forward Secrecy.
> > # Initiate rekeying.
> > # Connection type _must_ be Transport Mode.
> > #
> > authby=secret
> > pfs=no # default is yes
> > rekey=yes
> > keyingtries=3
> > keyexchange=ike
> > type=transport
> > #
> > # Specify type of encryption for ISAKMP SA (IPsec Phase 1)
> > # Cipher= 3des, Hash = sha, DH-Group = 2
> > ike=3des-sha1-modp1024
> > # Specify type of encryption for IPSEC SA (IPsec Phase 2)
> > # Cipher= 3des, Hash = sha, DH-Group = 2
> > phase2=esp
> > phase2alg=3des-sha1
> > #
> > # Specify lifetime of ike and key management
> > # Note: Should match values on remote end
> > ikelifetime=3600s
> > salifetime=600s
> > #
> > # Keep connection alive through DPD (Dead Peer Detection)
> > dpddelay=30
> > dpdtimeout=120
> > dpdaction=clear
> > #
> > #
> > # Try XAUTH authentication
> > #leftxauthclient=yes
> > # ----------------------------------------------------------
> > # The local Linux machine that connects as a client.
> > #
> > # The external network interface is used to connect to the server.
> > # If you want to use a different interface or if there is no
> > # defaultroute, you can use: left=your.ip.addr.ess
> > #left=87.106.244.79
> >
> 
> 
> 

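As an added example (not from this thread, from Openswan, or from the poster), the following Python script does what questions A and B ask for without a crypto-enabled tcpdump: it reads the ESP SPIs from `ip xfrm state` output, as Paul suggests instead of setkey, and classifies captured UDP payloads by whether their ESP header (RFC 4303: 4-byte SPI, 4-byte sequence number) carries one of those SPIs, carries the NAT-T non-ESP marker, or is too short to be ESP at all, which is what a dissector reports as malformed. The xfrm excerpt, the SPIs, and the captured packets are all constructed.

```python
import re
import struct

# Constructed excerpt in the shape `ip xfrm state` prints; the SPIs are made up.
XFRM_STATE = """\
src 87.0.0.1 dst 217.0.0.1
\tproto esp spi 0x0c5e3a91 reqid 16385 mode transport
src 217.0.0.1 dst 87.0.0.1
\tproto esp spi 0x7d21b044 reqid 16385 mode transport
"""


def parse_xfrm_spis(text):
    """Map each ESP SPI in `ip xfrm state` output to its (src, dst) pair."""
    sas, src, dst = {}, None, None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:
            src, dst = m.groups()
            continue
        m = re.search(r"proto esp spi 0x([0-9a-fA-F]+)", line)
        if m and src is not None:
            sas[int(m.group(1), 16)] = (src, dst)
    return sas


def classify_esp(payload, sas):
    """Label one UDP payload that should be ESP. A 4-byte zero prefix is the
    RFC 3948 non-ESP marker of UDP-encapsulated IKE, not a broken ESP packet."""
    if len(payload) < 8:
        return "malformed"          # too short for an ESP header
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        return "non-esp-marker"
    if spi not in sas:
        return "unknown-spi"        # no SA for it in the local xfrm state
    return "ok"


# Constructed captures: known SA, unknown SPI, NAT-T IKE marker, truncated.
SAMPLE_PACKETS = [
    struct.pack("!II", 0x0C5E3A91, 1) + b"\x00" * 24,
    struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 24,
    b"\x00\x00\x00\x00" + b"\x11" * 28,
    b"\x0c\x5e",
]


def classify_all(packets, xfrm_text=XFRM_STATE):
    sas = parse_xfrm_spis(xfrm_text)
    return [classify_esp(p, sas) for p in packets]


if __name__ == "__main__":
    print(classify_all(SAMPLE_PACKETS))
```

On a real host, feed it the output of `ip xfrm state` and the UDP payloads from a pcap; an SPI that appears in neither direction's SA is the first thing to compare against the Cisco's "show crypto ipsec sa".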
