[Openswan Users] Reports of IPSEC tunnels going offline with 2.6.28
Paul Wouters
paul at xelerance.com
Thu Sep 9 09:47:23 EDT 2010
On Thu, 9 Sep 2010, Greg Scott wrote:
> Looking at /var/log/secure – it looks like a problem started on Sep 8 around 27 minutes after midnight. The systems at both sites
> are running ntp, so both clocks are synchronized. At 00:26:44, both HQ and MN report an SA established. At 00:27:14, HQ starts
> reporting “Informational Exchange message must be encrypted” and MN reports a malformed payload. This repeats a few times until
> 00:37:54, when MN reports “too many (17) malformed payloads. Deleting state”. After that, several messages on both sides with
> initiate on demand errors. Around 09:26:00, the folks at the MN site rebooted the MN firewall. After that, the tunnel came back as
> normal. This customer has reported this happening at least twice in the past few days. Again, this is with 2.6.28 at both sites.
Sounds like NETKEY related.
> Could this be a hardware problem?
I doubt it.
> Sep 8 00:26:04 MN-fw1 pluto[2192]: "mn-hq" #441: ERROR: netlink response for Add SA esp.c7d28cc6 at 3.4.
> 177.201 included errno 3: No such process
This is netkey not being happy.
> Sep 8 00:27:14 MN-fw1 pluto[2192]: "mn-hq" #440: byte 2 of ISAKMP Hash Payload must be zero, but is not
> Sep 8 00:27:14 MN-fw1 pluto[2192]: "mn-hq" #440: malformed payload in packet
> Sep 8 00:27:14 MN-fw1 pluto[2192]: | payload malformed after IV
> Sep 8 00:27:14 MN-fw1 pluto[2192]: | c5 15 27 ac 8e a4 30 b7 af 3f 05 d3 57 e3 9b 0a
> Sep 8 00:27:14 MN-fw1 pluto[2192]: "mn-hq" #440: sending notification PAYLOAD_MALFORMED to 1.2.252.17
> 8:500
> Sep 8 00:27:54 MN-fw1 pluto[2192]: "mn-hq" #440: byte 2 of ISAKMP Hash Payload must be zero, but is not
> Sep 8 00:27:54 MN-fw1 pluto[2192]: "mn-hq" #440: malformed payload in packet
> Sep 8 00:27:54 MN-fw1 pluto[2192]: | payload malformed after IV
> Sep 8 00:27:54 MN-fw1 pluto[2192]: | c5 15 27 ac 8e a4 30 b7 af 3f 05 d3 57 e3 9b 0a
> Sep 8 00:27:54 MN-fw1 pluto[2192]: "mn-hq" #440: sending notification PAYLOAD_MALFORMED to 1.2.252.17
> 8:500
I'm not sure how this all of sudden would happen though.
> Sep 8 08:26:44 MN-fw1 pluto[2192]: "mn-hq" #442: IPsec SA expired (LATEST!)
>
> Sep 8 08:26:44 MN-fw1 pluto[2192]: "mn-hq" #442: down-client output: Running mn-updown
>
> Sep 8 08:26:44 MN-fw1 pluto[2192]: initiate on demand from 192.168.0.219:49178 to 10.0.0.1:3389 proto=6
>
> state: fos_start because: acquire
This is the netkey bug unfortunately. At this point you have a bogus %pass route, and you have to restart
openswan. It seems to trigger when the SA expired, and the first encrypted packet then hits the %pass
route causing the bogus acquire.
Paul
More information about the Users
mailing list