[Openswan Users] pluto won't talk over port 500 on very old system

Neal Murphy neal.p.murphy at alum.wpi.edu
Fri Aug 23 04:29:32 UTC 2013


Howdy!

I've been preparing Smoothwall Express v3.1 for some time. (Linux 3.4, GCC 
4.7, Openswan 2.6.38, et alia). IPSEC has been working well between newer 
systems during my testing all along. Atoms, Athlons and PhenomIIs all behave 
well. VPNs come up right away, no troubles. Express 3.1 still uses only the 
old "ike=3des-md5" and "esp=3des-md5". (Yes, this really needs to be 
modernized.)

But I just ran into a problem I don't understand. A user has a Latitude C510 
(PIII-1200) that won't bring up VPN; but a marginally newer D600 (Celeron) 
does work. So I finally loaded 3.1-rc2 onto a year 2000 Gateway (PIII-600). 
And pluto doesn't want to talk over port 500 (ISAKMP). The same ISO installed 
on a PhenomII in KVMs (32- and 64-bit) works fine. I think I can rule out bad 
hardware.

I do see pluto respond with its "Huh?" packet when it receives a bogus packet 
on UDP port 500. But it never acknowledges the STATE_MAIN_I1 packets it 
receives, and I think it almost never sends any packets out. That is, it 
doesn't 'speak the protocol'.

I *think* I see that the old Gateway does not load some of the crypto modules. 
I suspect it is related to the ARCH I use to build the system, and/or how the 
kernel is built. But I'm really at a loss.

Do any of you have any clues, any pointers? Ever run into something like this 
before? Any thoughts as to why pluto on an old PIII would silently not 
communicate over port 500, but does work well on newer CPUs?

Thanks,
Neal

