[Openswan Users] Strange IP behaviour

Mike C smith.not.western at gmail.com
Thu Jul 4 15:04:24 UTC 2013


Hi,

I'm using openswan 2.6.37 (looking to move to .38 sometime this year) with
klips and linux kernel 2.6.32.60, and noticed a very strange set of log
messages the other day.

I've got a dozen or so remote sites connecting into the main office, each
with 3 different tunnels. For various reasons, all the remote sites are
NAT'd. At one point the vpn server saw one tunnel supposedly receive
packets from 6 very different IP addresses.

Each tunnel uses PSKs, and the remote end uses %any for the remote site's
IP. All tunnels use symbolic names to identify endpoints.

At the time of these logs the main office vpn server was under significant
load. The server was restarted and the problem went away before I was able
to access it to try other commands.

(IPs have been masked.)

 2013-07-01 14:22:39      pluto            "tunnel100"[3] 1.1.1.1 #13: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
 2013-07-01 14:22:39      pluto            "tunnel100"[3] 1.1.1.1 #13: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
 2013-07-01 14:22:39      pluto            "tunnel100"[3] 1.1.1.1 #13: STATE_MAIN_R2: sent MR2, expecting MI3
 2013-07-01 14:22:39      pluto            "tunnel100"[1] 2.2.2.2 #11: next payload type of ISAKMP Identification Payload has an unknown value: 127
 2013-07-01 14:22:39      pluto            "tunnel100"[1] 2.2.2.2 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
 2013-07-01 14:22:39      pluto            "tunnel100"[1] 2.2.2.2 #11: sending notification PAYLOAD_MALFORMED to 2.2.2.2:500
 2013-07-01 14:22:39      pluto            "tunnel100"[5] 3.3.3.3 #15: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
 2013-07-01 14:22:39      pluto            "tunnel100"[5] 3.3.3.3 #15: STATE_MAIN_R1: sent MR1, expecting MI2
 2013-07-01 14:22:39      pluto            "tunnel100"[2] 4.4.4.4 #12: next payload type of ISAKMP Identification Payload has an unknown value: 125
 2013-07-01 14:22:39      pluto            "tunnel100"[2] 4.4.4.4 #12: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
 2013-07-01 14:22:39      pluto            "tunnel100"[4] 5.5.5.5 #14: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
 2013-07-01 14:22:39      pluto            "tunnel100"[4] 5.5.5.5 #14: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
 2013-07-01 14:22:39      pluto            "tunnel100"[4] 5.5.5.5 #14: STATE_MAIN_R2: sent MR2, expecting MI3
 2013-07-01 14:22:39      pluto            "tunnel100"[3] 1.1.1.1 #13: Main mode peer ID is ID_FQDN: '@tunnel100.left'
 2013-07-01 14:22:39      pluto            "tunnel100"[3] 1.1.1.1 #13: no suitable connection for peer '@tunnel100.left'
 2013-07-01 14:22:39      pluto            "tunnel100"[3] 1.1.1.1 #13: sending encrypted notification INVALID_ID_INFORMATION to 1.1.1.1:500
 2013-07-01 14:22:39      pluto            "tunnel100"[4] 5.5.5.5 #16: responding to Main Mode from unknown peer 5.5.5.5
 2013-07-01 14:22:39      pluto            "tunnel100"[4] 5.5.5.5 #16: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
 2013-07-01 14:22:39      pluto            "tunnel100"[4] 5.5.5.5 #16: STATE_MAIN_R1: sent MR1, expecting MI2
 2013-07-01 14:22:39      pluto            packet from 6.6.6.6:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
 2013-07-01 14:22:39      pluto            "tunnel100"[6] 6.6.6.6 #17: responding to Main Mode from unknown peer 6.6.6.6
 2013-07-01 14:22:39      pluto            "tunnel100"[6] 6.6.6.6 #17: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
 2013-07-01 14:22:39      pluto            "tunnel100"[6] 6.6.6.6 #17: STATE_MAIN_R1: sent MR1, expecting MI2
 2013-07-01 14:22:39      pluto            packet from 1.1.1.1:500: ignoring unknown Vendor ID payload [4f45755c645c6a795c5c6170]
 2013-07-01 14:22:39      pluto            packet from 1.1.1.1:500: received Vendor ID payload [Dead Peer Detection]
 2013-07-01 14:22:39      pluto            packet from 1.1.1.1:500: received Vendor ID payload [RFC 3947] method set to=109
 2013-07-01 14:22:39      pluto            "tunnel100"[3] 1.1.1.1 #18: responding to Main Mode from unknown peer 1.1.1.1
 2013-07-01 14:22:39      pluto            "tunnel100"[3] 1.1.1.1 #18: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
 2013-07-01 14:22:39      pluto            "tunnel100"[3] 1.1.1.1 #18: STATE_MAIN_R1: sent MR1, expecting MI2
 2013-07-01 14:22:39      pluto            packet from 1.1.1.1:500: phase 1 message is part of an unknown exchange
 2013-07-01 14:22:39      pluto            packet from 6.6.6.6:500: ignoring unknown Vendor ID payload [4f45755c645c6a795c5c6170]
 2013-07-01 14:22:39      pluto            "tunnel100"[6] 6.6.6.6 #19: responding to Main Mode from unknown peer 6.6.6.6
 2013-07-01 14:22:39      pluto            "tunnel100"[6] 6.6.6.6 #19: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
 2013-07-01 14:22:39      pluto            "tunnel100"[6] 6.6.6.6 #19: STATE_MAIN_R1: sent MR1, expecting MI2

Does anyone know what could have caused this / have seen this before?

Kind Regards,

Mike
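
A triage aid for logs like the one in this post, added here as an example and not part of the original message or of Openswan: it groups pluto entries by connection name and peer address, so the instance numbers, state numbers and failure messages per peer can be read at a glance. The entry layout `"conn"[instance] peer #state:` is taken from the log above; the sample lines are constructed in that format, and the choice of failure markers is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: entries in the format of the log above, one per line.
SAMPLE_LOG = """\
2013-07-01 14:22:39 pluto "tunnel100"[3] 1.1.1.1 #13: STATE_MAIN_R2: sent MR2, expecting MI3
2013-07-01 14:22:39 pluto "tunnel100"[1] 2.2.2.2 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
2013-07-01 14:22:39 pluto "tunnel100"[2] 4.4.4.4 #12: next payload type of ISAKMP Identification Payload has an unknown value: 125
2013-07-01 14:22:39 pluto "tunnel100"[3] 1.1.1.1 #13: no suitable connection for peer '@tunnel100.left'
2013-07-01 14:22:39 pluto packet from 6.6.6.6:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2013-07-01 14:22:39 pluto "tunnel100"[6] 6.6.6.6 #17: responding to Main Mode from unknown peer 6.6.6.6
2013-07-01 14:22:39 pluto "tunnel100"[3] 1.1.1.1 #18: responding to Main Mode from unknown peer 1.1.1.1
"""

# Layout: "conn"[instance] peer-ip #state: message
ENTRY = re.compile(
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\]\s+(?P<peer>[0-9a-fA-F.:]+)\s+#(?P<state>\d+):\s+(?P<msg>.*)$'
)
# Assumption: message fragments treated as negotiation failures for this tally.
FAILURE_MARKERS = ("probable authentication failure", "has an unknown value", "no suitable connection")

def summarize(log_text):
    """Return {conn: {peer: {"instances": set, "states": set, "failures": int}}}."""
    summary = defaultdict(lambda: defaultdict(
        lambda: {"instances": set(), "states": set(), "failures": 0}))
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # e.g. "packet from ..." lines not yet tied to a connection
        rec = summary[m["conn"]][m["peer"]]
        rec["instances"].add(int(m["inst"]))
        rec["states"].add(int(m["state"]))
        if any(marker in m["msg"] for marker in FAILURE_MARKERS):
            rec["failures"] += 1
    return summary

def multi_peer_connections(summary, threshold=2):
    """Connection names seen with at least `threshold` distinct peer addresses."""
    return {c: sorted(p) for c, p in summary.items() if len(p) >= threshold}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for conn, peers in multi_peer_connections(s).items():
        print(conn, "seen from", len(peers), "peers")
        for peer in peers:
            r = s[conn][peer]
            print(f"  {peer}: instances={sorted(r['instances'])} states={sorted(r['states'])} failures={r['failures']}")
```

The parser expects one entry per line, so re-join any lines a mail client has wrapped before feeding it the log.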