[Openswan Users] Problem with Openswan beyond NAT
Rodolfo Giometti
giometti at enneenne.com
Wed Oct 16 14:22:49 UTC 2013
On Mon, Oct 14, 2013 at 03:20:29PM +0200, Rodolfo Giometti wrote:
> Hello,
>
> I need some advice about strange problem...
>
> I'm using openswan 2.6.39 on a system beyond a NAT.
>
> [Ascii art time]
>
> |         |                      |       |      |          |
> |  cisco  |----<<Internet>>------|  NAT  |------| openswan |
> | ASR1000 |                      |       |      |          |
>
> 172.21.59.66                 out: 192.168.10.2    10.1.1.50
>                               in: 10.1.1.54
>
> After a while communication stops with the following messages on Cisco
>
> *Oct 11 13:34:43.628: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from
> 192.168.10.2 failed its sanity check or is malformed
> *Oct 11 13:36:16.072: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=172.21.59.66, prot=17,
> spi=0xC6F485A2(3337913762), srcaddr=192.168.10.2
>
> On my platform pluto doesn't recognize that the communication to the
> peer has troubles and it continues to send ESP and keepalive packets.
Looking more closely at pluto's messages I see:
pluto[1029]: "selta_0" #17: DPD: could not find newest phase 1 state
pluto[1029]: "selta_1" #19: DPD: could not find newest phase 1 state
pluto[1029]: "selta_0" #20: DPD: could not find newest phase 1 state
Can this problem be related to Dead Peer Detection beyond NAT-T?
Thanks in advance,
Rodolfo
--
GNU/Linux Solutions                  e-mail: giometti at enneenne.com
Linux Device Driver                          giometti at linux.it
Embedded Systems                             phone: +39 349 2432127
UNIX programming                             skype: rodolfo.giometti
Freelance ICT Italia - Consulente ICT Italia - www.consulenti-ict.it
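The symptom in this thread has two halves that only make sense together: pluto logs "DPD: could not find newest phase 1 state" when it wants to send a DPD R_U_THERE probe but no ISAKMP (phase 1) SA exists any more for that connection, while the IPsec (phase 2) SA and its ESP traffic stay up; the Cisco side meanwhile reports %CRYPTO-4-RECVD_PKT_INV_SPI for that ESP because it has already dropped the SA. The script below is an added example, not code from the post or from Openswan, that parses both kinds of log line and flags connections where the tunnel is dead on one side only. The sample lines are the ones quoted in the post (the Cisco lines re-joined onto one line each); the failure threshold, the function names and the `nat_public_ip` parameter are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the pluto and Cisco IOS lines quoted in the post,
# reproduced verbatim (the Cisco lines re-joined onto one line each).
PLUTO_LOG = """\
pluto[1029]: "selta_0" #17: DPD: could not find newest phase 1 state
pluto[1029]: "selta_1" #19: DPD: could not find newest phase 1 state
pluto[1029]: "selta_0" #20: DPD: could not find newest phase 1 state
"""
CISCO_LOG = """\
*Oct 11 13:34:43.628: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.10.2 failed its sanity check or is malformed
*Oct 11 13:36:16.072: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=172.21.59.66, prot=17, spi=0xC6F485A2(3337913762), srcaddr=192.168.10.2
"""

# pluto prefixes every state-specific line with the connection name and state number.
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
DPD_NO_PHASE1 = "DPD: could not find newest phase 1 state"

CISCO_BAD_IKE_RE = re.compile(r"%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from (?P<src>[\d.]+)")
CISCO_INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*destaddr=(?P<dst>[\d.]+).*"
    r"spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\d.]+)"
)


def parse_pluto(text):
    """Return (connection, state number, message) for each pluto state line."""
    events = []
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if m:
            events.append((m["conn"], int(m["state"]), m["msg"]))
    return events


def stale_connections(events, threshold=2):
    """Connections whose DPD probes failed at least `threshold` times (assumed
    default) because pluto has no phase 1 SA left to send R_U_THERE on, even
    though the phase 2 SA, and therefore the ESP traffic, is still in place."""
    failures = defaultdict(list)
    for conn, state, msg in events:
        if msg == DPD_NO_PHASE1:
            failures[conn].append(state)
    return {conn: states for conn, states in failures.items() if len(states) >= threshold}


def parse_cisco(text):
    """Return (kind, srcaddr, spi) for the two crypto messages seen in the post."""
    events = []
    for line in text.splitlines():
        m = CISCO_BAD_IKE_RE.search(line)
        if m:
            events.append(("bad_ike", m["src"], None))
            continue
        m = CISCO_INV_SPI_RE.search(line)
        if m:
            events.append(("invalid_spi", m["src"], m["spi"]))
    return events


def correlate(pluto_text, cisco_text, nat_public_ip):
    """Combine both views. The router only ever sees the NAT's public address,
    so its complaints (keyed by srcaddr) are matched against that address."""
    stale = stale_connections(parse_pluto(pluto_text))
    peer = defaultdict(lambda: {"bad_ike": 0, "invalid_spi": 0, "spis": []})
    for kind, src, spi in parse_cisco(cisco_text):
        peer[src][kind] += 1
        if spi:
            peer[src]["spis"].append(spi)
    nat_complaints = peer.get(nat_public_ip)
    return {
        "stale_connections": stale,
        "peer_complaints": dict(peer),
        # True when pluto still has no phase 1 SA for a connection *and* the
        # router rejects ESP from the NAT address: the SA survives on one side only.
        "one_sided_sa": bool(stale) and nat_complaints is not None and nat_complaints["invalid_spi"] > 0,
    }


if __name__ == "__main__":
    report = correlate(PLUTO_LOG, CISCO_LOG, "192.168.10.2")
    for conn, states in report["stale_connections"].items():
        print(f"{conn}: DPD found no phase 1 SA in states {states}; the connection needs a restart")
    if report["one_sided_sa"]:
        print("router reports invalid SPI from the NAT address: the tunnel is dead on one side only")
```

Run against the two log sources, the report names `selta_0` as stale (two failed probes, states #17 and #20) and confirms the one-sided SA because the router's invalid-SPI complaint comes from the NAT's outside address 192.168.10.2. An operator can feed live syslog into the same two parsers and act on `stale_connections` long before the users notice traffic stopping.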