[Openswan Users] Tunnel fails after OpenSSL patch

Ed Ng draco12345 at gmail.com
Wed Apr 9 15:01:53 EDT 2014


Thanks Simon.  I just solved the issue by downgrading the OpenSwan version.
Just realized that the system update also updated OpenSwan
from openswan-2.6.37-2.16.amzn1.x86_64 to
openswan-2.6.37-3.17.amzn1.x86_64.  There is probably some incompatibility
in how the keys are generated between these versions, hence the connectivity
issue.  I couldn't find the previous version anywhere, so I installed a
Fedora build (openswan-2.6.37-1.fc16.x86_64.rpm) instead.  That resolved
the issue.

-Ed


On Wed, Apr 9, 2014 at 2:45 PM, Simon Deziel <simon at xelerance.com> wrote:

> Hi Ed,
>
> We had no such issue with our environment:
>
> OpenSwan 2.6.41
> OpenSSL 1.0.1-4ubuntu5.12  (Ubuntu patched version)
>
> Simon
>
> On 14-04-09 01:51 PM, Ed Ng wrote:
> > Anyone experienced any problem after the recent OpenSSL patch
> > (Heartbleed bug)?  We have a tunnel that's been running fine for a while
> > until we did a system update yesterday.  The server runs Amazon Linux
> > AMI release 2014.03 with OpenSSL 1:1.0.1e-37.66.amzn1 and
> > OpenSwan 2.6.37-3.17.amzn1.
> >
> > I found some logs that look abnormal after the patch.
> >
> > Apr 10 01:21:55 pluto[1230]: "mytunnel" #43: responding to Main Mode
> > Apr 10 01:21:55 pluto[1230]: "mytunnel" #43: transition from state
> > STATE_MAIN_R0 to state STATE_MAIN_R1
> > Apr 10 01:21:55 pluto[1230]: "mytunnel" #43: STATE_MAIN_R1: sent MR1,
> > expecting MI2
> > Apr 10 01:21:55 pluto[1230]: "mytunnel" #43: next payload type of ISAKMP
> > Nonce Payload has an unknown value: 130
> > Apr 10 01:21:55 pluto[1230]: "mytunnel" #43: malformed payload in packet
> >
> > It now says "next payload type of ISAKMP Nonce Payload has an unknown
> > value: 130".  Anybody has any clue on how to fix this issue?  The tunnel
> > is currently down and we want to bring it back up asap.
> >
> > Thanks!
> >
> > -Ed
> >
> >
> > _______________________________________________
> > Users at lists.openswan.org
> > https://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >

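The parsing step behind the logged error, as an added example that is not part of the thread or of Openswan's code: a minimal walk of the ISAKMP payload chain (RFC 2408 generic payload header) that rejects a message when a payload's next-payload field holds a type the receiver's table does not list. The packet bytes are constructed, and the names `payload`, `message`, `walk_payloads` and the label `type-130` are assumptions made for illustration.

```python
import struct

# Next-payload values defined by RFC 2408 section 3.1. The RFC marks 14-127
# as reserved and 128-255 as private use, so 130 is in the private-use range.
RFC2408 = {0: "NONE", 1: "Security Association", 2: "Proposal", 3: "Transform",
           4: "Key Exchange", 5: "Identification", 6: "Certificate",
           7: "Certificate Request", 8: "Hash", 9: "Signature", 10: "Nonce",
           11: "Notification", 12: "Delete", 13: "Vendor ID"}

def payload(next_type, body):
    """Generic payload header: next payload, reserved, length (incl. header)."""
    return struct.pack(">BBH", next_type, 0, 4 + len(body)) + body

def message(first_type, payloads):
    """28-byte ISAKMP header (zero cookies, v1.0, exchange type 2) + payloads."""
    body = b"".join(payloads)
    return bytes(16) + struct.pack(">BBBBII", first_type, 0x10, 2, 0, 0,
                                   28 + len(body)) + body

def walk_payloads(msg, known=RFC2408):
    """Return (names of payloads accepted, error string or None)."""
    if len(msg) < 28 or struct.unpack_from(">I", msg, 24)[0] != len(msg):
        return [], "bad ISAKMP header"
    np, off, seen = msg[16], 28, []
    while np != 0:
        if np not in known:
            prev = f"ISAKMP {seen[-1]} Payload" if seen else "ISAKMP Message"
            return seen, f"next payload type of {prev} has an unknown value: {np}"
        if off + 4 > len(msg):
            return seen, "truncated payload header"
        nxt, _reserved, plen = struct.unpack_from(">BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            return seen, "bad payload length"
        seen.append(known[np])
        np, off = nxt, off + plen
    return seen, None

# Constructed message: Key Exchange -> Nonce -> payload of type 130.
SAMPLE = message(4, [payload(10, bytes(8)), payload(130, bytes(8)),
                     payload(0, bytes(4))])

if __name__ == "__main__":
    print(walk_payloads(SAMPLE))                       # strict RFC 2408 table
    # Hypothetical receiver whose table also accepts type 130:
    print(walk_payloads(SAMPLE, {**RFC2408, 130: "type-130"}))
```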
