[Openswan Users] Tunnel fails after OpenSSL patch

Simon Deziel simon at xelerance.com
Wed Apr 9 15:06:31 EDT 2014


Amazon probably backported some security fixes in their version of
OpenSwan 2.6.37. This would explain why you got a new build from them.

Since 2.6.37 contains known vulnerabilities, you should probably report
the issue you ran into to Amazon or go with a fresher version (Fedora 16
is long EOL I think).

Regards,
Simon

On 14-04-09 03:01 PM, Ed Ng wrote:
> Thanks Simon.  I just solved the issue by downgrading OpenSwan version.
>  Just realized that the system update also updated OpenSwan
> from openswan-2.6.37-2.16.amzn1.x86_64 to
> openswan-2.6.37-3.17.amzn1.x86_64.  There is probably some
> incompatibility in how the keys are generated between these versions,
> hence the connectivity issue.  I couldn't find the previous version from
> anywhere so I installed a Fedora build
> (openswan-2.6.37-1.fc16.x86_64.rpm) instead.  That resolved the issue.  
> 
> -Ed
> 
> 
> On Wed, Apr 9, 2014 at 2:45 PM, Simon Deziel <simon at xelerance.com
> <mailto:simon at xelerance.com>> wrote:
> 
>     Hi Ed,
> 
>     We had no such issue with our environment:
> 
>     OpenSwan 2.6.41
>     OpenSSL 1.0.1-4ubuntu5.12  (Ubuntu patched version)
> 
>     Simon
> 
>     On 14-04-09 01:51 PM, Ed Ng wrote:
>     > Has anyone experienced any problems after the recent OpenSSL patch
>     > (Heartbleed bug)?  We have a tunnel that's been running fine for a
>     > while until we did a system update yesterday.  The server runs Amazon
>     > Linux AMI release 2014.03 with OpenSSL 1:1.0.1e-37.66.amzn1 and
>     > OpenSwan 2.6.37-3.17.amzn1.
>     >
>     > I found some logs that look abnormal after the patch.
>     >
>     > Apr 10 01:21:55 pluto[1230]: "mytunnel" #43: responding to Main Mode
>     > Apr 10 01:21:55 pluto[1230]: "mytunnel" #43: transition from state
>     > STATE_MAIN_R0 to state STATE_MAIN_R1
>     > Apr 10 01:21:55 pluto[1230]: "mytunnel" #43: STATE_MAIN_R1: sent MR1,
>     > expecting MI2
>     > Apr 10 01:21:55 pluto[1230]: "mytunnel" #43: next payload type of
>     > ISAKMP Nonce Payload has an unknown value: 130
>     > Apr 10 01:21:55 pluto[1230]: "mytunnel" #43: malformed payload in
>     > packet
>     >
>     > It now says "next payload type of ISAKMP Nonce Payload has an unknown
>     > value: 130".  Does anybody have any clue how to fix this issue?  The
>     > tunnel is currently down and we want to bring it back up asap.
>     >
>     > Thanks!
>     >
>     > -Ed
>     >
>     >
>     > _______________________________________________
>     > Users at lists.openswan.org <mailto:Users at lists.openswan.org>
>     > https://lists.openswan.org/mailman/listinfo/users
>     > Micropayments:
>     https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>     > Building and Integrating Virtual Private Networks with Openswan:
>     >
>     http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>     >
> 
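Added here as an illustration, not code from the thread or from Openswan: a minimal walker over the ISAKMP generic payload headers (RFC 2408) that performs the same check pluto is doing when it logs the line Ed quoted, flagging a next-payload value outside the assigned 0-13 range such as 130. The two messages are constructed, and the example only shows which field of the packet the error refers to, not why a particular build put that value there.

```python
import struct

# RFC 2408 s3.1 next-payload types; 14-127 are reserved and 128-255 private use,
# so a strict parser treats a value such as 130 as unknown.
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE",
                 5: "ID", 6: "Cert", 7: "CR", 8: "Hash", 9: "Sig", 10: "Nonce",
                 11: "Notify", 12: "Delete", 13: "VID"}
ISAKMP_HDR_LEN = 28  # cookies(16) next(1) ver(1) xchg(1) flags(1) msgid(4) len(4)
GENERIC_HDR_LEN = 4  # next(1) reserved(1) length(2)


def walk_payloads(msg):
    """Return [(payload_type, length, error_or_None)] for the payload chain,
    stopping at the first defect; errors are worded like pluto's log lines."""
    if len(msg) < ISAKMP_HDR_LEN:
        return [(None, None, "truncated ISAKMP header")]
    next_type, off, chain = msg[16], ISAKMP_HDR_LEN, []
    while next_type != 0:
        cur = next_type
        if off + GENERIC_HDR_LEN > len(msg):
            chain.append((cur, None, "truncated payload header"))
            break
        next_type, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        err = None
        if plen < GENERIC_HDR_LEN or off + plen > len(msg):
            err = "malformed payload in packet (length %d)" % plen
        elif next_type not in PAYLOAD_NAMES:
            rng = "private use" if next_type >= 128 else "reserved"
            err = "next payload type of ISAKMP %s Payload has an unknown value: %d (%s)" % (
                PAYLOAD_NAMES.get(cur, cur), next_type, rng)
        chain.append((cur, plen, err))
        if err:
            break
        off += plen
    return chain


def build_msg(payloads):
    """Constructed test data, not a capture: payloads is [(type, body, next_type)]."""
    body = b"".join(struct.pack("!BBH", nxt, 0, GENERIC_HDR_LEN + len(b)) + b
                    for _t, b, nxt in payloads)
    first = payloads[0][0] if payloads else 0
    # ISAKMP v1.0 header, exchange type 2 = Main Mode, dummy cookies, msgid 0.
    hdr = b"\x11" * 8 + b"\x22" * 8 + struct.pack(
        "!BBBBII", first, 0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body


# MI2 carries a KE then a Nonce payload; the bad copy has next-payload 130 in
# the Nonce header, the value from the pluto log quoted in the thread.
GOOD_MI2 = build_msg([(4, b"\x00" * 8, 10), (10, b"\x00" * 8, 0)])
BAD_MI2 = build_msg([(4, b"\x00" * 8, 10), (10, b"\x00" * 8, 130)])
```

Running `walk_payloads` over a packet captured on UDP/500 while the tunnel is failing tells you whether the rejected value sits in the peer's packet on the wire or only appears in the local parser's interpretation of it.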
