[Openswan Users] Problem with an old version of openswan

Eduard Lucena eduardlucena at gmail.com
Wed Mar 9 18:45:33 EST 2016


Hello,

I'm having a problem with an IPSec VPN. The problem is as follows:

The client sent my server 10 configuration proposals for phase 1:
- AES MD5 PSK 1024modp
- AES SHA1 PSK 1024modp
- 3DES MD5 PSK 1024modp
- 3DES SHA1 PSK 1024modp
- CAST MD5 PSK 1024modp
- CAST SHA1 PSK 1024modp
- Blowfish MD5 PSK 1024modp
- Blowfish SHA1 PSK 1024modp
- Unknown-65289 MD5 PSK 1024modp
- Unknown-65289 SHA1 PSK 1024modp

My configuration for phase 1 is:

3DES SHA1 PSK 1024modp

But I made a tcpdump on the interface, and I see my server answering the
proposals with proposal 0 (AES MD5 PSK 1024modp). After this, some more
packets are exchanged, but finally at some point my server sent a
PAYLOAD_MALFORMED.


The pluto log shows:
Mar  9 20:01:08 server01 pluto[16625]: | handling event EVENT_RETRANSMIT for 10.10.10.10 "conn/1x1" #29547
Mar  9 20:01:08 server01 pluto[16625]: | sending 220 bytes for EVENT_RETRANSMIT through eth2:500 to 10.10.10.10:500 (using #29547)
Mar  9 20:01:08 server01 pluto[16625]: | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #29547
Mar  9 20:01:08 server01 pluto[16625]: | handling event EVENT_RETRANSMIT
Mar  9 20:01:08 server01 pluto[16625]: | event after this is EVENT_RETRANSMIT in 0 seconds
Mar  9 20:01:08 server01 pluto[16625]: | processing connection conn/1x1
Mar  9 20:01:08 server01 pluto[16625]: | handling event EVENT_RETRANSMIT for 10.10.10.10 "conn/1x1" #29542
Mar  9 20:01:08 server01 pluto[16625]: | sending 220 bytes for EVENT_RETRANSMIT through eth2:500 to 10.10.10.10:500 (using #29542)
Mar  9 20:01:08 server01 pluto[16625]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #29542
Mar  9 20:01:08 server01 pluto[16625]: | handling event EVENT_RETRANSMIT
Mar  9 20:01:08 server01 pluto[16625]: | event after this is EVENT_RETRANSMIT in 1 seconds
Mar  9 20:01:08 server01 pluto[16625]: | processing connection conn/1x1
Mar  9 20:01:08 server01 pluto[16625]: | handling event EVENT_RETRANSMIT for 10.10.10.10 "conn/1x1" #29526

The ipsec auto --status shows:
000 #33992: "conn/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 6s; nodpd; idle; import:not set
000 #33987: "conn/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 1s; nodpd; idle; import:not set
000 #33970: "conn/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 1s; nodpd; idle; import:not set
000 #33975: "conn/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 21s; nodpd; idle; import:not set
000 #33973: "conn/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 11s; nodpd; idle; import:not set
000 #33980: "conn/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 26s; nodpd; idle; import:not set
000 #33972: "conn/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 6s; nodpd; idle; import:not set
000 #33988: "conn/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 6s; nodpd; idle; import:not set
000 #33974: "conn/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 16s; nodpd; idle; import:not set
000 #33991: "conn/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 1s; nodpd; idle; import:not set
000 #33986: "conn/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 36s; nodpd; idle; import:not set
000 #33981: "conn/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 31s; nodpd; idle; import:not set
000 #33990: "conn/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 16s; nodpd; idle; import:not set
000 #33989: "conn/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 11s; nodpd; idle; import:not set
000 #33971: "conn/1x5":500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 1s; nodpd; idle; import:admin initiate
000 #33971: pending Phase 2 for "conn/1x1" replacing #0
000 #33971: pending Phase 2 for "conn/1x2" replacing #0
000 #33971: pending Phase 2 for "conn/1x3" replacing #0
000 #33971: pending Phase 2 for "conn/1x4" replacing #0
000 #33971: pending Phase 2 for "conn/1x5" replacing #0

Finally, the connection can't be established.

My version (that I can't update, neither openswan nor kernel) is:
Linux Openswan U2.6.32/K2.6.32-279.el6.x86_64 (netkey)

Thanks in advance for any clue,
Best Regards,
-- 
Eduard Lucena
Móvil: +56962318010
GNU/Linux User #589060
Ubuntu User #8749