[Vpn-help] Juniper SSG Commercial IPsec Gateway

mgrooms mgrooms at shrew.net
Fri Dec 14 16:50:36 CST 2007


On Fri, 14 Dec 2007 11:31:17 +0100, "Stefan Bauer" <Bauer at puhlmann.net>
wrote:
>> -----Original Message-----
>> From: Matthew Grooms [mailto:mgrooms at shrew.net]
>> Sent: Friday, December 14, 2007 11:11 AM
>> To: Stefan Bauer
>> Cc: vpn-help at lists.shrew.net
>> Subject: Re: [Vpn-help] Juniper SSG Commercial IPsec Gateway
>>
>>
>> Matthew Grooms wrote:
>> In any case, please give this build a whirl and let me know
>> how it turns
>> out.
> 
> Hi, here is the output:
> 
...
> <- : recv IKE packet 62.245.200.not-public:500 -> 192.168.1.12:500 ( 204
> bytes )
> DB : phase1 found
> ii : processing phase2 packet ( 204 bytes )
> DB : phase2 found
> =< : decrypt iv ( 8 bytes )
> <= : decrypt packet ( 204 bytes )
> <= : trimmed packet padding ( 8 bytes )
> == : stored iv ( 8 bytes )
> << : hash payload
> << : security association payload
> << : - propsal #1 payload
> << : -- transform #205 payload
> 
> !! : rejecting phase2 proposal
> !! : unhandled attribute type ( 32682 )
> 
> XX : warning, unprocessed payload data !!!

This output is quite puzzling. To be processed, the packet has to pass an
integrity check post decryption which means that all payloads and their
lengths look reasonable. If the decryption process fails, the payload
headers will be garbage and the packet will be rejected. Next, the payloads
are parsed. The first is a hash payload which is also checked to have a
data length appropriate for the negotiated algorithm. So, we pass the
integrity check, read the hash value and then start to parse the SA payload
which starts to show errors. This leads me to believe that either ...

A) The payload was corrupted below the SA payload header.
B) We are parsing the SA payload incorrectly somehow.

The first possibility will show unpredictable results while the second
possibility should show predictable results. Can you determine if the
output shows the same error, with the same unhandled attribute type over
several attempts please?

Thanks,

-Matthew
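To make the two possibilities Matthew describes concrete, here is an added example (not Shrew Soft code and not from the thread) of the SA -> proposal -> transform -> attribute walk with the nested length checks that a post-decryption integrity pass relies on. It follows the ISAKMP SA payload layout from RFC 2408 and the IPsec DOI attribute table from RFC 2407. The two sample payloads are constructed test data, not captures from the Juniper gateway; the attribute type 32682 in the second one is the number from the log above, reused only to show how a parser that is reading the right offsets reports the same unknown type every time.

```python
"""IKEv1 (ISAKMP) SA payload parser with per-level length checks.

Added example. Walks SA -> proposal -> transform -> attributes and reports
attribute types outside the IPsec DOI table as "unhandled".
"""
import struct

# IPsec DOI attribute types (RFC 2407 section 4.5); others are reported as unhandled
ATTR_NAMES = {
    1: "SA Life Type", 2: "SA Life Duration", 3: "Group Description",
    4: "Encapsulation Mode", 5: "Authentication Algorithm", 6: "Key Length",
}
AF_BIT = 0x8000  # attribute format bit: 1 = TV (two-byte value), 0 = TLV


def parse_attributes(data):
    """Parse a run of SA attributes into (type, name, value) tuples."""
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        t, v = struct.unpack_from("!HH", data, off)
        off += 4
        atype = t & 0x7FFF
        if t & AF_BIT:
            value = v                       # TV: v is the value itself
        else:
            if off + v > len(data):         # TLV: v is the length of the value
                raise ValueError("attribute %d value overruns transform" % atype)
            value = int.from_bytes(data[off:off + v], "big")
            off += v
        attrs.append((atype, ATTR_NAMES.get(atype, "unhandled"), value))
    return attrs


def parse_sa_payload(buf):
    """Parse one SA payload (generic header, DOI, situation, proposals) at buf[0]."""
    _, _, sa_len = struct.unpack_from("!BBH", buf, 0)
    if sa_len < 12 or sa_len > len(buf):
        raise ValueError("bad SA payload length %d" % sa_len)
    doi, situation = struct.unpack_from("!II", buf, 4)
    proposals, off = [], 12
    while off < sa_len:
        p_next, _, p_len, p_num, proto, spi_size, n_trans = struct.unpack_from("!BBHBBBB", buf, off)
        if p_len < 8 + spi_size or off + p_len > sa_len:
            raise ValueError("proposal #%d length %d does not fit in SA payload" % (p_num, p_len))
        spi = buf[off + 8:off + 8 + spi_size]
        transforms, t_off = [], off + 8 + spi_size
        for _ in range(n_trans):
            _, _, t_len, t_num, t_id, _ = struct.unpack_from("!BBHBBH", buf, t_off)
            if t_len < 8 or t_off + t_len > off + p_len:
                raise ValueError("transform #%d length %d does not fit in proposal" % (t_num, t_len))
            transforms.append({"number": t_num, "id": t_id,
                               "attributes": parse_attributes(buf[t_off + 8:t_off + t_len])})
            t_off += t_len
        proposals.append({"number": p_num, "protocol": proto, "spi": spi, "transforms": transforms})
        off += p_len
        if p_next == 0:
            break
    return {"doi": doi, "situation": situation, "proposals": proposals}


def unhandled_attribute_types(sa):
    """Attribute types outside the IPsec DOI table, in the order they were seen."""
    return [a[0] for p in sa["proposals"] for t in p["transforms"]
            for a in t["attributes"] if a[1] == "unhandled"]


# --- builders for the constructed sample payloads (test data, not captures) ---
def attr_tv(atype, value):
    return struct.pack("!HH", AF_BIT | atype, value)

def attr_tlv(atype, value):
    return struct.pack("!HH", atype, len(value)) + value

def transform(num, tid, attrs, last=True):
    body = b"".join(attrs)
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(body), num, tid, 0) + body

def proposal(num, proto, spi, transforms, last=True):
    body = b"".join(transforms)
    return struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(spi) + len(body),
                       num, proto, len(spi), len(transforms)) + spi + body

def sa_payload(proposals):
    body = b"".join(proposals)
    return struct.pack("!BBHII", 0, 0, 12 + len(body), 1, 1) + body  # DOI 1 (IPsec), SIT_IDENTITY_ONLY


# Clean ESP proposal: 3DES (transform id 3), tunnel mode, HMAC-SHA1, 3600 s lifetime.
GOOD_SA = sa_payload([proposal(1, 3, b"\x01\x02\x03\x04", [transform(1, 3, [
    attr_tv(4, 1), attr_tv(5, 2), attr_tv(1, 1), attr_tlv(2, (3600).to_bytes(4, "big"))])])])

# Same shape with one attribute type outside the DOI table (32682, the number from the log,
# reused here as a constructed value) to show the predictable-rejection case.
ODD_SA = sa_payload([proposal(1, 3, b"\x01\x02\x03\x04", [transform(1, 3, [
    attr_tv(4, 1), attr_tv(32682, 0)])])])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_SA), ("odd", ODD_SA)):
        sa = parse_sa_payload(pkt)
        print(name, sa["proposals"][0]["transforms"][0]["attributes"],
              "unhandled:", unhandled_attribute_types(sa))
```

Parsing GOOD_SA yields the four expected attributes and an empty unhandled list; parsing ODD_SA reports 32682 on every run, which is the "predictable" signature of possibility B. Feeding `parse_attributes` the attribute bytes from a skewed offset (for instance `GOOD_SA[33:52]`, one byte off) trips the TLV length check instead, which is the sort of unstable failure possibility A would produce.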
