[Vpn-help] what is an UNSPEC pfkey message
Matthew Grooms
mgrooms at shrew.net
Fri Nov 30 19:49:30 CST 2007
Mark Voltz wrote:
> K< : recv X_SPDADD UNSPEC pfkey message
> DB : policy added
> K< : recv X_SPDADD UNSPEC pfkey message
> DB : policy added
> K< : recv X_SPDADD UNSPEC pfkey message
> DB : policy added
>
> When connecting to my VPN at work, I sometimes don't get a tunnel
> established. When it does work, I often get a few dozen of the entries
> shown above. I'm curious as to what these iked.log lines mean.
>
Mark,
The "sometimes don't get a tunnel established" is probably due to the
client processing a duplicate exchange packet. This can happen when a
packet is dropped due to poor connectivity. Please see the "Reliability
Improvements" section of this post for more details ...
http://lists.shrew.net/pipermail/vpn-help/2007-November/000832.html
The 2.0.3 code is very prone to this problem but the 2.1.0 branch has
extensive support for preventing this from occurring. You can try
updating to the head version or downloading the 2.1.0 alpha release. It
should actually be quite stable ( unless you install on a Windows box
with the Cisco client installed apparently :) ).
> If these are non-specific messages coming from the remote end, is there
> any way to decipher the content?
>
These are normal messages that get passed between the IKE daemon and the
IPsec policy management system via the pfkey interface. If you set the
log output level to decode, you would see more information. The UNSPEC
tag is normal for policy messages. If it were an SA message, it would
read something like ESP or AH.
Thanks,
-Matthew
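Added example, not part of the post above and not code from the Shrew Soft client: a decoder for the fixed PF_KEYv2 message header (RFC 2367's "sadb_msg"), which is where the UNSPEC tag in those log lines comes from. Every pfkey message, whether it adds a policy (X_SPDADD) or an SA (ADD/UPDATE), starts with this 16-byte header, and its sadb_msg_satype field is UNSPEC (0) for SPD policy messages and AH (2) or ESP (3) for SA messages. The message-type and SA-type numbers are those of the KAME/Linux pfkeyv2.h header; the three sample messages are constructed here, header only with no extensions; the "K< :" rendering copies the log format in the post; and the is_unexpected() check is this example's own consistency heuristic, not something iked does.

```python
# Added example (not from the original post or the Shrew Soft code): decode the
# fixed PF_KEYv2 header (RFC 2367 struct sadb_msg) and render it the way the
# "recv X_SPDADD UNSPEC pfkey message" lines in iked.log summarize it.
import struct

PF_KEY_V2 = 2

# sadb_msg_type values: RFC 2367 base types plus the KAME SPD (policy) extensions,
# numbered as in KAME/Linux pfkeyv2.h.
MSG_TYPES = {
    1: "GETSPI", 2: "UPDATE", 3: "ADD", 4: "DELETE", 5: "GET",
    6: "ACQUIRE", 7: "REGISTER", 8: "EXPIRE", 9: "FLUSH", 10: "DUMP",
    14: "X_SPDADD", 15: "X_SPDDELETE", 16: "X_SPDGET", 17: "X_SPDACQUIRE",
    18: "X_SPDDUMP", 19: "X_SPDFLUSH", 20: "X_SPDUPDATE",
}

# sadb_msg_satype values: UNSPEC = 0, AH = 2, ESP = 3.
SA_TYPES = {0: "UNSPEC", 2: "AH", 3: "ESP"}

# Policy (SPD) messages say what traffic to protect and name no SA protocol, so
# their satype is UNSPEC. GETSPI/UPDATE/ADD create or update an SA and must name
# the protocol (AH or ESP).
POLICY_TYPES = {14, 15, 16, 17, 18, 19, 20}
SA_TYPE_REQUIRED = {1, 2, 3}

# struct sadb_msg: version, type, errno, satype (u8 each); len in 8-byte units
# and reserved (u16 each); seq and pid (u32 each). Host byte order, 16 bytes.
SADB_MSG = struct.Struct("=BBBBHHII")


def decode_sadb_msg(data: bytes) -> dict:
    """Parse and sanity-check the fixed header; raise ValueError on garbage."""
    if len(data) < SADB_MSG.size:
        raise ValueError("truncated pfkey message header")
    version, mtype, errno, satype, length, _reserved, seq, pid = SADB_MSG.unpack_from(data)
    if version != PF_KEY_V2:
        raise ValueError(f"unsupported PF_KEY version {version}")
    if length * 8 > len(data):  # sadb_msg_len covers header plus extensions
        raise ValueError(f"sadb_msg_len claims {length * 8} bytes, buffer has {len(data)}")
    return {
        "type_id": mtype,
        "type": MSG_TYPES.get(mtype, f"TYPE{mtype}"),
        "satype_id": satype,
        "satype": SA_TYPES.get(satype, f"SATYPE{satype}"),
        "errno": errno,
        "seq": seq,
        "pid": pid,
        "ext_bytes": length * 8 - SADB_MSG.size,  # extension payload, not decoded here
    }


def describe(msg: dict) -> str:
    """Render the header the way the iked.log lines in the post do."""
    return f"recv {msg['type']} {msg['satype']} pfkey message"


def is_unexpected(msg: dict) -> bool:
    """Heuristic (this example's own): satype contradicts the message class.
    A policy message carrying AH/ESP, or an SA add/update carrying UNSPEC,
    is worth a closer look at decode-level logging."""
    if msg["type_id"] in POLICY_TYPES:
        return msg["satype_id"] != 0
    if msg["type_id"] in SA_TYPE_REQUIRED:
        return msg["satype_id"] == 0
    return False


# Constructed sample messages, header only (sadb_msg_len = 2, i.e. 16 bytes).
SAMPLE_SPDADD = SADB_MSG.pack(PF_KEY_V2, 14, 0, 0, 2, 0, 1, 4242)      # policy add
SAMPLE_ADD_ESP = SADB_MSG.pack(PF_KEY_V2, 3, 0, 3, 2, 0, 2, 4242)      # ESP SA add
SAMPLE_ADD_UNSPEC = SADB_MSG.pack(PF_KEY_V2, 3, 0, 0, 2, 0, 3, 4242)   # SA add, no protocol

if __name__ == "__main__":
    for raw in (SAMPLE_SPDADD, SAMPLE_ADD_ESP, SAMPLE_ADD_UNSPEC):
        m = decode_sadb_msg(raw)
        flag = "  <-- satype inconsistent with message type" if is_unexpected(m) else ""
        print("K< :", describe(m) + flag)
```

Running the block prints the first sample exactly as the post's log lines read, the second as "recv ADD ESP pfkey message", and flags the third. On a real system the buffer handed to decode_sadb_msg() would be what is read from a PF_KEY socket; the policy, address and key extensions that follow the header are left undecoded here.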