[Vpn-help] Shrew v. 2.1.4 Openswan 2.4.6.1

Matthew Grooms mgrooms at shrew.net
Thu Nov 20 13:46:14 CST 2008


Stefan Bauer wrote:
> Hi,
> 
> i step in a problem during setup of a roadwarrior vpn gateway with
> shrew 2.1.4 client on winxp.
> 
> RW 192.168.0.111
> -NAT-BOX-192.168.0.23 / external-NAT-BOX ip
> |
> |
> |
> Internet
> |
> |
> |
> -NAT-BOX- 10.8.0.254 / external-natbox-ip
> |
> IPSEC-GW with 10.8.0.1 / 10.10.0.1 (ipsec0 is bind to 10.10.0.1)
> |
> Roadwarrior-Pool 192.168.100.0/24
> 
> Please see the shrew log's attached:
> thanks in advance!
> 

Stefan,

As far as I can tell, the client appears to be operating as it should 
be. My guess is that there is some sort of configuration mismatch 
between the client and the gateway. In your log output, the client is 
using main mode ( identity protect ) and the first four packets in the 
exchange are being processed rather slowly, but without issue.

08/11/20 12:33:08 -> : send IKE packet ...
08/11/20 12:33:09 <- : recv IKE packet ...
08/11/20 12:33:11 -> : send IKE packet ...
08/11/20 12:33:14 <- : recv IKE packet ...

The problem occurs when the client sends the fifth exchange packet which 
contains the identification and certificate information.

08/11/20 12:33:15 >> : identification payload
08/11/20 12:33:15 >> : certificate payload
08/11/20 12:33:15 == : phase1 hash_i ( computed ) ( 20 bytes )
08/11/20 12:33:16 >> : signature payload
08/11/20 12:33:16 >= : cookies 80f125fcb8a977d7:b0fec90cbc5f28b2
08/11/20 12:33:16 >= : message 00000000
08/11/20 12:33:16 >= : encrypt iv ( 8 bytes )
08/11/20 12:33:16 == : encrypt packet ( 1636 bytes )
08/11/20 12:33:16 == : stored iv ( 8 bytes )
08/11/20 12:33:16 DB : phase1 resend event canceled ( ref count = 1 )
08/11/20 12:33:16 -> : send NAT-T:IKE packet ...

First of all, the gateway is sending a new notification packet using UDP 
port 500 after we have switched to port 4500 which, I believe, is a 
violation of the RFC. But this is quite likely a result of the failed 
negotiation. Secondly, the notification message is encrypted.

08/11/20 12:33:20 <- : recv IKE packet 91.8.45.163:500 -> 
192.168.0.111:500 ( 68 bytes )
08/11/20 12:33:20 DB : phase1 found
08/11/20 12:33:20 ww : initiator port values should only float once per 
session
08/11/20 12:33:20 ii : processing informational packet ( 68 bytes )
08/11/20 12:33:20 == : new informational iv ( 8 bytes )
08/11/20 12:33:20 =< : cookies 80f125fcb8a977d7:b0fec90cbc5f28b2
08/11/20 12:33:20 =< : message faa76d62
08/11/20 12:33:20 =< : decrypt iv ( 8 bytes )
08/11/20 12:33:20 == : decrypt packet ( 68 bytes )
08/11/20 12:33:20 !! : validate packet failed ( reserved value is non-null )
08/11/20 12:33:20 !! : informational packet ignored ( packet decryption 
error )

We can't decrypt this message but I'm not sure if thats really an issue 
at this point since its probably also a result of failed negotiations. 
After the notification, we receive a re-transmission of the 4th packet 
in the exchange which is consistent with the notion that it rejected a 
parameter sent in our fifth packet.

08/11/20 12:33:24 <- : recv IKE packet 91.8.45.163:500 -> 
192.168.0.111:500 ( 484 bytes )
08/11/20 12:33:24 DB : phase1 found
08/11/20 12:33:24 ww : initiator port values should only float once per 
session
08/11/20 12:33:24 ii : processing phase1 packet ( 484 bytes )
08/11/20 12:33:24 =< : cookies 80f125fcb8a977d7:b0fec90cbc5f28b2
08/11/20 12:33:24 =< : message 00000000
08/11/20 12:33:24 << : ignoring duplicate key excahnge payload
08/11/20 12:33:24 !! : unprocessed payload data

The best advice I can give you is to examine the OpenSWAN log output on 
the Linux host. My hunch is that it failed to validate the certificate 
for some reason, sends a notification to that effect and re-transmits 
the 4th packet. All of this seems very reasonable. Sorry I can't offer a 
more specific solution to your problem :/

Hope this helps,

-Matthew



More information about the vpn-help mailing list