[Swan-dev] IPSec restarts intermittently and crashes sometimes, PAYLOAD_MALFORMED issue observed: resend without logs

Paul Wouters paul at nohats.ca
Fri Jan 29 11:07:25 UTC 2016

You should not have that many instances of the same connection. It also seems these are both initiating and responding and all of these hang in quick mode, so phase 2 negotiation (rekeying)

Possibly your problems start when timing causes the end points to switch roles from initiating to responding. One common cause is pfs= mismatch where one end is tolerant for a mismatch. But perhaps in your case there is a bad selection of PSK when switching between initiating or responding. You can try setting rekey=no with ikelifetime= and salifetime= set to 24h and hope hst the Cisco will initiate to you for rekey. Or try the reverse and set the lifetimes to 45m to ensure libreswan always initiates before Cisco.

It looks like a Cisco bug


Sent from my iPhone

> On Jan 29, 2016, at 11:17, Rajeev Gaur <rajeev.gaur at niyuj.com> wrote:
> Hi Paul
> I have attached "ipsec status" output, do you feel the AUTH algos used here could be an issue?
> Thanks
> Rajeev
>> On Wed, Jan 27, 2016 at 3:57 PM, Rajeev Gaur <rajeev.gaur at niyuj.com> wrote:
>> Hi Paul
>> One request here, did you had chance to look at 24 and 96 site logs?
>> Do you find this same behavior being depicted by the logs?
>> If yes, in that case, let me see and check "ipsec status".
>> But, if you find it different, please do suggest what difference you found.
>> Then, I will dig that matter.
>> Thanks
>> Rajeev
>>> On Wed, Jan 27, 2016 at 3:07 AM, Paul Wouters <paul at nohats.ca> wrote:
>>> On Tue, 26 Jan 2016, Rajeev Gaur wrote:
>>> Hi Rajeev,
>>> I wrote:
>>>>       PAYLOAD_MALFORMED message is received quite sometimes.
>>>> That could be because the other end still has state which the restarted
>>>> end does not have.
>>>>       process_packet_tail() -> in_struct() -> [%s of %s has an unknown value = next payload type of ISAKMP Hash Payload has
>>>>       an unknown value: 201]
>>>> It usually signifies an error in PSK/crypto, so the entire message is
>>>> garbage. (you can tell too because 201 is not defined, although it
>>>> is in the space of "private use" numbers as listed at
>>>> http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-21
>>>> [RG]:
>>>> As I found further the problem is at following place in programs/pluto/ikev1.c:
>>>>     if (!in_struct(&pd->payload, sd, &md->message_pbs,
>>>>                        &pd->pbs)) {
>>>>                 loglog(RC_LOG_SERIOUS,
>>>>                        "%smalformed payload in packet",
>>>>                        excuse);
>>>>                 status_update(STATE_PROBABLE_AUTH_FAILURE, ip_str(&md->sender), md->sender_port);
>>>>                 return;
>>>>             }
>>>> What does the status_update as STATE_PROBABLE_AUTH_FAILURE mean here?
>>>> Also, I have checked and rechecked PSK and config, I did not found any issue?
>>>> Please suggest something here.
>>> As I said, a mismatching AUTH can use this when using PSK, because the
>>> packet will just become something encrypted to the wrong PSK. So it is
>>> decrypted but then becomes nonsense, and we can only try to interpret
>>> it, which then fails on the first or second payload.
>>> Paul
> <sites_ipsec_status.txt>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20160129/712be245/attachment-0001.html>

More information about the Swan-dev mailing list