[Swan-dev] test failure: IPsec encryption transform rejected: 3DES_CBC key_len 0 is incorrect
D. Hugh Redelmeier
hugh at mimosa.com
Mon Jul 9 05:36:44 UTC 2018
I got a number of test failures with this in the pluto log (not the
console log), repeated a lot:

"westnet-eastnet-ipv4-psk-ikev1" #1: the peer proposed: 192.0.2.0/24:0/0 -> 192.0.1.0/24:0/0
"westnet-eastnet-ipv4-psk-ikev1" #2: IPsec encryption transform rejected: 3DES_CBC key_len 0 is incorrect
"westnet-eastnet-ipv4-psk-ikev1" #2: sending encrypted notification BAD_PROPOSAL_SYNTAX to 192.1.2.45:500
"westnet-eastnet-ipv4-psk-ikev1" #2: deleting state (STATE_QUICK_R0) and NOT sending notification

The other side ignores it (again, from the pluto log). Nothing
helpful showed up in the console (whack) log, I guess because the
informational was ignored, even though it was encrypted.

"westnet-eastnet-ipv4-psk-ikev1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgi!
"westnet-eastnet-ipv4-psk-ikev1" #1: ignoring informational payload BAD_PROPOSAL_SYNTAX, msgid=00000000, length=12
"westnet-eastnet-ipv4-psk-ikev1" #1: received and ignored informational message
"westnet-eastnet-ipv4-psk-ikev1" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response

This affected at least:

algo-pluto-08
fips-06-ikev1-3des-sha1
ikev1-algo-05-3des-sha2
ikev1-algo-ike-aes-02

================

A slightly different failure: I also got this message in several pluto logs:

"westnet-eastnet-null" #1: the peer proposed: 192.0.2.0/24:0/0 -> 192.0.1.0/24:0/0
"westnet-eastnet-null" #2: IPsec encryption transform rejected: NULL key_len 0 is incorrect
"westnet-eastnet-null" #2: sending encrypted notification BAD_PROPOSAL_SYNTAX to 192.1.2.45:500
"westnet-eastnet-null" #2: deleting state (STATE_QUICK_R0) and NOT sending notification

This affected at least:

netkey-algo-null-01
netkey-algo-null-02
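
The following is an added example, not part of the original message and not libreswan code: a small triage script that groups the "key_len ... is incorrect" rejections quoted above by connection and algorithm, and attaches the notification sent from the same state. The function name, regexes and sample log (constructed from the lines in the message) are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: pluto log lines in the shape quoted in the message above.
SAMPLE_LOG = '''\
"westnet-eastnet-ipv4-psk-ikev1" #1: the peer proposed: 192.0.2.0/24:0/0 -> 192.0.1.0/24:0/0
"westnet-eastnet-ipv4-psk-ikev1" #2: IPsec encryption transform rejected: 3DES_CBC key_len 0 is incorrect
"westnet-eastnet-ipv4-psk-ikev1" #2: sending encrypted notification BAD_PROPOSAL_SYNTAX to 192.1.2.45:500
"westnet-eastnet-ipv4-psk-ikev1" #2: deleting state (STATE_QUICK_R0) and NOT sending notification
"westnet-eastnet-null" #2: IPsec encryption transform rejected: NULL key_len 0 is incorrect
"westnet-eastnet-null" #2: sending encrypted notification BAD_PROPOSAL_SYNTAX to 192.1.2.45:500
'''

# "<connection>" #<state number>: <message>; search() tolerates a leading timestamp.
LINE = re.compile(r'"(?P<conn>[^"]+)"[^#\n]*#(?P<sa>\d+): (?P<msg>.*)')
REJECT = re.compile(r'IPsec encryption transform rejected: '
                    r'(?P<alg>\S+) key_len (?P<len>\d+) is incorrect')
NOTIFY = re.compile(r'sending encrypted notification (?P<type>\S+) to (?P<peer>\S+)')

def summarize(log_text):
    """Group key_len rejections by (connection, algorithm, key_len) and attach
    the notification sent from the same state, if one follows."""
    summary = defaultdict(lambda: {"count": 0, "notified": set()})
    pending = {}  # (connection, state number) -> key of that state's last rejection
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        state = (m["conn"], m["sa"])
        rej = REJECT.search(m["msg"])
        if rej:
            key = (m["conn"], rej["alg"], int(rej["len"]))
            summary[key]["count"] += 1
            pending[state] = key
            continue
        note = NOTIFY.search(m["msg"])
        if note and state in pending:
            summary[pending.pop(state)]["notified"].add((note["type"], note["peer"]))
    return dict(summary)

if __name__ == "__main__":
    for (conn, alg, key_len), info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{conn}: {alg} key_len={key_len} x{info['count']} "
              f"notified={sorted(info['notified'])}")
```
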