[Swan-dev] length of ISAKMP Message is larger than can fit

Paul Wouters paul at nohats.ca
Mon Jul 1 17:40:43 UTC 2019


It seems we can end up entering in_struct() when we get an ICMP instead
of an IKE message.

Simply launch pluto against an IP that is not running pluto, and you
will see:

"private#192.1.2.23/32"[1] ...192.1.2.23 #4: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response
length of ISAKMP Message is larger than can fit
"private#192.1.2.23/32"[1] ...192.1.2.23 #4: STATE_PARENT_I1: retransmission; will wait 1 seconds for response
length of ISAKMP Message is larger than can fit
"private#192.1.2.23/32"[1] ...192.1.2.23 #4: STATE_PARENT_I1: retransmission; will wait 2 seconds for response
length of ISAKMP Message is larger than can fit
"private#192.1.2.23/32"[1] ...192.1.2.23 #4: STATE_PARENT_I1: 3 second timeout exceeded after 3 retransmits.  No response (or no acceptable response) to our first IKEv2 message
"private#192.1.2.23/32"[1] ...192.1.2.23 #4: deleting state (STATE_PARENT_I1) aged 4.020s and NOT sending notification
length of ISAKMP Message is larger than can fit


I guess someone changed the err msg queue handling?

Paul

