<div dir="ltr"><span style="font-size:12.8px"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">[As advised by Paul removed log attachments]<br></blockquote><br></span><span style="font-size:12.8px">Although you did not provide a link to the logs for me to look at.</span><span style="font-size:12.8px"><br><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I have received a problem scenario from my company regarding IPSec VPN.<br><br>Important Points:<br>1) The problem involves Openswan 2.6.31 or Libreswan 3.12.<br>2) Problem is intermittent, does not have a specific interval for occurence.<br>3) This is a hub and spoke problem. Having hub and 3 spokes.<br>4) NAT is not involved. All the connections are through public IPs.<br>5) All connections involve PRESHARED KEYS ONLY.<br>6) This all is phase 1 - packet 5 or 6.<br><br><br>Problem:<br>Intermittently, out of the three spokes two spokes just restart ipsec daemon.<br></blockquote><br></span><span style="font-size:12.8px">You mean a operator induced restart, or a crash+restart? If there is a</span><br style="font-size:12.8px"><span style="font-size:12.8px">crash, there should be log messages about what caused it.</span><div><span style="font-size:12.8px"><font color="#222222"><br></font></span></div><div><span style="font-size:12.8px"><font color="#990000">[RG] No, as I understand it is crash and restart. Please do see the logs.</font><br><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">PAYLOAD_MALFORMED message is received quite sometimes.<br></blockquote><br></span><span style="font-size:12.8px">That could be because the other end still has state which the restarted</span><br style="font-size:12.8px"><span style="font-size:12.8px">end does not have.</span><span style="font-size:12.8px"><br><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">process_packet_tail() -> in_struct() -> [%s of %s has an unknown value = next payload type of ISAKMP Hash Payload has an unknown value: 201]<br></blockquote><br></span><span style="font-size:12.8px">It usually signifies an error in PSK/crypto, so the entire message is</span><br style="font-size:12.8px"><span style="font-size:12.8px">garbage. (you can tell too because 201 is not defined, although it</span><br style="font-size:12.8px"><span style="font-size:12.8px">is in the space of "private use" numbers as listed at</span><br style="font-size:12.8px"><br style="font-size:12.8px"><a href="http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-21" rel="noreferrer" style="font-size:12.8px" target="_blank">http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-21</a><span style="font-size:12.8px"><br><br></span></div><div><span style="color:rgb(153,0,0)"><span style="font-size:12.8px">[RG]:<br></span></span></div><div><span style="color:rgb(153,0,0)"><span style="font-size:12.8px">As I found further the problem is at following place in programs/pluto/ikev1.c:<br><br> if (!in_struct(&pd->payload, sd, &md->message_pbs,<br> &pd->pbs)) {<br> loglog(RC_LOG_SERIOUS,<br> "%smalformed payload in packet",<br> excuse);<br> status_update(STATE_PROBABLE_AUTH_FAILURE, ip_str(&md->sender), md->sender_port);<br> SEND_NOTIFICATION(PAYLOAD_MALFORMED);<br> return;<br> }<br><br></span></span></div><div><span style="color:rgb(153,0,0)"><span style="font-size:12.8px">What does the status_update as </span><span style="font-size:12.8px">STATE_PROBABLE_AUTH_FAILURE mean here?<br></span></span></div><div><span style="color:rgb(153,0,0)"><span style="font-size:12.8px">Also, I have checked and rechecked PSK and config, I did not found any issue?<br></span></span></div><div><span style="font-size:12.8px"><span style="color:rgb(153,0,0)">Please suggest something here.</span><br></span></div><div><span style="font-size:12.8px"><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Our problem is at 4) point.<br><br>Yesterday, I went to <a href="https://libreswan.org/" rel="noreferrer" target="_blank">https://libreswan.org/</a> and saw the following text mentioned in red:<br><br>August 24st, 2015: CVE-2015-3240: Receiving a bad DH gx causes IKE daemon restart<br>Libreswan up to 3.14 is vulnerable to unauthenticated packets with a malicious DH gx payload causing the daemon to hit a passert() and restart. See our CVE-2015-3240 page for details. No<br>remote code execution is possible. Please upgrade libreswan to version 3.15 or later.<br><br>Also looked into:<br><a href="https://libreswan.org/security/CVE-2015-3240/CVE-2015-3240.txt" rel="noreferrer" target="_blank">https://libreswan.org/security/CVE-2015-3240/CVE-2015-3240.txt</a><br><br>So, do you feel in this case also the problem is above vulnerability (the bad DH issue).<br></blockquote><br></span><span style="font-size:12.8px">No that has nothing to do with it.</span><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 26, 2016 at 12:54 AM, Rajeev Gaur <span dir="ltr"><<a href="mailto:rajeev.gaur@niyuj.com" target="_blank">rajeev.gaur@niyuj.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Paul<div><br></div><div>Please find below the links for logs for the two sites:</div><div><br></div><div><div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,'Segoe UI','Segoe WP',Tahoma,Arial,sans-serif;font-size:15px;margin:0px"><font face="Times New Roman,serif" size="3"><span style="font-size:12pt"><font color="#1F497D" face="Calibri,sans-serif" size="2"><span style="font-size:11pt"><a href="ftp://40.140.44.12/pub/docs/TAC/site24_logs.txt" target="_blank">ftp://40.140.44.12/pub/docs/TAC/site24_logs.txt</a></span></font></span></font></div><div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,'Segoe UI','Segoe WP',Tahoma,Arial,sans-serif;font-size:15px;margin:0px"><font face="Times New Roman,serif" size="3"><span style="font-size:12pt"><font face="Calibri,sans-serif" size="2"><span style="font-size:11pt"><a href="ftp://40.140.44.12/pub/docs/TAC/site96_logs.txt" target="_blank">ftp://40.140.44.12/pub/docs/TAC/site96_logs.txt</a></span></font></span></font></div></div><div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,'Segoe UI','Segoe WP',Tahoma,Arial,sans-serif;font-size:15px;margin:0px"><font face="Times New Roman,serif" size="3"><span style="font-size:12pt"><font face="Calibri,sans-serif" size="2"><br></font></span></font></div><div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,'Segoe UI','Segoe WP',Tahoma,Arial,sans-serif;font-size:15px;margin:0px"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small">For other points, I am answering inline, please see the last message.</span></div><div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,'Segoe UI','Segoe WP',Tahoma,Arial,sans-serif;font-size:15px;margin:0px"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small"><br></span></div><div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,'Segoe UI','Segoe WP',Tahoma,Arial,sans-serif;font-size:15px;margin:0px"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small">Thanks</span><span class="HOEnZb"><font color="#888888"><br></font></span></div><span class="HOEnZb"><font color="#888888"><div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,'Segoe UI','Segoe WP',Tahoma,Arial,sans-serif;font-size:15px;margin:0px"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small">Rajeev</span></div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 25, 2016 at 11:50 AM, Rajeev Gaur <span dir="ltr"><<a href="mailto:rajeev.gaur@niyuj.com" target="_blank">rajeev.gaur@niyuj.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div>Thank you for the reply Paul,<br></div>Yes, I understand that I have not placed logs for you.<br></div>I am also looking for some space, to provide you a public access.<br></div>Please hold on.<br><br></div>Thanks<span><font color="#888888"><br></font></span></div><span><font color="#888888">Rajeev<br></font></span></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 25, 2016 at 1:07 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On Fri, 22 Jan 2016, Rajeev Gaur wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
[As advised by Paul removed log attachments]<br>
</blockquote>
<br></span>
Although you did not provide a link to the logs for me to look at.<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I have received a problem scenario from my company regarding IPSec VPN.<br>
<br>
Important Points:<br>
1) The problem involves Openswan 2.6.31 or Libreswan 3.12.<br>
2) Problem is intermittent, does not have a specific interval for occurence.<br>
3) This is a hub and spoke problem. Having hub and 3 spokes.<br>
4) NAT is not involved. All the connections are through public IPs.<br>
5) All connections involve PRESHARED KEYS ONLY.<br>
6) This all is phase 1 - packet 5 or 6.<br>
<br>
<br>
Problem:<br>
Intermittently, out of the three spokes two spokes just restart ipsec daemon.<br>
</blockquote>
<br></span>
You mean a operator induced restart, or a crash+restart? If there is a<br>
crash, there should be log messages about what caused it.<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
PAYLOAD_MALFORMED message is received quite sometimes.<br>
</blockquote>
<br></span>
That could be because the other end still has state which the restarted<br>
end does not have.<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
process_packet_tail() -> in_struct() -> [%s of %s has an unknown value = next payload type of ISAKMP Hash Payload has an unknown value: 201]<br>
</blockquote>
<br></span>
It usually signifies an error in PSK/crypto, so the entire message is<br>
garbage. (you can tell too because 201 is not defined, although it<br>
is in the space of "private use" numbers as listed at<br>
<br>
<a href="http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-21" rel="noreferrer" target="_blank">http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-21</a><span><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Our problem is at 4) point.<br>
<br>
Yesterday, I went to <a href="https://libreswan.org/" rel="noreferrer" target="_blank">https://libreswan.org/</a> and saw the following text mentioned in red:<br>
<br>
August 24st, 2015: CVE-2015-3240: Receiving a bad DH gx causes IKE daemon restart<br>
Libreswan up to 3.14 is vulnerable to unauthenticated packets with a malicious DH gx payload causing the daemon to hit a passert() and restart. See our CVE-2015-3240 page for details. No<br>
remote code execution is possible. Please upgrade libreswan to version 3.15 or later.<br>
<br>
Also looked into:<br>
<a href="https://libreswan.org/security/CVE-2015-3240/CVE-2015-3240.txt" rel="noreferrer" target="_blank">https://libreswan.org/security/CVE-2015-3240/CVE-2015-3240.txt</a><br>
<br>
So, do you feel in this case also the problem is above vulnerability (the bad DH issue).<br>
</blockquote>
<br></span>
No that has nothing to do with it.<span><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>