[Swan] Ignore particular ISAKMP Payload

Paul Wouters paul at nohats.ca
Tue Feb 12 16:43:41 EET 2013


On Tue, 12 Feb 2013, Elison Niven wrote:

> While testing a certain Avaya phone with Libreswan, I see this in the logs:
>
> Feb 07 13:54:00 "test_avaya-1"[23] 10.103.6.114 #340: message ignored because 
> it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the 
> outermost level
>
> Phase 1 cannot be established because we receive an unexpected payload type.
>
> How can I teach libreswan to just ignore this payload?

I'd have to see more logs to give a better answer, but the issue is that
payloads are sent in chains. The header contains the first "next payload
type", then that payload has a "next payload type" field as well. If one
of these is wrong, you really cannot continue with parsing the next
payload (and subsequent types) because you don't know which payload is
next, and therefore not how to parse the "next payload type" out of it.

So probably take a step back and see what's happening and why. If it
is a known payload at the wrong time we might be able to ignore it, but
it would be better to process it if we can. Sometimes we cannot, for
instance if a payload needs to be protected by encryption but it is
sent before encryption has been set up.

Paul
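To make the chaining argument above concrete, here is a small added example (not libreswan code, and not part of the original thread) that builds an ISAKMP message with the header layout from RFC 2408 and walks its payload chain the way a receiver has to: the header's "next payload" field names the first payload, each generic payload header names the one after it, and the walk stops as soon as it meets a type it does not know how to handle at the outermost level. The function names, the set of payload types treated as "known", and the sample messages are all constructed for this example; the numeric value 20 for NAT-D is the RFC 3947 assignment (the thread's log line gives only the symbolic name ISAKMP_NEXT_NAT-D).

```python
import struct

# Payload type numbers from RFC 2408 (section 3.1) and RFC 3947 (NAT-D = 20).
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 10: "NONCE", 20: "NAT-D"}

# Types this toy receiver is willing to process at the outermost (unencrypted)
# level. NAT-D is deliberately left out so the walk reproduces the situation in
# the thread: a real payload showing up where the receiver does not expect it.
KNOWN_AT_OUTER_LEVEL = {1, 4, 10}

# ISAKMP header (28 bytes): initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message id, total length.
HDR_FMT = "!8s8sBBBBII"
HDR_LEN = 28
# Generic payload header (4 bytes): next payload, reserved, payload length.
GEN_FMT = "!BBH"
GEN_LEN = 4


def walk_payload_chain(msg: bytes):
    """Walk the chain of payloads in an ISAKMP message.

    Returns (payloads, error): payloads is a list of (type, name, body) parsed
    so far, error is None on success or a string saying why parsing stopped.
    """
    if len(msg) < HDR_LEN:
        return [], "message shorter than the ISAKMP header"
    (_icookie, _rcookie, next_type, _version, _exch,
     _flags, _msgid, length) = struct.unpack(HDR_FMT, msg[:HDR_LEN])
    if length != len(msg):
        return [], "header length %d does not match message size %d" % (length, len(msg))

    payloads = []
    off = HDR_LEN
    while next_type != 0:
        if off + GEN_LEN > len(msg):
            return payloads, "truncated payload header"
        cur_type = next_type
        # The type of this payload came from the previous header; its own
        # header only tells us the length and what comes after it.
        next_type, _reserved, plen = struct.unpack(GEN_FMT, msg[off:off + GEN_LEN])
        if plen < GEN_LEN or off + plen > len(msg):
            return payloads, "bad payload length %d for type %d" % (plen, cur_type)
        if cur_type not in KNOWN_AT_OUTER_LEVEL:
            name = PAYLOAD_NAMES.get(cur_type, "UNKNOWN")
            return payloads, ("unknown or unexpected payload type %d (%s) "
                              "at the outermost level" % (cur_type, name))
        payloads.append((cur_type, PAYLOAD_NAMES[cur_type], msg[off + GEN_LEN:off + plen]))
        off += plen
    return payloads, None


def build_message(chain):
    """Build a main-mode ISAKMP message from [(type, body), ...], with each
    payload's next-type field pointing at the following payload (0 at the end).
    Cookies, message id and flags are constructed placeholder values."""
    body = b""
    for i, (ptype, pbody) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += struct.pack(GEN_FMT, nxt, 0, GEN_LEN + len(pbody)) + pbody
    first = chain[0][0] if chain else 0
    # version 0x10 = ISAKMP 1.0, exchange type 2 = identity protection (main mode)
    hdr = struct.pack(HDR_FMT, b"\x11" * 8, b"\x00" * 8, first, 0x10, 2, 0, 0,
                      HDR_LEN + len(body))
    return hdr + body


def corrupt_byte(msg: bytes, offset: int, value: int) -> bytes:
    """Return a copy of msg with one byte overwritten (used to simulate a wrong
    next-payload field)."""
    buf = bytearray(msg)
    buf[offset] = value
    return bytes(buf)


if __name__ == "__main__":
    good = build_message([(1, b"\x00" * 4), (4, b"\x01" * 8), (10, b"\x02" * 8)])
    print(walk_payload_chain(good))
    # Same as the thread: a NAT-D payload sitting in the outer chain.
    with_natd = build_message([(1, b"\x00" * 4), (20, b"\x03" * 20), (4, b"\x01" * 8)])
    print(walk_payload_chain(with_natd))
    # A wrong next-payload field in the SA header: the bytes that follow are a
    # perfectly good KE payload, but the receiver has no way to know that.
    print(walk_payload_chain(corrupt_byte(good, HDR_LEN, 200)))
```

The third case is the point Paul makes: once a "next payload type" field is wrong, the bytes that follow may well be a valid payload, but the receiver cannot tell what they are, so it cannot safely pick the next "next payload type" out of them and has to stop; the length and type checks before each step are what keep a malformed chain from turning into an out-of-bounds read.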

