[Swan] Looking for assistance: libreswan pluto 3.15 interop with vxWorks (Interpeak) 6.5 ipsec
Paul Wouters
paul at nohats.ca
Tue Feb 27 17:08:00 UTC 2018
On Tue, 27 Feb 2018, Sadler, Jonathan B. wrote:
> Please point me to a troubleshooting guide if you feel it would help my debugging.
>
> I’m attempting to get a tunnel using IKEv2 and x509 certs established between a Linux system with pluto 3.15 and an embedded system using
> vxWorks 6.5. I have the certificates incorporated in the NSS database and am having issues getting to phase2.
> Feb 27 11:32:58 Linux69 pluto[26056]: "target" #2: missing payload(s)
> (ISAKMP_NEXT_v2SA+ISAKMP_NEXT_v2IDr+ISAKMP_NEXT_v2AUTH+ISAKMP_NEXT_v2TSi+ISAKMP_NEXT_v2TSr). Message dropped.
>
> Feb 27 11:32:58 Linux69 pluto[26056]: packet from 172.23.129.50:500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to
> 172.23.129.50:500

This means it throws an error to libreswan.

> TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: Message 172.22.103.146[500] already processed, (IKE_SA_INIT), #2(4), ID 0
>
> TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: Resending message 172.22.103.146[500], (IKE_AUTH), #2(4), ID 0, 1(5)
>
> TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: Received message 172.22.103.146[500], IKE_AUTH, #3(4), ID 1
>
> TUE FEB 27 16:57:20 2018: ipike[57f84540]: Error: the payloads extends beyond the end of the ISAKMP package
>
> TUE FEB 27 16:57:20 2018: ipike[57f84540]: Warning: ISAKMP message dropped, error code 20

That's weird. It claims we sent a badly formed IKE packet?

> TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: Received message 172.22.103.146[500], IKE_AUTH, #3(4), ID 1
>
> TUE FEB 27 16:57:20 2018: ipike[57f84540]: Error: payload check failed since 53 is an unsupported payload type

Type 53 is an encrypted fragment (see RFC 7383). If it does not support
that, then why was FRAGMENTATION performed? libreswan has an "override"
when using fragmentation=force, which obviously should not be used with
implementations that do not support fragmentation.

> Here is the config I’m using:
>
> conn target
> type=tunnel
> fragmentation=force

So remove this fragmentation=force line :)

Paul
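
The check implied by the reply above, as an added example that is not part of the original message or of libreswan: it walks the cleartext IKEv2 payload chain, looks for the RFC 7383 IKEV2_FRAGMENTATION_SUPPORTED notify (type 16430) in the peer's IKE_SA_INIT, and flags a sent message whose first payload is type 53 when that notify was never seen. The function names and the sample messages are constructed for illustration.

```python
import struct

IKE_SA_INIT, IKE_AUTH = 34, 35         # IKEv2 exchange types (RFC 7296)
NOTIFY, SK, SKF = 41, 46, 53           # payload types; 53 = Encrypted Fragment
FRAG_SUPPORTED = 16430                 # IKEV2_FRAGMENTATION_SUPPORTED (RFC 7383)
HDR = "!8s8sBBBBII"                    # SPIi, SPIr, next, ver, exch, flags, id, len

def parse_header(msg):
    """Return (exchange type, first payload type, message ID)."""
    if len(msg) < 28:
        raise ValueError("short IKE header")
    _, _, first, _, exch, _, msg_id, length = struct.unpack(HDR, msg[:28])
    if length != len(msg):
        raise ValueError("header length does not match datagram size")
    return exch, first, msg_id

def notify_types(msg):
    """Walk the cleartext payload chain and collect Notify message types."""
    ptype, off, found = parse_header(msg)[1], 28, []
    while ptype not in (0, SK, SKF):   # stop at the end or at encrypted data
        if off + 4 > len(msg):
            raise ValueError("payload header extends beyond the message")
        nxt, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("payload extends beyond the message")
        if ptype == NOTIFY and plen >= 8:
            found.append(struct.unpack("!H", msg[off + 6:off + 8])[0])
        ptype, off = nxt, off + plen
    return found

def unnegotiated_fragment(peer_sa_init, sent_msg):
    """True if sent_msg starts with SKF but the peer never announced support."""
    return (parse_header(sent_msg)[1] == SKF
            and FRAG_SUPPORTED not in notify_types(peer_sa_init))

def build(exch, msg_id, payloads):
    """Constructed test helper: assemble a message from (type, body) pairs."""
    body = b""
    for i, (_, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    return struct.pack(HDR, b"I" * 8, b"R" * 8, payloads[0][0], 0x20,
                       exch, 0, msg_id, 28 + len(body)) + body

# Constructed samples, not captures from the thread (33 = SA payload).
NO_FRAG = build(IKE_SA_INIT, 0, [(33, b"\0" * 8)])
WITH_FRAG = build(IKE_SA_INIT, 0, [(33, b"\0" * 8),
                                   (NOTIFY, struct.pack("!BBH", 0, 0, FRAG_SUPPORTED))])
AUTH_SKF, AUTH_SK = (build(IKE_AUTH, 1, [(t, b"\0" * 40)]) for t in (SKF, SK))
```

Run against a packet capture of a failing negotiation, `unnegotiated_fragment` returning True points at a forced-fragmentation setting on the sender rather than at the receiver's parser.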