[Swan] Looking for assistance: libreswan pluto 3.15 interop with vxWorks (Interpeak) 6.5 ipsec

Paul Wouters paul at nohats.ca
Tue Feb 27 17:08:00 UTC 2018


On Tue, 27 Feb 2018, Sadler, Jonathan B. wrote:

> Please point me to a troubleshooting guide if you feel it would help my debugging.
> 
> I’m attempting to get a tunnel using IKEv2 and x509 certs established between a linux system with pluto 3.15 and an embedded system using
> vxWorks 6.5.  I have the certificates incorporated in the NSS database and am having issues getting to phase2.

> Feb 27 11:32:58 Linux69 pluto[26056]: "target" #2: missing payload(s)
> (ISAKMP_NEXT_v2SA+ISAKMP_NEXT_v2IDr+ISAKMP_NEXT_v2AUTH+ISAKMP_NEXT_v2TSi+ISAKMP_NEXT_v2TSr). Message dropped.
> 
> Feb 27 11:32:58 Linux69 pluto[26056]: packet from 172.23.129.50:500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to
> 172.23.129.50:500

This means it throws an error to libreswan.

> TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: Message 172.22.103.146[500] already processed, (IKE_SA_INIT), #2(4), ID 0
> 
> TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: Resending message 172.22.103.146[500], (IKE_AUTH), #2(4), ID 0, 1(5)
> 
> TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: Received message 172.22.103.146[500], IKE_AUTH, #3(4), ID 1
> 
> TUE FEB 27 16:57:20 2018: ipike[57f84540]: Error: the payloads extends beyond the end of the ISAKMP package
> 
> TUE FEB 27 16:57:20 2018: ipike[57f84540]: Warning: ISAKMP message dropped, error code 20

That's weird. It claims we sent a badly formed IKE packet?

> TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: Received message 172.22.103.146[500], IKE_AUTH, #3(4), ID 1
> 
> TUE FEB 27 16:57:20 2018: ipike[57f84540]: Error: payload check failed since 53 is an unsupported payload type

Type 53 is an encrypted fragment (see RFC 7383). If it does not support
that, then why was FRAGMENTATION performed? libreswan has an "override"
when using fragmentation=force which obviously should not be used with
implementations that do not support fragmentation.

> Here is the config I’m using:
> 
> conn target
>         type=tunnel
>         fragmentation=force

So remove this fragmentation=force line :)

Paul
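Added example, not code from the thread or from libreswan: a small Python walker over the IKEv2 payload chain that reproduces the two checks the vxWorks side reported above (a payload that "extends beyond the end" of the message, and an unsupported payload type), showing why an RFC 7383 SKF payload (type 53) is rejected by a peer that only knows the RFC 7296 payload types. The message layouts, SPIs and the "legacy" supported set are constructed assumptions.

```python
import struct

# IKEv2 payload type numbers from RFC 7296 section 3.2, plus SKF (53) from RFC 7383.
PAYLOAD_NAMES = {
    33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
    39: "AUTH", 40: "Nonce", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr",
    46: "SK", 47: "CP", 48: "EAP", 53: "SKF",
}
# Assumption: a peer that predates RFC 7383 knows every type above except SKF.
LEGACY_SUPPORTED = set(PAYLOAD_NAMES) - {53}

IKE_HDR = struct.Struct("!8s8sBBBBII")   # SPIi, SPIr, next, version, exchange, flags, msgid, length
PL_HDR = struct.Struct("!BBH")           # next payload, critical/reserved, payload length


def walk_payloads(msg, supported=LEGACY_SUPPORTED):
    """Walk the IKEv2 payload chain the way a strict receiver would.

    Returns (payload_types_seen, error) where error is None, "truncated" (a
    payload claims more bytes than the message holds) or "unsupported:<type>".
    """
    if len(msg) < IKE_HDR.size:
        return [], "truncated"
    _, _, nxt, _, _, _, _, length = IKE_HDR.unpack_from(msg)
    if length != len(msg):                      # header length must match the datagram
        return [], "truncated"
    off, seen = IKE_HDR.size, []
    while nxt != 0:                             # 0 = no next payload
        if nxt not in supported:                # "unsupported payload type" check
            return seen, f"unsupported:{nxt}"
        if off + PL_HDR.size > len(msg):
            return seen, "truncated"
        nxt_after, _, plen = PL_HDR.unpack_from(msg, off)
        if plen < PL_HDR.size or off + plen > len(msg):   # "extends beyond the end" check
            return seen, "truncated"
        seen.append(nxt)
        off, nxt = off + plen, nxt_after
    return seen, None


def build_ike_auth(first_payload, body):
    """Constructed IKE_AUTH message (exchange type 35) carrying one payload."""
    payload = PL_HDR.pack(0, 0, PL_HDR.size + len(body)) + body
    hdr = IKE_HDR.pack(b"\x01" * 8, b"\x02" * 8, first_payload, 0x20, 35,
                       0x08, 1, IKE_HDR.size + PL_HDR.size + len(body))
    return hdr + payload


# Constructed samples: an unfragmented SK payload, and an RFC 7383 SKF fragment 1 of 2.
SK_MSG = build_ike_auth(46, b"\x00" * 32)
SKF_MSG = build_ike_auth(53, struct.pack("!HH", 1, 2) + b"\x00" * 32)
```

A legacy peer accepts SK_MSG but stops at SKF_MSG with "unsupported:53", which is the same outcome the vxWorks log shows once fragmentation=force makes libreswan emit SKF payloads.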
