
List:       openswan-dev
Subject:    Re: [Openswan dev] IPSec restarts intermittently and PAYLOAD_MALFORMED issue observed
From:       Rajeev Gaur <rajeev.gaur () niyuj ! com>
Date:       2016-01-04 13:11:58
Message-ID: CAKX-g_Uo0f8Tp9k-UJDRTuhX2fe=EiXQw_zp_VJx96DmUS3U7Q () mail ! gmail ! com


Hello Sir

Please have a look into this issue. It will be great if you can suggest
some hints here.

Thanks

On Mon, Dec 28, 2015 at 6:07 PM, Rajeev Gaur <rajeev.gaur@niyuj.com> wrote:

> Hello Sir
>
> Please have a look into this issue. It will be great if you can suggest
> some hints here.
>
> Thanks
> Rajeev
>
> On Tue, Dec 22, 2015 at 5:26 PM, Rajeev Gaur <rajeev.gaur@niyuj.com>
> wrote:
>
>> Hello,
>>
>> I have received a problem scenario from my company regarding IPSec VPN.
>>
>> Important Points:
>> The problem involves openswan-2.6.31
>> Problem is intermittent, does not have a specific interval for occurrence.
>> This is a hub and spoke problem. Having hub and 3 spokes.
>> NAT is not involved. All the connections are through public IPs.
>> All connections involve PRESHARED KEYS ONLY.
>>
>> Problem:
>> Intermittently, out of the three spokes two spokes just restart ipsec
>> daemon.
>> (I am sending the specific logs, if you want any other information please
>> do revert)
>>
>> PAYLOAD_MALFORMED message is received quite often.
>>
>> This has already taken approximately 2 months. Now, it is troubling.
>>
>> I am attaching the [ipsec whack --debug-all] logs.
>> There are two logs for two ends. But ipsec whack logs are quite big so
>> I am sending information for specific session ID #180934 which shows
>> PAYLOAD_MALFORMED.
>>
>> If you can suggest something here it will be great.
>>
>> Please see the config below:
>>
>> config setup
>>     protostack = netkey
>>     klipsdebug = none
>>     plutodebug = none
>>     uniqueids = yes
>>     hidetos = no
>>
>> conn XXX
>>     type = tunnel
>>     left = X-X-X-X-X
>>     right = Y-Y-Y-Y-Y
>>     leftnexthop = Z-Z-Z-Z-Z
>>     leftsubnet = 10.50.3.0/24
>>     rightsubnet = 10.50.1.0/24
>>     auto = start
>>     keyexchange = ike
>>     authby = secret
>>     auth = esp
>>     keyingtries = 0
>>     esp = AES128-SHA1
>>     pfs = yes
>>     rekey = yes
>>     leftid = X-X-X-X-X
>>     rightid = Y-Y-Y-Y-Y
>>     ike = 3DES-SHA-MODP1024
>>     ikelifetime = 28800s
>>     keylife = 14400s
>>     rekeymargin = 10m
>>     rekeyfuzz = 20%
>>     X-early = yes
>>     dpddelay = 10
>>     dpdtimeout = 120
>>     dpdaction = restart
>>     X-custadmin = off
>>
>>
>>
>> config setup
>>     protostack = netkey
>>     klipsdebug = none
>>     plutodebug = none
>>     uniqueids = yes
>>     hidetos = no
>>
>> conn YYY
>>     type = tunnel
>>     left = Y-Y-Y-Y-Y
>>     right = %any
>>     leftnexthop = Z-Z-Z-Z-Z
>>     leftsubnet = 10.50.1.0/24
>>     rightsubnet = 10.50.3.0/24
>>     auto = add
>>     keyexchange = ike
>>     authby = secret
>>     auth = esp
>>     keyingtries = 0
>>     esp = AES128-SHA1
>>     pfs = yes
>>     rekey = yes
>>     leftid = 174.47.49.246
>>     rightid = %any
>>     ike = 3DES-SHA-MODP1024
>>     ikelifetime = 28800s
>>     keylife = 14400s
>>     rekeymargin = 10m
>>     rekeyfuzz = 20%
>>     X-early =
>>     dpddelay = 10
>>     dpdtimeout = 120
>>     dpdaction = restart
>>     X-custadmin = off
>>
>> In case you want any other information, please do revert.
>>
>> Thanks
>>
>
>
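A small log-triage helper, added here and not part of this thread or of Openswan, that counts PAYLOAD_MALFORMED notifications and DPD-triggered restarts per connection in pluto logs and isolates every line belonging to one IKE state number, such as the #180934 the post cites. The embedded log lines are constructed approximations of Openswan's pluto message format, not the poster's attachments.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Openswan pluto logging.
# Only the state number #180934 comes from the mail; everything else is made up.
SAMPLE_LOG = """\
Dec 22 11:02:13 hub pluto[2211]: "XXX" #180934: initiating Main Mode
Dec 22 11:02:13 hub pluto[2211]: "XXX" #180934: received Vendor ID payload [Dead Peer Detection]
Dec 22 11:02:14 hub pluto[2211]: "XXX" #180934: ignoring informational payload, type PAYLOAD_MALFORMED msgid=00000000
Dec 22 11:02:14 hub pluto[2211]: "XXX" #180934: received and ignored informational message
Dec 22 11:03:35 hub pluto[2211]: "XXX" #180940: DPD: No response from peer - declaring peer dead
Dec 22 11:03:35 hub pluto[2211]: "XXX" #180940: DPD: Restarting Connection
Dec 22 11:03:36 hub pluto[2211]: "YYY" #180941: ignoring informational payload, type PAYLOAD_MALFORMED msgid=00000000
"""

# pluto prefixes state-bound messages with the connection name and "#<state>:".
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')


def triage(log_text):
    """Per connection: how many PAYLOAD_MALFORMED notifies, how many DPD restarts,
    and which state numbers the malformed notifies were seen on."""
    stats = defaultdict(lambda: {"malformed": 0, "dpd_restart": 0, "states": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a state-bound pluto line
        conn, state, msg = m.group("conn"), int(m.group("state")), m.group("msg")
        entry = stats[conn]
        if "PAYLOAD_MALFORMED" in msg:
            entry["malformed"] += 1
            entry["states"].add(state)
        if msg.startswith("DPD: Restarting Connection"):
            entry["dpd_restart"] += 1
    return dict(stats)


def state_lines(log_text, state):
    """All lines for one IKE state number, to review a single exchange in isolation."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("state")) == state:
            out.append(line)
    return out
```

Run it over the full `ipsec whack --debug-all` capture rather than the sample to see which connections and state numbers cluster around the restarts.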

_______________________________________________
Dev mailing list
Dev@lists.openswan.org
https://lists.openswan.org/mailman/listinfo/dev

