On Fri, 22 Jan 2016, Rajeev Gaur wrote:
[As advised by Paul removed log attachments]
Although you did not provide a link to the logs for me to look at.
I have received a problem scenario from my company regarding IPSec VPN. Important Points: 1) The problem involves Openswan 2.6.31 or Libreswan 3.12. 2) Problem is intermittent, does not have a specific interval for occurence. 3) This is a hub and spoke problem. Having hub and 3 spokes. 4) NAT is not involved. All the connections are through public IPs. 5) All connections involve PRESHARED KEYS ONLY. 6) This all is phase 1 - packet 5 or 6. Problem: Intermittently, out of the three spokes two spokes just restart ipsec daemon.
You mean a operator induced restart, or a crash+restart? If there is a crash, there should be log messages about what caused it.
PAYLOAD_MALFORMED message is received quite sometimes.
That could be because the other end still has state which the restarted end does not have.
process_packet_tail() -> in_struct() -> [%s of %s has an unknown value = next payload type of ISAKMP Hash Payload has an unknown value: 201]
It usually signifies an error in PSK/crypto, so the entire message is garbage. (you can tell too because 201 is not defined, although it is in the space of "private use" numbers as listed at http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-21
Our problem is at 4) point. Yesterday, I went to https://libreswan.org/ and saw the following text mentioned in red: August 24st, 2015: CVE-2015-3240: Receiving a bad DH gx causes IKE daemon restart Libreswan up to 3.14 is vulnerable to unauthenticated packets with a malicious DH gx payload causing the daemon to hit a passert() and restart. See our CVE-2015-3240 page for details. No remote code execution is possible. Please upgrade libreswan to version 3.15 or later. Also looked into: https://libreswan.org/security/CVE-2015-3240/CVE-2015-3240.txt So, do you feel in this case also the problem is above vulnerability (the bad DH issue).
No that has nothing to do with it. Paul _______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
