On Tue, 26 Jan 2016, Rajeev Gaur wrote:

Hi Rajeev,

I wrote:

      PAYLOAD_MALFORMED message is received quite sometimes.

That could be because the other end still has state which the restarted
end does not have.

      process_packet_tail() -> in_struct() -> [%s of %s has an unknown value = next payload type of ISAKMP Hash Payload has an unknown value: 201]


It usually signifies an error in PSK/crypto, so the entire message is
garbage. (You can tell too because 201 is not defined, although it
is in the space of "private use" numbers as listed at

http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-21 )

[RG]:
As I found further the problem is at following place in programs/pluto/ikev1.c:

    if (!in_struct(&pd->payload, sd, &md->message_pbs, &pd->pbs)) {
        loglog(RC_LOG_SERIOUS, "%smalformed payload in packet", excuse);
        status_update(STATE_PROBABLE_AUTH_FAILURE, ip_str(&md->sender),
                      md->sender_port);
        SEND_NOTIFICATION(PAYLOAD_MALFORMED);
        return;
    }

What does the status_update as STATE_PROBABLE_AUTH_FAILURE mean here?
Also, I have checked and rechecked the PSK and config, and I did not find any issue.
Please suggest something here.

As I said, a mismatching AUTH can cause this when using PSK, because the
packet will just become something encrypted to the wrong PSK. So it is
decrypted but then becomes nonsense, and we can only try to interpret
it, which then fails on the first or second payload.

Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
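The failure mode Paul describes (wrong PSK, ciphertext decrypts to garbage, and the payload-chain walk trips over the first next-payload byte it cannot classify) can be reproduced in isolation. The following is an added example written for this page; it is not libreswan code and does not reproduce the descriptor-driven in_struct(). It walks a chain of ISAKMP generic payload headers (Next Payload, RESERVED, Payload Length, per RFC 2408), accepts only the next-payload values assigned in RFC 2408 (0-13) and RFC 3947 (20 NAT-D, 21 NAT-OA), and rejects the reserved (14-127) and private-use (128-255) ranges, which is where 201 lands. The "encryption" is a stand-in XOR keystream derived from the PSK string, used only to simulate that a receiver holding a different PSK gets junk; real IKEv1 keys the cipher from SKEYID_e, and the plaintext chain, the PSK strings and the error codes are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes of walk_payloads() (assumed for this example). */
enum {
    PARSE_OK = 0,
    ERR_TRUNCATED,   /* fewer than 4 bytes left for a generic header  */
    ERR_UNKNOWN_NP,  /* Next Payload value is reserved or private-use  */
    ERR_BAD_LENGTH   /* Payload Length < 4 or beyond end of buffer     */
};

/* Payload types assigned by IANA: 0-13 from RFC 2408, 20/21 from RFC 3947.
   Everything else is reserved (14-127 apart from 20/21) or private use
   (128-255), and a conforming receiver cannot parse past it. */
static int np_is_known(uint8_t np)
{
    return np <= 13 || np == 20 || np == 21;
}

static const char *payload_name(uint8_t np)
{
    static const char *names[] = {
        "NONE", "SA", "Proposal", "Transform", "KE", "ID", "CERT",
        "CR", "Hash", "SIG", "Nonce", "Notification", "Delete", "VID"
    };
    if (np <= 13) return names[np];
    if (np == 20) return "NAT-D";
    if (np == 21) return "NAT-OA";
    return "unknown";
}

/* Walk the payload chain of an ISAKMP message body. first_np is the Next
   Payload field of the ISAKMP header (the type of the first payload in buf).
   On ERR_UNKNOWN_NP, *bad_np receives the offending value. */
int walk_payloads(const uint8_t *buf, size_t len, uint8_t first_np, uint8_t *bad_np)
{
    size_t off = 0;
    uint8_t np = first_np;

    while (np != 0) {                       /* 0 == NONE terminates the chain */
        if (len - off < 4)
            return ERR_TRUNCATED;
        uint8_t next = buf[off];            /* checked first, like in_struct()  */
        uint16_t plen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        if (!np_is_known(next)) {
            *bad_np = next;
            printf("next payload type of ISAKMP %s Payload has an unknown value: %u\n",
                   payload_name(np), next);
            return ERR_UNKNOWN_NP;
        }
        if (plen < 4 || plen > len - off)
            return ERR_BAD_LENGTH;
        off += plen;
        np = next;
    }
    return PARSE_OK;
}

/* Stand-in keystream, NOT real crypto: XOR each byte with a value derived
   from the PSK string. Symmetric, so applying it twice with the same PSK
   restores the plaintext; a different PSK leaves junk behind. */
static void toy_keystream_xor(uint8_t *buf, size_t len, const char *psk)
{
    size_t klen = strlen(psk);
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)((uint8_t)psk[i % klen] + i);
}

/* Constructed plaintext body: a Hash payload (next = SA, length 8) followed
   by an SA payload (next = NONE, length 8). */
static const uint8_t plaintext_chain[16] = {
    0x01, 0x00, 0x00, 0x08, 0xde, 0xad, 0xbe, 0xef,
    0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01,
};

/* "Encrypt" with the sender's PSK, "decrypt" with the receiver's, then parse
   starting from a Hash payload (type 8), as in the log line on this page. */
int demo_decrypt_and_parse(const char *sender_psk, const char *receiver_psk, uint8_t *bad_np)
{
    uint8_t wire[sizeof plaintext_chain];
    memcpy(wire, plaintext_chain, sizeof wire);
    toy_keystream_xor(wire, sizeof wire, sender_psk);
    toy_keystream_xor(wire, sizeof wire, receiver_psk);
    return walk_payloads(wire, sizeof wire, 8 /* Hash */, bad_np);
}

int main(void)
{
    uint8_t bad = 0;
    printf("matching PSK:  rc=%d\n", demo_decrypt_and_parse("secret", "secret", &bad));
    printf("mismatch PSK:  rc=%d\n", demo_decrypt_and_parse("secret", "SECRET", &bad));
    return 0;
}
```

With the matching PSK the chain parses (Hash, then SA, then NONE). With the mismatched one the very first byte of the decrypted body is already wrong, so the walk stops on the Hash payload's Next Payload field with an out-of-range value, which is exactly the symptom in the log line, and why the code path above reports it as a probable authentication failure rather than a framing bug.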
