From: Brad R. <Brad@BradRubenstein.com> - 2004-08-07 04:57:24
More data: I'm looking at racoon isakmp data under gdb, and it looks like all isakmp_natt packets coming into racoon are trash at the time they are read off the pipe in isakmp_handler.

Breakpoint 1, plog (pri=4, func=0x8092b80 "isakmp.c:225:isakmp_handler()",
    sa=0x0, fmt=0x807e934 "the length in the isakmp header is too big.\n") at plog.c:138
138         va_start(ap, fmt);
(gdb) up
#1  0x0804be79 in isakmp_handler (so_isakmp=9) at isakmp.c:225
225             plog(LLV_ERROR, LOCATION, NULL,
(gdb) p isakmp
$1 = {i_ck = "\006Ü\213©\000\000\000\004", r_ck = "û\vx£1\223s\227",
  np = 226 'â', v = 224 'à', etype = 55 '7', flags = 13 '\r',
  msgid = 1573560306, len = 2586529492}
(gdb) p extralen
$2 = 0

Is extralen supposed to be zero?

Ethereal shows the packets as ESP encapsulated in UDP (as I'd expect), which means they need to be decrypted, yes?

Could the keys be wrong? Could the decryption and de-encapsulation be stepping on each other? Am I going about this the wrong way?

Any suggestions or advice, as always, most welcome.

Regards,
Brad Rubenstein

----- Original Message -----
From: "Michal Ludvig" <mi...@lo...>
To: "Brad Rubenstein" <Br...@br...>
Cc: <ips...@li...>
Sent: Thursday, August 05, 2004 3:32 PM
Subject: Re: [Ipsec-tools-devel] two hosts both behind NAT's not able to connect - isakmp header is too big

> On Thu, 5 Aug 2004, Brad Rubenstein wrote:
>
> > I'm seeing an error I don't see anyone else getting:
> >
> > I have two Fedora Core 2 boxes running IPSEC 0.3.3, each behind a Linksys
> > router with NAT, and I want to bridge the two private networks together.
> > Seemed pretty straightforward, I thought.
> >
> > HOST1        LINKSYS ROUTER+NAT            LINKSYS ROUTER+NAT         HOST2
> > 192.168.1.2 -> 192.168.1.1+24.6.117.151 ->...-> 66.108.19.182+192.168.2.1 -> 192.168.2.3
>
> Does it mean that you have a port forwarding or something on the routers?
> Or how do you enable incoming connections to the inside hosts?
>
> > When the SPD policies are set and racoon is started on both sides, and I try
> > to ping host2 from host1, I get this in the error log:
> > 2004-08-05 13:52:45: ERROR: the length in the isakmp header is too big.
>
> Hmm, this shouldn't happen because of the misconfiguration. What OpenSSL
> do you use?
>
> > The rest of the negotiation is error-free (I'm not going to post volumes of
> > log info yet, but if anyone thinks it might help, I'm happy to do so).
>
> So do the racoons finally negotiate something or not?
> Could you post a terse log at least (run racoon -v).
>
> > IPSEC-passthru is disabled on both LINKSYS boxes.
>
> What is "IPSEC-passthrough" supposed to do? (I don't have any experience
> with Linksys routers)
>
> Michal Ludvig
> --
> * A mouse is a device used to point at the xterm you want to type in.
> * Personal homepage - http://www.logix.cz/michal
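The gdb dump above is what an ESP-in-UDP datagram looks like once it is parsed as an ISAKMP header: random cookies and a length far larger than anything that was read. The following added example (mine, not racoon's or ipsec-tools' code) shows the RFC 3948 demultiplexing that decides whether a UDP/4500 datagram belongs to the IKE parser or to ESP, and the length check that produces the "too big" condition; the sample datagrams are constructed and the function names are hypothetical.

```c
/* Added example, not racoon's code: demultiplex a UDP/4500 (IKE NAT-T) datagram.
 * Per RFC 3948 sec. 2.2, IKE on 4500 carries a 4-byte zero non-ESP marker, ESP
 * starts with its non-zero SPI, and a single 0xff byte is a NAT keepalive. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define NON_ESP_MARKER_LEN 4
#define ISAKMP_HDR_LEN 28                           /* fixed ISAKMP header, RFC 2408 */
enum natt_kind { NATT_ESP, NATT_IKE, NATT_KEEPALIVE, NATT_SHORT };
struct isakmp_hdr { uint8_t i_ck[8], r_ck[8], np, v, etype, flags; uint32_t msgid, len; };
static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Classify the payload; *skip is the marker length the IKE parser must strip first. */
enum natt_kind natt_classify(const uint8_t *p, size_t n, size_t *skip)
{
    static const uint8_t marker[NON_ESP_MARKER_LEN] = { 0, 0, 0, 0 };
    *skip = 0;
    if (n == 1 && p[0] == 0xff) return NATT_KEEPALIVE;
    if (n < NON_ESP_MARKER_LEN) return NATT_SHORT;
    if (memcmp(p, marker, NON_ESP_MARKER_LEN) != 0) return NATT_ESP;
    *skip = NON_ESP_MARKER_LEN;
    return NATT_IKE;
}

/* Parse the fixed ISAKMP header into host byte order. 0 = ok, -1 = truncated,
 * -2 = len claims more bytes than were read (the case racoon reports as "too big"). */
int isakmp_parse_hdr(const uint8_t *p, size_t n, struct isakmp_hdr *h)
{
    if (n < ISAKMP_HDR_LEN) return -1;
    memcpy(h->i_ck, p, 8); memcpy(h->r_ck, p + 8, 8);
    h->np = p[16]; h->v = p[17]; h->etype = p[18]; h->flags = p[19];
    h->msgid = be32(p + 20); h->len = be32(p + 24);
    return h->len > n ? -2 : 0;
}

/* Constructed sample datagrams, not captured traffic. */
static const uint8_t sample_esp[32] = {             /* SPI 0xabcd, seq 7, opaque ciphertext */
    0x00,0x00,0xab,0xcd, 0x00,0x00,0x00,0x07, 0x9a,0x11,0xfe,0x20,0x4c,0x73,0xe1,0x0b,
    0x5d,0xc0,0x1f,0x88,0x36,0xa2,0x7e,0x91, 0xf4,0x9b,0x12,0x58, 0x2e,0x66,0x05,0xd3 };
static const uint8_t sample_ike[32] = {             /* marker, cookies, np/v/etype/flags, msgid, len=28 */
    0,0,0,0, 1,2,3,4,5,6,7,8, 0,0,0,0,0,0,0,0, 1,0x10,2,0, 0,0,0,0, 0,0,0,28 };

int main(void)
{
    struct isakmp_hdr h; size_t skip;
    int rc = isakmp_parse_hdr(sample_esp, sizeof sample_esp, &h);  /* raw ESP fed to the IKE parser */
    printf("esp as ike: rc=%d len=%u (garbage, like the gdb dump)\n", rc, (unsigned)h.len);
    printf("ike: kind=%d\n", (int)natt_classify(sample_ike, sizeof sample_ike, &skip));
    return 0;
}
```

A classifier that returns NATT_ESP for a datagram the IKE parser is nonetheless asked to read is the situation the dump above describes: the "cookies" are the SPI and sequence number, and len is four bytes of ciphertext.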