Re: [Ipsec-tools-devel] two hosts both behind NAT's not able to connect - isakmp header is too big

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

More data: I'm looking at racoon isakmp data under gdb, and it looks =
like all isakmp_natt packets coming into racoon are trash at the time =
they are read off the pipe in isakmp_handler.

Breakpoint 1, plog (pri=3D4, func=3D0x8092b80 =
"isakmp.c:225:isakmp_handler()",=20
    sa=3D0x0, fmt=3D0x807e934 "the length in the isakmp header is too =
big.\n")
    at plog.c:138
138             va_start(ap, fmt);
(gdb) up
#1  0x0804be79 in isakmp_handler (so_isakmp=3D9) at isakmp.c:225
225                     plog(LLV_ERROR, LOCATION, NULL,
(gdb) p isakmp
$1 =3D {i_ck =3D "\006=DC\213=A9\000\000\000\004", r_ck =3D =
"=FB\vx=A31\223s\227",=20
  np =3D 226 '=E2', v =3D 224 '=E0', etype =3D 55 '7', flags =3D 13 =
'\r',=20
  msgid =3D 1573560306, len =3D 2586529492}
(gdb) p extralen
$2 =3D 0

Is extralen supposed to be zero?

Ethereal shows the packets as ESP encapsulated in UDP (as I'd expect), =
which means they need to be decrypted, yes?

Could the keys be wrong?  Could the decryption and de-encapsulation be =
stepping on each other?  Am I going about this the wrong way?

Any suggestions or advice, as always, most welcome. =20

Regards,
Brad Rubenstein

----- Original Message -----=20
From: "Michal Ludvig" <mi...@lo...>
To: "Brad Rubenstein" <Br...@br...>
Cc: <ips...@li...>
Sent: Thursday, August 05, 2004 3:32 PM
Subject: Re: [Ipsec-tools-devel] two hosts both behind NAT's not able to =
connect - isakmp header is too big

> On Thu, 5 Aug 2004, Brad Rubenstein wrote:
>=20
> > I'm seeing an error I don't see anyone else getting:
> >
> > I have two Fedora Core 2 boxes running IPSEC 0.3.3, each behind a =
Linksys
> > router with NAT, and I want to bridge the two private networks =
together.
> > Seemed pretty straightforward, I thought.
> >
> > HOST1            LINKSYS ROUTER+NAT                LINKSYS =
ROUTER+NAT
> > HOST2
> > 192.168.1.2 ->  192.168.1.1+24.6.117.151    ->...->
> > 66.108.19.182+192.168.2.1 -> 192.168.2.3
>=20
> Does it mean that you have a port forwarding or something on the =
routers?
> Or how do you enable incomming connections to the inside hosts?
>=20
> > When the SPD policies are set and racoon is started on both sides, =
and I try
> > to ping host2 from host1, I get this in the error log:
> > 2004-08-05 13:52:45: ERROR: the length in the isakmp header is too =
big.
>=20
> Hmm, this shouldn't happen because of the misconfiguration. What =
OpenSSL
> do you use?
>=20
> > The rest of the negotiation is error-free (I'm not going to post =
volumes of
> > log info yet, but if anyone thinks it might help, I'm happy to do =
so).
>=20
> So do the racoons finally negotiate something or not?
> Could you post a terse log at least (run racoon -v).
>=20
> > IPSEC-passthru is disabled on both LINKSYS boxes.
>=20
> What is "IPSEC-passthrough" supposed to do? (I don't have any =
experience
> with Linksys routers)
>=20
> Michal Ludvig
> --=20
> * A mouse is a device used to point at the xterm you want to type in.
> * Personal homepage - http://www.logix.cz/michal
>=20
>=20
> -------------------------------------------------------
> This SF.Net email is sponsored by OSTG. Have you noticed the changes =
on
> Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
> one more big change to announce. We are now OSTG- Open Source =
Technology
> Group. Come see the changes on the new OSTG site. www.ostg.com
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ips...@li...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
>=20
> 