thr3ads.net - CentOS - [CentOS] Latest openswan update does no longer connect to Cisco VPN 3000 Series [Mar 2014]

If this information is useful, please help other people find it:
Share via:

Radu Radutiu

2014-Mar-07 14:56 UTC

[CentOS] Latest openswan update does no longer connect to Cisco VPN 3000 Series

Does anyone else noticed problems after updating openswan to
openswan-2.6.32-27.2.el6_5.i686 ? In our case a connection to Cisco VPN
3000 Series would no longer work. I can see in the log an ASSERTION FAILED
error and the connection would remain in Pending phase 2.


Mar  7 16:24:40 firewall pluto[7647]: "ciscovpntest" #2: discarding
duplicate packet; already STATE_MAIN_I1
Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: received
Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: ignoring
Vendor ID
payload [FRAGMENTATION c0000000]
Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: enabling
possible
NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: ASSERTION
FAILED
at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/ikev1_main.c:1112:
st->st_sec_in_use==FALSE
Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: using kernel
interface: netkey
....
Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: #2:
"ciscovpntest":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
EVENT_RETRANSMIT in 39s; nodpd; idle; import:admin initiate
Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: #2: pending
Phase
2 for "ciscovpntest" replacing #0

Downgrading openswan to openswan-2.6.32-27.el6.i686 solves the problem. The
problem is restricted to this VPN connection, other 2 VPNs continue to work
fine with the new version.

Radu

John Doe

2014-Mar-07 15:55 UTC

head link

[CentOS] Latest openswan update does no longer connect to Cisco VPN 3000 Series

From: Radu Radutiu <rradutiu at gmail.com>
> Does anyone else noticed problems after updating openswan to
> openswan-2.6.32-27.2.el6_5.i686 ?
Not the solution but here is what was fixed:

# rpm -qp --changelog openswan-2.6.32-27.2.el6_5.x86_64.rpm
* Thu Feb 06 2014 Paul Wouters <pwouters at redhat.com> - 2.6.32-27.2
- Resolves: rhbz#1050337 (CVE-2013-6466 refix for delete/notify code)

* Wed Jan 22 2014 Paul Wouters <pwouters at redhat.com> - 2.6.32-27.1
- Resolves: rhbz#1050337 (CVE-2013-6466)

https://access.redhat.com/security/cve/CVE-2013-6466

JD

SilverTip257

2014-Mar-07 17:40 UTC

head link

[CentOS] Latest openswan update does no longer connect to Cisco VPN 3000 Series

On Fri, Mar 7, 2014 at 9:56 AM, Radu Radutiu <rradutiu at gmail.com>
wrote:
> Does anyone else noticed problems after updating openswan to
> openswan-2.6.32-27.2.el6_5.i686 ? In our case a connection to Cisco VPN
>
https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&content=openswan&no_redirect=1&order=changeddate%20DESC%2C&product=&query_based_on=&query_format=specific

Bug 1070358 - openswan breaks NAT-T draft clients (and possibly ike
fragmentation) [NEEDINFO]
https://bugzilla.redhat.com/show_bug.cgi?id=1070358

Bug 1070356 - openswan breaks NAT-T draft clients (and possibly ike
fragmentation)
https://bugzilla.redhat.com/show_bug.cgi?id=1070356

Maybe you've been bitten by that bug.



-- 
---~~.~~---
Mike
//  SilverTip257  //

Maybe Matching Threads

Search for more possibly parallel threads

CentOS - Mar 2014 - Latest openswan update does no longer connect to Cisco VPN 3000 Series

[CentOS] Latest openswan update does no longer connect to Cisco VPN 3000 Series

[CentOS] Latest openswan update does no longer connect to Cisco VPN 3000 Series

[CentOS] Latest openswan update does no longer connect to Cisco VPN 3000 Series

Maybe Matching Threads