[strongSwan] R_U_THERE_ACK has invalid SPI length (16)

Andreas Steffen andreas.steffen at strongswan.org
Wed Aug 24 06:16:29 CEST 2011


Hello Nan,

the source code in question is

	if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
	{
		loglog(RC_LOG_SERIOUS
			, "DPD: R_U_THERE_ACK has invalid SPI length (%d)"
			, n->isan_spisize);
		return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
	}

COOKIE_SIZE is a constant with a value of 8 bytes and n->isan_spisize
is output as 16 bytes in the error message. This means that the
second half

  || pbs_left(pbs) < COOKIE_SIZE * 2)

triggers the error. This means that the received R_U_THERE_ACK
message does not contain 2 COOKIES.

Regards

Andreas

On 08/24/2011 03:34 AM, Nan Luo wrote:
> Hi,
> 
> I have seen this error in the pluto debug log "secure" when testing DPD
> against my SeGW, I wonder what this error really means. Per RFC3706, the
> SPI length should be set to 16 in the R_U_THERE/R_U_THERE_ACK messages.
> So does this error mean something else wrong in the R_U_THERE_ACK sent
> by my SeGW? strongSwan sent a MALFORMED-PAYLOAD back to my SeGW after
> printing out this error
>  
> Thanks for your help
>  
> Nan 

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
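
An added example (not part of the original thread and not strongSwan's code) that evaluates the two halves of the condition quoted above separately, so a log can tell a wrong SPI Size field from an SPI that is announced as 16 bytes but not actually present. It assumes the RFC 3706 notify layout with a 12-byte fixed header; `check_dpd_spi` and `build_notify` are hypothetical names and the payloads are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COOKIE_SIZE 8   /* value given in the reply above */
#define NOTIFY_HDR  12  /* fixed part of an ISAKMP Notification payload */

enum dpd_check { DPD_OK, DPD_BAD_LENGTH, DPD_BAD_SPISIZE, DPD_SPI_TRUNCATED };

/* Hypothetical helper: buf/len holds one decrypted Notification payload. */
enum dpd_check check_dpd_spi(const uint8_t *buf, size_t len)
{
    if (len < NOTIFY_HDR)
        return DPD_BAD_LENGTH;
    size_t payload_len = ((size_t)buf[2] << 8) | buf[3]; /* Payload Length */
    if (payload_len < NOTIFY_HDR || payload_len > len)
        return DPD_BAD_LENGTH;
    /* Assumption: stands in for pbs_left(pbs) once the header is consumed. */
    size_t left = payload_len - NOTIFY_HDR;
    if (buf[9] != COOKIE_SIZE * 2)      /* first half: SPI Size field */
        return DPD_BAD_SPISIZE;
    if (left < COOKIE_SIZE * 2)         /* second half: bytes really present */
        return DPD_SPI_TRUNCATED;
    return DPD_OK;
}

/* Constructed sample payload (zeroed body); out must hold 12 + body_len. */
size_t build_notify(uint8_t *out, uint8_t spisize, size_t body_len)
{
    size_t total = NOTIFY_HDR + body_len;
    memset(out, 0, total);
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    out[7] = 1;                         /* DOI: IPsec */
    out[8] = 1;                         /* Protocol-ID: ISAKMP */
    out[9] = spisize;
    out[10] = 0x8d; out[11] = 0x29;     /* 36137 = R_U_THERE_ACK */
    return total;
}

int main(void)
{
    uint8_t buf[64];
    /* 16-byte SPI + 4-byte sequence number: well formed */
    printf("%d\n", check_dpd_spi(buf, build_notify(buf, 16, 20)));
    /* SPI Size says 16, but only one cookie + sequence number follow */
    printf("%d\n", check_dpd_spi(buf, build_notify(buf, 16, 12)));
    printf("%d\n", check_dpd_spi(buf, build_notify(buf, 8, 20)));
    return 0;
}
```

The second case is the one described in the reply: the SPI Size field reads 16, so the logged value looks valid, yet fewer than 16 bytes follow the header.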



