[strongSwan] R_U_THERE_ACK has invalid SPI length (16)

Andreas Steffen andreas.steffen at strongswan.org
Wed Aug 24 06:16:29 CEST 2011

Hello Nan,

the source code in question is

   if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE
* 2)
			, "DPD: R_U_THERE_ACK has invalid SPI length (%d)"
			, n->isan_spisize);

COOKIE_SIZE is a constant with a value of 8 bytes and n->isan_spisize
is output as 16 bytes in the error message. This means that the
second half

  || pbs_left(pbs) < COOKIE_SIZE * 2)

triggers the error. This means that the received R_U_THERE_ACK
message does not contain 2 COOKIES.



On 08/24/2011 03:34 AM, Nan Luo wrote:
> Hi,
> I have seen this error in the pluto debug log "secure" when testing DPD
> against my SeGW, I wonder what this error really means. Per RFC3706, the
> SPI length should be set to 16 in the R_U_THERE/R_U_THERE_ACK messages.
> So does this error mean something else wrong in the R_U_THERE_ACK sent
> by my SeGW? strongSwan sent a MALFORMED-PAYLOAD back to my SeGW after
> printing out this error
> Thanks for your help
> Nan 

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

More information about the Users mailing list