Bug #108
V 4.3.6 'responding to Quick Mode' causing INVALID_HASH_INFORMATION
| Status: | New | Start date: | 26.02.2010 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% |
|
| Category: | - | |||
| Target version: | - | |||
| Affected version: | 4.6.1 |
Description
Server running Linux strongSwan U4.3.6/K2.6.31.12-174.2.22.fc12.i686
Client running XP, L2TP-IPSec
After updating server to 4.3.6 the negotiations stops in 'responding to Quick Mode'
where client response to first message is: INVALID_HASH_INFORMATION
I saw a new message in 'responding to Quick Mode': '***emit ISAKMP Nonce Payload' sent by
lines 5073 - 5082 in ./pluto/ipsec_doi.c
Disabling these lines solved the problem so I presume it's wrong to include '***emit ISAKMP Nonce Payload' in this message
(? ..at least against xp)
History
Updated by Terje Rosenlund almost 2 years ago
It's line 5079 in function quick_inI1_outR1_tail() that seems to be the problem:
nat_traversal_add_natoa(ISAKMP_NEXT_NONE, &md->rbody, md->st)The problem occurs when xp-client is behind nat only
This is a bit strange since same code exists in 4.3.6rc2 without causing trouble (?)
UPDATE: Not sure whether the problem is the same in 4.3.6rc2 (may have tested un-nated only, must test again)