Issue #3570

IPSec Packets dropped on windows. "Bad SPI Pckt" Error

Added by Rohit Magdum about 1 month ago. Updated 23 days ago.

Status:
Closed
Priority:
Normal
Category:
libipsec
Affected version:
5.7.0
Resolution:
No change required

Description

I am working on a TAP device on Windows. I use the libipsec/kernel_libipsec plugin of strongSwan for the implementation of IPSec. I am able to successfully send the ESP packets to my server. When I receive the response from the server, Windows detects the packets as ESP packets and tries to make sense of the SPI number of the packet.
Since I am not using Windows' implementation of IPSec, there are no SA policies set in the kernel IPSec. So Windows fails to find any SA associated with the SPI and discards those packets, saying "Bad SPI Pckt".
Hence the application that is waiting on the receive socket never receives the packet.
I am able to capture the ESP packets in Wireshark. I can see the SPI number and the ESP header as well.
The netsh command "netsh IPsec dynamic show all" shows the error "Bad SPI Pckts Count" which match the packets captured in Wireshark.

I expect Windows to just pass the packets on to the application and not interfere with the communication. Is there some way I can disable IPSec on Windows, or is this some other issue that I am not able to understand? Can anyone help me out here please.

Note: I have disabled the wfp plugin of strongSwan, and in the netsh command to show policies I do not see any policies set for inbound/outbound traffic.

Thank you in advance.

History

#1 Updated by Tobias Brunner about 1 month ago

  • Category set to libipsec
  • Status changed from New to Feedback
  • Priority changed from Urgent to Normal

You obviously have to use UDP encapsulation without enabling UDP decapsulation for the client socket/port so the packets are delivered to the userland.

#2 Updated by Rohit Magdum about 1 month ago

Hello Tobias,

Thank you for your quick reply. Pardon my ignorance, can you please let me know how this encapsulation works? I mean, is it expected to happen at the server end from where the packets are sent, or can we do anything for the encapsulation at the receiving end on Windows? Again, pardon me for the dumb questions.

Thank you,
Rohit

#3 Updated by Tobias Brunner about 1 month ago

Pardon my ignorance, can you please let me know how this encapsulation works?

Maybe search for and learn about it?

I mean, is it expected to happen at the server end from where the packets are sent, or can we do anything for the encapsulation at the receiving end on Windows?

Both ends have to use UDP encapsulation.
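
The point made in #1 and #3, as an added example that is not part of this thread and not strongSwan's own code: with UDP encapsulation (NAT-T, RFC 3948) both peers wrap ESP in UDP datagrams to port 4500 instead of sending raw ESP (IP protocol 50), so the host treats them as ordinary UDP traffic and whichever socket is bound to 4500 receives them, while raw ESP is claimed by the host's IPsec stack and, with no matching SA, counted as a bad-SPI packet. The script below shows how a receiver on UDP/4500 tells IKE, NAT keepalives and ESP apart, and how an ESP packet with an unknown SPI is handled in userland. All datagrams are constructed for the example; the SPI values and function names are illustrative assumptions.

```python
"""Added example (not from the issue reporter or from strongSwan): demultiplexing
UDP-encapsulated ESP on the NAT-T port (UDP 4500, RFC 3948).

Raw ESP is delivered to the host's IPsec stack, which looks the SPI up in its
own SAD; with no matching inbound SA Windows counts it as a bad-SPI packet.
ESP wrapped in UDP is just a datagram to the host, so the userland IPsec
implementation bound to port 4500 receives it, as long as no kernel UDP
decapsulation is enabled on that socket.
Sample datagrams, SPIs and function names below are constructed for this
example and are not taken from the issue.
"""
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: IKE on 4500 starts with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: single 0xFF byte keeps NAT state alive


def encap_esp(spi: int, seq: int, protected: bytes) -> bytes:
    """UDP payload for an ESP packet: SPI, sequence number, then the encrypted
    payload+trailer and ICV produced by the SA (treated as opaque here).
    SPI 0 is reserved and would look like the non-ESP marker, so reject it."""
    if not 1 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must be in 1..2^32-1")
    return struct.pack("!II", spi, seq & 0xFFFFFFFF) + protected


def encap_ike(ike_message: bytes) -> bytes:
    """UDP payload for an IKE message sent over port 4500."""
    return NON_ESP_MARKER + ike_message


def classify(payload: bytes):
    """Classify one datagram received on UDP/4500 the way a NAT-T receiver does.
    Returns (kind, detail) with kind in {"keepalive", "ike", "esp", "malformed"}."""
    if payload == NAT_KEEPALIVE:
        return "keepalive", None
    if payload[:4] == NON_ESP_MARKER:
        return "ike", payload[4:]
    if len(payload) >= 8:  # SPI + sequence number at minimum
        spi, seq = struct.unpack("!II", payload[:8])
        return "esp", {"spi": spi, "seq": seq, "protected": payload[8:]}
    return "malformed", payload


def process(datagrams, inbound_spis):
    """Dispatch a batch of received datagrams. ESP whose SPI matches one of our
    inbound SAs is handed on; ESP with an unknown SPI is counted as bad_spi,
    the userland counterpart of the Windows counter seen in the issue."""
    counts = {"esp_delivered": 0, "bad_spi": 0, "ike": 0, "keepalive": 0, "malformed": 0}
    delivered = []
    for dgram in datagrams:
        kind, detail = classify(dgram)
        if kind == "esp":
            if detail["spi"] in inbound_spis:
                counts["esp_delivered"] += 1
                delivered.append(detail)
            else:
                counts["bad_spi"] += 1
        else:
            counts[kind] += 1
    return counts, delivered


if __name__ == "__main__":
    # Constructed sample traffic: one SA with inbound SPI 0xC0FFEE, plus an IKE
    # message, a keepalive and an ESP packet for an SPI that was never negotiated.
    inbound = {0xC0FFEE}
    sample = [
        encap_ike(b"\x11" * 28),
        encap_esp(0xC0FFEE, 1, b"\xaa" * 32),
        NAT_KEEPALIVE,
        encap_esp(0xDEAD01, 1, b"\xbb" * 32),
    ]
    counts, pkts = process(sample, inbound)
    print(counts)  # {'esp_delivered': 1, 'bad_spi': 1, 'ike': 1, 'keepalive': 1, 'malformed': 0}
```

In strongSwan the encapsulation is forced per connection with `encap = yes` in swanctl.conf (`forceencaps=yes` in the legacy ipsec.conf); as #3 says, both peers must do it, because the receiver cannot unwrap what the sender did not wrap. The remaining condition from #1 is that the 4500 socket of the userland implementation must not have kernel UDP decapsulation enabled, otherwise the kernel strips the UDP header and hands the ESP to its own IPsec stack again.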

#4 Updated by Tobias Brunner 23 days ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
