
Re: [Users] freeswan says SA established, but softpk keeps retransmitting ISAKMP OAK MM *

From: Andreas Steffen (andreas.steffen_at_strongsec.com)
Date: Sun Mar 17 2002 - 12:11:37 CET


Doug Wilson wrote:
>
> I'm now able to import my 1024 bit key into softpk. When I try to
> initiate the connection however, I see the following behavior.
> Strangely, it looks to me like FreeS/WAN thinks the connection has been
> established, but softpk doesn't (freeswan says "sent MR3, ISAKMP SA
> established."). Maybe softpk fails because it sends
> NOTIFY:STATUS_INITIAL_CONTACT and never gets an answer from freeswan
> since freeswan says
> ignoring informational payload, type IPSEC_INITIAL_CONTACT?
>
> ########softpk log:
> 15:56:17.071 My Connections\Alex FSWAN - SENDING>>>> ISAKMP OAK MM *(ID,
> CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT)
> 15:56:32.624 My Connections\Alex FSWAN - message not received!
> Retransmitting!
>
> ###########end softpk log
>
> #####what I believe are the relevant parts of the FreeS/WAN log (with
> Mar 16 11:20:09 deunan Pluto[4287]: | sending 1556 bytes for retransmit
> in response to duplicate through eth0 to 209.70.116.116:500:

The last message FreeS/WAN sends has a size of 1556 bytes.
This means that this UDP datagram is going to be fragmented.
Either you have a firewall in between which is discarding the IP fragment
or it is Soft-PK itself that dumps it. I deposited a bug report with
SafeNet more than a year ago, saying that Soft-PK cannot handle IP fragments
in reverse order (Linux sends the second fragment first and the main fragment
with the UDP header afterwards). So it seems that SafeNet still has not
solved this bug.

As a workaround I'm using certificates of a size less than 1000 bytes
and try to keep the distinguished names as short as possible. With
this I can avoid the fragmentation issue and Soft-PK has been working
correctly ever since.

> -----------------------------------------------------------
> Doug Wilson
> Project Director - Information Systems
> Virtual Technology Corporation
> 703-658-7050
> dwilson_at_virtc.com

Regards

Andreas

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
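The two checks behind the reply above, written out as an added example (not code from the thread, FreeS/WAN or Soft-PK): whether a Pluto send of a given size will be IP-fragmented on a plain Ethernet path (1500-byte MTU, IPv4 without options, so 1472 bytes of UDP payload is the limit), and whether a certificate's DER encoding stays under the sub-1000-byte budget the author uses. The certificate size is read straight from the outer DER length field, so no ASN.1 library is needed; the sample certificates and the second log line are constructed placeholders, and the `sending N bytes` pattern is assumed to match the Pluto line quoted in the thread.

```python
import base64
import re

# Ethernet MTU and IPv4/UDP header sizes (no IP options). Any UDP payload
# larger than 1500 - 20 - 8 = 1472 bytes leaves the host as IP fragments.
ETHERNET_MTU = 1500
IPV4_HEADER = 20
UDP_HEADER = 8

# Certificate budget used in the reply to stay clear of fragmentation.
CERT_BUDGET = 1000


def will_fragment(udp_payload_len: int, mtu: int = ETHERNET_MTU) -> bool:
    """True if a UDP datagram carrying this payload exceeds the path MTU."""
    return udp_payload_len + IPV4_HEADER + UDP_HEADER > mtu


def der_encoded_size(der: bytes) -> int:
    """On-wire size (tag + length + content) of the outermost DER TLV.

    Only the first bytes are inspected, which is enough for a certificate
    file: the outer SEQUENCE length is the whole certificate."""
    if len(der) < 2:
        raise ValueError("too short for a DER TLV")
    first = der[1]
    if first < 0x80:                  # short form: one length byte
        return 2 + first
    n = first & 0x7F                  # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    content = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + content


def cert_bytes(data: bytes) -> bytes:
    """Accept PEM or DER and return the DER bytes (no validation performed)."""
    if b"-----BEGIN" in data:
        b64 = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(b64)
    return data


def check_certificate(data: bytes, budget: int = CERT_BUDGET) -> dict:
    """Report the certificate's DER size and whether it fits the budget."""
    size = der_encoded_size(cert_bytes(data))
    return {"der_size": size, "within_budget": size <= budget}


# Assumed pattern for the Pluto send line quoted in the thread.
PLUTO_SEND_RE = re.compile(r"sending (\d+) bytes")


def oversized_sends(log_lines, mtu: int = ETHERNET_MTU):
    """Return (size, line) for every logged Pluto send that will fragment."""
    hits = []
    for line in log_lines:
        m = PLUTO_SEND_RE.search(line)
        if m and will_fragment(int(m.group(1)), mtu):
            hits.append((int(m.group(1)), line))
    return hits


# ---- constructed sample inputs (placeholders, not real certificates) ----
def _fake_pem(der: bytes) -> bytes:
    body = base64.encodebytes(der)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


# Outer SEQUENCE with long-form length 0x03F4 = 1012 content bytes (1016 total).
LONG_CERT_PEM = _fake_pem(b"\x30\x82\x03\xf4" + b"\x00" * 1012)
# Outer SEQUENCE with length 0x02F8 = 760 content bytes (764 total).
SHORT_CERT_DER = b"\x30\x82\x02\xf8" + b"\x00" * 760

SAMPLE_LOG = [
    # line quoted in the thread
    "Mar 16 11:20:09 deunan Pluto[4287]: | sending 1556 bytes for retransmit "
    "in response to duplicate through eth0 to 209.70.116.116:500:",
    # constructed line for a message that fits in one datagram
    "Mar 16 11:20:10 deunan Pluto[4287]: | sending 612 bytes for retransmit "
    "in response to duplicate through eth0 to 209.70.116.116:500:",
]

if __name__ == "__main__":
    for size, line in oversized_sends(SAMPLE_LOG):
        print(f"fragmented send of {size} bytes: {line}")
    print(check_certificate(LONG_CERT_PEM))
    print(check_certificate(SHORT_CERT_DER))
```

Run `check_certificate` on the actual certificate files you load into Soft-PK and `oversized_sends` on the Pluto log; a hit from the latter together with an over-budget certificate is the situation the reply describes, and shrinking the distinguished names until the DER size drops is the fix it suggests.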
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:44 CEST