Trouble with juniper connection - invalid HMAC
Gaute Amundsen
gaute at div.org
Wed Nov 30 02:46:46 PST 2016
Hi.
I've compiled the latest version from git and was finally able to
connect, but I'm having problems that look related to MTU.
An HTTP connection seems to work, but ping with -s > 1394 fails with a
message to the console "Received ESP packet with invalid HMAC".
The RDP connection that I'm really after fails, and Wireshark claims
malformed packets.
I'm all out of ideas at this point, so I'm grateful for any help.
Here are the details (there's more where these come from!).
With -v -v it looks like this:
ping -c1 -W 2 -s 1395 host.tld
No work to do; sleeping for 15000 ms...
Sent ESP packet of 1444 bytes
Sent ESP packet of 100 bytes
No work to do; sleeping for 15000 ms...
Received ESP packet of 1460 bytes
Received ESP packet with invalid HMAC
No work to do; sleeping for 15000 ms...
ping -c1 -W 2 -s 1394 host.tld
No work to do; sleeping for 15000 ms...
Sent ESP packet of 1444 bytes
Sent ESP packet of 84 bytes
No work to do; sleeping for 15000 ms...
Received ESP packet of 1460 bytes
No work to do; sleeping for 15000 ms...
I presume the error message originates here:
https://github.com/nmav/openconnect-mine/blob/master/gnutls-esp.c#L153
The mtu on tun0 is 1400 and --mtu 1200 did nothing to change that.
I'm on Ubuntu 14.04.5 LTS
openconnect is
v7.07-187-gb8d3971
Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), HOTP
software token, TOTP software token, DTLS
./configure --with-vpnc-script=/usr/share/vpnc-scripts/vpnc-script
--without-gnutls
With or without --without-gnutls seems to make no difference.
BUILD OPTIONS:
SSL library: OpenSSL
PKCS#11 support: no
DTLS support: yes
ESP support: yes
libproxy support: no
RSA SecurID support: no
PSKC OATH file support: no
GSSAPI support: no
Yubikey support: no
LZ4 compression: no
Java bindings: no
Build docs: no
Unit tests: no
make check
PASS: lzstest
PASS: seqtest
FAIL: bad_dtls_test
That may be because I don't have everything mentioned in README.TESTS
G.
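The ESP sizes in the log above can be reproduced by modelling the tun-side IP fragmentation and the ESP framing. The following is an added worked example, not code from the original mail or from openconnect; it assumes AES-CBC (16-byte IV and block) with a 12-byte HMAC-SHA1-96 ICV, and a tun MTU of 1400 as reported in the mail. Under those assumptions a 1394-byte ping produces ESP packets of 1444 and 84 bytes and a 1395-byte ping produces 1444 and 100 bytes, exactly as logged, and a received 1460-byte ESP packet must carry an inner IP packet of 1407 to 1422 bytes, i.e. larger than the 1400-byte tun MTU.

```python
# Added example (not from the original mail): model how a ping payload of a
# given size becomes IP fragments on the tun device and then ESP packets,
# to explain the "Sent ESP packet of ..." sizes in the -v -v output.
IP_HDR = 20    # IPv4 header, no options
ICMP_HDR = 8   # ICMP echo header

# ESP framing assumptions (not stated in the mail): AES-CBC with a 16-byte
# IV and block size, and HMAC-SHA1-96 giving a 12-byte ICV.
ESP_SPI_SEQ = 8   # SPI (4) + sequence number (4)
ESP_IV = 16
ESP_BLOCK = 16
ESP_TRAILER = 2   # pad length (1) + next header (1)
ESP_ICV = 12


def ip_fragments(total_len, mtu):
    """Split an IP packet of total_len bytes into fragment lengths that fit
    mtu. Every fragment except the last carries a payload that is a multiple
    of 8 bytes, as IPv4 fragmentation requires."""
    if total_len <= mtu:
        return [total_len]
    payload = total_len - IP_HDR
    chunk = (mtu - IP_HDR) // 8 * 8
    frags = []
    while payload > 0:
        take = min(chunk, payload)
        frags.append(IP_HDR + take)
        payload -= take
    return frags


def esp_len(plain_len):
    """Total ESP packet size for an inner packet of plain_len bytes:
    plaintext + trailer padded to the cipher block, plus SPI/seq, IV and ICV."""
    padded = -(-(plain_len + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK
    return ESP_SPI_SEQ + ESP_IV + padded + ESP_ICV


def esp_sizes_for_ping(payload, mtu=1400):
    """ESP packet sizes sent for one 'ping -s payload' through a tun device
    with the given MTU."""
    total = IP_HDR + ICMP_HDR + payload
    return [esp_len(f) for f in ip_fragments(total, mtu)]


def max_ping_payload_without_fragmentation(mtu=1400):
    """Largest -s value whose echo request still fits the tun MTU unfragmented."""
    return mtu - IP_HDR - ICMP_HDR


def esp_plaintext_range(esp_total):
    """Inclusive range of inner packet sizes that a received ESP packet of
    esp_total bytes can carry (the padding hides the exact length)."""
    padded = esp_total - ESP_SPI_SEQ - ESP_IV - ESP_ICV
    hi = padded - ESP_TRAILER
    lo = padded - ESP_BLOCK + 1 - ESP_TRAILER
    return lo, hi


if __name__ == "__main__":
    for size in (1394, 1395):
        print(f"ping -s {size}: ESP packets {esp_sizes_for_ping(size)}")
    print("max unfragmented -s:", max_ping_payload_without_fragmentation())
    print("received 1460-byte ESP carries inner packet of",
          esp_plaintext_range(1460), "bytes")
```

Running it prints 1444/84 for -s 1394 and 1444/100 for -s 1395, matching the log; the first fragment is 1396 bytes (20-byte header plus 1376 bytes of data, the largest multiple of 8 below the 1380 bytes the MTU allows), which is why the first ESP packet is the same size in both cases and only the second one differs.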