Trouble with juniper connection - invalid HMAC

Gaute Amundsen gaute at div.org
Wed Nov 30 02:46:46 PST 2016


Hi.

I've compiled the latest version from git and was finally able to 
connect, but I'm having problems that look related to MTU.
An HTTP connection seems to work, but ping with -s > 1394 fails with a 
message to the console "Received ESP packet with invalid HMAC".
The RDP connection that I'm really after fails and Wireshark claims 
malformed packets.

I'm all out of ideas at this point, so I'm grateful for any help.


Here are the details. (There's more where these come from!)

With -v -v it looks like this:

ping -c1 -W 2 -s 1395 host.tld

No work to do; sleeping for 15000 ms...
Sent ESP packet of 1444 bytes
Sent ESP packet of 100 bytes
No work to do; sleeping for 15000 ms...
Received ESP packet of 1460 bytes
Received ESP packet with invalid HMAC
No work to do; sleeping for 15000 ms...

ping -c1 -W 2 -s 1394 host.tld

No work to do; sleeping for 15000 ms...
Sent ESP packet of 1444 bytes
Sent ESP packet of 84 bytes
No work to do; sleeping for 15000 ms...
Received ESP packet of 1460 bytes
No work to do; sleeping for 15000 ms...

I presume the error message originates here:
https://github.com/nmav/openconnect-mine/blob/master/gnutls-esp.c#L153

The mtu on tun0 is 1400 and --mtu 1200 did nothing to change that.

I'm on Ubuntu 14.04.5 LTS

openconnect is
v7.07-187-gb8d3971
Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), HOTP 
software token, TOTP software token, DTLS

./configure --with-vpnc-script=/usr/share/vpnc-scripts/vpnc-script 
--without-gnutls

With or without --without-gnutls seems to make no difference.

BUILD OPTIONS:
   SSL library:            OpenSSL
   PKCS#11 support:        no
   DTLS support:           yes
   ESP support:            yes
   libproxy support:       no
   RSA SecurID support:    no
   PSKC OATH file support: no
   GSSAPI support:         no
   Yubikey support:        no
   LZ4 compression:        no
   Java bindings:          no
   Build docs:             no
   Unit tests:             no

make check
PASS: lzstest
PASS: seqtest
FAIL: bad_dtls_test

That may be because I don't have everything mentioned in README.TESTS.

G.
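The ESP packet sizes in the log above (1444, 100 and 84 bytes sent, 1460 received) can be checked against the tun MTU and the ESP framing overhead. The following is an added example, not code from the post or from openconnect; it assumes ESP with AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV), IPv4 inner packets without options and a tun MTU of 1400, none of which the post states. Under those assumptions it reproduces the logged sizes exactly and lets you back out which inner packet length a received ESP packet could carry.

```python
# Added example (assumptions: ESP with AES-CBC, 16-byte IV and block size,
# HMAC-SHA1-96 with a 12-byte ICV; IPv4 inner packets without options;
# tun0 MTU 1400).  Values are checked against the sizes in the log above.

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header; `ping -s N` adds N bytes of data


def esp_len(inner_len, iv_len=16, block=16, icv_len=12):
    """ESP packet size for an inner IP packet of inner_len bytes.
    Layout: SPI(4) | seq(4) | IV | payload + pad + padlen(1) + next(1) | ICV.
    The encrypted part (payload + 2 trailer bytes) is padded to a block."""
    padded = -(-(inner_len + 2) // block) * block   # round up to block size
    return 4 + 4 + iv_len + padded + icv_len


def ipv4_fragments(total_len, mtu):
    """Sizes of the IPv4 fragments of a total_len-byte packet sent at mtu.
    Every fragment except the last carries a multiple of 8 payload bytes."""
    if total_len <= mtu:
        return [total_len]
    payload, chunk, sizes = total_len - IP_HDR, (mtu - IP_HDR) // 8 * 8, []
    while payload > 0:
        take = min(chunk, payload)
        sizes.append(IP_HDR + take)
        payload -= take
    return sizes


def ping_esp_sizes(icmp_data_len, tun_mtu=1400):
    """ESP packet sizes sent for `ping -s icmp_data_len` through tun0."""
    total = IP_HDR + ICMP_HDR + icmp_data_len
    return [esp_len(frag) for frag in ipv4_fragments(total, tun_mtu)]


def max_unfragmented_ping_size(tun_mtu=1400):
    """Largest -s value whose echo request still fits in one tun packet."""
    return tun_mtu - IP_HDR - ICMP_HDR


def inner_len_range(esp_total, iv_len=16, block=16, icv_len=12):
    """Inner IP lengths (lo, hi) that yield an ESP packet of esp_total bytes,
    or None if no length fits the assumed framing."""
    padded = esp_total - 8 - iv_len - icv_len
    if padded < block or padded % block:
        return None
    return (padded - block - 1, padded - 2)


if __name__ == "__main__":
    for s in (1395, 1394, max_unfragmented_ping_size()):
        print(f"ping -s {s}: ESP sizes {ping_esp_sizes(s)}")
    print("1460-byte ESP packet carries an inner packet of", inner_len_range(1460))
```

With these assumptions `ping -s 1394` and `-s 1395` both send a first fragment of 1444 bytes followed by 84 or 100 bytes, matching the log, and a 1460-byte received packet corresponds to an unfragmented inner packet of 1407 to 1422 bytes, i.e. larger than the 1400-byte tun MTU.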


