[CentOS] Latest openswan update no longer connects to Cisco VPN 3000 Series

Fri Mar 7 14:56:30 UTC 2014
Radu Radutiu <rradutiu at gmail.com>

Has anyone else noticed problems after updating openswan to
openswan-2.6.32-27.2.el6_5.i686? In our case a connection to a Cisco VPN
3000 Series would no longer work. I can see an ASSERTION FAILED error in
the log, and the connection remains pending in phase 2.


Mar  7 16:24:40 firewall pluto[7647]: "ciscovpntest" #2: discarding
duplicate packet; already STATE_MAIN_I1
Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: ignoring Vendor ID
payload [FRAGMENTATION c0000000]
Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: enabling possible
NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: ASSERTION FAILED
at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/ikev1_main.c:1112:
st->st_sec_in_use==FALSE
Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: using kernel
interface: netkey
....
Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: #2:
"ciscovpntest":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
EVENT_RETRANSMIT in 39s; nodpd; idle; import:admin initiate
Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: #2: pending Phase
2 for "ciscovpntest" replacing #0

Downgrading openswan to openswan-2.6.32-27.el6.i686 solves the problem. The
problem is restricted to this VPN connection; the other two VPNs continue to
work fine with the new version.

Radu
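For readers hitting the same symptom, here is an added example (not part of the original post, and not openswan's own tooling) that triages pluto's syslog output: it parses the `"conn" #N:` prefix, pulls out any `ASSERTION FAILED at file:line: expr` record, and reports the last `STATE_*` seen for that connection so you can tell whether it ever got past Main Mode. The sample log is constructed from the lines in the post above (unwrapped onto single lines) plus a hypothetical second connection, `othervpn`, that completes normally; only `SAMPLE_LOG`, the function names and the regexes are mine.

```python
import re
from typing import Dict, List, Optional

# pluto syslog line, e.g.
#   Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: ASSERTION FAILED at ...
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<st>\d+): (?P<msg>.*)$'
)
# "ASSERTION FAILED at <path>:<line>: <expression>"
ASSERT_RE = re.compile(r'ASSERTION FAILED at (?P<file>\S+?):(?P<line>\d+): (?P<expr>.+)$')
# any IKE state token pluto prints, e.g. STATE_MAIN_I1, STATE_QUICK_I2
STATE_RE = re.compile(r'\b(STATE_[A-Z0-9_]+)\b')

# Constructed sample: the post's lines unwrapped, plus a hypothetical healthy
# connection "othervpn" (#5) that reaches Quick Mode to show the contrast.
SAMPLE_LOG = [
    'Mar  7 16:24:40 firewall pluto[7647]: "ciscovpntest" #2: discarding duplicate packet; already STATE_MAIN_I1',
    'Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106',
    'Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]',
    'Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05',
    'Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: ASSERTION FAILED at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/ikev1_main.c:1112: st->st_sec_in_use==FALSE',
    'Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: using kernel interface: netkey',
    'Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: #2: "ciscovpntest":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 39s; nodpd; idle; import:admin initiate',
    'Mar  7 16:24:53 firewall pluto[7647]: "ciscovpntest" #2: #2: pending Phase 2 for "ciscovpntest" replacing #0',
    'Mar  7 16:25:01 firewall pluto[7647]: "othervpn" #5: STATE_MAIN_I4: ISAKMP SA established',
    'Mar  7 16:25:02 firewall pluto[7647]: "othervpn" #6: STATE_QUICK_I2: sent QI2, IPsec SA established',
]


def parse_pluto_line(line: str) -> Optional[dict]:
    """Split one pluto syslog line into its fields, or None if it is not a pluto line."""
    m = PLUTO_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    rec['pid'] = int(rec['pid'])
    rec['st'] = int(rec['st'])  # pluto's state-object number (#2, #5, ...)
    return rec


def find_assertions(lines) -> List[dict]:
    """Return every ASSERTION FAILED record with connection, source file, line and expression."""
    hits = []
    for line in lines:
        rec = parse_pluto_line(line)
        if rec is None:
            continue
        a = ASSERT_RE.search(rec['msg'])
        if a:
            hits.append({'conn': rec['conn'], 'state_no': rec['st'],
                         'file': a['file'], 'line': int(a['line']), 'expr': a['expr']})
    return hits


def last_state_per_conn(lines) -> Dict[str, str]:
    """Last STATE_* token logged for each connection name, in log order."""
    states: Dict[str, str] = {}
    for line in lines:
        rec = parse_pluto_line(line)
        if rec is None:
            continue
        s = STATE_RE.search(rec['msg'])
        if s:
            states[rec['conn']] = s.group(1)
    return states


def diagnose(lines) -> Dict[str, dict]:
    """Map each connection that tripped an assertion to that assertion and its last logged state."""
    states = last_state_per_conn(lines)
    return {h['conn']: {'assertion': h, 'last_state': states.get(h['conn'])}
            for h in find_assertions(lines)}


if __name__ == '__main__':
    for conn, info in diagnose(SAMPLE_LOG).items():
        a = info['assertion']
        print(f"{conn}: assertion at {a['file'].rsplit('/', 1)[-1]}:{a['line']} "
              f"({a['expr']}); last state {info['last_state']}")
```

Run it against `/var/log/secure` (or wherever pluto logs on your box) by replacing `SAMPLE_LOG` with the file's lines; a connection whose last state is still `STATE_MAIN_I1` after the assertion never left the first Main Mode exchange, which matches the "pending Phase 2" status above. Pair the output with `rpm -q openswan` to confirm which build produced the log before and after a downgrade.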