<div dir="ltr"><div>Peter,</div>
<div> </div>
<div>I have pfs=no and I have the PSK secret the same on both ends. I have tried re-entering it several times. PFS on Vigor is switched on. I am not using DH Group 1. It is set to Group 2. I have another fixed IP using a different PSK and I have another two openswan on fixed IPs using raw RSA and they are both working fine. This is the only dynamic IP address connecting.<br>
</div>
<div>Any other ideas? Does the error message suggest the wrong key is being used?</div>
<div> </div>
<div>AW<br></div>
<div class="gmail_quote">On Tue, Sep 2, 2008 at 5:26 PM, Peter McGill <span dir="ltr">&lt;<a href="mailto:petermcgill@goco.net">petermcgill@goco.net</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Abdul-Wahid,<br><br>Set pfs=no in ipsec.conf, in ipsec.secrets should have : PSK "secret".<br>Verify that PSKs are the same on both sides, reenter if necessary.<br>
Make sure the Vigor is using Perfect Forward Secrecy (PFS).<br>(pfs=no, makes pfs optional, it will still use it if Vigor asks for it,<br>but this way if Vigor doesn't the connection will still work.)<br>Make sure that the Vigor isn't using Diffie-Hellman (DH) Group 1 (768 bit), but instead DH Group 2 (1024 bit) or 5 (1536 bit). 1 is obsolete/insecure and openswan will not work with it.<br>
I'm assuming this is your only roadwarrior (dynamic address) client<br>connection. If using PSKs, then all roadwarriors must use the same one.<br><br>Peter<br><br>Abdul-Wahid Paterson wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="Ih2E3d">Hi,<br> I have set up my Vigor 2600 for a VPN tunnel to openswan but I am receiving malformed payload messages. The ISAKMP SA is established OK but when starting the IPSec SA it gets the malformed packets. What could be the possible cause of this?<br>
Conf...<br> <br>conn kscdubai<br> authby=secret<br></div> left=196.202.140.66<br>
leftsubnet=10.1.0.0/17<br> leftnexthop=196.202.140.65<br>
leftsourceip=10.1.0.1<br> right=%any<br> rightsubnet=10.0.97.0/24
<div class="Ih2E3d"><br> keyingtries=0<br> keyexchange=ike<br> esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5<br> ike=aes256-sha1,aes128-sha1,aes128-md5,3des-sha1,3des-md5<br> compress=no<br>
pfs=yes<br> auto=add<br></div> Sep 2 15:36:46 ksckhf0101 pluto[15566]: "kscdubai"[1] 86.98.26.69 #43: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}<br>
Sep 2 15:36:47 ksckhf0101 pluto[15566]: "kscdubai"[1] 86.98.26.69 #44: responding to Quick Mode {msgid:4e9d3b76}<br>
Sep 2 15:36:47 ksckhf0101 pluto[15566]: "kscdubai"[1] 86.98.26.69 #44: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.10000@196.202.140.66 included errno 17: File exists<br>
Sep 2 15:36:47 ksckhf0101 pluto[15566]: "kscdubai"[1] 86.98.26.69 #44: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>
Sep 2 15:36:47 ksckhf0101 pluto[15566]: "kscdubai"[1] 86.98.26.69 #44: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>
Sep 2 15:36:50 ksckhf0101 pluto[15566]: "kscdubai"[1] 86.98.26.69 #44: next payload type of ISAKMP Hash Payload has an unknown value: 206<br>
Sep 2 15:36:50 ksckhf0101 pluto[15566]: "kscdubai"[1] 86.98.26.69 #44: malformed payload in packet<br>
Sep 2 15:36:50 ksckhf0101 pluto[15566]: "kscdubai"[1] 86.98.26.69 #44: sending notification PAYLOAD_MALFORMED to 86.98.26.69:500
<div class="Ih2E3d"><br> Any pointers would be great.<br><br>AW<br><br><br></div>------------------------------------------------------------------------<br><br>_______________________________________________<br><a href="mailto:Users@openswan.org" target="_blank">Users@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
</blockquote></blockquote></div><br></div>
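
A small log triage script for the pluto output quoted above, added here as an illustration and not part of the original thread: for each "malformed payload" line it reports which IKE state that SA had last reached and whether an ISAKMP SA with the peer had already been established. The function name `triage` and the regular expressions are assumptions built from the log lines in this message.

```python
import re

# Log lines taken from the message above (mail-client link markup removed;
# the errno 17 and state-transition lines are left out for brevity).
SAMPLE_LOG = """\
Sep 2 15:36:46 ksckhf0101 pluto[15566]: "kscdubai"[1] 86.98.26.69 #43: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Sep 2 15:36:47 ksckhf0101 pluto[15566]: "kscdubai"[1] 86.98.26.69 #44: responding to Quick Mode {msgid:4e9d3b76}
Sep 2 15:36:47 ksckhf0101 pluto[15566]: "kscdubai"[1] 86.98.26.69 #44: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 2 15:36:50 ksckhf0101 pluto[15566]: "kscdubai"[1] 86.98.26.69 #44: next payload type of ISAKMP Hash Payload has an unknown value: 206
Sep 2 15:36:50 ksckhf0101 pluto[15566]: "kscdubai"[1] 86.98.26.69 #44: malformed payload in packet
"""

LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) '
                  r'#(?P<sa>\d+): (?P<msg>.*)')
STATE = re.compile(r'\b(STATE_(MAIN|AGGR|QUICK)_[IR]\d)\b')
ESTABLISHED = re.compile(r'ISAKMP SA established \{auth=(\w+)')
EXCHANGE = {"MAIN": "Main Mode (phase 1)", "AGGR": "Aggressive Mode (phase 1)",
            "QUICK": "Quick Mode (phase 2)"}

def triage(log_text):
    """Return one finding per 'malformed payload' line, with the IKE state it hit."""
    last_state = {}    # (peer, SA number) -> (state name, exchange kind)
    phase1_auth = {}   # peer -> auth method of an established ISAKMP SA
    findings = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        peer, sa, msg = m["peer"], int(m["sa"]), m["msg"]
        states = STATE.findall(msg)
        if states:
            last_state[(peer, sa)] = states[-1]   # "transition" lines name two states
        est = ESTABLISHED.search(msg)
        if est:
            phase1_auth[peer] = est.group(1)
        if "malformed payload in packet" in msg:
            name, kind = last_state.get((peer, sa), ("unknown", None))
            findings.append({"conn": m["conn"], "peer": peer, "sa": sa,
                             "state": name,
                             "exchange": EXCHANGE.get(kind, "unknown"),
                             "phase1_auth": phase1_auth.get(peer)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the log in this thread it reports SA #44 in STATE_QUICK_R1 with phase1_auth OAKLEY_PRESHARED_KEY, i.e. the malformed packet arrives in Quick Mode after phase 1 had completed with pre-shared-key authentication.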