Hi Paul,<br>thanks for your help. You lost a mail, no problem, here is the data that you requested:<br><br>I've set up a test machine. The current configuration is:<br><br>- Linux fwclient 2.6.26-2-686 #1 SMP i686 GNU/Linux (Debian Lenny)<br>
- Openswan IPsec U2.6.25/K2.6.26-2-686<br><br>I include in this message the portion of logs that shows the error. Let me know if you need other infos.<br>
<br>CONFIG:<br><br>version 2.0 # conforms to second version of ipsec.conf specification<br><br># basic configuration<br>config setup<br> plutodebug="all"<br> # plutoopts="--perpeerlog"<br>
nat_traversal=yes<br> #virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12" target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12</a><br> oe=off<br> protostack=netkey<br>
<br>## RoadWarrior to Net behind Gateway: FreeS/WAN X.509 <-> Check Point<br>conn openswan-checkpoint<br> # Right side is FreeS/WAN RoadWarrior<br> right=%defaultroute<br> rightrsasigkey=%cert<br>
rightcert=/etc/ipsec.d/certs/fwclient-crt.pem<br> # Left side is Check Point<br> left=fwserver<br> leftsubnet=<a href="http://192.168.255.0/24" target="_blank">192.168.255.0/24</a> ## subnet behind the gateway<br>
leftcert=/etc/ipsec.d/certs/fwserver-crt.pem<br> leftrsasigkey=%cert<br> auto=start<br><br>LOGS:<br><br>May 12 16:52:10 fwclient pluto[19602]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #6<br>
May 12 16:52:10 fwclient pluto[19602]: | event added after event EVENT_PENDING_PHASE2<br>May 12 16:52:10 fwclient pluto[19602]: "openswan-checkpoint" #6: STATE_MAIN_I2: sent MI2, expecting MR2<br>May 12 16:52:10 fwclient pluto[19602]: | modecfg pull: noquirk policy:push not-client<br>
May 12 16:52:10 fwclient pluto[19602]: | phase 1 is done, looking for phase 2 to unpend<br>May 12 16:52:10 fwclient pluto[19602]: | * processed 1 messages from cryptographic helpers<br>May 12 16:52:10 fwclient pluto[19602]: | next event EVENT_PENDING_DDNS in 9 seconds<br>
May 12 16:52:10 fwclient pluto[19602]: | next event EVENT_PENDING_DDNS in 9 seconds<br>May 12 16:52:11 fwclient pluto[19602]: |<br>May 12 16:52:11 fwclient pluto[19602]: | *received 40 bytes from x.y.z.w:500 on eth0 (port=500)<br>
May 12 16:52:11 fwclient pluto[19602]: | 76 31 8f 3c 49 ba 7c 88 2d b7 41 57 a5 13 58 34<br>May 12 16:52:11 fwclient pluto[19602]: | 0b 10 05 00 b7 8b 29 04 00 00 00 28 00 00 00 0c<br>May 12 16:52:11 fwclient pluto[19602]: | 00 00 00 00 01 00 00 10<br>
May 12 16:52:11 fwclient pluto[19602]: | **parse ISAKMP Message:<br>May 12 16:52:11 fwclient pluto[19602]: | initiator cookie:<br>May 12 16:52:11 fwclient pluto[19602]: | 76 31 8f 3c 49 ba 7c 88<br>May 12 16:52:11 fwclient pluto[19602]: | responder cookie:<br>
May 12 16:52:11 fwclient pluto[19602]: | 2d b7 41 57 a5 13 58 34<br>May 12 16:52:11 fwclient pluto[19602]: | next payload type: ISAKMP_NEXT_N<br>May 12 16:52:11 fwclient pluto[19602]: | ISAKMP version: ISAKMP Version 1.0 (rfc2407)<br>
May 12 16:52:11 fwclient pluto[19602]: | exchange type: ISAKMP_XCHG_INFO<br>May 12 16:52:11 fwclient pluto[19602]: | flags: none<br>May 12 16:52:11 fwclient pluto[19602]: | message ID: b7 8b 29 04<br>May 12 16:52:11 fwclient pluto[19602]: | length: 40<br>
May 12 16:52:11 fwclient pluto[19602]: | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)<br>May 12 16:52:11 fwclient pluto[19602]: | ICOOKIE: 76 31 8f 3c 49 ba 7c 88<br>May 12 16:52:11 fwclient pluto[19602]: | RCOOKIE: 2d b7 41 57 a5 13 58 34<br>
May 12 16:52:11 fwclient pluto[19602]: | state hash entry 7<br>May 12 16:52:11 fwclient pluto[19602]: | peer and cookies match on #6, provided msgid 00000000 vs 00000000/00000000<br>May 12 16:52:11 fwclient pluto[19602]: | p15 state object #6 found, in STATE_MAIN_I2<br>
May 12 16:52:11 fwclient pluto[19602]: | processing connection openswan-checkpoint<br>May 12 16:52:11 fwclient pluto[19602]: | got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0<br>May 12 16:52:11 fwclient pluto[19602]: | ***parse ISAKMP Notification Payload:<br>
May 12 16:52:11 fwclient pluto[19602]: | next payload type: ISAKMP_NEXT_NONE<br>May 12 16:52:11 fwclient pluto[19602]: | length: 12<br>May 12 16:52:11 fwclient pluto[19602]: | DOI: ISAKMP_DOI_ISAKMP<br>May 12 16:52:11 fwclient pluto[19602]: | protocol ID: 1<br>
May 12 16:52:11 fwclient pluto[19602]: | SPI size: 0<br>May 12 16:52:11 fwclient pluto[19602]: | Notify Message Type: PAYLOAD_MALFORMED<br>May 12 16:52:11 fwclient pluto[19602]: | info:<br>May 12 16:52:11 fwclient pluto[19602]: | processing informational PAYLOAD_MALFORMED (16)<br>
May 12 16:52:11 fwclient pluto[19602]: "openswan-checkpoint" #6: received 1 malformed payload notifies<br>May 12 16:52:11 fwclient pluto[19602]: | complete state transition with STF_IGNORE<br>May 12 16:52:11 fwclient pluto[19602]: | * processed 0 messages from cryptographic helpers<br>
May 12 16:52:11 fwclient pluto[19602]: | next event EVENT_PENDING_DDNS in 8 seconds<br>May 12 16:52:11 fwclient pluto[19602]: | next event EVENT_PENDING_DDNS in 8 seconds<br><br><br><div class="gmail_quote">On Wed, May 12, 2010 at 8:48 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">On Wed, 12 May 2010, Luca Arzeni wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
just to be sure, I've set up a CentOS machine with vmware player, and tried a connection using exactly the same configuration<br>
that you used (Openswan IPsec U2.6.21/K2.6.18-164.el5), but I had no luck... same failure that I received under Lenny...<br>
</blockquote>
<br></div>
vmware is known the mess with packets. You might be looking at a vmware bug.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
May 12 19:02:25 fwcentos pluto[3807]: "openswan-checkpoint" #2: received 1 malformed payload notifies<br>
<br>
I don't know what else could be the cause of the problems...<br>
<br>
Your, faithfully (and desperately), Luca<br>
</blockquote>
<br></div>
Didn't I request a plutodebug=all with the actual malformed payloads before?<br>
Did I miss an email?<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br>