Greetings Openswan Users,

Configuring openswan to work with an iPhone has led to some problems.

Currently I have made a few changes to ipsec.conf to enable Xauth, which iOS apparently requires to connect. It looks like Apple is using Cisco software to connect. I am using the standard IPSec software of iOS.

My configuration is IPSec with Xl2tpd and now with Xauth. I have never worked with Xauth before, so I have no point of reference with a working situation. It could be that most settings are incorrect or inappropriate.

The iPhone is giving the following warning: Could not validate the server certificate.
I don't know what this means, because I have installed the certificate of the client and I have installed the Root CA.

The server is reporting that there is a malformed payload in the packet: byte 2 of ISAKMP Hash Payload must be zero, but is not.

The phone is connecting through a telecom provider; when using the same connection with an Android device it works just fine. I come to the conclusion that I have made some mistakes in my configuration with Xauth.
If anyone could take a look at it, it would be appreciated.

Greetings,

Bart Smink


The config files:

/etc/ipsec.conf:
config setup
 nat_traversal=yes
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16,%v4:!172.28.0.0/16
 oe=off
 protostack=netkey
 dumpdir=/var/tmp
conn l2tp-X.509-Iphone
 #
 # Configuration for one user with any type of IPsec/L2TP client
 # including the updated Windows 2000/XP (MS KB Q818043), but
 # excluding the non-updated Windows 2000/XP.
 #
 #
 # Use a certificate. Disable Perfect Forward Secrecy.
 #
 authby=rsasig
 pfs=no
 auto=add
 # we cannot rekey for %any, let client rekey
 rekey=no
 ikelifetime=8h
 keylife=1h
 type=transport
 left=129.125.xxx.yyy
 leftid=%fromcert
 leftrsasigkey=%cert
 leftcert=/etc/ipsec.d/certs/HeliosnetGateway.pem
 leftprotoport=17/0
 leftxauthserver=yes
 leftmodecfgserver=yes
 leftxauthusername=user1
 # The remote user.
 right=%any
 rightid="E=bartsmink@gmail.com, CN=Iphone, O=heliosnet.nl, L=Groningen, ST=Groningen, C=Netherlands"
 rightca=%same
 rightrsasigkey=%cert
 rightprotoport=17/%any
 rightsubnet=vhost:%priv,%no
 rightmodecfgclient=yes
 modecfgpull=yes
 rightxauthclient=yes

/etc/ipsec.secrets:
: RSA /etc/ipsec.d/private/HeliosnetGateway.pem.new "AM0mUuia9L"
@user1 : XAUTH "password1"

My Logs:
/var/log/secure


Oct 7 17:57:46 gateway pluto[7032]: Starting Pluto (Openswan Version 2.6.36; Vendor ID OEqltr]KZl]_) pid:7032
Oct 7 17:57:46 gateway pluto[7032]: LEAK_DETECTIVE support [disabled]
Oct 7 17:57:46 gateway pluto[7032]: OCF support for IKE [disabled]
Oct 7 17:57:46 gateway pluto[7032]: SAref support [disabled]: Protocol not available
Oct 7 17:57:46 gateway pluto[7032]: SAbind support [disabled]: Protocol not available
Oct 7 17:57:46 gateway pluto[7032]: NSS support [disabled]
Oct 7 17:57:46 gateway pluto[7032]: HAVE_STATSD notification support not compiled in
Oct 7 17:57:46 gateway pluto[7032]: Setting NAT-Traversal port-4500 floating to on
Oct 7 17:57:46 gateway pluto[7032]: port floating activation criteria nat_t=1/port_float=1
Oct 7 17:57:46 gateway pluto[7032]: NAT-Traversal support [enabled]
Oct 7 17:57:46 gateway pluto[7032]: using /dev/urandom as source of random entropy
Oct 7 17:57:46 gateway pluto[7032]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Oct 7 17:57:46 gateway pluto[7032]: starting up 1 cryptographic helpers
Oct 7 17:57:46 gateway pluto[7032]: started helper pid=7038 (fd:6)
Oct 7 17:57:46 gateway pluto[7032]: Using Linux 2.6 IPsec interface code on 2.6.18-194.8.1.v5 (experimental code)
Oct 7 17:57:46 gateway pluto[7032]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Oct 7 17:57:46 gateway pluto[7032]: ike_alg_add(): ERROR: Algorithm already exists
Oct 7 17:57:46 gateway pluto[7032]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Oct 7 17:57:46 gateway pluto[7032]: ike_alg_add(): ERROR: Algorithm already exists
Oct 7 17:57:46 gateway pluto[7032]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Oct 7 17:57:46 gateway pluto[7032]: ike_alg_add(): ERROR: Algorithm already exists
Oct 7 17:57:46 gateway pluto[7032]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Oct 7 17:57:46 gateway pluto[7032]: ike_alg_add(): ERROR: Algorithm already exists
Oct 7 17:57:46 gateway pluto[7032]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Oct 7 17:57:46 gateway pluto[7032]: ike_alg_add(): ERROR: Algorithm already exists
Oct 7 17:57:46 gateway pluto[7032]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Oct 7 17:57:46 gateway pluto[7038]: using /dev/urandom as source of random entropy
Oct 7 17:57:46 gateway pluto[7032]: Changed path to directory '/etc/ipsec.d/cacerts'
Oct 7 17:57:46 gateway pluto[7032]: loaded CA cert file 'HeliosnetRootCA.pem' (1270 bytes)
Oct 7 17:57:46 gateway pluto[7032]: Changed path to directory '/etc/ipsec.d/aacerts'
Oct 7 17:57:46 gateway pluto[7032]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Oct 7 17:57:46 gateway pluto[7032]: Changing to directory '/etc/ipsec.d/crls'
Oct 7 17:57:46 gateway pluto[7032]: loaded crl file 'heliosnetnlRootCertificate.crl' (733 bytes)
Oct 7 17:57:47 gateway pluto[7032]: loading certificate from /etc/ipsec.d/certs/HeliosnetGateway.pem
Oct 7 17:57:47 gateway pluto[7032]: loaded host cert file '/etc/ipsec.d/certs/HeliosnetGateway.pem' (1396 bytes)
Oct 7 17:57:47 gateway pluto[7032]: no subjectAltName matches ID '%fromcert', replaced by subject DN
Oct 7 17:57:47 gateway pluto[7032]: added connection description "l2tp-X.509-Iphone"
Oct 7 17:57:47 gateway pluto[7032]: loading certificate from /etc/ipsec.d/certs/HeliosnetGateway.pem
Oct 7 17:57:47 gateway pluto[7032]: loaded host cert file '/etc/ipsec.d/certs/HeliosnetGateway.pem' (1396 bytes)
Oct 7 17:57:47 gateway pluto[7032]: no subjectAltName matches ID '%fromcert', replaced by subject DN
Oct 7 17:57:47 gateway pluto[7032]: added connection description "l2tp-X.509"
Oct 7 17:57:47 gateway pluto[7032]: loading certificate from /etc/ipsec.d/certs/HeliosnetGateway.pem
Oct 7 17:57:47 gateway pluto[7032]: loaded host cert file '/etc/ipsec.d/certs/HeliosnetGateway.pem' (1396 bytes)
Oct 7 17:57:47 gateway pluto[7032]: no subjectAltName matches ID '%fromcert', replaced by subject DN
Oct 7 17:57:47 gateway pluto[7032]: added connection description "l2tp-X.509-Android"
Oct 7 17:57:47 gateway pluto[7032]: listening for IKE messages
Oct 7 17:57:47 gateway pluto[7032]: adding interface eth0/eth0 129.125.102.34:500
Oct 7 17:57:47 gateway pluto[7032]: adding interface eth0/eth0 129.125.102.34:4500
Oct 7 17:57:47 gateway pluto[7032]: adding interface eth1/eth1 172.28.1.1:500
Oct 7 17:57:47 gateway pluto[7032]: adding interface eth1/eth1 172.28.1.1:4500
Oct 7 17:57:47 gateway pluto[7032]: adding interface lo/lo 127.0.0.1:500
Oct 7 17:57:47 gateway pluto[7032]: adding interface lo/lo 127.0.0.1:4500
Oct 7 17:57:47 gateway pluto[7032]: adding interface eth0/eth0 2002:817d:68ab:b:204:75ff:fee5:5b18:500
Oct 7 17:57:47 gateway pluto[7032]: adding interface eth0/eth0 fec0::b:204:75ff:fee5:5b18:500
Oct 7 17:57:47 gateway pluto[7032]: adding interface eth0/eth0 2002:817d:65a6:b:204:75ff:fee5:5b18:500
Oct 7 17:57:47 gateway pluto[7032]: adding interface lo/lo ::1:500
Oct 7 17:57:47 gateway pluto[7032]: loading secrets from "/etc/ipsec.secrets"
Oct 7 17:57:47 gateway pluto[7032]: loaded private key file '/etc/ipsec.d/private/HeliosnetGateway.pem.new' (1743 bytes)
Oct 7 17:57:47 gateway pluto[7032]: loaded private key for keyid: PPK_RSA:AwEAAYWrN
Oct 7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [RFC 3947] method set to=109
Oct 7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Oct 7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Oct 7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Oct 7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Oct 7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Oct 7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Oct 7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Oct 7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Oct 7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Oct 7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [XAUTH]
Oct 7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [Cisco-Unity]
Oct 7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [Dead Peer Detection]
Oct 7 17:57:51 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: responding to Main Mode from unknown peer 62.140.137.81
Oct 7 17:57:51 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 7 17:57:51 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 7 17:57:52 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Oct 7 17:57:52 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 7 17:57:52 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Oct 7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: Main mode peer ID is ID_DER_ASN1_DN: 'E=bartsmink@gmail.com, CN=Iphone, O=heliosnet.nl, L=Groningen, ST=Groningen, C=Netherlands'
Oct 7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: crl update for "CN=heliosnet.nl Root Certificate, O=heliosnet.nl, C=NL" is overdue since Feb 24 16:18:33 UTC 2011
Oct 7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: I am sending my cert
Oct 7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: new NAT mapping for #1, was 62.140.137.81:53742, now 62.140.137.81:53598
Oct 7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1536}
Oct 7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: XAUTH: Sending XAUTH Login/Password Request
Oct 7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
Oct 7 17:57:54 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
Oct 7 17:57:54 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: malformed payload in packet
Oct 7 17:57:54 gateway pluto[7032]: | payload malformed after IV
Oct 7 17:57:54 gateway pluto[7032]: | b1 4b 37 18 e6 58 1d a1 88 57 93 05 b5 23 6b d2
Oct 7 17:57:54 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: sending notification PAYLOAD_MALFORMED to 62.140.137.81:53598
Oct 7 17:57:54 gateway pluto[7032]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 62.140.137.81 port 53598, complainant 62.140.137.81: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
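The log line "byte 2 of ISAKMP Hash Payload must be zero, but is not" is pluto's generic-header check from RFC 2408 section 3.2: every ISAKMP payload starts with Next Payload (1 byte), a RESERVED byte that must be zero, and a 2-byte length. The parser below is an added example, not code from the post or from Openswan; it walks a cleartext payload chain the same way and reports the same failure on a constructed XAUTH reply whose Hash payload has a non-zero RESERVED byte (payload type numbers and sample bytes are constructed).

```python
# Added example (not from the original post): apply the ISAKMP generic-header
# check that produced pluto's "byte 2 ... must be zero" log line. Layout per
# RFC 2408: 28-byte ISAKMP header, then a chain of payloads, each starting with
# Next Payload (1 byte), RESERVED (1 byte, must be zero), Length (2 bytes).
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next, version, exch, flags, msgid, len
FLAG_ENCRYPTION = 0x01
NAMES = {1: "SA", 4: "KE", 5: "ID", 6: "CERT", 8: "Hash", 10: "Nonce", 13: "VID", 14: "Attr"}

def build_payload(next_type, data, reserved=0):
    """Encode one payload; `reserved` is exposed only to construct a bad sample."""
    return struct.pack("!BBH", next_type, reserved, 4 + len(data)) + data

def build_message(first_type, payloads, exch=6, flags=0, msgid=0x1234):
    """Constructed cookies; version 0x10 = ISAKMP 1.0; exch 6 = Transaction (XAUTH)."""
    body = b"".join(payloads)
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first_type, 0x10, exch, flags,
                           msgid, ISAKMP_HDR.size + len(body)) + body

def parse_chain(body, first_type):
    """Walk the payload chain; return [(name, data)] or raise like pluto's in_struct()."""
    out, off, ptype = [], 0, first_type
    while ptype != 0:
        if len(body) - off < 4:
            raise ValueError("packet truncated inside a generic payload header")
        nxt, reserved, length = struct.unpack("!BBH", body[off:off + 4])
        name = NAMES.get(ptype, "type %d" % ptype)
        if reserved != 0:  # the check that fired in the log above
            raise ValueError("byte 2 of ISAKMP %s Payload must be zero, but is not" % name)
        if length < 4 or off + length > len(body):
            raise ValueError("ISAKMP %s Payload length %d is inconsistent" % (name, length))
        out.append((name, body[off + 4:off + length]))
        off, ptype = off + length, nxt
    return out  # bytes after the last payload are tolerated (cipher padding)

def inspect(msg):
    """Return the payload names, or the pluto-style reason the packet is rejected."""
    _ic, _rc, first, _ver, _exch, flags, _msgid, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        return "error: ISAKMP header length %d != packet length %d" % (length, len(msg))
    if flags & FLAG_ENCRYPTION:
        return "encrypted: payloads can only be checked after decryption"
    try:
        return [name for name, _ in parse_chain(msg[ISAKMP_HDR.size:], first)]
    except ValueError as e:
        return "error: " + str(e)

# Constructed samples: a well-formed XAUTH reply shape (Hash -> Attr), and the same
# message with a non-zero RESERVED byte in the Hash payload header.
ATTR = build_payload(0, b"\x01\x00\x00\x00")  # Attr body is not parsed here
GOOD = build_message(8, [build_payload(14, b"\x00" * 20), ATTR])
BAD = build_message(8, [build_payload(14, b"\x00" * 20, reserved=0x4b), ATTR])
```

Because pluto logs "payload malformed after IV", the bytes it was checking were the decrypted ones; the encrypted branch in `inspect` is there to make that ordering explicit.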