<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=FR link="#0563C1" vlink="#954F72"><div class=WordSection1>
<p class=MsoNormal>Hi all</p>
<p class=MsoNormal>I am using a Cisco RV215W (running Openswan).</p>
<p class=MsoNormal>I have two VPN servers, each behind an xDSL router (NAT enabled).</p>
<p class=MsoNormal>I cannot get the raw Openswan file.</p>
<p class=MsoNormal>But here are my logs:</p>
<p class=MsoNormal>2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: sending notification PAYLOAD_MALFORMED to 41.F.G.H:4500</p>
<p class=MsoNormal>2014-04-02 0:08:05 AM debug pluto[22201]: | 46 5f b1 08 95 86 af 15 b4 06 f9 a4 5a f6 d8 ad</p>
<p class=MsoNormal>2014-04-02 0:08:05 AM debug pluto[22201]: | payload malformed after IV</p>
<p class=MsoNormal>2014-04-02 0:08:05 AM info pluto[22201]: "rabat" #2: malformed payload in packet</p>
<p class=MsoNormal>2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: malformed payload in packet</p>
<p class=MsoNormal>2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: byte 2 of ISAKMP Hash Payload must be zero, but is not</p>
<p class=MsoNormal>2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: Dead Peer Detection (RFC 3706): enabled</p>
<p class=MsoNormal>2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}</p>
<p class=MsoNormal>It seems that a parameter is wrong between the two sites, which leads to <b>byte 2 of ISAKMP Hash Payload must be zero, but is not</b>.</p>
<p class=MsoNormal>But I cannot identify which parameter is wrong.</p>
<p class=MsoNormal>Here is the extract from the Cisco GUI.</p>
<p class=MsoNormal>On Site G</p>
<p class=MsoNormal>(LAN)192.168.25.0/24 === 192.168.25.1(CISCO)192.168.10.161 192.168.10.1(xDSL) 88.B.C.D (where 88.B.C.D is my public address on site G)</p>
<p class=MsoNormal>On Site R</p>
<p class=MsoNormal>(LAN)192.168.15.0/24 === 192.168.15.1(CISCO)192.168.1.2 192.168.1.1(xDSL) 41.F.G.H (where 41.F.G.H is my public address on site R)</p>
<p class=MsoNormal>So I have NAT (so I have activated NAT traversal on both sides).</p>
<p class=MsoNormal>On the RV215W (Site G)</p>
<p class=MsoNormal>IKE Policy Table</p>
<p class=MsoNormal>Mode: main</p>
<p class=MsoNormal>Local identifier: 192.168.10.161</p>
<p class=MsoNormal>Remote identifier: 192.168.1.2</p>
<p class=MsoNormal>AES128/SHA1</p>
<p class=MsoNormal>DH Group2</p>
<p class=MsoNormal>xauth disabled</p>
<p class=MsoNormal>VPN policy table</p>
<p class=MsoNormal>Type: autopolicy</p>
<p class=MsoNormal>remote endpoint 41.F.G.H</p>
<p class=MsoNormal>Local 192.168.25.1/255.255.255.0</p>
<p class=MsoNormal>remote 192.168.15.1/255.255.255.0</p>
<p class=MsoNormal>AES128/SHA1</p>
<p class=MsoNormal>PFS Keygroup: disable</p>
<p class=MsoNormal>On site R (SRP521W)</p>
<p class=MsoNormal>IKE</p>
<p class=MsoNormal>Policy Name gnt</p>
<p class=MsoNormal>Exchange Mode Main</p>
<p class=MsoNormal>Encryption Algorithm AES128</p>
<p class=MsoNormal>Authentication Algorithm SHA-1</p>
<p class=MsoNormal>Diffie-Hellman (DH) Group Group 2 (1024 bit)</p>
<p class=MsoNormal>Auto Pre-Shared Key XXXXXXXXXX</p>
<p class=MsoNormal>Enable Dead Peer Detection Enable</p>
<p class=MsoNormal>DPD Interval 3600</p>
<p class=MsoNormal>DPD Timeout 3600</p>
<p class=MsoNormal>XAUTH client Disable</p>
<p class=MsoNormal>IPsec</p>
<p class=MsoNormal>Status Enable</p>
<p class=MsoNormal>Policy Name rabat</p>
<p class=MsoNormal>Local Group Type IP Address &amp; Subnet</p>
<p class=MsoNormal>Local Group IP Address 192.168.15.1</p>
<p class=MsoNormal>Local Group IP Subnet 255.255.255.0</p>
<p class=MsoNormal>Remote Endpoint IP Address</p>
<p class=MsoNormal>Remote security gateway address 192.168.10.161</p>
<p class=MsoNormal>Remote security domain name</p>
<p class=MsoNormal>Remote group type IP Address &amp; Subnet</p>
<p class=MsoNormal>Remote group IP 192.168.25.1</p>
<p class=MsoNormal>Remote group Subnet Mask 255.255.255.0</p>
<p class=MsoNormal>Encryption algorithm 3DES</p>
<p class=MsoNormal>Integrity algorithm SHA-1</p>
<p class=MsoNormal>Policy type Auto</p>
<p class=MsoNormal>Manual encryption key</p>
<p class=MsoNormal>Manual auth key</p>
<p class=MsoNormal>Inbound SPI</p>
<p class=MsoNormal>Outbound SPI</p>
<p class=MsoNormal>PFS Disable</p>
<p class=MsoNormal>Key life time 7800</p>
<p class=MsoNormal>Now using IKE policy gnt</p>
<p class=MsoNormal>I have been struggling for many days, and forums did not help me identify the problem.</p>
<p class=MsoNormal>Thanks for your help</p>
</div></body></html>
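An added example, not part of the e-mail above and not Openswan's own code: a small Python script that puts the two GUI extracts side by side and cross-checks them parameter by parameter, then pulls the useful facts out of the pluto lines. In IKEv1 Main Mode the fifth and sixth messages are encrypted with keys derived from the pre-shared key and the DH exchange, so a responder that decrypts them with the wrong key sees garbage where the Hash Payload header should be, which pluto reports exactly as "byte 2 of ISAKMP Hash Payload must be zero". The script normalises vendor spellings (AES128 vs aes_128, Group2 vs "Group 2 (1024 bit)", SHA1 vs oakley_sha), compares each peer's local_* value with the other peer's remote_* value, and reports what the two extracts disagree on. The parameter values are transcribed from the e-mail; the dictionary keys (encryption, dh_group, local_net and so on) and the function names are this script's own, and the sample log is the e-mail's pluto lines with the GUI row numbers stripped.

```python
"""Cross-check two IPsec peers' Phase 1 (IKE) and Phase 2 (IPsec) settings and
parse the relevant pluto log lines.  Added example; values transcribed from the
e-mail, key names are this script's own."""
import re

# Vendor GUIs and pluto spell the same algorithm differently; fold them to one form.
_ALIASES = {
    "aes128": "aes128", "aes-128": "aes128", "aes_128": "aes128",
    "3des": "3des", "des3": "3des",
    "sha1": "sha1", "sha-1": "sha1", "oakley_sha": "sha1",
    "group2": "modp1024", "group 2 (1024 bit)": "modp1024", "modp1024": "modp1024",
    "disable": "off", "disabled": "off", "enable": "on", "enabled": "on",
}

def normalize(value):
    """Lower-case, collapse whitespace and resolve vendor spellings."""
    key = re.sub(r"\s+", " ", str(value).strip().lower())
    return _ALIASES.get(key, key)

def _mirror(param):
    # A peer's local_* setting must equal the other peer's remote_* setting.
    if param.startswith("local_"):
        return "remote_" + param[len("local_"):]
    if param.startswith("remote_"):
        return "local_" + param[len("remote_"):]
    return param

def compare_peers(site_a, site_b):
    """Return (phase, parameter, value_on_a, value_on_b) for every parameter the
    peers disagree on; a value absent from one extract shows as '<missing>'."""
    mismatches = []
    for phase in sorted(set(site_a) | set(site_b)):
        params_a, params_b = site_a.get(phase, {}), site_b.get(phase, {})
        for param in sorted(set(params_a) | {_mirror(p) for p in params_b}):
            a = params_a.get(param, "<missing>")
            b = params_b.get(_mirror(param), "<missing>")
            if normalize(a) != normalize(b):
                mismatches.append((phase, param, a, b))
    return mismatches

# Transcribed from the e-mail: RV215W at site G, SRP521W at site R.
SITE_G = {
    "ike": {"mode": "main", "encryption": "AES128", "integrity": "SHA1",
            "dh_group": "Group2", "xauth": "disabled",
            "local_id": "192.168.10.161", "remote_id": "192.168.1.2"},
    "ipsec": {"encryption": "AES128", "integrity": "SHA1", "pfs": "disable",
              "local_net": "192.168.25.1/255.255.255.0",
              "remote_net": "192.168.15.1/255.255.255.0"},
}
SITE_R = {
    "ike": {"mode": "Main", "encryption": "AES128", "integrity": "SHA-1",
            "dh_group": "Group 2 (1024 bit)", "xauth": "Disable",
            "remote_id": "192.168.10.161"},   # the extract lists no local identifier
    "ipsec": {"encryption": "3DES", "integrity": "SHA-1", "pfs": "Disable",
              "local_net": "192.168.15.1/255.255.255.0",
              "remote_net": "192.168.25.1/255.255.255.0"},
}

# Constructed sample: the e-mail's pluto lines with the GUI row numbers stripped.
SAMPLE_LOG = """\
2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: sending notification PAYLOAD_MALFORMED to 41.F.G.H:4500
2014-04-02 0:08:05 AM debug pluto[22201]: | payload malformed after IV
2014-04-02 0:08:05 AM info pluto[22201]: "rabat" #2: malformed payload in packet
2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: byte 2 of ISAKMP Hash Payload must be zero, but is not
2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
"""

_STATE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<num>\d+): (?P<msg>.*)')
_SA_RE = re.compile(r"ISAKMP SA established \{(?P<attrs>[^}]*)\}")

def decrypt_failures(log_text):
    """(connection, state) for each line where a decrypted Main Mode payload did not
    parse: the Hash Payload header came out as garbage, so its reserved byte was non-zero."""
    hits = []
    for line in log_text.splitlines():
        m = _STATE_RE.search(line)
        if m and "Hash Payload must be zero" in m.group("msg"):
            hits.append((m.group("conn"), int(m.group("num"))))
    return hits

def established_proposals(log_text):
    """Parse the {auth=.. cipher=.. prf=.. group=..} block of each
    'ISAKMP SA established' line into a dict."""
    found = []
    for line in log_text.splitlines():
        m = _SA_RE.search(line)
        if m:
            found.append(dict(kv.split("=", 1) for kv in m.group("attrs").split()))
    return found

def phase1_matches_log(site, proposal):
    """True when the negotiated Phase 1 cipher, PRF and DH group equal the site's
    configured IKE policy after normalisation."""
    ike = site["ike"]
    return (normalize(proposal["cipher"]) == normalize(ike["encryption"])
            and normalize(proposal["prf"]) == normalize(ike["integrity"])
            and normalize(proposal["group"]) == normalize(ike["dh_group"]))

if __name__ == "__main__":
    for phase, param, a, b in compare_peers(SITE_G, SITE_R):
        print(f"{phase}.{param}: site G = {a!r}, site R = {b!r}")
    print("decryption failures:", decrypt_failures(SAMPLE_LOG))
    for p in established_proposals(SAMPLE_LOG):
        print("negotiated:", p, "matches site G IKE policy:", phase1_matches_log(SITE_G, p))
```

Run as-is, the comparison reports two things the extracts do not agree on: the Phase 2 encryption algorithm (AES128 on site G, 3DES on site R) and a Phase 1 identifier that the site R extract simply does not show, while the negotiated Phase 1 proposal in the log (aes_128, oakley_sha, modp1024) does match site G's IKE policy. A pre-shared key cannot be checked this way because neither side shows it, so if the two listed items are brought into line and the "Hash Payload must be zero" line persists, the PSK on both routers is the next thing to re-enter.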