[Openswan Users] Problems with openswan tunnel on Fedora

Matthew Claridge mclaridge at rwa-net.co.uk
Tue Aug 24 18:33:28 CEST 2004


on 24/08/2004 17:13 Paul Wouters said the following:

> On Tue, 24 Aug 2004, Matthew Claridge wrote:
>
>> I have transferred this working configuration onto a new box running 
>> Fedora Core 2 and just changed the 'left' ip addresses. This box has 
>> been running
>
> I assume you also changed the "left" ip address on the Cisco end?

yep ;)

>> "ignoring informational payload, type PAYLOAD_MALFORMED"
>
> It seems openswan expects plaintext isakmp negotiation messages, while
> getting crypted 'established' messages.
>
>> "encrypted Informational Exchange message is invalid because it is 
>> for incomplete ISAKMP SA"
>
> The last line normally means that two instances of isakmp are competing
> against each other, or that one end thinks the isakmp negotiation
> succeeded (and goes crypto) while the other end does not (and wants
> plaintext and refuses crypto).
>
> Sometimes this happens when one end reboots/reloads and the other end
> still has an isakmp SA established. Sometimes this happens when both
> ends initiate and respond interleaved. This last can be prevented by
> telling openswan to use auto=add instead of auto=start, so that it
> becomes a passive responder only.

The cisco works passively anyway and never tries to initiate the tunnel.

> Did you update your cisco configuration if it is not treating the
> openswan end as roadwarrior? Did you reload the connection if you
> changed it?

Well, the cisco admin at the other end did, with an exact copy of the
working config (with a different ip address).


My worry is, that if I spend the time installing RHEL on this box, it
still won't work and I'll have wasted another day....arghhhhh
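An added triage script, not part of this thread or of openswan, that counts the two pluto messages Matthew quoted per connection and flags the pattern Paul describes (the peer sending encrypted informational messages for an ISAKMP SA this end does not consider complete). The `"conn" #N:` log prefix and the sample lines are constructed assumptions, not real captures.

```python
import re
from collections import Counter

# Constructed sample pluto log lines (assumed prefix format, not from the
# thread); only the two message texts come from Matthew's report.
SAMPLE_LOG = """\
"cisco" #3: ignoring informational payload, type PAYLOAD_MALFORMED
"cisco" #3: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
"cisco" #3: ignoring informational payload, type PAYLOAD_MALFORMED
"cisco" #4: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
"cisco" #4: ignoring informational payload, type PAYLOAD_MALFORMED
"""

MALFORMED = "ignoring informational payload, type PAYLOAD_MALFORMED"
INCOMPLETE_SA = ("encrypted Informational Exchange message is invalid "
                 "because it is for incomplete ISAKMP SA")

LINE_RE = re.compile(r'"([^"]+)" #(\d+): (.*)')


def count_symptoms(log_text):
    """Return {conn_name: Counter} for the two symptoms, keyed by connection."""
    counts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or differently formatted line
        conn, _state_num, msg = m.groups()
        c = counts.setdefault(conn, Counter())
        if MALFORMED in msg:
            c["malformed"] += 1
        elif INCOMPLETE_SA in msg:
            c["incomplete_sa"] += 1
    return counts


def diagnose(counts, threshold=2):
    """Repeated PAYLOAD_MALFORMED plus at least one 'incomplete ISAKMP SA'
    on the same connection matches Paul's explanation: one end thinks
    phase 1 succeeded and is already encrypting, the other does not.
    The usual fixes are to reload the connection on both ends, or to run
    this end with auto=add so it only responds and never initiates."""
    findings = {}
    for conn, c in counts.items():
        if c["malformed"] >= threshold and c["incomplete_sa"] >= 1:
            findings[conn] = "isakmp_state_mismatch"
        elif c["malformed"] or c["incomplete_sa"]:
            findings[conn] = "isolated_informational"
    return findings
```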



