[Openswan Users]

Paul Wouters paul at xelerance.com
Mon Aug 30 23:59:07 CEST 2004 

On Mon, 30 Aug 2004, Robert W. Burgholzer wrote:

> LapTop Windows XP to freeswan 2.04

freeswan-2.04 does not support certicates. Did you patch it with an X509
patch? Lookng at hte oakley log further down, it seems you did. Regardless, 
you are better of upgrading to Openswan-2, especially if you later need 
NAT-traversal as well. No one is maintaining freeswan anymore and 2.04 is
about a year old.

> "received an unencrypted packet when crypto active".

This usually happens when one of the two ends drops out of negotiating
a valid ISAKMP (phase 1). It is likely a configuration error on the Linux
end, or missing ServicePack on the client end.

> fragmentation was occuring (which is beyond my knowledge), so I regenerated 
> the client certificate with 1024 bits, as this was a solution that supposedly 
> worked before.

I don't think that is you problem at this point. Using smaller certificates
is a kludge anyway, not a real solution. Proper settings of mtu would be
better, but as I said, I doubt that is your problem here.

> Aug 30 16:23:01 www2 pluto[2485]: packet from 66.207.89.15:500: received 
> Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
> Aug 30 16:23:01 www2 pluto[2485]: "maptech-client"[132] 66.207.89.15 #4623: 
> responding to Main Mode from unknown peer 66.207.89.15
> Aug 30 16:24:05 www2 pluto[2485]: "maptech-client"[132] 66.207.89.15 #4623: 
> encrypted Informational Exchange message is invalid because it is for 
> incomplete ISAKMP SA

This is not an entire log. Please restart both ends completely and show us
the log, or use 'ipsec barf' to privde us with more details.

> Client oakley.log:

I'll read that only if I *really* have to :)

> 8-30: 15:58:18:421:714 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA

I guess you do have all the service packs you need.

> 8-30: 15:58:18:421:714 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
> 8-30: 15:58:18:421:714 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1

> 8-30: 15:58:18:421:714  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5

> 8-30: 15:58:18:542:714 Phase 1 SA accepted: transform=1
> 8-30: 15:58:18:542:714 SA - Oakley proposal accepted

Looks good.

> 8-30: 15:58:28:856:714   I-COOKIE 72db281985c1bc2a
> 8-30: 15:58:28:856:714   R-COOKIE 1830a6b579ac5c77
> 8-30: 15:58:28:856:714   exchange: Oakley Main Mode
> 8-30: 15:58:28:856:714   flags: 0
> 8-30: 15:58:28:856:714   next payload: KE
> 8-30: 15:58:28:856:714   message ID: 00000000
> 8-30: 15:58:28:856:714 received an unencrypted packet when crypto active
> 8-30: 15:58:28:856:714 GetPacket failed 35ec

Something failed here. Freeswan will have logged what happened.  But your
logs just show the new attempt at starting from scratch, but it doesn't
show the actual reason freeswan rejected the phase 2 paramters.

Paul

More information about the Users mailing list