[Openswan Users]
PAYLOAD_MALFORMED upon attempted tunnel re-establishment
Johannes Graumann
graumann at caltech.edu
Sat Dec 4 18:44:09 CET 2004
Hello,
I have the following setup:
         IPSECed wireless
              x509                   DSL
Laptop <------------------> Server <-----> www
palantir                    morannon
192.168.1.6                 192.168.1.1
Openswan U2.2.0/K2.6.9      Openswan U2.2.0/K2.6.9
My startup script for the laptop's wireless connection includes:
    ipsec auto --verbose --up wireless
Which works beautifully initiating the tunnel to the server/router, BUT:
if I shut down the connection on the laptop using
    ipsec auto --verbose --down wireless
(which seems to work), I'm unable to restart that connection. When I try
I get
    003 "wireless" #3: malformed payload in packet
    002 "wireless" #3: sending encrypted notification PAYLOAD_MALFORMED to 192.168.1.1:500
This is only fixable doing a
    ipsec auto --verbose --delete wireless-palantir
    ipsec auto --verbose --add wireless-palantir
(which implies a '--remove' as well) on the server, after which my
startup script works again.
This newbie is helpless and confused and would appreciate any nudge into
the direction of cleaning up his follies ... configuration attached
below.
Thanks, Joh
The ipsec.conf of the laptop looks as follows:
version 2.

# basic configuration
config setup
        interfaces="ipsec0=eth1"
        nat_traversal=no

# Add connections here.
conn %default
        keyingtries=1
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn wireless
        left=192.168.1.6
        leftcert=palantir.homenetwork.pem
        right=192.168.1.1
        rightcert=morannon.homenetwork.pem
        rightsubnet=0.0.0.0/0
        auto=add
        pfs=yes

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
The ipsec.conf on the server looks like this:
version 2.0

config setup
        interfaces="ipsec0=eth1"
        nat_traversal=yes
        virtual_private=%v4:192.168.1.0/24

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn wireless-palantir
        left=192.168.1.6
        leftcert=palantir.homenetwork.pem
        right=192.168.1.1
        rightcert=morannon.homenetwork.pem
        rightsubnet=0.0.0.0/0
        auto=add
        pfs=yes

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf