[Openswan Users] PAYLOAD_MALFORMED upon attempted tunnel reestablishment
Johannes Graumann
graumann at caltech.edu
Wed Dec 15 20:52:43 CET 2004
Sorry for being a pest, but I still didn't get this working and I really
would like to ... is this too dumb a question or am I asking the wrong
folks? If the second case applies: which NG might be more appropriate?
Cheers, Joh
On Sat, 4 Dec 2004 18:44:09 -0800
Johannes Graumann <graumann at caltech.edu> wrote:
> Hello,
>
> I have the following setup:
>
>          IPSECed wireless
>                x509                  DSL
> Laptop <------------------> Server <-----> www
> palantir                    morannon
> 192.168.1.6                 192.168.1.1
> Openswan U2.2.0/K2.6.9      Openswan U2.2.0/K2.6.9
>
> My startup script for the laptop's wireless connection includes:
> ipsec auto --verbose --up wireless
> Which works beautifully initiating the tunnel to the server/router,
> BUT: if I shut down the connection on the laptop using
> ipsec auto --verbose --down wireless
> (which seems to work), I'm unable to restart that connection. When I
> try I get
> 003 "wireless" #3: malformed payload in packet
> 002 "wireless" #3: sending encrypted notification
> PAYLOAD_MALFORMED to 192.168.1.1:500
>
> This is only fixable doing a
> ipsec auto --verbose --delete wireless-palantir
> ipsec auto --verbose --add wireless-palantir
> (which implies a '--remove' as well) on the server, after which my
> startup script works again.
>
> This newbie is helpless and confused and would appreciate any nudge
> into the direction of cleaning up his follies ... configuration
> attached below.
>
> Thanks, Joh
>
>
> The ipsec.conf of the laptop looks as follows:
> version 2.
>
> # basic configuration
> config setup
>     interfaces="ipsec0=eth1"
>     nat_traversal=no
>
> # Add connections here.
> conn %default
>     keyingtries=1
>     compress=yes
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>
> conn wireless
>     left=192.168.1.6
>     leftcert=palantir.homenetwork.pem
>     right=192.168.1.1
>     rightcert=morannon.homenetwork.pem
>     rightsubnet=0.0.0.0/0
>     auto=add
>     pfs=yes
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
> The ipsec.conf on the server looks like this:
> version 2.0
>
> config setup
>     interfaces="ipsec0=eth1"
>     nat_traversal=yes
>     virtual_private=%v4:192.168.1.0/24
>
> conn %default
>     keyingtries=1
>     compress=yes
>     disablearrivalcheck=no
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>
> conn wireless-palantir
>     left=192.168.1.6
>     leftcert=palantir.homenetwork.pem
>     right=192.168.1.1
>     rightcert=morannon.homenetwork.pem
>     rightsubnet=0.0.0.0/0
>     auto=add
>     pfs=yes
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf