[Openswan Users] Cisco IOS 12.3.2 grief

Ted Kaczmarek tedkaz at optonline.net
Thu Oct 28 22:25:05 CEST 2004


I have Openswan 2.1.5 running great on a FC1 box.
Kernel 2.4.22-1.2199.nptl. Have a problem connecting with a customer
using IOS 12.3.2, he also had issues connecting to a Cisco Pix running
6.3.3 as well.

I get lots of 
not enough room in input packet for ISAKMP Vendor ID Payload
malformed payload in packet

when trying to bring this connection up. The only way I can get it up at
all is to restart ipsec. I do have many other connections to Cisco
Pix'es, another Cisco IOS and netscreen and they all work great.

Doing some googling leads me to believe this is an IOS issue.

auth=esp
esp=3des-md5-96
key exchange=ike
pfs=no
authby=secret

From barf
This is log after restart

Oct 28 17:19:46 vpn2 pluto[7924]: packet from 208.190.154.239:500:
ignoring Vendor ID payload [439b59f8ba676c4c...]
Oct 28 17:19:46 vpn2 pluto[7924]: packet from 208.190.154.239:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already using method 0
Oct 28 17:19:46 vpn2 pluto[7924]: packet from 208.190.154.239:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but already using method 0
Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: responding to Main Mode
Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: transition from state
(null) to state STATE_MAIN_R1
Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: ignoring Vendor ID
payload [Cisco-Unity]
Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: ignoring Vendor ID
payload [Dead Peer Detection]
Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: ignoring Vendor ID
payload [bd60a6abc5405c70...]
Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: received Vendor ID
payload [XAUTH]
Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #33: Peer ID is ID_IPV4_ADDR:
'208.190.154.239'
Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #33: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #33: sent MR3, ISAKMP SA
established
Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #34: responding to Quick Mode
Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #34: transition from state
(null) to state STATE_QUICK_R1
Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #35: responding to Quick Mode
Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #35: transition from state
(null) to state STATE_QUICK_R1
Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #34: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #34: IPsec SA established
{ESP=>0xb4131535 <0x8563c295}
Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #35: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #35: IPsec SA established
{ESP=>0x28cd44a2 <0x8563c296}

After a while it poops out
Oct 28 19:07:57 vpn2 pluto[7924]: "cust9" #94: max number of
retransmissions (20) reached STATE_MAIN_I1.  No response (or no
acceptable response) to our first IKE message
Oct 28 19:07:57 vpn2 pluto[7924]: "cust9" #94: starting keying attempt 5
of an unlimited number
Oct 28 19:07:57 vpn2 pluto[7924]: "cust9" #106: initiating Main Mode to
replace #94
Oct 28 19:07:58 vpn2 pluto[7924]: "cust9" #106: not enough room in input
packet for ISAKMP Vendor ID Payload
Oct 28 19:07:58 vpn2 pluto[7924]: "cust9" #106: malformed payload in
packet
Oct 28 19:07:59 vpn2 pluto[7924]: "cust9" #105: not enough room in input
packet for ISAKMP Vendor ID Payload
Oct 28 19:07:59 vpn2 pluto[7924]: "cust9" #105: malformed payload in
packet
Oct 28 19:08:07 vpn2 pluto[7924]: "cust9" #106: not enough room in input
packet for ISAKMP Vendor ID Payload
Oct 28 19:08:07 vpn2 pluto[7924]: "cust9" #106: malformed payload in
packet
Oct 28 19:08:09 vpn2 pluto[7924]: "cust9" #105: not enough room in input
packet for ISAKMP Vendor ID Payload
Oct 28 19:08:09 vpn2 pluto[7924]: "cust9" #105: malformed payload in
packet
Oct 28 19:08:17 vpn2 pluto[7924]: "cust9" #106: not enough room in input
packet for ISAKMP Vendor ID Payload
Oct 28 19:08:17 vpn2 pluto[7924]: "cust9" #106: malformed payload in
packet
Oct 28 19:08:27 vpn2 pluto[7924]: "cust9" #106: not enough room in input
packet for ISAKMP Vendor ID Payload
Oct 28 19:08:27 vpn2 pluto[7924]: "cust9" #106: malformed payload in
packet
Oct 28 19:08:49 vpn2 pluto[7924]: "cust9" #105: not enough room in input
packet for ISAKMP Vendor ID Payload
Oct 28 19:08:49 vpn2 pluto[7924]: "cust9" #105: malformed payload in
packet
Oct 28 19:09:08 vpn2 pluto[7924]: "cust9" #106: not enough room in input
packet for ISAKMP Vendor ID Payload
Oct 28 19:09:08 vpn2 pluto[7924]: "cust9" #106: malformed payload in
packet
Oct 28 19:09:18 vpn2 pluto[7924]: "cust9" #106: not enough room in input
packet for ISAKMP Vendor ID Payload
Oct 28 19:09:18 vpn2 pluto[7924]: "cust9" #106: malformed payload in
packet
Oct 28 19:10:09 vpn2 pluto[7924]: "cust9" #105: not enough room in input
packet for ISAKMP Vendor ID Payload
Oct 28 19:10:09 vpn2 pluto[7924]: "cust9" #105: malformed payload in
packet




Anything I can try to set in ipsec.conf anyone can recommend?
Was trying to keep all my configs generic but Cisco has a tendency to
make things like that impossible :-)





Thanks,
Ted
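
An added example, not part of the original post and not Openswan code: a small triage script for a barf log like the one above. It rejoins the mail-wrapped lines and reports, per connection and state number, whether pluto was initiator or responder, whether an SA was established, and how many "malformed payload" errors were logged. The sample input is a constructed excerpt of the log in the post.

```python
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the log in the post above,
# with the mail client's line wrapping left in place.
SAMPLE = '''\
Oct 28 17:19:46 vpn2 pluto[7924]: "cust9" #33: responding to Main Mode
Oct 28 17:19:47 vpn2 pluto[7924]: "cust9" #33: sent MR3, ISAKMP SA
established
Oct 28 19:07:57 vpn2 pluto[7924]: "cust9" #106: initiating Main Mode to
replace #94
Oct 28 19:07:58 vpn2 pluto[7924]: "cust9" #106: not enough room in input
packet for ISAKMP Vendor ID Payload
Oct 28 19:07:58 vpn2 pluto[7924]: "cust9" #106: malformed payload in
packet
Oct 28 19:08:07 vpn2 pluto[7924]: "cust9" #106: malformed payload in
packet
'''

STAMP = re.compile(r'^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ')
ENTRY = re.compile(r'^\S+ +\d+ [\d:]+ \S+ pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')

def unwrap(text):
    """Rejoin continuation lines (those not starting with a syslog timestamp)."""
    out = []
    for line in text.splitlines():
        if STAMP.match(line) or not out:
            out.append(line)
        else:
            out[-1] += ' ' + line
    return out

def summarize(text):
    """Per (connection, state number): our role, SA outcome, parse-error count."""
    states = defaultdict(lambda: {'role': 'unknown', 'established': False, 'malformed': 0})
    for m in filter(None, map(ENTRY.match, unwrap(text))):
        conn, num, msg = m.groups()
        s = states[(conn, int(num))]
        if msg.startswith(('responding to', 'initiating')):
            s['role'] = 'responder' if msg.startswith('responding') else 'initiator'
        s['established'] |= 'SA established' in msg
        s['malformed'] += msg.startswith('malformed payload')
    return dict(states)

if __name__ == '__main__':
    for (conn, num), s in sorted(summarize(SAMPLE).items()):
        print(conn, f'#{num}', s)
```

On this excerpt, responder state #33 reaches an established SA, while initiator state #106 only accumulates malformed-payload errors.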




