[Openswan Users] Pluto Error

Peter McGill petermcgill at goco.net
Mon Dec 12 09:58:10 CET 2005

> on the other end point in secure log I have:
> initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Dec  9 13:23:08 fw1 pluto[23188]: "na-mi" #3: byte 2 of ISAKMP Hash 
> Payload must be zero, but is not
> Dec  9 13:23:08 fw1 pluto[23188]: "na-mi" #3: malformed payload in packet
> Dec  9 13:23:08 fw1 pluto[23188]: "na-mi" #3: sending notification 
> Dec  9 13:23:16 fw1 pluto[23188]: "na-mi" #1: Informational Exchange 
> message must be encrypted

It looks like your key negotiation, phase 1, is working.
But the tunnel traffic, phase 2, is not.

What are your ike= and esp= lines?
ike= is working, don't change it.
esp= might be the cause.

What does your log tell you you're connecting ike with?
Dec 11 03:47:54 sheridan pluto[1661]: 
"paris-office-server-to-london-office-server" #46: STATE_MAIN_I4: ISAKMP SA 
established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 
This one is one of mine; the {...} is the part we're interested in.
3des, md5, modp-1536 (yours might be different).
Try setting your esp= setting to match the ike= setting or these ciphers,
i.e. esp=3des-md5 or esp=3des-md5-modp1536 (use the setting from your conf/log).

> ..but I can replacement of 'rsasig' I can use the 'psk' like 
> authentication
> mode ??
> thanks again.

If phase 1 is working, that's your authentication, and there is no need to 
If it's trying phase 2, phase 1 should be working.

If that doesn't work, try sending the conf section(s) for this connection,
including the global sections, setup, etc...
Also include the complete log for this tunnel, from Initiating to failure.
(There should be at least another 8 or so lines above the ones you
already included, everything that matches approximate time and connection 
For both sides, right now you're not sending enough information.

Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited 
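
As an added example (not part of the original message or of Openswan), a small Python triage script for the check described above: it reads pluto log lines, pulls the phase 1 parameters out of the {...} block, collects the payload errors seen afterwards, and derives a candidate esp= value. The sample lines are constructed, and the group= field and closing brace are assumptions because the log line quoted in the message is cut off.

```python
import re

# Constructed sample, modelled on the excerpts quoted in the message. The
# group= field and closing brace are assumed: the line on the page is cut off.
SAMPLE_LOG = """\
Dec  9 13:23:07 fw1 pluto[23188]: "na-mi" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Dec  9 13:23:07 fw1 pluto[23188]: "na-mi" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Dec  9 13:23:08 fw1 pluto[23188]: "na-mi" #3: byte 2 of ISAKMP Hash Payload must be zero, but is not
Dec  9 13:23:08 fw1 pluto[23188]: "na-mi" #3: malformed payload in packet
"""

LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# Only names that appear in the message are mapped; anything else yields no hint.
CIPHERS = {"oakley_3des_cbc": "3des"}
HASHES = {"oakley_md5": "md5"}
FAILURE_MARKERS = ("ISAKMP Hash Payload must be zero",
                   "malformed payload in packet",
                   "Informational Exchange message must be encrypted")

def esp_hint(p1):
    """Build an esp= candidate from phase 1 parameters, or None if unknown."""
    cipher = p1.get("cipher", "")
    enc = next((v for k, v in CIPHERS.items() if cipher.startswith(k)), None)
    integ = HASHES.get(p1.get("prf", ""))
    if not (enc and integ):
        return None
    hint = f"esp={enc}-{integ}"
    if "group" in p1:  # absent when the log line was truncated
        hint += f"-{p1['group']}"
    return hint

def triage(log_text):
    """Map each connection name to its phase 1 parameters, errors and esp= hint."""
    report = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        entry = report.setdefault(
            m["conn"], {"phase1": None, "errors": [], "esp_hint": None})
        msg = m["msg"]
        if "ISAKMP SA established" in msg:
            body = msg.partition("{")[2].rstrip("}")  # tolerate a missing "}"
            entry["phase1"] = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
            entry["esp_hint"] = esp_hint(entry["phase1"])
        elif any(marker in msg for marker in FAILURE_MARKERS):
            entry["errors"].append(msg)
    return report

if __name__ == "__main__":
    for conn, info in triage(SAMPLE_LOG).items():
        print(conn, info["esp_hint"], len(info["errors"]))
```

Run it against the logs from both endpoints; a connection with phase 1 parameters and a non-empty error list is the "phase 1 working, phase 2 failing" case the message describes.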

