[Openswan Users] Problem with Openswan 2.3.0 and Windows XP SP2
Olivier JAVAUX
lejav at ibs-tls.com
Sat Jan 15 09:39:37 CET 2005
Hello,
I have problems setting up a NAT-T tunnel between a Windows XP SP2 and an Openswan 2.3.0.
The server is Linux 7.3 with 2.4.20-35.7 kernel patched with NAT-T
Openswan 2.3.0 is installed.
It is a firewall with iptables.
My client is Windows XP SP2
On the server, everything seems to start correctly, until I get:
Jan 15 08:55:04 firewall pluto[1039]: "roadwarrior"[1] 82.254.69.108 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 15 08:55:29 firewall pluto[1039]: "roadwarrior"[1] 82.254.69.108 #2: next payload type of ISAKMP Hash Payload has an unknown value: 115
Jan 15 08:55:29 firewall pluto[1039]: "roadwarrior"[1] 82.254.69.108 #2: malformed payload in packet
Jan 15 08:55:29 firewall pluto[1039]: "roadwarrior"[1] 82.254.69.108 #2: sending notification PAYLOAD_MALFORMED to 82.254.69.108:500
Jan 15 08:55:36 firewall pluto[1039]: "roadwarrior"[1] 82.254.69.108 #2: max number of retransmissions (2) reached STATE_MAIN_R2
Jan 15 08:55:55 firewall pluto[1039]: "roadwarrior"[1] 82.254.69.108 #3: next payload type of ISAKMP Hash Payload has an unknown value: 178
Jan 15 08:55:55 firewall pluto[1039]: "roadwarrior"[1] 82.254.69.108 #3: malformed payload in packet
Jan 15 08:55:55 firewall pluto[1039]: "roadwarrior"[1] 82.254.69.108 #3: sending notification PAYLOAD_MALFORMED to 82.254.69.108:500
On the client, I have in the Oakley log for this step:
1-15: 09:00:13:374:3dc Sending: SA = 0x000C8770 to 213.56.232.64:Type 2.4500
1-15: 09:00:13:374:3dc ISAKMP Header: (V1.0), len = 1596
1-15: 09:00:13:374:3dc I-COOKIE 156f544377549fa8
1-15: 09:00:13:374:3dc R-COOKIE 776d3d7576c3e137
1-15: 09:00:13:374:3dc exchange: Oakley Main Mode
1-15: 09:00:13:374:3dc flags: 1 ( encrypted )
1-15: 09:00:13:374:3dc next payload: ID
1-15: 09:00:13:374:3dc message ID: 00000000
1-15: 09:00:13:374:3dc Ports S:9411 D:9411
1-15: 09:00:14:375:268 retransmit: sa = 000C8770 centry 00000000 , count = 1
1-15: 09:00:14:375:268
1-15: 09:00:14:375:268 Sending: SA = 0x000C8770 to 213.56.232.64:Type 2.4500
1-15: 09:00:14:375:268 ISAKMP Header: (V1.0), len = 1596
1-15: 09:00:14:375:268 I-COOKIE 156f544377549fa8
1-15: 09:00:14:375:268 R-COOKIE 776d3d7576c3e137
1-15: 09:00:14:375:268 exchange: Oakley Main Mode
1-15: 09:00:14:375:268 flags: 1 ( encrypted )
1-15: 09:00:14:375:268 next payload: ID
1-15: 09:00:14:375:268 message ID: 00000000
1-15: 09:00:14:375:268 Ports S:9411 D:9411
The problem is that the len of the packet is 1596, and the packet is IP fragmented.
But the fragment never reaches the server (it must be filtered by some router/firewall?)
What can I do?
Thanks for your help.
Olivier
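
The fragmentation reasoning in the message above, as an added example that is not part of the original post: it parses Oakley log lines in the quoted format, estimates the IPv4 datagram size of each ISAKMP message, and flags messages that need fragmenting at a 1500-byte MTU and are being resent. It assumes the logged `len` is the ISAKMP message length, IPv4 without options, and the 4-byte non-ESP marker on UDP port 4500; the function names and the last sample message are constructed.

```python
import re
from collections import defaultdict

IPV4_HDR, UDP_HDR, NON_ESP_MARKER = 20, 8, 4  # bytes; marker is used on UDP/4500 (RFC 3948)
# First two messages follow the Oakley log in the post; the third is constructed.
SAMPLE = """\
1-15: 09:00:13:374:3dc Sending: SA = 0x000C8770 to 213.56.232.64:Type 2.4500
1-15: 09:00:13:374:3dc ISAKMP Header: (V1.0), len = 1596
1-15: 09:00:13:374:3dc I-COOKIE 156f544377549fa8
1-15: 09:00:13:374:3dc R-COOKIE 776d3d7576c3e137
1-15: 09:00:14:375:268 Sending: SA = 0x000C8770 to 213.56.232.64:Type 2.4500
1-15: 09:00:14:375:268 ISAKMP Header: (V1.0), len = 1596
1-15: 09:00:14:375:268 I-COOKIE 156f544377549fa8
1-15: 09:00:14:375:268 R-COOKIE 776d3d7576c3e137
1-15: 09:01:00:000:3dc Sending: SA = 0x000C9000 to 213.56.232.64:Type 2.500
1-15: 09:01:00:000:3dc ISAKMP Header: (V1.0), len = 256
1-15: 09:01:00:000:3dc I-COOKIE aaaaaaaaaaaaaaaa
1-15: 09:01:00:000:3dc R-COOKIE 0000000000000000
"""
SEND = re.compile(r"Sending: SA = (\S+) to ([\d.]+):Type \d+\.(\d+)")
LEN = re.compile(r"ISAKMP Header: .*len = (\d+)")
COOKIE = re.compile(r"([IR])-COOKIE ([0-9a-f]{16})")

def parse_sends(text):
    """Return one dict per 'Sending:' block with destination, port, length, cookies."""
    sends, cur = [], None
    for line in text.splitlines():
        if m := SEND.search(line):
            cur = {"dst": m[2], "port": int(m[3]), "len": None, "I": None, "R": None}
            sends.append(cur)
        elif cur and (m := LEN.search(line)):
            cur["len"] = int(m[1])
        elif cur and (m := COOKIE.search(line)):
            cur[m[1]] = m[2]
    return sends

def report(text, mtu=1500):
    """Group sends by cookie pair and length; flag oversized messages that are resent."""
    groups = defaultdict(list)
    for s in parse_sends(text):
        if s["len"] is not None:
            groups[(s["I"], s["R"], s["len"])].append(s)
    per_frag = (mtu - IPV4_HDR) // 8 * 8  # fragment data is carried in 8-byte units
    out = []
    for (_, _, length), items in groups.items():
        marker = NON_ESP_MARKER if items[0]["port"] == 4500 else 0
        size = IPV4_HDR + UDP_HDR + marker + length
        frags = -(-(size - IPV4_HDR) // per_frag)  # ceiling division
        out.append({"isakmp_len": length, "ip_size": size, "fragments": frags,
                    "sends": len(items), "suspect": frags > 1 and len(items) > 1})
    return out
```

A message marked `suspect` is one whose later fragments have to pass every filter on the path; comparing with a capture on the server side shows whether they arrive.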