[Openswan Users] Re: Aggressive mode client to Netscreen w/ leftid=email

Tibor Incze tibor.incze at eservglobal.com
Tue May 24 09:18:04 CEST 2005


I also sometimes get the following messages from openswan:
byte 2 of ISAKMP Hash Payload must be zero, but is not
003 "esg_rwvpn" #3: malformed payload in packet
003 "esg_rwvpn" #3: byte 2 of ISAKMP Hash Payload must be zero, but is not
003 "esg_rwvpn" #3: malformed payload in packet

</snip>
Some more settings info:
Reserve Private IP for XAuth User: 15 Minutes
Replay Protection: On
Remote Auth Server: LDAP

Hope that helps track it down. Thanks in advance!
> On Mon, 23 May 2005, Tibor Incze wrote:
>
>> You also need the ike=(for phase1) and esp=(for phase2) lines in
>> ipsec.conf. I now have:
>> ike=3des-sha1-modp1024
>> esp=3des-sha1
>
> You must specify explicit ike/esp lines, because aggressive mode
> cannot negotiate those parameters. It has to be right in the first
> packet exchange.
>
>> However after putting in the xauth username and password, I now get
>> these errors:
>> ---------------------------------
>> 04 "myclient" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
>> 228 "myclient" #1: STATE_XAUTH_I1: CERTIFICATE_UNAVAILABLE
>> 003 "myclient" #1: next payload type of ISAKMP Hash Payload has an
>> unknown value: 133
>> 003 "myclient" #1: malformed payload in packet
>> 003 "myclient" #1: next payload type of ISAKMP Hash Payload has an
>> unknown value: 133
>> 003 "myclient" #1: malformed payload in packet
>> ------------------------------------------
>
> I am not sure. Your remote end wants a certificate? Do you have one?
> Did it load? Are you sending it?
>
>> The "unknown value:" number changes on each attempt, so I'm not sure
>> what the problem is. Any ideas? I'm not using certs btw, should I be?
>> On the netscreen for phase2 I have it set to 3des-sha1(with pfs) and
>> as a second option 3des-md5(with pfs)
>
> I don't know what the netscreen wants.
>
>> Another question: does openswan support "CHAP" for Xauth?
>
> No, XAUTH currently only supports passwords in /etc/ipsec.d/passwd or
> PAM. You should be able to hook up PAM to other things, such as radius
> though. See docs/README.XAUTH
>
> Paul
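Both pluto diagnostics quoted in this thread ("byte 2 of ISAKMP Hash Payload must be zero, but is not" and "next payload type of ISAKMP Hash Payload has an unknown value") come from validating the 4-byte generic payload header (next payload, RESERVED, length; RFC 2408 section 3.2), not the hash itself. The Python below is an added illustration, not code from this thread or from Openswan: it walks a payload chain with the same field-order checks and reproduces both messages on constructed byte strings; the payload-type table is a deliberate subset of RFC 2408.

```python
import struct

# ISAKMP payload types from RFC 2408 section 3.1 (the subset this example needs);
# anything not in this table is treated as an unknown next-payload value.
PAYLOAD_NAMES = {0: "None", 1: "Security Association", 4: "Key Exchange",
                 5: "Identification", 8: "Hash", 10: "Nonce", 13: "Vendor ID"}


def payload(next_np: int, data: bytes, reserved: int = 0) -> bytes:
    """Build one payload: 4-byte generic header (next, RESERVED, length) + data."""
    return struct.pack("!BBH", next_np, reserved, 4 + len(data)) + data


def walk_payloads(body: bytes, first_np: int) -> list:
    """Walk the payload chain of an ISAKMP message body (everything after the
    28-byte ISAKMP header), checking each generic header in the same field
    order pluto does. Returns (payload name, diagnostic-or-'ok') per payload;
    like pluto, it stops at the first malformed header."""
    results, np, offset = [], first_np, 0
    while np != 0:
        name = f"ISAKMP {PAYLOAD_NAMES.get(np, 'Unknown')} Payload"
        if offset + 4 > len(body):
            results.append((name, "payload header truncated"))
            break
        nxt, reserved, length = struct.unpack_from("!BBH", body, offset)
        if nxt not in PAYLOAD_NAMES:      # byte 1: next payload type
            results.append((name, f"next payload type of {name} has an unknown value: {nxt}"))
            break
        if reserved != 0:                 # byte 2: RESERVED, must be zero
            results.append((name, f"byte 2 of {name} must be zero, but is not"))
            break
        if length < 4 or offset + length > len(body):   # bytes 3-4: length
            results.append((name, "payload length inconsistent with message"))
            break
        results.append((name, "ok"))
        offset, np = offset + length, nxt
    return results


# Constructed sample bodies (not captured traffic), each starting with a Hash
# payload, as the ISAKMP header's next-payload field (first_np=8) announces.
GOOD = payload(10, b"\x00" * 20) + payload(0, b"\x11" * 8)          # Hash -> Nonce
BAD_RESERVED = payload(10, b"\x00" * 20, reserved=1) + payload(0, b"\x11" * 8)
BAD_NEXT = payload(133, b"\x00" * 20)                               # 133 is not a payload type

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("reserved", BAD_RESERVED), ("next", BAD_NEXT)):
        for name, status in walk_payloads(body, 8):
            print(f"{label:>8}: {name}: {status}")
```

Because both checks run on the header in front of the hash, a failure there most often means the two ends disagree about where that payload starts or how it is laid out, rather than that the hash value is wrong.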
