[Openswan Users] payload problem

sasa sasa at shoponweb.it
Thu Nov 10 19:25:22 CET 2005


"Paul Wouters" wrote:
> Can you tell me the 'ipsec --version' output on both ends of this
> connection?

[root at fw root]# ipsec version
Linux Openswan Ucvs2002Mar11_19:19:03/K2.1.2rc3 (klips)
See `ipsec --copyright' for copyright information.
[root at fw root]# rpm -qa|grep openswan
openswan-2.4.0-23.rhfc1.at
openswan-kmdl-2.4.22-1.2199.nptl_53.rhfc1.at-2.3.1-21.rhfc1.at


[root at fw4 ~]# ipsec version
Linux Openswan U2.4.0/K2.6.12-1.1381_FC3 (netkey)
See `ipsec --copyright' for copyright information.
[root at fw4 ~]# rpm -qa|grep openswan
openswan-2.4.0-1
openswan-klips-2.4.0-2.6.12_1.1378_FC3_1


> Also, could there be a router between these machines that might have the
> "IPsec passthrough" feature?

I don't know; tomorrow I can verify, but I don't think so.
thanks again.

------
Salvatore.



----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "sasa" <sasa at shoponweb.it>
Cc: <users at openswan.org>
Sent: Thursday, November 10, 2005 6:42 PM
Subject: Re: [Openswan Users] payload problem


> On Thu, 10 Nov 2005, sasa wrote:
>
>> Hi, I have a site-to-site VPN, but for some days I have had a problem; in
>> particular, on one end-point I have:
>
> [ config shows a really simple raw rsasig openswan-openswan interop config
>
>> Nov 10 13:48:15 fw4 pluto[2956]: "sedeprinsedesecond" #46: byte 2 of
>> ISAKMP
>> Hash Payload must be zero, but is not
>> Nov 10 13:48:15 fw4 pluto[2956]: "sedeprinsedesecond" #46: malformed
>> payload
>> in packet
>> Nov 10 13:48:15 fw4 pluto[2956]: "sedeprinsedesecond" #46: sending
>> notification PAYLOAD_MALFORMED to x.x.x.x:500
>> Nov 10 13:48:15 fw4 pluto[2956]: "sedeprinsedesecond" #47: next payload
>> type
>> of ISAKMP Hash Payload has an unknown value: 173
>
> That's strange. Either we don't interop with ourselves (have a bug) or
> some
> machine in the middle is messing with IKE packets.
>
> Can you tell me the 'ipsec --version' output on both ends of this
> connection?
> Also, could there be a router between these machines that might have the
> "IPsec passthrough" feature?
>
> Paul
> (please leave most of this message intact when replying, so I have all the
> information
> for the bug report in this email if I need to file one)
>
>> ..and another end-point I have:
>>
>> Nov 10 13:42:36 fw pluto[1062]: "sedeprinsedesecond" #38: Quick Mode I1
>> message is unacceptable because it uses a previously used Message ID
>> 0x2d0b2e24 (perhaps this is a duplicated packet)
>> Nov 10 13:42:36 fw pluto[1062]: "sedeprinsedesecond" #38: sending
>> encrypted
>> notification INVALID_MESSAGE_ID to y.y.y.y:500
>> Nov 10 13:42:39 fw pluto[1062]: "sedeprinsedesecond" #69: next payload
>> type of
>> ISAKMP Hash Payload has an unknown value: 66
>> Nov 10 13:42:39 fw pluto[1062]: "sedeprinsedesecond" #69: malformed
>> payload in
>> packet
>> Nov 10 13:42:39 fw pluto[1062]: "sedeprinsedesecond" #69: sending
>> notification
>> PAYLOAD_MALFORMED to y.y.y.y:500
>>
>> ..my ipsec.conf is:
>>
>> config setup
>> interfaces="ipsec0=eth0"
>> conn %default
>> authby=rsasig
>> conn sedeprinsedesecond
>> auto=start
>> pfs=yes
>> left=x.x.x.x
>> leftsubnet=192.168.1.0/24
>> leftnexthop=x.x.x.z
>> leftrsasigkey=0sAQO...
>> right=y.y.y.y
>> rightsubnet=10.0.0.0/24
>> rightnexthop=y.y.y.z
>> rightrsasigkey=0sAQNQB...
>>
>> thanks.
>>
>> ------
>> Salvatore.
>> _______________________________________________
>> Users mailing list
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>>
>
> -- 
>
> "Happiness is never grand"
>
> --- Mustapha Mond, World Controller (Brave New World)
> 
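
The two pluto complaints in the quoted logs ("byte 2 of ISAKMP Hash Payload must be zero" and "next payload type of ISAKMP Hash Payload has an unknown value") are consistent with checks on the 4-byte generic payload header of RFC 2408 (next payload, reserved, length). The Python sketch below is an added example, not Openswan code and not part of the original messages; the function name, message wording and sample bytes are constructed for illustration, and only the RFC 2408 payload types 0-13 are treated as known.

```python
import struct

# ISAKMP (RFC 2408) payload type numbers; NAT-T and private-use values omitted.
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID",
    6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
    11: "NOTIFICATION", 12: "DELETE", 13: "VENDOR_ID",
}
GENERIC_HDR = struct.Struct("!BBH")  # next payload, reserved, payload length


def check_payload_chain(first_type, body):
    """Walk a chain of ISAKMP payloads and return a list of problems found.

    first_type is the Next Payload value from the ISAKMP header; body is the
    (already decrypted) bytes that follow that header.
    """
    problems = []
    current, offset = first_type, 0
    while current != 0:
        name = PAYLOAD_TYPES.get(current, str(current))
        if len(body) - offset < GENERIC_HDR.size:
            problems.append(f"{name} payload: truncated generic header")
            break
        next_type, reserved, length = GENERIC_HDR.unpack_from(body, offset)
        if reserved != 0:
            problems.append(f"byte 2 of {name} payload must be zero, but is {reserved}")
        if next_type not in PAYLOAD_TYPES:
            problems.append(f"next payload type of {name} payload has an unknown value: {next_type}")
        if length < GENERIC_HDR.size or offset + length > len(body):
            problems.append(f"{name} payload: bad length {length}")
        if problems:
            break  # one bad field makes the rest of the chain untrustworthy
        current, offset = next_type, offset + length
    return problems


# Constructed samples: a well-formed HASH + NONCE chain, and the same chain
# with the HASH header overwritten (next payload 173, reserved byte 0x5a).
GOOD = (GENERIC_HDR.pack(10, 0, 24) + bytes(20)
        + GENERIC_HDR.pack(0, 0, 20) + bytes(16))
BAD = bytes([173, 0x5A]) + GOOD[2:]

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("bad", BAD)):
        print(label, check_payload_chain(8, data) or "ok")
```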

