[Openswan Users] linux box <> WinXP/SP2 problem (NAT-T, LTPD)

Radek Antoniuk r.antoniuk at pixel.com.pl
Tue Jan 17 18:56:07 CET 2006


Paul Wouters wrote:
> On Tue, 17 Jan 2006, Radek Antoniuk wrote:
> The last line suggests you have an old nat-t patch? Or somehow not
> enabled nat_traversal?

My fault. When changing configs I didn't paste the
nat_traversal=yes
line.
I've just added it but the final result is the same, as follows (still a
fragmentation issue maybe):

Jan 17 12:59:45 fufu pluto[13154]: packet from 1.2.3.4:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 17 12:59:45 fufu pluto[13154]: packet from 1.2.3.4:500: ignoring
Vendor ID payload [FRAGMENTATION]
Jan 17 12:59:45 fufu pluto[13154]: packet from 1.2.3.4:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 17 12:59:45 fufu pluto[13154]: packet from 1.2.3.4:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Jan 17 12:59:45 fufu pluto[13154]: "X509"[1] 1.2.3.4 #5: responding to
Main Mode from unknown peer 1.2.3.4
Jan 17 12:59:45 fufu pluto[13154]: "X509"[1] 1.2.3.4 #5: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 17 12:59:45 fufu pluto[13154]: "X509"[1] 1.2.3.4 #5: STATE_MAIN_R1:
sent MR1, expecting MI2
Jan 17 12:59:45 fufu pluto[13154]: "X509"[1] 1.2.3.4 #5: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jan 17 12:59:45 fufu pluto[13154]: "X509"[1] 1.2.3.4 #5: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 17 12:59:45 fufu pluto[13154]: "X509"[1] 1.2.3.4 #5: STATE_MAIN_R2:
sent MR2, expecting MI3
Jan 17 12:59:45 fufu pluto[13154]: "X509"[1] 1.2.3.4 #5: next payload
type of ISAKMP Hash Payload has an unknown value: 202
Jan 17 12:59:45 fufu pluto[13154]: "X509"[1] 1.2.3.4 #5: malformed
payload in packet
Jan 17 12:59:45 fufu pluto[13154]: "X509"[1] 1.2.3.4 #5: sending
notification PAYLOAD_MALFORMED to 1.2.3.4:500
Jan 17 12:59:45 fufu pluto[13154]: "X509"[1] 1.2.3.4 #5: next payload
type of ISAKMP Hash Payload has an unknown value: 230
Jan 17 12:59:45 fufu pluto[13154]: "X509"[1] 1.2.3.4 #5: malformed
payload in packet

> Is this a PSK based connection (despite being called X509?)
> This error also shows up when you do not have the proper PSK
> in ipsec.secrets?

Nope, it's not. It's the example from the sources:
version 2

config setup
        plutodebug=none
        nat_traversal=yes

conn X509
        authby=rsasig
        pfs=no
        auto=add
        rekey=no
        left=%defaultroute
        leftrsasigkey=%cert
        leftcert=/etc/ipsec.d/certs/gate.cert
        leftprotoport=17/1701
        right=%any
        rightca=%same
        rightrsasigkey=%cert
        rightprotoport=17/1701
        rightsubnet=vhost:%priv,%no

include /etc/ipsec.d/examples/no_oe.conf


and my ipsec.secrets:
fufu:~# cat /etc/ipsec.secrets
: RSA gate.key  "****"


Maybe another hint would be the error message on Windows,
translated: "the connection failed because there is no valid certificate
on this machine to authorize the connection".
Of course the cert was imported using certimport.exe and it is in the
store in fact. Moreover, I've checked plutodebug, and in phase MAIN_I2 /
MAIN_R2 it was checking the CA cert match if I remember right, and it moved
on to MI3, so supposedly that's not the case?


Thanks in advance.
-- 
Greets,
Radek
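The log above stops where pluto rejects a next-payload byte it does not recognise (202, then 230) and answers with PAYLOAD_MALFORMED. As an added illustration, not code from Openswan or from anyone in this thread, here is a small Python parser for the ISAKMP header and generic payload chain that applies the same check to constructed packets. The payload-type table is the one from RFC 2408 plus the NAT-T payload numbers (20/21 from RFC 3947, 130/131 from the draft-ietf-ipsec-nat-t-ike-02/03 private range); the packet builder, cookie values and function names are assumptions made for the example.

```python
"""Added example: minimal ISAKMP (IKEv1) header + payload-chain parser.

Not Openswan code. It reproduces the kind of sanity check pluto logs as
"next payload type of ... has an unknown value" on hand-built packets.
"""
import struct

# ISAKMP header, RFC 2408 section 3.1: 8-byte initiator cookie, 8-byte
# responder cookie, next payload, version, exchange type, flags,
# message ID, total length (28 bytes in all).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header, RFC 2408 section 3.2: next payload, reserved, length.
GENERIC_HDR = struct.Struct("!BBH")

# Payload types from RFC 2408 plus the NAT-T payloads: 20/21 (RFC 3947)
# and 130/131 (private-use numbers of the nat-t-ike-02/03 drafts).
PAYLOAD_NAMES = {
    0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID",
    6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N",
    12: "D", 13: "VID", 20: "NAT-D", 21: "NAT-OA",
    130: "NAT-D(draft)", 131: "NAT-OA(draft)",
}
FLAG_ENCRYPTION = 0x01          # header flags bit: payloads are encrypted
EXCHANGE_MAIN_MODE = 2          # "Identity Protection" exchange
ISAKMP_VERSION_1_0 = 0x10


class Malformed(Exception):
    """Raised where pluto would send a PAYLOAD_MALFORMED notification."""


def walk_payloads(body: bytes, first_type: int):
    """Follow the next-payload chain; return [(name, data), ...]."""
    payloads, offset, ptype = [], 0, first_type
    while ptype != 0:
        if ptype not in PAYLOAD_NAMES:
            prev = payloads[-1][0] if payloads else "ISAKMP header"
            raise Malformed(
                f"next payload type of {prev} has an unknown value: {ptype}")
        if offset + GENERIC_HDR.size > len(body):
            raise Malformed("truncated payload header")
        nxt, _reserved, plen = GENERIC_HDR.unpack_from(body, offset)
        if plen < GENERIC_HDR.size or offset + plen > len(body):
            raise Malformed(f"bad payload length {plen}")
        payloads.append((PAYLOAD_NAMES[ptype],
                         body[offset + GENERIC_HDR.size:offset + plen]))
        offset += plen
        ptype = nxt
    if offset != len(body):
        raise Malformed("trailing bytes after last payload")
    return payloads


def parse_isakmp(packet: bytes) -> dict:
    """Parse the fixed header; walk the chain only if it is in the clear."""
    if len(packet) < ISAKMP_HDR.size:
        raise Malformed("short ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = \
        ISAKMP_HDR.unpack_from(packet)
    if length != len(packet):
        raise Malformed(f"length field {length} != packet size {len(packet)}")
    info = {"exchange": xchg, "version": ver, "msgid": msgid,
            "encrypted": bool(flags & FLAG_ENCRYPTION), "payloads": []}
    if not info["encrypted"]:   # encrypted chains need the phase 1 keys first
        info["payloads"] = walk_payloads(packet[ISAKMP_HDR.size:], nxt)
    return info


def check_packet(packet: bytes) -> str:
    """Summarise the outcome the way a responder would act on it."""
    try:
        info = parse_isakmp(packet)
    except Malformed as err:
        return "PAYLOAD_MALFORMED:" + str(err)
    if info["encrypted"]:
        return "encrypted"
    return "ok:" + ",".join(name for name, _ in info["payloads"])


def build_packet(payloads, flags=0, exchange=EXCHANGE_MAIN_MODE) -> bytes:
    """Construct a test packet from [(type_code, data), ...] (constructed data)."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first, ISAKMP_VERSION_1_0,
                          exchange, flags, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


if __name__ == "__main__":
    good = build_packet([(1, b"\x00" * 8), (13, b"vid")])   # SA + VID in clear
    print(check_packet(good))
    bad = bytearray(good)
    bad[ISAKMP_HDR.size] = 202        # corrupt the SA payload's next-payload byte
    print(check_packet(bytes(bad)))
    print(check_packet(build_packet([(8, b"h" * 16)], flags=FLAG_ENCRYPTION)))
```

One point the example makes visible: in Main Mode the third initiator message (MI3, the one pluto is waiting for after "sent MR2, expecting MI3") is the first message carried with the encryption flag set, so its payload chain is only ever walked after decryption. A nonsense next-payload value appearing at exactly that step is therefore also what a decryption that produced garbage would look like, which is worth ruling out alongside the fragmentation theory.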

