[Openswan Users] Windows 2000 & next payload type of ISAKMP Hash Payload has an unknown value

Matt Reeve spam at mreeve.com
Thu Jul 13 15:45:37 CEST 2006


Hi,

Fedora Core 5
Kernel 2.6.17-1.2145_FC5
openswan-2.4.6rc2 using NETKEY
Windows 2000 w/ SP4 & Q818043

I am trying to make a connection using the Microsoft client using L2TP 
and certificates but get an "Error 786: The L2TP connection attempt 
failed because there is no valid machine certificate on your computer 
for security authentication" every time. I installed the certificate 
using MMC, taking great care to make sure it is on the computer account 
and not the user account. I tried 3 different W2K boxes with the same 
result. Using the same certificate on an XP SP2 machine, also installed 
with MMC in the same way, works fine.

Here is the openswan conf and log, I've highlighted the line which looks 
suspicious compared with the (working) log from my XP connection below. 
Note that the "unknown value" number changes each time I try to connect. 
I've also tried openswan versions 2.4.6rc1, 2.4.5 and 2.4.0 with the 
same result.

Any thoughts greatly appreciated!
Cheers,
Matt.

conn L2TP-X.509
       authby=rsasig
       pfs=no
       auto=add
       rekey=no
       left=%defaultroute
       #left=192.168.1.2
       #leftnexthop=192.168.1.1
       leftrsasigkey=%cert
       leftcert=/etc/ipsec.d/certs/server.pem
       leftprotoport=17/1701
       right=%any
       rightca=%same
       rightrsasigkey=%cert
       rightprotoport=17/1701
       rightsubnet=vhost:%priv,%no
       #plutodebug=all

The failed W2K connection attempt:

Jul 13 11:12:56 server pluto[20986]: packet from 192.168.1.249:500: 
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Jul 13 11:12:56 server pluto[20986]: packet from 192.168.1.249:500: 
ignoring Vendor ID payload [FRAGMENTATION]
Jul 13 11:12:56 server pluto[20986]: packet from 192.168.1.249:500: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set 
to=106
Jul 13 11:12:56 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: 
responding to Main Mode from unknown peer 192.168.1.249
Jul 13 11:12:56 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: 
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 13 11:12:56 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: 
STATE_MAIN_R1: sent MR1, expecting MI2
Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: 
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT 
detected
Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: 
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: 
STATE_MAIN_R2: sent MR2, expecting MI3
******* Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 
192.168.1.249 #5: next payload type of ISAKMP Hash Payload has an 
unknown value: 194 ******
Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: 
malformed payload in packet
Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: 
sending notification PAYLOAD_MALFORMED to 192.168.1.249:500
Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: 
next payload type of ISAKMP Hash Payload has an unknown value: 127
Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: 
malformed payload in packet
Jul 13 11:13:07 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: 
ignoring informational payload, type INVALID_COOKIE
Jul 13 11:13:07 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: 
received and ignored informational message

For reference, a successful XP connection to the same system:

Jul 13 11:27:58 server pluto[20986]: packet from 192.168.1.251:500: 
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jul 13 11:27:58 server pluto[20986]: packet from 192.168.1.251:500: 
ignoring Vendor ID payload [FRAGMENTATION]
Jul 13 11:27:58 server pluto[20986]: packet from 192.168.1.251:500: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set 
to=106
Jul 13 11:27:58 server pluto[20986]: packet from 192.168.1.251:500: 
ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 13 11:27:58 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: 
responding to Main Mode from unknown peer 192.168.1.251
Jul 13 11:27:58 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: 
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 13 11:27:58 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: 
STATE_MAIN_R1: sent MR1, expecting MI2
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: 
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT 
detected
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: 
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: 
STATE_MAIN_R2: sent MR2, expecting MI3
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: 
Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, ST=Midlothian, L=Edinburgh, 
O=Home, CN=w2k'
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: 
no crl from issuer "C=GB, ST=Midlothian, O=Home, CN=serverCA, 
E=xxx at mreeve.com" found (strict=no)
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: 
switched from "L2TP-X.509" to "L2TP-X.509"
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #6: 
deleting connection "L2TP-X.509" instance with peer 192.168.1.251 
{isakmp=#0/ipsec=#0}
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #6: I 
am sending my cert
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #6: 
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #6: 
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG 
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #7: 
responding to Quick Mode {msgid:3400ec3d}
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #7: 
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #7: 
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #7: 
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #7: 
STATE_QUICK_R2: IPsec SA established {ESP=>0x12f74c7a <0xc0cd672d 
xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
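The highlighted log line is pluto's payload-chain walker refusing a value it does not recognise. Every ISAKMP payload starts with a 4-byte generic header (next payload type, reserved, length), and the responder follows that chain until it reaches type 0 (NONE); any next-payload byte outside the RFC 2408 / RFC 3947 table is reported exactly as in the log and the packet is rejected as PAYLOAD_MALFORMED. The decoder below is an added example for readers working through such logs; it is not part of the original post or of Openswan's code. It walks a plaintext payload chain over two constructed packets (one well-formed, one whose Hash payload carries next-payload 194, the value from the log), and the diagnostic string is worded to match pluto's. One assumption worth stating: in Main Mode the third initiator message (MI3) is encrypted under the ISAKMP SA, so pluto only sees a payload chain after decryption; a decoder like this one, run over bytes that are not a valid chain, produces precisely these out-of-range values.

```python
import struct

# IKEv1 / ISAKMP payload types, RFC 2408 section 3.1 (20 and 21 added by RFC 3947).
# Anything not in this table is what pluto logs as an "unknown value".
PAYLOAD_NAMES = {
    0: "NONE", 1: "Security Association", 2: "Proposal", 3: "Transform",
    4: "Key Exchange", 5: "Identification", 6: "Certificate",
    7: "Certificate Request", 8: "Hash", 9: "Signature", 10: "Nonce",
    11: "Notification", 12: "Delete", 13: "Vendor ID", 20: "NAT-D", 21: "NAT-OA",
}

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # 28-byte fixed ISAKMP header
GENERIC_HDR = struct.Struct("!BBH")          # 4-byte generic payload header
FLAG_ENCRYPTION = 0x01                        # header flag bit: body is encrypted
XCHG_IDENTITY_PROTECTION = 2                  # exchange type used by Main Mode


def parse_header(pkt):
    """Return the fixed ISAKMP header fields as a dict."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("packet shorter than ISAKMP header")
    icookie, rcookie, first_np, version, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(pkt)
    return {
        "initiator_cookie": icookie, "responder_cookie": rcookie,
        "first_payload": first_np, "version": (version >> 4, version & 0x0F),
        "exchange_type": xchg, "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msgid, "length": length,
    }


def walk_payload_chain(body, first_np):
    """Follow the generic payload headers starting with the type named in the
    ISAKMP header. Returns (payloads, error): payloads is a list of
    (name, length); error is None or a pluto-style diagnostic string."""
    payloads, offset, np, prev_label = [], 0, first_np, "Message"
    while True:
        name = PAYLOAD_NAMES.get(np)
        if name is None:  # the check behind the log line in the post
            return payloads, f"next payload type of ISAKMP {prev_label} has an unknown value: {np}"
        if np == 0:       # NONE terminates the chain; nothing may follow it
            if offset != len(body):
                return payloads, f"{len(body) - offset} trailing bytes after last payload"
            return payloads, None
        if offset + GENERIC_HDR.size > len(body):
            return payloads, f"{name} Payload header runs past end of packet"
        next_np, _reserved, plen = GENERIC_HDR.unpack_from(body, offset)
        if plen < GENERIC_HDR.size or offset + plen > len(body):
            return payloads, f"{name} Payload has impossible length {plen}"
        payloads.append((name, plen))
        offset += plen
        prev_label = f"{name} Payload"
        np = next_np


def decode(pkt):
    """Decode header and (plaintext) payload chain of one ISAKMP packet."""
    hdr = parse_header(pkt)
    if hdr["length"] != len(pkt):
        return {"header": hdr, "payloads": [],
                "error": f"header length {hdr['length']} does not match packet length {len(pkt)}"}
    # A real responder decrypts the body first when the encryption flag is set;
    # this example only walks bodies that are already plaintext.
    payloads, error = walk_payload_chain(pkt[ISAKMP_HDR.size:], hdr["first_payload"])
    return {"header": hdr, "payloads": payloads, "error": error}


# --- constructed sample packets (not captured traffic) ---------------------
def build_payload(next_np, data):
    return GENERIC_HDR.pack(next_np, 0, GENERIC_HDR.size + len(data)) + data


def build_packet(first_np, payload_bytes, flags=0):
    body = b"".join(payload_bytes)
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first_np, 0x10,
                          XCHG_IDENTITY_PROTECTION, flags, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


# ID_IPV4_ADDR (1), protocol UDP (17), port 0, address 192.168.1.249 (constructed)
ID_DATA = b"\x01\x11\x00\x00" + bytes([192, 168, 1, 249])
HASH_DATA = bytes(16)  # placeholder for a 16-byte hash value
# Identification -> Hash -> NONE: a well-formed chain.
WELL_FORMED = build_packet(5, [build_payload(8, ID_DATA), build_payload(0, HASH_DATA)])
# Same chain, but the Hash payload's next-payload byte is 194, as in the failing log.
GARBLED = build_packet(5, [build_payload(8, ID_DATA), build_payload(194, HASH_DATA)])

if __name__ == "__main__":
    for label, pkt in (("well-formed", WELL_FORMED), ("garbled", GARBLED)):
        result = decode(pkt)
        print(label, [name for name, _ in result["payloads"]], result["error"])
```

Running the block prints the two payload names for both packets, followed by `None` for the well-formed chain and the pluto-style "unknown value: 194" diagnostic for the garbled one. The useful defensive takeaway is the one the two logs in the post already illustrate: a single bad next-payload byte is a wire-format or framing problem, not a certificate-validation failure, since certificate checks (peer ID, CRL lookup) only appear in the log once the chain has been walked successfully, as in the XP trace.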