[Openswan Users] Windows 2000 & next payload type of ISAKMP Hash Payload has an unknown value
Matt Reeve
spam at mreeve.com
Thu Jul 13 15:45:37 CEST 2006
Hi,
Fedora Core 5
Kernel 2.6.17-1.2145_FC5
openswan-2.4.6rc2 using NETKEY
Windows 2000 w/ SP4 & Q818043
I am trying to make a connection using the Microsoft client with L2TP and certificates, but I get "Error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication" every time. I installed the certificate using MMC, taking great care to make sure it is in the computer account and not the user account. I tried 3 different W2K boxes with the same result. Using the same certificate on an XP SP2 machine, also installed with MMC in the same way, works fine.
Here is the openswan conf and log; I've highlighted the line which looks suspicious compared with the (working) log from my XP connection below. Note that the "unknown value" number changes each time I try to connect.
I've also tried openswan versions 2.4.6rc1, 2.4.5 and 2.4.0 with the same result.
Any thoughts greatly appreciated!
Cheers,
Matt.
conn L2TP-X.509
        authby=rsasig                   # X.509 certificate / RSA signature authentication
        pfs=no                          # no PFS on the IPsec SA, as the Microsoft client expects
        auto=add                        # load the conn, let the client initiate
        rekey=no                        # leave rekeying to the client
        left=%defaultroute
        #left=192.168.1.2
        #leftnexthop=192.168.1.1
        leftrsasigkey=%cert             # our public key comes from leftcert
        leftcert=/etc/ipsec.d/certs/server.pem
        leftprotoport=17/1701           # L2TP is UDP port 1701
        right=%any                      # road warrior: accept any peer address
        rightca=%same                   # peer cert must be issued by the same CA as ours
        rightrsasigkey=%cert            # peer public key comes from the cert it sends
        rightprotoport=17/1701
        rightsubnet=vhost:%priv,%no     # client may claim a private (NATed) address, or none
        #plutodebug=all
The failed W2K connection attempt:
Jul 13 11:12:56 server pluto[20986]: packet from 192.168.1.249:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Jul 13 11:12:56 server pluto[20986]: packet from 192.168.1.249:500: ignoring Vendor ID payload [FRAGMENTATION]
Jul 13 11:12:56 server pluto[20986]: packet from 192.168.1.249:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul 13 11:12:56 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: responding to Main Mode from unknown peer 192.168.1.249
Jul 13 11:12:56 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 13 11:12:56 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: STATE_MAIN_R2: sent MR2, expecting MI3
******* Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: next payload type of ISAKMP Hash Payload has an unknown value: 194 ******
Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: malformed payload in packet
Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: sending notification PAYLOAD_MALFORMED to 192.168.1.249:500
Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: next payload type of ISAKMP Hash Payload has an unknown value: 127
Jul 13 11:12:57 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: malformed payload in packet
Jul 13 11:13:07 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: ignoring informational payload, type INVALID_COOKIE
Jul 13 11:13:07 server pluto[20986]: "L2TP-X.509"[5] 192.168.1.249 #5: received and ignored informational message
For reference, a successful XP connection to the same system:
Jul 13 11:27:58 server pluto[20986]: packet from 192.168.1.251:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jul 13 11:27:58 server pluto[20986]: packet from 192.168.1.251:500: ignoring Vendor ID payload [FRAGMENTATION]
Jul 13 11:27:58 server pluto[20986]: packet from 192.168.1.251:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul 13 11:27:58 server pluto[20986]: packet from 192.168.1.251:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 13 11:27:58 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: responding to Main Mode from unknown peer 192.168.1.251
Jul 13 11:27:58 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 13 11:27:58 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, ST=Midlothian, L=Edinburgh, O=Home, CN=w2k'
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: no crl from issuer "C=GB, ST=Midlothian, O=Home, CN=serverCA, E=xxx at mreeve.com" found (strict=no)
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[6] 192.168.1.251 #6: switched from "L2TP-X.509" to "L2TP-X.509"
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #6: deleting connection "L2TP-X.509" instance with peer 192.168.1.251 {isakmp=#0/ipsec=#0}
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #6: I am sending my cert
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #6: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #6: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #7: responding to Quick Mode {msgid:3400ec3d}
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #7: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #7: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #7: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 13 11:27:59 server pluto[20986]: "L2TP-X.509"[7] 192.168.1.251 #7: STATE_QUICK_R2: IPsec SA established {ESP=>0x12f74c7a <0xc0cd672d xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
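As an added example (not openswan/pluto code and not from this thread), here is the walk over an IKEv1 packet's ISAKMP payload chain that produces a message of the form highlighted above. Each payload carries the type of the payload after it in its own 4-byte generic header (RFC 2408), and the chain ends at NEXT=NONE (0). In Main Mode the third initiator message, the one pluto was waiting for after "sent MR2, expecting MI3", is the first whose payloads are encrypted, and IKEv1 puts no integrity check on that ciphertext: the responder only learns each next-payload byte after decryption, so bytes that are not what the parser expects surface as "unknown value: N" followed by "malformed payload in packet", not as a decryption error. The packets below are constructed; cookies, DN, certificate and signature bytes are dummies, and the payload-type names are the RFC 2408 and NAT-T numbers, not pluto's tables.

```python
"""Walk the ISAKMP payload chain of an IKEv1 packet (added example, not pluto code)."""
import struct

# ISAKMP header (RFC 2408 s3.1): initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message ID, total length.  28 bytes, always in clear.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header (RFC 2408 s3.2): next payload, reserved, payload length
# (length includes these 4 bytes).  Encrypted along with the payload in MI3/MR3.
GENERIC_HDR = struct.Struct("!BBH")

# Payload type numbers from RFC 2408 s3.1, plus NAT-T: draft-ietf-ipsec-nat-t-ike-02
# used 130/131, RFC 3947 assigned 20/21.  14-127 are reserved, 128-255 private use.
PAYLOAD_NAMES = {
    0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "NOTIFY", 12: "DELETE", 13: "VID",
    20: "NAT-D", 21: "NAT-OA", 130: "NAT-D(draft)", 131: "NAT-OA(draft)",
}
XCHG_IDPROT = 2       # Identity Protection exchange, i.e. Main Mode
IKEV1_VERSION = 0x10  # major 1, minor 0


class MalformedPayload(ValueError):
    """Raised where pluto would log 'malformed payload in packet'."""


def parse_payload_chain(packet):
    """Return [(payload_name, body_bytes), ...] for a (decrypted) IKEv1 packet."""
    if len(packet) < ISAKMP_HDR.size:
        raise MalformedPayload("packet shorter than ISAKMP header")
    _ic, _rc, np, _ver, _xchg, _flags, _msgid, length = ISAKMP_HDR.unpack_from(packet)
    if length != len(packet):
        raise MalformedPayload(f"header length {length} != packet length {len(packet)}")
    if np not in PAYLOAD_NAMES:
        raise MalformedPayload(f"next payload type of ISAKMP Message has an unknown value: {np}")
    payloads, off = [], ISAKMP_HDR.size
    while np != 0:
        if off + GENERIC_HDR.size > len(packet):
            raise MalformedPayload("payload header runs past end of packet")
        cur_name = PAYLOAD_NAMES[np]
        next_np, _reserved, plen = GENERIC_HDR.unpack_from(packet, off)
        if plen < GENERIC_HDR.size or off + plen > len(packet):
            raise MalformedPayload(f"{cur_name} payload length {plen} out of range")
        # This is the check behind the log line in the thread: the next-payload byte
        # lives inside the current payload's header, so garbage there is reported
        # against the payload whose header carried it.
        if next_np not in PAYLOAD_NAMES:
            raise MalformedPayload(
                f"next payload type of ISAKMP {cur_name} Payload has an unknown value: {next_np}")
        payloads.append((cur_name, packet[off + GENERIC_HDR.size:off + plen]))
        off += plen
        np = next_np
    if off != len(packet):
        raise MalformedPayload(f"{len(packet) - off} trailing bytes after last payload")
    return payloads


def build_packet(chain, xchg=XCHG_IDPROT, msgid=0):
    """chain: [(payload_type_number, body), ...]; emits header plus linked generic headers."""
    body = b""
    for i, (ptype, pbody) in enumerate(chain):
        next_np = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += GENERIC_HDR.pack(next_np, 0, GENERIC_HDR.size + len(pbody)) + pbody
    first = chain[0][0] if chain else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first, IKEV1_VERSION, xchg, 0, msgid,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


def clobber_first_next_payload(packet, value):
    """Copy of packet with the first payload's next-payload byte set to `value`.

    That byte is the first one inside the encrypted part of MI3, so it is what a
    responder sees first if the decrypted bytes are not what the sender built.
    """
    buf = bytearray(packet)
    buf[ISAKMP_HDR.size] = value
    return bytes(buf)


def check_packet(packet):
    """(True, [payload names]) on a clean chain, (False, pluto-style reason) otherwise."""
    try:
        return True, [name for name, _ in parse_payload_chain(packet)]
    except MalformedPayload as exc:
        return False, str(exc)


# Constructed samples (dummy bodies, not captures): an RSA-sig Main Mode message 3
# chain ID -> CERT -> SIG, and a HASH-first message whose HASH header points at 194.
GOOD_MI3 = build_packet([
    (5, b"\x09\x00\x00\x00CN=w2k"),            # ID: type 9 = ID_DER_ASN1_DN, dummy DN
    (6, b"\x04" + b"\x30\x82" + b"\x00" * 6),   # CERT: encoding 4 = X.509 sig, dummy DER
    (9, b"\x00" * 128),                         # SIG: dummy RSA signature
])
BAD_MI3 = clobber_first_next_payload(
    build_packet([(8, b"\xaa" * 16), (5, b"\x09\x00\x00\x00CN=w2k")]), 194)

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_MI3), ("bad", BAD_MI3)):
        print(label, check_packet(pkt))
```

Running it prints the clean chain for the first packet and, for the second, `next payload type of ISAKMP HASH Payload has an unknown value: 194`; substituting 127 (the value on the retransmit in the log) fails the same way, which is the point: any value outside the known table is rejected, and which value you get is simply whatever byte happened to be there.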