[Openswan Users] PAYLOAD_MALFORMED to lsipsectool
Mihajlo Cvetanović
mac at netset.co.yu
Thu Jun 15 18:15:53 CEST 2006
I'm trying to establish a road warrior connection from win2000 to FC5,
with certificates and lsipsectool. Openswan keeps complaining about some
malformed payloads. What is wrong here? I've put the root certificate and
the certificate with CN=mac22 into the Windows repository via lsipsectool,
but they both appear in the "Root Certificates" list. The desired network
configuration is:
80.80.80.0/24...[80.80.80.53/24(eth0),10.0.0.3/8(eth1)]===10.0.0.22/8(win2000)
An Ethereal capture file is also attached.
/etc/ipsec.conf
=================================
version 2.0 # conforms to second version of ipsec.conf specification

config setup
	interfaces="ipsec0=eth1"

conn mihajlo-sale
	left=10.0.0.3
	leftcert=/etc/ipsec.d/certs/westCert.pem
	rightrsasigkey=%cert
	right=%any
	rightid="C=SR, ST=srbija, O=netset, CN=mac22"
	auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
=================================
/var/log/secure
=================================
Jun 15 16:31:34 localhost ipsec__plutorun: Starting Pluto subsystem...
Jun 15 16:31:34 localhost pluto[3525]: Starting Pluto (Openswan Version
2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID
OEnMCu\177xOp at c)
Jun 15 16:31:34 localhost pluto[3525]: Setting NAT-Traversal port-4500
floating to off
Jun 15 16:31:34 localhost pluto[3525]: port floating activation
criteria nat_t=0/port_fload=1
Jun 15 16:31:34 localhost pluto[3525]: including NAT-Traversal patch
(Version 0.6c) [disabled]
Jun 15 16:31:34 localhost pluto[3525]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 15 16:31:34 localhost pluto[3525]: starting up 1 cryptographic helpers
Jun 15 16:31:34 localhost pluto[3525]: started helper pid=3526 (fd:6)
Jun 15 16:31:34 localhost pluto[3525]: Using KLIPS IPsec interface code
on 2.6.15
Jun 15 16:31:34 localhost pluto[3525]: Changing to directory
'/etc/ipsec.d/cacerts'
Jun 15 16:31:34 localhost pluto[3525]: loaded CA cert file
'caCert.pem' (1127 bytes)
Jun 15 16:31:34 localhost pluto[3525]: Changing to directory
'/etc/ipsec.d/aacerts'
Jun 15 16:31:34 localhost pluto[3525]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Jun 15 16:31:34 localhost pluto[3525]: Changing to directory
'/etc/ipsec.d/crls'
Jun 15 16:31:34 localhost pluto[3525]: Warning: empty directory
Jun 15 16:31:34 localhost pluto[3525]: loaded host cert file
'/etc/ipsec.d/certs/westCert.pem' (960 bytes)
Jun 15 16:31:34 localhost pluto[3525]: added connection description
"mihajlo-sale"
Jun 15 16:31:34 localhost pluto[3525]: listening for IKE messages
Jun 15 16:31:34 localhost pluto[3525]: adding interface ipsec0/eth1
10.0.0.3:500
Jun 15 16:31:34 localhost pluto[3525]: loading secrets from
"/etc/ipsec.secrets"
Jun 15 16:31:34 localhost pluto[3525]: loaded private key file
'/etc/ipsec.d/private/west.key' (963 bytes)
Jun 15 16:31:41 localhost pluto[3525]: packet from 10.0.0.22:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Jun 15 16:31:41 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22 #1:
responding to Main Mode from unknown peer 10.0.0.22
Jun 15 16:31:41 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 15 16:31:41 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22 #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Jun 15 16:31:41 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 15 16:31:41 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22 #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Jun 15 16:31:41 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22 #1:
next payload type of ISAKMP Hash Payload has an unknown value: 116
Jun 15 16:31:41 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22 #1:
malformed payload in packet
Jun 15 16:31:41 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22 #1:
sending notification PAYLOAD_MALFORMED to 10.0.0.22:500
Jun 15 16:31:52 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22 #1:
byte 2 of ISAKMP Hash Payload must be zero, but is not
Jun 15 16:31:52 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22 #1:
malformed payload in packet
Jun 15 16:31:52 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22 #1:
sending notification PAYLOAD_MALFORMED to 10.0.0.22:500
Jun 15 16:32:11 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22 #1:
ignoring informational payload, type INVALID_COOKIE
Jun 15 16:32:11 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22 #1:
received and ignored informational message
Jun 15 16:32:51 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22 #1:
max number of retransmissions (2) reached STATE_MAIN_R2
Jun 15 16:32:51 localhost pluto[3525]: "mihajlo-sale"[1] 10.0.0.22:
deleting connection "mihajlo-sale" instance with peer 10.0.0.22
{isakmp=#0/ipsec=#0}
Jun 15 16:36:44 localhost pluto[3525]: shutting down
Jun 15 16:36:44 localhost pluto[3525]: forgetting secrets
Jun 15 16:36:44 localhost pluto[3525]: "mihajlo-sale": deleting connection
Jun 15 16:36:44 localhost pluto[3525]: shutting down interface
ipsec0/eth1 10.0.0.3:500
=================================
Log file of lsipsectool (from Win2000)
=================================
16:33:01: Starting Tunnel
16:33:01: IKE Encryption: 3des
IKE Integrity: md5
Remote Gateway Address: 10.0.0.3
Remote Monitor Address: 80.80.80.53
Remote Network: 80.80.80.0/255.255.255.0
Local Address: 10.0.0.22
Local Network: 10.0.0.0/255.0.0.0
16:33:02: 15 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...
16:33:07: 30 Consecutive Unsuccessfull ECHO REQUEST [ Waiting 5 Secs ]...
16:33:10: Stoping Tunnel
=================================
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rw_lsipsectool.cap
Type: application/octet-stream
Size: 1566 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20060615/3e7f6774/rw_lsipsectool.obj
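
The two pluto complaints in the log above ("next payload type ... has an unknown value: 116" and "byte 2 ... must be zero") refer to the first two fields of the ISAKMP generic payload header defined in RFC 2408: a one-byte next-payload type, a one-byte reserved field, then a 16-bit length. As an added illustration that is not part of the original post and is not Openswan's code, this Python example walks a payload chain and reports the same two conditions; the function name, the payload table (limited to the RFC 2408 types) and the sample bytes are constructed for the example.

```python
import struct

# Payload type numbers from RFC 2408 section 3.1 (later NAT-T additions omitted).
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE",
                 5: "ID", 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG",
                 10: "NONCE", 11: "Notification", 12: "Delete", 13: "VendorID"}

def walk_payloads(first_type, body):
    """Walk a chain of ISAKMP payloads (hypothetical helper).

    first_type is the next-payload value from the ISAKMP header; body is the
    already-decrypted data after that header. Returns (payloads, error).
    """
    found, offset, current = [], 0, first_type
    while current != 0:
        name = PAYLOAD_NAMES.get(current, str(current))
        if len(body) - offset < 4:
            return found, f"{name} payload: truncated generic header"
        # Generic header: next payload (1), reserved (1), length (2, big-endian).
        next_type, reserved, length = struct.unpack_from("!BBH", body, offset)
        if next_type not in PAYLOAD_NAMES:
            return found, (f"next payload type of {name} payload "
                           f"has an unknown value: {next_type}")
        if reserved != 0:
            return found, f"byte 2 of {name} payload must be zero, but is not"
        if length < 4 or offset + length > len(body):
            return found, f"{name} payload: bad length {length}"
        found.append((name, body[offset + 4:offset + length]))
        offset, current = offset + length, next_type
    return found, None

# Constructed sample inputs (not taken from the attached capture).
GOOD = (struct.pack("!BBH", 8, 0, 12) + b"\x00" * 8 +       # ID, next = HASH
        struct.pack("!BBH", 0, 0, 20) + b"\x11" * 16)       # HASH, next = NONE
BAD_NEXT = struct.pack("!BBH", 116, 0, 20) + b"\x11" * 16   # next type 116
BAD_RESERVED = struct.pack("!BBH", 0, 0x5A, 20) + b"\x11" * 16  # reserved != 0

if __name__ == "__main__":
    for label, first, data in (("good", 5, GOOD), ("bad next", 8, BAD_NEXT),
                               ("bad reserved", 8, BAD_RESERVED)):
        payloads, error = walk_payloads(first, data)
        print(label, [n for n, _ in payloads], error)
```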