[Openswan Users] XP client quit connecting - more info

Brian Hoover brian_hoover at verizon.net
Wed Apr 18 11:42:46 EDT 2007


Brian Hoover wrote:
> Hello,
>
> My openswan (2.4.7) installation serves as a road warrior gateway.
>
> After many weeks and many users one user does not connect any longer.  A clip of the log follows.
>
> I did just change the corporate ISP connection from a single T1 to 2 bonded T1s using Cisco CEF in per-packet mode.  This has not affected
> other clients.
>
>   
I shut down one of the T1 circuits and this client can now connect. 

Does anyone know why Cisco per-packet load sharing might affect ISAKMP?

Could the 2048 bit key be causing this?

I'm reading the IPsec RFCs as fast as I can digest them; is this the
best place to gain an understanding of the negotiation process?

Will Paul's book give me some insight?

Thanks,

Brian

> The problem client is XP SP2 native L2TP client, via a Netgear WGT624 (wired) and COX cable.
>
> Any help would be appreciated.
>
> Brian
>
> Apr 17 08:26:22 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: I am sending my cert
> Apr 17 08:26:22 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Apr 17 08:26:22 rio pluto[10427]: | NAT-T: new mapping cli.ent.ipa.ddr:500/3017)
> Apr 17 08:26:22 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG 
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
> Apr 17 08:26:23 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
> Apr 17 08:26:25 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
> Apr 17 08:26:29 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
> Apr 17 08:26:53 rio last message repeated 2 times
> Apr 17 08:27:25 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: next payload type of ISAKMP Hash Payload has an unknown value: 208 
> #comment# 208 varies attempt to attempt
> Apr 17 08:27:25 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: malformed payload in packet
> Apr 17 08:27:25 rio pluto[10427]: | payload malformed after IV
> Apr 17 08:27:25 rio pluto[10427]: |   8d ff 47 36  82 bf 01 e2
> #comment# data varies attempt to attempt
> Apr 17 08:27:25 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: sending notification PAYLOAD_MALFORMED to cli.ent.ipa.ddr:3017
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>   

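Added example (not part of the original post, and not Openswan code): a small Python script that scans pluto log lines for the pattern visible in the quoted log, namely "ISAKMP SA established" (MR3 sent) followed by repeated "retransmitting in response to duplicate packet" lines, retransmission exhaustion, and finally a "malformed payload" with a varying "unknown value" byte after the IV. The embedded log is constructed from the lines quoted above plus a made-up healthy second client for contrast; the peer name "oth.er.cli.ent", the ESP line, and the diagnosis labels are assumptions of the example.

```python
"""Flag IKEv1 Main Mode sessions that stall right after MR3 in Openswan pluto logs.
Added example; the log format is the one quoted in the post, the sample below is constructed."""
import re
from collections import OrderedDict

# Constructed sample: the lines quoted in the post, plus a healthy peer ("oth.er.cli.ent", made up)
# that reaches Phase 2 so the detector has a control case.
SAMPLE_LOG = """\
Apr 17 08:26:22 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: I am sending my cert
Apr 17 08:26:22 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 17 08:26:22 rio pluto[10427]: | NAT-T: new mapping cli.ent.ipa.ddr:500/3017)
Apr 17 08:26:22 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Apr 17 08:26:23 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Apr 17 08:26:25 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Apr 17 08:26:29 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
Apr 17 08:26:53 rio last message repeated 2 times
Apr 17 08:27:25 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: next payload type of ISAKMP Hash Payload has an unknown value: 208
Apr 17 08:27:25 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: malformed payload in packet
Apr 17 08:27:25 rio pluto[10427]: "L2TP-CERT-NAT"[3] cli.ent.ipa.ddr #3: sending notification PAYLOAD_MALFORMED to cli.ent.ipa.ddr:3017
Apr 17 08:30:01 rio pluto[10427]: "L2TP-CERT-NAT"[4] oth.er.cli.ent #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Apr 17 08:30:01 rio pluto[10427]: "L2TP-CERT-NAT"[4] oth.er.cli.ent #6: STATE_QUICK_R2: IPsec SA established {ESP=>0x0c8f3a21 <0x5d2e1b04 xfrm=3DES_0-HMAC_SHA1 NATD=oth.er.cli.ent:4500 DPD=none}
"""

# Shape of a pluto state line: syslog prefix, pluto[pid], "conn"[instance], peer, #sa-number, message.
# Debug lines ("| ...") and syslog "last message repeated" lines deliberately do not match.
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)


def parse_line(line):
    """Return the fields of a pluto state line as a dict, or None for lines we do not track."""
    m = PLUTO_RE.match(line)
    return m.groupdict() if m else None


def collect(log_text):
    """Aggregate, per (connection, peer), the counters that describe a stalled Main Mode exchange."""
    peers = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        st = peers.setdefault((rec["conn"], rec["peer"]), {
            "isakmp_established": False,  # we sent MR3, Phase 1 is complete on our side
            "dup_retransmits": 0,         # peer re-sent its MI3, i.e. it did not accept our MR3
            "exhausted": False,           # we gave up re-sending MR3
            "malformed": 0,               # packet we could not parse after decryption
            "ipsec_established": False,   # Phase 2 completed, the session is healthy
        })
        msg = rec["msg"]
        if "ISAKMP SA established" in msg:
            st["isakmp_established"] = True
        elif "retransmitting in response to duplicate packet" in msg:
            st["dup_retransmits"] += 1
        elif "exhausted retransmission" in msg:
            st["exhausted"] = True
        elif "unknown value" in msg or "malformed payload" in msg or "PAYLOAD_MALFORMED" in msg:
            st["malformed"] += 1
        elif "IPsec SA established" in msg:
            st["ipsec_established"] = True
    return peers


def diagnose(st):
    """Label one peer's counters. Labels are this example's own, not pluto terminology."""
    if st["ipsec_established"]:
        return "ok"
    if st["isakmp_established"] and (st["dup_retransmits"] >= 2 or st["exhausted"]):
        return "stalled-after-MR3-then-undecryptable" if st["malformed"] else "stalled-after-MR3"
    return "inconclusive"


def report(log_text):
    """Map each (connection, peer) seen in the log to its diagnosis label."""
    return {key: diagnose(st) for key, st in collect(log_text).items()}


if __name__ == "__main__":
    for (conn, peer), verdict in report(SAMPLE_LOG).items():
        print(f"{conn} {peer}: {verdict}")
```

What the flagged pattern says about the exchange: "retransmitting in response to duplicate packet; already STATE_MAIN_R3" means the gateway has already sent MR3 and keeps receiving the peer's previous Main Mode message again, so the peer never accepted MR3. MR3 is the message that carries the gateway's certificate ("I am sending my cert" just before it) and its RSA signature, so it is the largest message of the exchange and the one most likely to be IP-fragmented on the path. The later "next payload type ... unknown value" that changes from attempt to attempt is the gateway failing to parse whatever it decrypted. Whether per-packet load sharing is reordering or dropping those fragments somewhere between the two T1s and the client's NAT router is a hypothesis to confirm with a capture on both ends (UDP 500/4500 plus fragments); the script only isolates the sessions worth capturing.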