[Openswan Users] WG: Problems connecting to IPSec server

Jacco de Leeuw jacco2 at dds.nl
Fri Sep 21 19:21:12 EDT 2007

Martin Krellmann wrote:

> leftprotoport=17/%any

I'd say: use leftprotoport=17/1701 and phase out non-updated clients.

> Hardware RNG detected, testing if used properly                 [FAILED]
>   Hardware RNG is present but 'rngd' is not running.

Does your CPU have a hardware RNG on board?

>   No harware random used!

Cool, you found a typo in Openswan :-)

> NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]
>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>   or NETKEY will cause the sending of bogus ICMP redirects!
> NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]
>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>   or NETKEY will accept bogus ICMP redirects!

Better follow this advice.

> NAT is not involved in the test environment (i'm trying to connect on LAN to
> the server), but later it'll be necessary because the server is behind a
> firewall/router

No gear between the client and the server, except perhaps a switch or
a hub?

> decrypting 56 bytes using algorithm OAKLEY_3DES_CBC
> byte 2 of ISAKMP Hash Payload must be zero, but is not
> malformed payload in packet

Are all certificates generated by the same CA? Did you regenerate
your CA and used an old cert from the previous CA, perhaps?

> Vpn-log.html contains the output of the windows diagnostic log for the vpn
> connection attempt. Maybe this is useful, too.

It's in a weird format, Doesn't ring a bell with me. The Oakley.log might
be more interesting.

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl

More information about the Users mailing list