[Openswan Users] WG: Problems connecting to IPSec server

Martin Krellmann martin at krellmann.net
Fri Sep 28 08:04:18 EDT 2007


Hi.

Okay... I already had a new client certificate from my CA, so I've just
created a new certificate for the server (with CA.sh).
So now both certs are surely from the same CA.
The timestamps are now equal too.

But the error is still the same:
Sep 28 13:30:32 vpngate pluto[6185]: "l2tp-cert-orgWIN2KXP" #3: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 28 13:30:32 vpngate pluto[6185]: "l2tp-cert-orgWIN2KXP" #3: next payload type of ISAKMP Hash Payload has an unknown value: 126
Sep 28 13:30:32 vpngate pluto[6185]: "l2tp-cert-orgWIN2KXP" #3: malformed payload in packet
Sep 28 13:30:32 vpngate pluto[6185]: | payload malformed after IV
Sep 28 13:30:32 vpngate pluto[6185]: |   8c 9d 7b 15  9e 87 d5 37  d3 0a 67 2a  a4 16 52 63
Sep 28 13:30:32 vpngate pluto[6185]: |   73 46 47 40
Sep 28 13:30:32 vpngate pluto[6185]: "l2tp-cert-orgWIN2KXP" #3: sending notification PAYLOAD_MALFORMED to 192.168.10.11:500
Sep 28 13:30:32 vpngate pluto[6185]: "l2tp-cert-orgWIN2KXP" #3: byte 2 of ISAKMP Hash Payload must be zero, but is not
Sep 28 13:30:32 vpngate pluto[6185]: "l2tp-cert-orgWIN2KXP" #3: malformed payload in packet

I noticed that the IPsec daemon fails on startup in runlevel 3. I have to
start it manually after bootup.
Log: ipsec_setup: no default route, %defaultroute cannot cope!!!
Don't know if this prevents it from starting or operating.

Oh... btw, I imported the client cert with certimport, but it saves the cert
in the machine's trusted root CA store... So XP cannot find it for use with
the IPsec connection. I had to move it to the machine's and user's certificate
store before the Windows client found it.

Greetings
Martin.

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Martin Krellmann
Sent: Monday, 24 September 2007 23:50
To: 'Jacco de Leeuw'; users at openswan.org
Subject: Re: [Openswan Users] WG: Problems connecting to IPSec server

Hi.

Just to be sure I'll recreate the certificates... And will use certimport
for importing the client certificate.
I'll also check the time settings (yes, I'm in MESZ).

I'll post the results at the end of the week, because at the moment I have no
time to do this...

Thank you
Martin.

-----Original Message-----
From: Jacco de Leeuw [mailto:jacco2 at dds.nl]
Sent: Sunday, 23 September 2007 12:57
To: users at openswan.org
Subject: Re: [Openswan Users] WG: Problems connecting to IPSec server

Martin Krellmann wrote:

> I already checked that it is really there
> and the key is associated with the cert (I've created a pfx for the
> certificate installation on the client)

Are you absolutely sure it was issued by the same CA that issued the
server cert? Was the client cert imported to 'Computer Account'?
Are the clocks of the client and the server set correctly? The log
you sent was timestamped in the future (assuming your timezone is
CEST/MESZ).

> windows tells me at the connection attempt is: 786 ... failed
> ... Because no valid certificate was found on the computer.

Can you try certimport?
ftp://ftp.openswan.org/openswan/windows/certimport/

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
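
The two checks raised in this thread (were both certificates issued by the same CA, and does each peer's clock fall inside the certificates' validity period), as an added example that is not part of the original messages. It uses the openssl command-line tool on throwaway certificates generated on the spot; the names ca-a, ca-b, server, client-ok and client-bad are constructed.

```shell
#!/bin/sh
# Added example. All names (ca-a, ca-b, server, client-ok, client-bad) are constructed.

# verifies_at CA_PEM CERT_PEM EPOCH: succeeds only if CERT chains to CA and is
# inside its validity window as seen by a machine whose clock reads EPOCH.
verifies_at() {
    openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

# same_ca CA_PEM CERT_A CERT_B: succeeds only if both certs chain to CA right now.
same_ca() {
    now=$(date +%s)
    verifies_at "$1" "$2" "$now" && verifies_at "$1" "$3" "$now"
}

# make_ca NAME: throwaway self-signed CA (NAME.key, NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue CA NAME: certificate NAME.pem signed by CA.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

workdir=$(mktemp -d) && cd "$workdir" || exit 1
make_ca ca-a && make_ca ca-b || exit 1
issue ca-a server && issue ca-a client-ok && issue ca-b client-bad || exit 1

same_ca ca-a.pem server.pem client-ok.pem  && echo "server + client-ok: same CA"
same_ca ca-a.pem server.pem client-bad.pem || echo "server + client-bad: CA mismatch"

# A peer whose clock is a day behind sees the freshly issued cert as not yet valid.
skewed=$(( $(date +%s) - 86400 ))
verifies_at ca-a.pem server.pem "$skewed" || echo "server cert rejected at skewed clock"
```

On a real setup, point verifies_at at the CA certificate and at the server and client certificates actually deployed, instead of the generated files.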
