[Openswan Users] openswan with sonicwall, payload malformed

paul pantages pdp at centinasystems.com
Sat Sep 29 13:50:38 EDT 2007


Hello,

I am trying to get an ipsec vpn client connected to a SonicWall
appliance as per the instructions at:
http://wiki.openswan.org/index.php/Openswan/SonicWall

In particular, this page refs a tech note from SonicWall
http://www.sonicwall.com/downloads/SonicOS_Enhanced_to_Openswan_Using_GroupVPN_with_XAUTH.pdf

I am able to make it through phase I (reaching STATE_MAIN_I4) but get
the old "Hash Payload has an unknown value: xx" / PAYLOAD_MALFORMED
error. (below)

I am not prompted for uid/password,
so I am assuming that the preamble to the Xauth is what is failing.

I also saw the notes at
http://wiki.openswan.org/index.php/Openswan/QuickProblemSolvingGuide
and have switched to

    Basic Constraints: CA:TRUE
    keyUsage = cRLSign, keyCertSign, digitalSignature, *keyEncipherment

etc. in openssl.cnf as directed, but this did not change the behaviour
at all.

Any ideas would be much appreciated.

Thank you, PdP

8<-------------------------------------------------------------------------------------------------------------
Client Side:

> uname -a
Linux rigel 2.6.20-1.2962.fc6 #1 SMP Tue Jun 19 18:50:05 EDT 2007 x86_64
x86_64 x86_64 GNU/Linux

> ipsec version
Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)
See `ipsec --copyright' for copyright information.

Sonicwall:

PRO 1260 Enhanced
SonicOS Enhanced 3.2.3.0-6e
SonicROM 3.1.0.4

8<-------------------------------------------------------------------------------------------------------------

[root at rigel pdp]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
[root at rigel pdp]#

8<-------------------------------------------------------------------------------------------------------------

conn myclient
      left=172.16.1.35
      leftsubnet=172.16.1.35/32
      leftxauthclient=yes
      right=sonicwall.wan.addr
      rightsubnet=172.30.0.0/24     # corporate private network
      rightxauthserver=yes
      keyingtries=1
      pfs=no
      auto=add
      auth=esp
      esp=3des-sha1
      ike=3des-sha1
      xauth=yes
      authby=secret
      aggrmode=no
      rightid=@sonicwall.unique.firewall.identifier

8<-------------------------------------------------------------------------------------------------------------

[root at rigel cisco-vpnclient]# ipsec whack --name myclient --xauthuser
user --xauthpass pass --initiate

002 "myclient" #1: initiating Main Mode
104 "myclient" #1: STATE_MAIN_I1: initiate
003 "myclient" #1: ignoring unknown Vendor ID payload [5b362bc820f60003]
003 "myclient" #1: received Vendor ID payload [RFC 3947] method set to=110
002 "myclient" #1: enabling possible NAT-traversal with method 3
002 "myclient" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
106 "myclient" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "myclient" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "myclient" #1: received Vendor ID payload [XAUTH]
003 "myclient" #1: received Vendor ID payload [Dead Peer Detection]
002 "myclient" #1: I did not send a certificate because I do not have one.
003 "myclient" #1: NAT-Traversal: Result using 3: i am NATed
002 "myclient" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "myclient" #1: Mode Config message is unacceptable because it is for
an incomplete ISAKMP SA (state=STATE_MAIN_I3)
010 "myclient" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
002 "myclient" #1: Main mode peer ID is ID_FQDN:
'@sonicwall.unique.firewall.identifier'
002 "myclient" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
004 "myclient" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
003 "myclient" #1: next payload type of ISAKMP Hash Payload has an
unknown value: 120
003 "myclient" #1: malformed payload in packet
002 "myclient" #1: sending notification PAYLOAD_MALFORMED to
sonicwall.wan.addr:4500
003 "myclient" #1: next payload type of ISAKMP Hash Payload has an
unknown value: 120
003 "myclient" #1: malformed payload in packet
002 "myclient" #1: sending notification PAYLOAD_MALFORMED to
sonicwall.wan.addr:4500

8<-------------------------------------------------------------------------------------------------------------
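
The Python below is an added example, not code from Openswan or from this post: it walks an ISAKMP message's payload chain the way pluto does before it can act on a Mode Config / XAUTH exchange, using the header layout from RFC 2408 (28-byte ISAKMP header, 4-byte generic payload header: next payload, reserved, length). It reproduces the kind of check that produces "next payload type of ISAKMP Hash Payload has an unknown value: 120" in the log above. The two sample messages are constructed by hand (the cookies, message ID and attribute body are placeholders); the Attribute payload code 14 comes from the ISAKMP mode-config draft and NAT-D/NAT-OA 20/21 from RFC 3947, and the payload-name table is otherwise the RFC 2408 set.

```python
"""Walk an ISAKMP payload chain and flag unknown next-payload codes.

Added example, not part of the original post or of Openswan. Offsets
follow RFC 2408 (ISAKMP header, section 3.1; generic payload header,
section 3.2). Sample messages below are constructed by hand.
"""
import struct

ISAKMP_HDR_LEN = 28
GENERIC_HDR_LEN = 4
ISAKMP_HDR_FMT = "!8s8sBBBBII"   # icookie, rcookie, next, version, xchg, flags, msgid, length
GENERIC_HDR_FMT = "!BBH"          # next payload, reserved, payload length

# Next-payload codes: RFC 2408 section 3.1, plus Attribute (14, mode-config
# draft) and NAT-D / NAT-OA (20 / 21, RFC 3947). Anything else is "unknown".
PAYLOAD_NAMES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D",
    13: "VID", 14: "ATTR", 20: "NAT-D", 21: "NAT-OA",
}


def build_message(payloads, exchange_type=6, bad_next=None):
    """Build an ISAKMP message from (payload_type, body) pairs.

    Each generic header's next-payload field points at the following
    payload; the last one gets 0 (NONE). bad_next maps a payload index to
    a next-payload value to write instead, so a broken chain can be built.
    exchange_type 6 is the Transaction (mode-config) exchange.
    """
    bad_next = bad_next or {}
    body_bytes = b""
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        nxt = bad_next.get(i, nxt)
        body_bytes += struct.pack(GENERIC_HDR_FMT, nxt, 0,
                                  GENERIC_HDR_LEN + len(body)) + body
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack(ISAKMP_HDR_FMT, b"\x11" * 8, b"\x22" * 8,   # placeholder cookies
                      first, 0x10, exchange_type, 0x01, 1,        # v1.0, encrypted flag, msgid 1
                      ISAKMP_HDR_LEN + len(body_bytes))
    return hdr + body_bytes


def walk_payloads(msg):
    """Return [(payload_name, length), ...] for a well-formed chain.

    Raises ValueError, with a pluto-style message, on an unknown
    next-payload code, a bad length, or a truncated packet.
    """
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    (_ic, _rc, nxt, _ver, _xchg, _flags, _msgid,
     total_len) = struct.unpack(ISAKMP_HDR_FMT, msg[:ISAKMP_HDR_LEN])
    if total_len != len(msg):
        raise ValueError("ISAKMP header length %d != packet length %d"
                         % (total_len, len(msg)))
    chain = []
    off = ISAKMP_HDR_LEN
    prev = "ISAKMP Header"
    while nxt != 0:
        if nxt not in PAYLOAD_NAMES:
            raise ValueError("next payload type of %s has an unknown value: %d"
                             % (prev, nxt))
        if off + GENERIC_HDR_LEN > len(msg):
            raise ValueError("truncated generic payload header")
        following, _reserved, plen = struct.unpack(
            GENERIC_HDR_FMT, msg[off:off + GENERIC_HDR_LEN])
        if plen < GENERIC_HDR_LEN or off + plen > len(msg):
            raise ValueError("%s payload length %d runs past end of packet"
                             % (PAYLOAD_NAMES[nxt], plen))
        chain.append((PAYLOAD_NAMES[nxt], plen))
        prev = "ISAKMP %s Payload" % PAYLOAD_NAMES[nxt]
        off += plen
        nxt = following
    if off != len(msg):
        raise ValueError("%d trailing bytes after last payload" % (len(msg) - off))
    return chain


# Constructed mode-config request: HASH (20-byte SHA-1 placeholder) then an
# Attribute payload whose body (type/reserved/identifier) is left opaque.
SAMPLE_PAYLOADS = [(8, b"\xaa" * 20), (14, b"\x01\x00\x00\x01")]


def demo_good():
    """Well-formed chain: HASH -> ATTR -> NONE."""
    return walk_payloads(build_message(SAMPLE_PAYLOADS))


def demo_bad():
    """Same message, but HASH's next-payload field says 120."""
    try:
        walk_payloads(build_message(SAMPLE_PAYLOADS, bad_next={0: 120}))
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print(demo_good())
    print(demo_bad())
```

Running it prints the good chain as `[('HASH', 24), ('ATTR', 8)]` and, for the broken one, the same complaint pluto logs above; the point is that the receiver never gets as far as reading the Attribute payload (and so never prompts for XAUTH credentials) once the Hash payload's next-payload byte is outside the table it knows.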
