[Openswan Users] PAYLOAD_MALFORMED error with cisco PIX
Tharanga
tharanga at roomsnet.com
Thu Jun 5 21:48:39 EDT 2008
Hi Peter,
Thanks for the mail, and I have verified all the settings with the Cisco end.
I have changed my esp and ike settings as follows.
esp=3des-sha1-modp1535
ike=3des-sha1-modp1535
Now it's not starting; it says
Jun 6 07:07:29 SMS-GW ipsec__plutorun: 034 esp string error: modp group not found, enc_alg="3des", auth_alg="sha1", modp="modp1535"
Jun 6 07:07:29 SMS-GW ipsec__plutorun: ...could not add conn "tunnelipsec"
Jun 6 07:07:29 SMS-GW ipsec__plutorun: 021 no connection named "tunnelipsec"
Jun 6 07:07:29 SMS-GW ipsec__plutorun: ...could not route conn "tunnelipsec"
Jun 6 07:07:29 SMS-GW ipsec__plutorun: 021 no connection named "tunnelipsec"
Jun 6 07:07:29 SMS-GW ipsec__plutorun: ...could not start conn "tunnelipsec"
Should it be modp1535 or 1536?
Please let me know.
Many thanks,
Tharanga
Tharanga,
Check that all your settings match the other end, including...
Aggressive Mode: Off (aggrmode=no, note: turning this on decreases security.)
Perfect Forward Secrecy: Off (pfs=no, note: turning this on increases security.)
Phase1 & Phase2: 3DES SHA1 Diffie Hellman Group 5 (ike=3des-sha1-modp1535 and esp=3des-sha1, note esp does not show the dh group, instead it inherits the dh group from phase1/ike.)
No NAT-T, each IPSec endpoint has a public internet IP address.
Key in ipsec.secrets is specified by ip addresses of endpoints, not hostname/ids. (This is a limitation of psk keys.)
left and right are the public internet ip addresses of the two ipsec computers.
leftsubnet and rightsubnet are private lan networks behind the ipsec computers.
Are you sure you intended to comment out the leftsubnet line?
(leftsubnet defaults to left, if not specified.)
Also aggrmode defaults to no, if not specified.
Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
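The "modp group not found" failure above comes from pluto rejecting a DH group name it does not know. The following is an added example, not Openswan's own parser or anything from either poster: it pre-checks ike=/esp= proposal strings the same way, and maps IKE Diffie-Hellman group numbers as a Cisco peer displays them (group 5 is the 1536-bit MODP group, RFC 3526) to the modpNNNN names Openswan expects. The algorithm lists are a small subset chosen for the example.

```python
import re

# IANA IKE Diffie-Hellman group number -> Openswan modp name (RFC 2409 / RFC 3526).
# Added example, not Openswan's own parser; the algorithm lists are a small subset.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
KNOWN_MODP = set(DH_GROUPS.values())
ENC_ALGS = {"3des", "aes", "aes128", "aes256"}
AUTH_ALGS = {"md5", "sha1"}


def modp_for_group(group: int) -> str:
    """Translate the DH group number shown on the peer (e.g. Cisco 'group 5')."""
    if group not in DH_GROUPS:
        raise ValueError(f"unsupported DH group {group}")
    return DH_GROUPS[group]


def check_proposal(kind: str, proposal: str) -> list:
    """Return problems in one ike=/esp= proposal such as '3des-sha1-modp1536'.

    kind is 'ike' or 'esp'; an empty list means the string parses cleanly."""
    parts = proposal.split("-")
    if not 2 <= len(parts) <= 3:
        return [f"{kind}: expected enc-auth[-modp], got {proposal!r}"]
    problems = []
    if parts[0] not in ENC_ALGS:
        problems.append(f"{kind}: unknown encryption algorithm {parts[0]!r}")
    if parts[1] not in AUTH_ALGS:
        problems.append(f"{kind}: unknown authentication algorithm {parts[1]!r}")
    if len(parts) == 3 and parts[2] not in KNOWN_MODP:
        msg = f"{kind} string error: modp group not found, modp={parts[2]!r}"
        m = re.fullmatch(r"modp(\d+)", parts[2])
        if m:  # point at the nearest real group so a typo like modp1535 stands out
            nearest = min(KNOWN_MODP, key=lambda n: abs(int(n[4:]) - int(m.group(1))))
            msg += f" (did you mean {nearest}?)"
        problems.append(msg)
    return problems


if __name__ == "__main__":
    # Constructed sample: the two lines from the post above, checked before pluto sees them.
    for line in ("ike=3des-sha1-modp1535", "esp=3des-sha1-modp1535"):
        kind, _, value = line.partition("=")
        print(line, "->", "; ".join(check_proposal(kind, value)) or "ok")
    print("Cisco DH group 5 ->", modp_for_group(5))
```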