[Openswan Users] Problem with Openswan 2.4.6 and WinXP roadwarrior PAYLOAD_MALFORMED

Frank Schmirler osusers at schmirler.de
Fri Jun 27 09:07:43 EDT 2008


On Thu, 26 Jun 2008 16:01:40 +0200, beheer wrote
> * Unable to connect (public IP yy.yy.yy.yy):

Here the first packet came in using the NATT port 61347:

> Jun 25 10:37:14 vpnserver pluto[5586]: "roadwarrior-cert-net"[56] 
> yy.yy.yy.yy #102: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> 
> Jun 25 10:37:14 vpnserver pluto[5586]: | NAT-T: new mapping 
> yy.yy.yy.yy:173/61374)

And here Openswan sends out its first reply using port 61347:

> Jun 25 10:37:14 vpnserver pluto[5586]: "roadwarrior-cert-net"[56] 
> yy.yy.yy.yy #102: STATE_MAIN_R3: sent MR3, ISAKMP SA established 
> {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}

But the client keeps retransmitting the previous message, so obviously
Openswan's first port 61347 didn't reach the client:

> Jun 25 10:37:16 vpnserver pluto[5586]: "roadwarrior-cert-net"[56] 
> yy.yy.yy.yy #102: retransmitting in response to duplicate packet; 
> already STATE_MAIN_R3
> Jun 25 10:37:18 vpnserver pluto[5586]: "roadwarrior-cert-net"[56] 
> yy.yy.yy.yy #102: retransmitting in response to duplicate packet; 
> already STATE_MAIN_R3
> Jun 25 10:37:22 vpnserver pluto[5586]: "roadwarrior-cert-net"[56] 
> yy.yy.yy.yy #102: discarding duplicate packet -- exhausted 
> retransmission; already STATE_MAIN_R3

> I see that in the failing case the ports are not 500 and 4500. Can that 
> be the cause? The same laptop can connect from other networks, so I 
> think it is something on the firewall/router of the other network-end. 
> Any ideas?

Probably some firewall issue, yes.

Frank
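
Added example, not part of the original message or of Openswan: a small Python triage script that flags the log pattern walked through above, where pluto sends MR3 but the peer keeps resending its previous message until retransmission is exhausted. The function name and the sample lines are assumptions; the sample is constructed from the log excerpts quoted in this message (unwrapped to one line each) plus one constructed healthy SA for contrast.

```python
import re
from collections import defaultdict

# pluto line shape: "conn"[instance] peer #sa: message
LINE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)'
)

def find_stalled_main_mode(lines):
    """Return SAs where MR3 was sent but the peer never moved on:
    duplicates kept arriving until pluto gave up retransmitting."""
    state = defaultdict(lambda: {"mr3": False, "dups": 0, "exhausted": False})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # debug lines ("| NAT-T: ...") and other daemons
        key = (m["conn"], m["peer"], m["sa"])
        msg = m["msg"]
        if "sent MR3" in msg:
            state[key]["mr3"] = True
        elif "retransmitting in response to duplicate packet" in msg:
            state[key]["dups"] += 1
        elif "discarding duplicate packet" in msg and "exhausted" in msg:
            state[key]["exhausted"] = True
    return [
        {"conn": c, "peer": p, "sa": s, "duplicates": v["dups"]}
        for (c, p, s), v in state.items()
        if v["mr3"] and v["exhausted"]
    ]

# Constructed sample: SA #102 follows the excerpts quoted above,
# SA #101 (peer xx.xx.xx.xx) is a made-up healthy exchange.
P = 'Jun 25 10:37:%s vpnserver pluto[5586]: "roadwarrior-cert-net"[%s] %s #%s: %s'
SAMPLE = [
    P % ("02", "55", "xx.xx.xx.xx", "101", "STATE_MAIN_R3: sent MR3, ISAKMP SA established"),
    P % ("14", "56", "yy.yy.yy.yy", "102", "transition from state STATE_MAIN_R2 to state STATE_MAIN_R3"),
    P % ("14", "56", "yy.yy.yy.yy", "102", "STATE_MAIN_R3: sent MR3, ISAKMP SA established"),
    P % ("16", "56", "yy.yy.yy.yy", "102", "retransmitting in response to duplicate packet; already STATE_MAIN_R3"),
    P % ("18", "56", "yy.yy.yy.yy", "102", "retransmitting in response to duplicate packet; already STATE_MAIN_R3"),
    P % ("22", "56", "yy.yy.yy.yy", "102", "discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3"),
]

if __name__ == "__main__":
    for hit in find_stalled_main_mode(SAMPLE):
        print(hit)
```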


