[Openswan Users] Openswan and Netgear SRXN3205

JT Edwards tstrike34 at gmail.com
Sun Aug 23 19:20:40 EDT 2009


I think I almost got this thing licked.... I built certs and applied them to the cacert and certs directory... My ipsec.conf looks like this (IPs hidden to protect the innocent):

##################### openswan config ##########################
# file: /etc/ipsec.conf
#
# openswan config for connecting openswan <-> netgear srxn3250

version 2.0     # conforms to version 2.0 and newer

config setup
    plutodebug="none"

conn srxn3250
    type=tunnel
    authby=secret
    keyexchange=ike
    auto=start
    pfs=no
    aggrmode=yes
    ike=3des-sha1-modp1024
    esp=3des-sha1
    # LOCAL
    left=%defaultroute
    leftsubnet=192.168.22.0/24
    leftid=me at test1.me.org
    # REMOTE
    right=nextwave.org
    rightsubnet=192.168.0.0/24
    rightnexthop=%defaultroute   # might be not necessary
    rightid=tstrike29 at tordenlyn.org
###############################################################


################# openswan preshared key ######################
# file: /etc/ipsec.secrets
#
: PSK "yuckmiestersblahblah"

###############################################################


Ok I have the cert loaded into the Netgear router... I configured its mode as aggressive and lined it up to match the settings from Openswan... when I make the VPN connection I get these in my secure log:

ransition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 22 12:06:08 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 22 12:06:09 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3: ignoring Vendor ID payload [KAME/racoon]
Aug 22 12:06:09 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3: I am sending my cert
Aug 22 12:06:09 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3: I am sending a certificate request
Aug 22 12:06:09 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 22 12:06:09 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 22 12:06:09 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3: next payload type of ISAKMP Hash Payload has an unknown value: 61
Aug 22 12:06:09 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3: malformed payload in packet
Aug 22 12:06:09 whiskers8 pluto[18642]: | payload malformed after IV
Aug 22 12:06:09 whiskers8 pluto[18642]: |   31 8a 4a f0  bd 04 24 f0
Aug 22 12:06:09 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3: sending notification PAYLOAD_MALFORMED to 12.234.22.224:500
Aug 22 12:06:19 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3: discarding duplicate packet; already STATE_MAIN_I3
Aug 22 12:06:59 whiskers8 last message repeated 4 times
Aug 22 12:07:19 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Aug 22 13:31:29 whiskers8 pluto[18642]: shutting down
Aug 22 13:31:29 whiskers8 pluto[18642]: forgetting secrets
Aug 22 13:31:29 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear": deleting connection
Aug 22 13:31:29 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear": request to delete a unrouted policy with netkey kernel --- experimental
Aug 22 13:31:29 whiskers8 pluto[18642]: shutting down interface lo/lo ::1:500
Aug 22 13:31:29 whiskers8 pluto[18642]: shutting down interface lo/lo 127.0.0.1:4500
Aug 22 13:31:29 whiskers8 pluto[18642]: shutting down interface lo/lo 127.0.0.1:500
Aug 22 13:31:29 whiskers8 pluto[18642]: shutting down interface virbr0/virbr0 192.168.122.1:4500
Aug 22 13:31:29 whiskers8 pluto[18642]: shutting down interface virbr0/virbr0 192.168.122.1:500
Aug 22 13:31:29 whiskers8 pluto[18642]: shutting down interface eth0/eth0 22.123.34.56:4500
Aug 22 13:31:29 whiskers8 pluto[18642]: shutting down interface eth0/eth0 22.123.34.56:500
Aug 22 13:32:08 whiskers8 sshd[1899]: Accepted password for root from 12.234.22.224 port 55104 ssh2
Aug 22 13:32:08 whiskers8 sshd[1899]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 22 13:32:53 whiskers8 sshd[2776]: Accepted password for root from 12.234.22.224 port 55124 ssh2
Aug 22 13:32:53 whiskers8 sshd[2776]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 22 13:39:50 whiskers8 ipsec__plutorun: Starting Pluto subsystem...
Aug 22 13:39:50 whiskers8 pluto[9419]: Starting Pluto (Openswan Version 2.6.14; Vendor ID OEoSJUweaqAX) pid:9419
Aug 22 13:39:50 whiskers8 pluto[9419]: Setting NAT-Traversal port-4500 floating to on
Aug 22 13:39:50 whiskers8 pluto[9419]:    port floating activation criteria nat_t=1/port_float=1
Aug 22 13:39:50 whiskers8 pluto[9419]:    including NAT-Traversal patch (Version 0.6c)
Aug 22 13:39:50 whiskers8 pluto[9419]: using /dev/urandom as source of random entropy
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug 22 13:39:50 whiskers8 pluto[9419]: starting up 3 cryptographic helpers
Aug 22 13:39:50 whiskers8 pluto[9425]: using /dev/urandom as source of random entropy
Aug 22 13:39:50 whiskers8 pluto[9419]: started helper pid=9425 (fd:7)
Aug 22 13:39:50 whiskers8 pluto[9427]: using /dev/urandom as source of random entropy
Aug 22 13:39:50 whiskers8 pluto[9419]: started helper pid=9427 (fd:8)
Aug 22 13:39:50 whiskers8 pluto[9433]: using /dev/urandom as source of random entropy
Aug 22 13:39:50 whiskers8 pluto[9419]: started helper pid=9433 (fd:9)
Aug 22 13:39:50 whiskers8 pluto[9419]: Using Linux 2.6 IPsec interface code on 2.6.18-128.2.1.el5xen (experimental code)
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_add(): ERROR: Algorithm already exists
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_add(): ERROR: Algorithm already exists
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_add(): ERROR: Algorithm already exists
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_add(): ERROR: Algorithm already exists
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_add(): ERROR: Algorithm already exists
Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 22 13:39:50 whiskers8 pluto[9419]: Changed path to directory '/etc/ipsec.d/cacerts'
Aug 22 13:39:50 whiskers8 pluto[9419]:   loaded CA cert file 'ca-cert.pem' (1114 bytes)
Aug 22 13:39:50 whiskers8 pluto[9419]:   no passphrase available
Aug 22 13:39:50 whiskers8 pluto[9419]: Could not change to directory '/etc/ipsec.d/aacerts': /
Aug 22 13:39:50 whiskers8 pluto[9419]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Aug 22 13:39:50 whiskers8 pluto[9419]: Could not change to directory '/etc/ipsec.d/crls'
Aug 22 13:39:50 whiskers8 pluto[9419]: Changing back to directory '/' failed - (2 No such file or directory)
Aug 22 13:39:50 whiskers8 pluto[9419]: Changing back to directory '/' failed - (2 No such file or directory)
Aug 22 13:39:50 whiskers8 pluto[9419]: loading certificate from ca-crl.pem 
Aug 22 13:39:50 whiskers8 pluto[9419]:   loaded host cert file '/etc/ipsec.d/certs/ca-crl.pem' (2476 bytes)
Aug 22 13:39:50 whiskers8 pluto[9419]: added connection description "openswan-whiskers8-whiskerslyn-netgear"
Aug 22 13:39:50 whiskers8 pluto[9419]: listening for IKE messages
Aug 22 13:39:50 whiskers8 pluto[9419]: adding interface eth0/eth0 22.123.34.56:500
Aug 22 13:39:50 whiskers8 pluto[9419]: adding interface eth0/eth0 22.123.34.56:4500
Aug 22 13:39:50 whiskers8 pluto[9419]: adding interface virbr0/virbr0 192.168.122.1:500
Aug 22 13:39:50 whiskers8 pluto[9419]: adding interface virbr0/virbr0 192.168.122.1:4500
Aug 22 13:39:50 whiskers8 pluto[9419]: adding interface lo/lo 127.0.0.1:500
Aug 22 13:39:50 whiskers8 pluto[9419]: adding interface lo/lo 127.0.0.1:4500
Aug 22 13:39:50 whiskers8 pluto[9419]: adding interface lo/lo ::1:500
Aug 22 13:39:50 whiskers8 pluto[9419]: loading secrets from "/etc/ipsec.secrets"
Aug 22 13:39:50 whiskers8 pluto[9419]: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Aug 22 13:39:50 whiskers8 pluto[9419]:   loaded private key file '/etc/ipsec.d/openswan.pem' (887 bytes)
Aug 22 13:39:50 whiskers8 pluto[9419]: loaded private key for keyid: PPK_RSA:AwEAAejdU
Aug 22 13:39:50 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 22 13:39:50 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: initiating Main Mode
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: ignoring Vendor ID payload [KAME/racoon]
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: ignoring Vendor ID payload [KAME/racoon]
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: I am sending my cert
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: I am sending a certificate request
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: next payload type of ISAKMP Hash Payload has an unknown value: 67
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: malformed payload in packet
Aug 22 13:39:51 whiskers8 pluto[9419]: | payload malformed after IV
Aug 22 13:39:51 whiskers8 pluto[9419]: |   6b c1 3c 13  9b 4f 55 03
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: sending notification PAYLOAD_MALFORMED to 12.234.22.224:500
Aug 22 13:40:01 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: discarding duplicate packet; already STATE_MAIN_I3
Aug 22 13:40:41 whiskers8 last message repeated 4 times
Aug 22 13:41:01 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Aug 22 13:41:01 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: starting keying attempt 2 of at most 3
Aug 22 13:41:01 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: initiating Main Mode to replace #1
Aug 22 13:41:01 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
Aug 22 13:41:01 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: ignoring Vendor ID payload [KAME/racoon]
Aug 22 13:41:01 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 22 13:41:01 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 22 13:41:02 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: ignoring Vendor ID payload [KAME/racoon]
Aug 22 13:41:02 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: I am sending my cert
Aug 22 13:41:02 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: I am sending a certificate request
Aug 22 13:41:02 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 22 13:41:02 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 22 13:41:02 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: next payload type of ISAKMP Hash Payload has an unknown value: 65
Aug 22 13:41:02 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: malformed payload in packet
Aug 22 13:41:02 whiskers8 pluto[9419]: | payload malformed after IV
Aug 22 13:41:02 whiskers8 pluto[9419]: |   e7 c7 a5 28  42 12 59 b4
Aug 22 13:41:02 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: sending notification PAYLOAD_MALFORMED to 12.234.22.224:500


Aug 22 13:41:12 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: discarding duplicate packet; already STATE_MAIN_I3
Aug 22 13:41:52 whiskers8 last message repeated 4 times
Aug 22 13:42:12 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Aug 22 13:42:12 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: starting keying attempt 3 of at most 3
Aug 22 13:42:12 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #3: initiating Main Mode to replace #2
Aug 22 13:42:12 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #3: ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
Aug 22 13:42:12 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #3: ignoring Vendor ID payload [KAME/racoon]
Aug 22 13:42:12 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 22 13:42:12 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #3: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 22 13:42:13 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #3: ignoring Vendor ID payload [KAME/racoon]
Aug 22 13:42:13 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #3: I am sending my cert
Aug 22 13:42:13 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #3: I am sending a certificate request
Aug 22 13:42:13 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 22 13:42:13 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #3: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 22 13:42:13 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #3: byte 2 of ISAKMP Hash Payload must be zero, but is not
Aug 22 13:42:13 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #3: malformed payload in packet
Aug 22 13:42:13 whiskers8 pluto[9419]: | payload malformed after IV
Aug 22 13:42:13 whiskers8 pluto[9419]: |   94 39 d3 e8  8f b2 15 46
Aug 22 13:42:13 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #3: sending notification PAYLOAD_MALFORMED to 12.234.22.224:500

Ok this is what I get from Netgear:

2009 Aug 22 13:39:50 [SRXN3205] [IKE] Configuration found for 22.123.34.56[500]._
2009 Aug 22 13:39:50 [SRXN3205] [IKE] Received request for new phase 1 negotiation: 12.234.22.224[500]<=>22.123.34.56[500]_
2009 Aug 22 13:39:50 [SRXN3205] [IKE] Beginning Identity Protection mode._
2009 Aug 22 13:39:50 [SRXN3205] [IKE] Received unknown Vendor ID_
                - Last output repeated 3 times -
2009 Aug 22 13:39:50 [SRXN3205] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Aug 22 13:39:50 [SRXN3205] [IKE] Received unknown Vendor ID_
2009 Aug 22 13:39:51 [SRXN3205] [IKE] _
2009 Aug 22 13:39:51 [SRXN3205] [IKE] failed to get subjectAltName_
2009 Aug 22 13:39:51 [SRXN3205] [IKE] Sending Informational Exchange: notify payload[INVALID-CERTIFICATE]_
2009 Aug 22 13:39:51 [SRXN3205] [IKE] Ignore information because the message has no hash payload._
2009 Aug 22 13:40:01 [SRXN3205] [IKE] Received Malformed packet of payload length 47129 and total length 896._
                - Last output repeated twice -
2009 Aug 22 13:40:51 [SRXN3205] [IKE] Phase 1 negotiation failed due to time up for 22.123.34.56[500]. 68d87053cd47ca7d:f63c79f3ab9eb9f0_
2009 Aug 22 13:41:01 [SRXN3205] [IKE] Configuration found for 22.123.34.56[500]._
2009 Aug 22 13:41:01 [SRXN3205] [IKE] Received request for new phase 1 negotiation: 12.234.22.224[500]<=>22.123.34.56[500]_
2009 Aug 22 13:41:01 [SRXN3205] [IKE] Beginning Identity Protection mode._
2009 Aug 22 13:41:01 [SRXN3205] [IKE] Received unknown Vendor ID_
                - Last output repeated 3 times -
2009 Aug 22 13:41:01 [SRXN3205] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Aug 22 13:41:01 [SRXN3205] [IKE] Received unknown Vendor ID_
2009 Aug 22 13:41:02 [SRXN3205] [IKE] _
2009 Aug 22 13:41:02 [SRXN3205] [IKE] failed to get subjectAltName_
2009 Aug 22 13:41:02 [SRXN3205] [IKE] Sending Informational Exchange: notify payload[INVALID-CERTIFICATE]_
2009 Aug 22 13:41:02 [SRXN3205] [IKE] Ignore information because the message has no hash payload._
2009 Aug 22 13:41:12 [SRXN3205] [IKE] Received Malformed packet of payload length 3943 and total length 896._
                - Last output repeated twice -
2009 Aug 22 13:42:02 [SRXN3205] [IKE] Phase 1 negotiation failed due to time up for 22.123.34.56[500]. e402c68e7572d7ff:8b4106bf8a772257_
2009 Aug 22 13:42:12 [SRXN3205] [IKE] Configuration found for 22.123.34.56[500]._
2009 Aug 22 13:42:12 [SRXN3205] [IKE] Received request for new phase 1 negotiation: 12.234.22.224[500]<=>22.123.34.56[500]_
2009 Aug 22 13:42:12 [SRXN3205] [IKE] Beginning Identity Protection mode._
2009 Aug 22 13:42:12 [SRXN3205] [IKE] Received unknown Vendor ID_
                - Last output repeated 3 times -
2009 Aug 22 13:42:12 [SRXN3205] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Aug 22 13:42:12 [SRXN3205] [IKE] Received unknown Vendor ID_
2009 Aug 22 13:42:13 [SRXN3205] [IKE] _
2009 Aug 22 13:42:13 [SRXN3205] [IKE] failed to get subjectAltName_
2009 Aug 22 13:42:13 [SRXN3205] [IKE] Sending Informational Exchange: notify payload[INVALID-CERTIFICATE]_
2009 Aug 22 13:42:13 [SRXN3205] [IKE] Ignore information because the message has no hash payload._
2009 Aug 22 13:42:23 [SRXN3205] [IKE] Received Malformed packet of payload length 10579 and total length 896._
                - Last output repeated twice -
2009 Aug 22 13:43:13 [SRXN3205] [IKE] Phase 1 negotiation failed due to time up for 22.123.34.56[500]. 4534cc75d0e8c5f5:5d9a4bd2419acb90_


Did I completely screw something up in my config?

Wait there is more, ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.14/K2.6.18-128.2.1.el5xen (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: whiskers8.me.org [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 6.137.198.209.in-addr.arpa. [MISSING]


Did I screw this up?

JT
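
A way to cross-check the posted ipsec.conf against the two logs, as an added example that is not part of the original post: it parses the conn section, flags options that the pluto log contradicts, and pulls the first failure line from each side. The sample strings are excerpts copied from the post; the function names are hypothetical.

```python
import re

# Constructed sample: settings and log lines copied from the post above.
IPSEC_CONF = """\
conn srxn3250
    authby=secret
    aggrmode=yes
"""
PLUTO_LOG = """\
Aug 22 13:39:50 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: initiating Main Mode
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: I am sending my cert
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: next payload type of ISAKMP Hash Payload has an unknown value: 67
Aug 22 13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: malformed payload in packet
"""
NETGEAR_LOG = """\
2009 Aug 22 13:39:50 [SRXN3205] [IKE] Beginning Identity Protection mode._
2009 Aug 22 13:39:50 [SRXN3205] [IKE] Received unknown Vendor ID_
2009 Aug 22 13:39:51 [SRXN3205] [IKE] failed to get subjectAltName_
2009 Aug 22 13:39:51 [SRXN3205] [IKE] Sending Informational Exchange: notify payload[INVALID-CERTIFICATE]_
"""

FAILURE = re.compile(r"unknown value|malformed|failed to get|INVALID-", re.I)
EVENT = re.compile(r"(\d\d:\d\d:\d\d) .*?(?:#\d+: |\[IKE\] )(.*)")


def conn_settings(conf):
    """Return {conn name: {option: value}} for every conn section."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header: "conn NAME" or "config setup"
            words = line.split()
            is_conn = words[0] == "conn" and len(words) > 1
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns


def config_vs_log(conf, pluto_log):
    """List contradictions between the posted config and what pluto logged."""
    conns = conn_settings(conf)
    logged = set(re.findall(r'pluto\[\d+\]: "([^"]+)" #\d+:', pluto_log))
    findings = [f'pluto ran conn "{n}", which is not in the posted config'
                for n in sorted(logged - set(conns))]
    for name, opts in conns.items():
        if opts.get("aggrmode") == "yes" and "initiating Main Mode" in pluto_log:
            findings.append(f"{name}: aggrmode=yes, but pluto initiated Main Mode")
        if opts.get("authby") == "secret" and "I am sending my cert" in pluto_log:
            findings.append(f"{name}: authby=secret, but pluto sent a certificate")
    return findings


def first_failure(log):
    """Return (time, message) of the first failure-looking line, or None."""
    for line in log.splitlines():
        m = EVENT.search(line)
        if m and FAILURE.search(m.group(2)):
            return m.group(1), m.group(2).rstrip("_ ")
    return None


if __name__ == "__main__":
    for finding in config_vs_log(IPSEC_CONF, PLUTO_LOG):
        print("config/log mismatch:", finding)
    print("first pluto failure:  ", first_failure(PLUTO_LOG))
    print("first Netgear failure:", first_failure(NETGEAR_LOG))
```

Both logs have one-second resolution, so the two first failures at 13:39:51 cannot be ordered from timestamps alone.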


