[Openswan Users] Netgear FVS318, PAYLOAD_MALFORMED
Petrik Salovaara
petrik.salovaara at solotes.fi
Sat Jan 17 08:25:05 EST 2009
Greetings,
I am trying to get a VPN connection between Openswan and a Netgear FVS318 using PSK.
My openswan linux box currently works fine with another openswan linux box and
several roadwarriors using certificates. I have followed instructions on
http://wiki.openswan.org/index.php/Openswan/NetGearFVS318 without success.
Bottom line is that Openswan reports "PAYLOAD_MALFORMED" in STATE_MAIN_I3.
Any help is appreciated.
Here's the config in openswan:
>
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
> config setup
>     #plutodebug=all
>     #plutoload=%search
>     #plutostart=%search
>     interfaces=%defaultroute
>     klipsdebug=none
>     nat_traversal=yes
>     plutodebug=none
>     strictcrlpolicy=no
>     uniqueids=yes
>     virtual_private=%v4:192.168.239.0/24
>
> conn %default
>     auto=add
>     auth=esp
>     compress=no
>     authby=rsasig
>     keyingtries=1
>     left=83.145.201.2
>     leftcert=/etc/ipsec.d/certs/www.solotes.fi_crt.pem
>     leftid="C=FI, O=Solotes Oy, CN=www.solotes.fi"
>     leftnexthop=83.145.201.254
>     leftrsasigkey=%cert
>     leftsubnet=192.168.240.0/24
>
> conn fvs318
>     type=tunnel
>     left=83.145.201.2
>     leftsubnet=192.168.240.0/24
>     leftnexthop=83.145.201.254
>     leftid="83.145.201.2"
>     right=83.145.204.59
>     rightsubnet=192.168.1.0/24
>     rightnexthop=83.145.204.254
>     rightid="83.145.204.59"
>     ikelifetime=1440m
>     keylife=480m
>     pfs=yes
>     keyexchange=ike
>     authby=secret
>     auto=start
>
> conn gw-oskari
>     right=%any
>     rightcert=/etc/ipsec.d/certs/gw.osku.solotes.fi_crt.pem
>     rightid="C=FI, O=Solotes Oy, CN=gw.osku.solotes.fi"
>     rightrsasigkey=%cert
>     rightsubnet=192.168.2.0/24
>     type=tunnel
>
> conn jukka
>     right=%any
>     rightcert=/etc/ipsec.d/certs/jukka.rw.solotes.fi_crt.pem
>     rightid="C=FI, O=Solotes Oy, CN=jukka.rw.solotes.fi"
>     rightrsasigkey=%cert
>     rightsubnet=vhost:%priv
>     type=tunnel
>
> conn trikki
>     right=%any
>     rightcert=/etc/ipsec.d/certs/trikki.rw.solotes.fi_crt.pem
>     rightid="C=FI, O=Solotes Oy, CN=trikki.rw.solotes.fi"
>     rightrsasigkey=%cert
>     rightsubnet=vhost:%priv
>     type=tunnel
The Netgear box is configured as follows:
> http://www.solotes.fi/private/trikki/netgear/fvs318_ike_policy.gif
> http://www.solotes.fi/private/trikki/netgear/fvs318_vpn_auto_policy.gif
This is what goes into log/secure when starting ipsec:
> Jan 14 17:32:34 www ipsec__plutorun: Starting Pluto subsystem...
> Jan 14 17:32:34 www pluto[21402]: Starting Pluto (Openswan Version 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEZ~BaB]r\134p_)
> Jan 14 17:32:34 www pluto[21402]: Setting NAT-Traversal port-4500 floating to on
> Jan 14 17:32:34 www pluto[21402]: port floating activation criteria nat_t=1/port_fload=1
> Jan 14 17:32:34 www pluto[21402]: including NAT-Traversal patch (Version 0.6c)
> Jan 14 17:32:34 www pluto[21402]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> Jan 14 17:32:34 www pluto[21402]: starting up 1 cryptographic helpers
> Jan 14 17:32:34 www pluto[21402]: started helper pid=21406 (fd:6)
> Jan 14 17:32:34 www pluto[21402]: Using NETKEY IPsec interface code on 2.6.18-53.1.19.el5
> Jan 14 17:32:35 www pluto[21402]: Changing to directory '/etc/ipsec.d/cacerts'
> Jan 14 17:32:35 www pluto[21402]: loaded CA cert file 'solotes-2007_cacert.pem' (1675 bytes)
> Jan 14 17:32:35 www pluto[21402]: Could not change to directory '/etc/ipsec.d/aacerts'
> Jan 14 17:32:35 www pluto[21402]: Could not change to directory '/etc/ipsec.d/ocspcerts'
> Jan 14 17:32:35 www pluto[21402]: Could not change to directory '/etc/ipsec.d/crls'
> Jan 14 17:32:35 www pluto[21402]: loaded host cert file '/etc/ipsec.d/certs/www.solotes.fi_crt.pem' (4304 bytes)
> Jan 14 17:32:35 www pluto[21402]: loaded host cert file '/etc/ipsec.d/certs/trikki.rw.solotes.fi_crt.pem' (4318 bytes)
> Jan 14 17:32:35 www pluto[21402]: added connection description "trikki"
> Jan 14 17:32:35 www pluto[21402]: loaded host cert file '/etc/ipsec.d/certs/www.solotes.fi_crt.pem' (4304 bytes)
> Jan 14 17:32:35 www pluto[21402]: loaded host cert file '/etc/ipsec.d/certs/gw.osku.solotes.fi_crt.pem' (4312 bytes)
> Jan 14 17:32:35 www pluto[21402]: added connection description "gw-oskari"
> Jan 14 17:32:35 www pluto[21402]: loaded host cert file '/etc/ipsec.d/certs/www.solotes.fi_crt.pem' (4304 bytes)
> Jan 14 17:32:35 www pluto[21402]: loaded host cert file '/etc/ipsec.d/certs/jukka.rw.solotes.fi_crt.pem' (4317 bytes)
> Jan 14 17:32:35 www pluto[21402]: added connection description "jukka"
> Jan 14 17:32:35 www pluto[21402]: loaded host cert file '/etc/ipsec.d/certs/www.solotes.fi_crt.pem' (4304 bytes)
> Jan 14 17:32:35 www pluto[21402]: no subjectAltName matches ID '83.145.201.2', replaced by subject DN
> Jan 14 17:32:35 www pluto[21402]: added connection description "fvs318"
> Jan 14 17:32:35 www pluto[21402]: listening for IKE messages
> Jan 14 17:32:35 www pluto[21402]: adding interface virbr0/virbr0 192.168.122.1:500
> Jan 14 17:32:35 www pluto[21402]: adding interface virbr0/virbr0 192.168.122.1:4500
> Jan 14 17:32:35 www pluto[21402]: adding interface eth1/eth1 192.168.240.254:500
> Jan 14 17:32:35 www pluto[21402]: adding interface eth1/eth1 192.168.240.254:4500
> Jan 14 17:32:35 www pluto[21402]: adding interface eth0/eth0 83.145.201.2:500
> Jan 14 17:32:35 www pluto[21402]: adding interface eth0/eth0 83.145.201.2:4500
> Jan 14 17:32:35 www pluto[21402]: adding interface eth2/eth2 192.168.240.253:500
> Jan 14 17:32:35 www pluto[21402]: adding interface eth2/eth2 192.168.240.253:4500
> Jan 14 17:32:35 www pluto[21402]: adding interface lo/lo 127.0.0.1:500
> Jan 14 17:32:35 www pluto[21402]: adding interface lo/lo 127.0.0.1:4500
> Jan 14 17:32:35 www pluto[21402]: adding interface lo/lo ::1:500
> Jan 14 17:32:35 www pluto[21402]: loading secrets from "/etc/ipsec.secrets"
> Jan 14 17:32:35 www pluto[21402]: loaded private key file '/etc/ipsec.d/private/gw.osku.solotes.fi_key.pem' (887 bytes)
> Jan 14 17:32:35 www pluto[21402]: loaded private key file '/etc/ipsec.d/private/solotes-2007_cakey.pem' (1675 bytes)
> Jan 14 17:32:35 www pluto[21402]: loaded private key file '/etc/ipsec.d/private/www.solotes.fi_key.pem' (887 bytes)
> Jan 14 17:32:35 www pluto[21402]: "fvs318" #1: initiating Main Mode
> Jan 14 17:32:35 www pluto[21402]: "fvs318" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Jan 14 17:32:35 www pluto[21402]: "fvs318" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Jan 14 17:32:35 www pluto[21402]: packet from 89.27.54.216:500: phase 1 message is part of an unknown exchange
> Jan 14 17:32:36 www pluto[21402]: "fvs318" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Jan 14 17:32:36 www pluto[21402]: "fvs318" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Jan 14 17:32:38 www pluto[21402]: "fvs318" #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
> Jan 14 17:32:38 www pluto[21402]: "fvs318" #1: malformed payload in packet
> Jan 14 17:32:38 www pluto[21402]: | payload malformed after IV
> Jan 14 17:32:38 www pluto[21402]: | b8 6f 9b ad f4 a6 c1 21
> Jan 14 17:32:38 www pluto[21402]: "fvs318" #1: sending notification PAYLOAD_MALFORMED to 83.145.204.59:500
> Jan 14 17:32:55 www pluto[21402]: packet from 89.27.54.216:500: phase 1 message is part of an unknown exchange
> Jan 14 17:33:46 www pluto[21402]: "fvs318" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
When turning on plutodebug=all, the log shows the following:
> http://www.solotes.fi/private/trikki/netgear/log_debug_all.txt
Petrik Salovaara
mailto:petrik.salovaara at solotes.fi
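As an added illustration (not part of the original post or of Openswan's code), the following Python script reads the eight decrypted octets pluto dumped after "payload malformed after IV" as an ISAKMP generic payload header and applies the sanity checks pluto's parser performs, next to a constructed well-formed HASH payload for comparison. The payload type table, the plausibility helper and the dummy digest are my own; the reading that such garbage right after the IV is what a decryption mismatch (for example a PSK or Phase 1 algorithm mismatch) typically produces is an assumption, not a finding from the post.

```python
import struct

# ISAKMP payload type numbers from RFC 2408 section 3.1 (only the ones relevant to Main Mode).
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH",
                 10: "NONCE", 11: "NOTIFY", 13: "VID", 20: "NAT-D"}

# The 8 decrypted octets pluto dumped after "payload malformed after IV" in the post.
LOGGED_BYTES = bytes.fromhex("b86f9badf4a6c121")

# Constructed for comparison: a well-formed HASH payload header that is the last payload
# of the message (next payload NONE, length 24), followed by a dummy 20-octet HMAC-SHA1 digest.
GOOD_HASH_PAYLOAD = bytes.fromhex("00000018") + bytes(20)


def parse_generic_header(data, remaining=None):
    """Parse the 4-octet ISAKMP generic payload header (RFC 2408 section 3.2).

    Layout: Next Payload (1), RESERVED (1, must be zero), Payload Length (2, network order,
    header included).  `remaining` is the number of plaintext octets left in the message from
    this header onward, or None if unknown (pluto only logged 8 octets).  Returns the fields
    plus the list of sanity checks that failed; a non-empty list is what pluto turns into
    "malformed payload in packet" and a PAYLOAD_MALFORMED notification.
    """
    if len(data) < 4:
        raise ValueError("need at least 4 octets for a generic payload header")
    next_payload, reserved, length = struct.unpack("!BBH", data[:4])
    problems = []
    if reserved != 0:  # the check pluto reports as "byte 2 ... must be zero, but is not"
        problems.append("reserved octet must be zero, but is 0x%02x" % reserved)
    if next_payload not in PAYLOAD_NAMES:
        problems.append("next payload %d is not a known ISAKMP payload type" % next_payload)
    if length < 4:
        problems.append("payload length %d is shorter than the header itself" % length)
    elif remaining is not None and length > remaining:
        problems.append("payload length %d exceeds the %d octets remaining" % (length, remaining))
    return {"next_payload": next_payload, "reserved": reserved,
            "length": length, "problems": problems}


def hash_payload_plausible(data, remaining, digest_len=20):
    """True when the header parses cleanly and its length matches a HASH payload carrying a
    digest of `digest_len` octets (20 for HMAC-SHA1, 16 for HMAC-MD5).  Random-looking
    plaintext, as in the logged case, fails this, which is the usual sign that the peer's
    encrypted MR3 did not decrypt to what we expected (assumption: mismatched PSK or algorithms).
    """
    hdr = parse_generic_header(data, remaining)
    return not hdr["problems"] and hdr["length"] == 4 + digest_len


if __name__ == "__main__":
    for label, buf, rem in (("logged", LOGGED_BYTES, 8), ("constructed", GOOD_HASH_PAYLOAD, 24)):
        print(label, parse_generic_header(buf, rem), "plausible HASH:", hash_payload_plausible(buf, rem))
```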