[Openswan Users] Netgear FVS318, PAYLOAD_MALFORMED

Petrik Salovaara petrik.salovaara at solotes.fi
Sat Jan 17 08:25:05 EST 2009


Greetings,

I am trying to get a VPN connection between openswan and a Netgear FVS318 using PSK.
My openswan Linux box currently works fine with another openswan Linux box and
several roadwarriors using certificates. I have followed the instructions on
http://wiki.openswan.org/index.php/Openswan/NetGearFVS318 without success.

Bottom line is that openswan reports "PAYLOAD_MALFORMED" in STATE_MAIN_I3.
Any help is appreciated.

Here's the config in openswan:
> 
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
> config setup
>         #plutodebug=all
>         #plutoload=%search
>         #plutostart=%search
>         interfaces=%defaultroute
>         klipsdebug=none
>         nat_traversal=yes
>         plutodebug=none
>         strictcrlpolicy=no
>         uniqueids=yes
>         virtual_private=%v4:192.168.239.0/24
> 
> conn %default
>         auto=add
>         auth=esp
>         compress=no
>         authby=rsasig
>         keyingtries=1
>         left=83.145.201.2
>         leftcert=/etc/ipsec.d/certs/www.solotes.fi_crt.pem
>         leftid="C=FI, O=Solotes Oy, CN=www.solotes.fi"
>         leftnexthop=83.145.201.254
>         leftrsasigkey=%cert
>         leftsubnet=192.168.240.0/24
> 
> conn fvs318
>         type=tunnel
>         left=83.145.201.2
>         leftsubnet=192.168.240.0/24
>         leftnexthop=83.145.201.254
>         leftid="83.145.201.2"
>         right=83.145.204.59
>         rightsubnet=192.168.1.0/24
>         rightnexthop=83.145.204.254
>         rightid="83.145.204.59"
>         ikelifetime=1440m
>         keylife=480m
>         pfs=yes
>         keyexchange=ike
>         authby=secret
>         auto=start
> 
> conn gw-oskari
>         right=%any
>         rightcert=/etc/ipsec.d/certs/gw.osku.solotes.fi_crt.pem
>         rightid="C=FI, O=Solotes Oy, CN=gw.osku.solotes.fi"
>         rightrsasigkey=%cert
>         rightsubnet=192.168.2.0/24
>         type=tunnel
> 
> conn jukka
>         right=%any
>         rightcert=/etc/ipsec.d/certs/jukka.rw.solotes.fi_crt.pem
>         rightid="C=FI, O=Solotes Oy, CN=jukka.rw.solotes.fi"
>         rightrsasigkey=%cert
>         rightsubnet=vhost:%priv
>         type=tunnel
> 
> conn trikki
>         right=%any
>         rightcert=/etc/ipsec.d/certs/trikki.rw.solotes.fi_crt.pem
>         rightid="C=FI, O=Solotes Oy, CN=trikki.rw.solotes.fi"
>         rightrsasigkey=%cert
>         rightsubnet=vhost:%priv
>         type=tunnel


The Netgear box is configured as follows:
> http://www.solotes.fi/private/trikki/netgear/fvs318_ike_policy.gif
> http://www.solotes.fi/private/trikki/netgear/fvs318_vpn_auto_policy.gif


This is what goes into log/secure when starting ipsec:
> Jan 14 17:32:34 www ipsec__plutorun: Starting Pluto subsystem...
> Jan 14 17:32:34 www pluto[21402]: Starting Pluto (Openswan Version 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEZ~BaB]r\134p_)
> Jan 14 17:32:34 www pluto[21402]: Setting NAT-Traversal port-4500 floating to on
> Jan 14 17:32:34 www pluto[21402]:    port floating activation criteria nat_t=1/port_fload=1
> Jan 14 17:32:34 www pluto[21402]:   including NAT-Traversal patch (Version 0.6c)
> Jan 14 17:32:34 www pluto[21402]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> Jan 14 17:32:34 www pluto[21402]: starting up 1 cryptographic helpers
> Jan 14 17:32:34 www pluto[21402]: started helper pid=21406 (fd:6)
> Jan 14 17:32:34 www pluto[21402]: Using NETKEY IPsec interface code on 2.6.18-53.1.19.el5
> Jan 14 17:32:35 www pluto[21402]: Changing to directory '/etc/ipsec.d/cacerts'
> Jan 14 17:32:35 www pluto[21402]:   loaded CA cert file 'solotes-2007_cacert.pem' (1675 bytes)
> Jan 14 17:32:35 www pluto[21402]: Could not change to directory '/etc/ipsec.d/aacerts'
> Jan 14 17:32:35 www pluto[21402]: Could not change to directory '/etc/ipsec.d/ocspcerts'
> Jan 14 17:32:35 www pluto[21402]: Could not change to directory '/etc/ipsec.d/crls'
> Jan 14 17:32:35 www pluto[21402]:   loaded host cert file '/etc/ipsec.d/certs/www.solotes.fi_crt.pem' (4304 bytes)
> Jan 14 17:32:35 www pluto[21402]:   loaded host cert file '/etc/ipsec.d/certs/trikki.rw.solotes.fi_crt.pem' (4318 bytes)
> Jan 14 17:32:35 www pluto[21402]: added connection description "trikki"
> Jan 14 17:32:35 www pluto[21402]:   loaded host cert file '/etc/ipsec.d/certs/www.solotes.fi_crt.pem' (4304 bytes)
> Jan 14 17:32:35 www pluto[21402]:   loaded host cert file '/etc/ipsec.d/certs/gw.osku.solotes.fi_crt.pem' (4312 bytes)
> Jan 14 17:32:35 www pluto[21402]: added connection description "gw-oskari"
> Jan 14 17:32:35 www pluto[21402]:   loaded host cert file '/etc/ipsec.d/certs/www.solotes.fi_crt.pem' (4304 bytes)
> Jan 14 17:32:35 www pluto[21402]:   loaded host cert file '/etc/ipsec.d/certs/jukka.rw.solotes.fi_crt.pem' (4317 bytes)
> Jan 14 17:32:35 www pluto[21402]: added connection description "jukka"
> Jan 14 17:32:35 www pluto[21402]:   loaded host cert file '/etc/ipsec.d/certs/www.solotes.fi_crt.pem' (4304 bytes)
> Jan 14 17:32:35 www pluto[21402]:   no subjectAltName matches ID '83.145.201.2', replaced by subject DN
> Jan 14 17:32:35 www pluto[21402]: added connection description "fvs318"
> Jan 14 17:32:35 www pluto[21402]: listening for IKE messages
> Jan 14 17:32:35 www pluto[21402]: adding interface virbr0/virbr0 192.168.122.1:500
> Jan 14 17:32:35 www pluto[21402]: adding interface virbr0/virbr0 192.168.122.1:4500
> Jan 14 17:32:35 www pluto[21402]: adding interface eth1/eth1 192.168.240.254:500
> Jan 14 17:32:35 www pluto[21402]: adding interface eth1/eth1 192.168.240.254:4500
> Jan 14 17:32:35 www pluto[21402]: adding interface eth0/eth0 83.145.201.2:500
> Jan 14 17:32:35 www pluto[21402]: adding interface eth0/eth0 83.145.201.2:4500
> Jan 14 17:32:35 www pluto[21402]: adding interface eth2/eth2 192.168.240.253:500
> Jan 14 17:32:35 www pluto[21402]: adding interface eth2/eth2 192.168.240.253:4500
> Jan 14 17:32:35 www pluto[21402]: adding interface lo/lo 127.0.0.1:500
> Jan 14 17:32:35 www pluto[21402]: adding interface lo/lo 127.0.0.1:4500
> Jan 14 17:32:35 www pluto[21402]: adding interface lo/lo ::1:500
> Jan 14 17:32:35 www pluto[21402]: loading secrets from "/etc/ipsec.secrets"
> Jan 14 17:32:35 www pluto[21402]:   loaded private key file '/etc/ipsec.d/private/gw.osku.solotes.fi_key.pem' (887 bytes)
> Jan 14 17:32:35 www pluto[21402]:   loaded private key file '/etc/ipsec.d/private/solotes-2007_cakey.pem' (1675 bytes)
> Jan 14 17:32:35 www pluto[21402]:   loaded private key file '/etc/ipsec.d/private/www.solotes.fi_key.pem' (887 bytes)
> Jan 14 17:32:35 www pluto[21402]: "fvs318" #1: initiating Main Mode
> Jan 14 17:32:35 www pluto[21402]: "fvs318" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Jan 14 17:32:35 www pluto[21402]: "fvs318" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Jan 14 17:32:35 www pluto[21402]: packet from 89.27.54.216:500: phase 1 message is part of an unknown exchange
> Jan 14 17:32:36 www pluto[21402]: "fvs318" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Jan 14 17:32:36 www pluto[21402]: "fvs318" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Jan 14 17:32:38 www pluto[21402]: "fvs318" #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
> Jan 14 17:32:38 www pluto[21402]: "fvs318" #1: malformed payload in packet
> Jan 14 17:32:38 www pluto[21402]: | payload malformed after IV
> Jan 14 17:32:38 www pluto[21402]: |   b8 6f 9b ad  f4 a6 c1 21
> Jan 14 17:32:38 www pluto[21402]: "fvs318" #1: sending notification PAYLOAD_MALFORMED to 83.145.204.59:500
> Jan 14 17:32:55 www pluto[21402]: packet from 89.27.54.216:500: phase 1 message is part of an unknown exchange
> Jan 14 17:33:46 www pluto[21402]: "fvs318" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message

When turning on plutodebug=all, the log shows the following:
> http://www.solotes.fi/private/trikki/netgear/log_debug_all.txt

Petrik Salovaara
mailto:petrik.salovaara at solotes.fi
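The two log lines that matter above are "byte 2 of ISAKMP Hash Payload must be zero, but is not" and pluto's own hint "Possible authentication failure: no acceptable response to our first encrypted message". MR3 is the first message the Main Mode initiator has to decrypt, and every payload inside it carries the RFC 2408 generic header (next payload, a RESERVED byte that must be zero, a 16-bit length); pluto reports the RESERVED byte as "byte 2" because it counts from 1. The Phase 1 keys come from SKEYID = prf(pre-shared-key, Ni_b | Nr_b), so a pre-shared key that differs on the two ends turns the decrypted MR3 into random bytes, and random bytes fail the RESERVED-byte or length check almost every time. The script below is an added example, not code from this post or from Openswan: it walks a payload chain the way pluto does, and shows the same diagnostic for a deliberately corrupted header and a diagnostic (not necessarily the same one) when the responder's and initiator's PSKs differ. The nonces, IV, identities and messages are constructed; the keystream XOR stands in for AES/3DES-CBC so the file runs offline, and HMAC-MD5 plays the role of the prf.

```python
"""Why a pre-shared key mismatch shows up as PAYLOAD_MALFORMED in Main Mode.

Added example, not from the original post or from Openswan. Everything
below (nonces, IV, identities, the keystream "cipher") is constructed.
"""
import hashlib
import hmac
import struct

# Next-payload type codes from RFC 2408 (subset)
ISAKMP_NEXT_NONE = 0
ISAKMP_NEXT_ID = 5
ISAKMP_NEXT_HASH = 8
PAYLOAD_NAMES = {
    ISAKMP_NEXT_ID: "ISAKMP Identification Payload",
    ISAKMP_NEXT_HASH: "ISAKMP Hash Payload",
}
# Generic payload header: next payload, RESERVED (must be zero), payload length
GENERIC_HDR = struct.Struct("!BBH")

# Constructed Phase 1 material shared by both sides of the demo
NI = b"\x11" * 16   # initiator nonce
NR = b"\x22" * 16   # responder nonce
IV = b"\x33" * 16   # Phase 1 IV


def check_payload_chain(data, first_np):
    """Walk the payload chain like pluto's in_struct(); return a diagnostic or None."""
    np, off = first_np, 0
    while np != ISAKMP_NEXT_NONE:
        name = PAYLOAD_NAMES.get(np, "ISAKMP payload type %d" % np)
        if off + GENERIC_HDR.size > len(data):
            return "not enough room in input packet for %s" % name
        next_np, reserved, length = GENERIC_HDR.unpack_from(data, off)
        if reserved != 0:
            # pluto counts from 1, so RESERVED at offset 1 is reported as "byte 2"
            return "byte 2 of %s must be zero, but is not" % name
        if length < GENERIC_HDR.size or off + length > len(data):
            return "%s length %d is impossible" % (name, length)
        off += length
        np = next_np
    return None


def build_payload(next_np, body):
    """Prefix a payload body with a well-formed generic header."""
    return GENERIC_HDR.pack(next_np, 0, GENERIC_HDR.size + len(body)) + body


def build_mr3_plaintext():
    """Constructed MR3 body: IDir (ID_IPV4_ADDR, RFC 2407 type 1) followed by HASH_R."""
    idir = bytes([1, 0, 0, 0]) + bytes([192, 0, 2, 1])  # ID type, protocol, port, address
    hash_r = bytes(range(16))                            # placeholder 16-byte HASH_R
    return build_payload(ISAKMP_NEXT_HASH, idir) + build_payload(ISAKMP_NEXT_NONE, hash_r)


def skeyid_psk(psk, ni, nr):
    """RFC 2409 SKEYID for pre-shared keys: prf(psk, Ni_b | Nr_b), prf = HMAC-MD5 here."""
    return hmac.new(psk, ni + nr, hashlib.md5).digest()


def toy_keystream(key, iv, data):
    """XOR with an HMAC-SHA256 chained keystream: a stand-in for the CBC cipher, NOT IKE's real one."""
    out, block = bytearray(), iv
    for i in range(0, len(data), 32):
        block = hmac.new(key, block, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def decrypt_mr3(psk_initiator, psk_responder):
    """Responder encrypts MR3 under its PSK, initiator decrypts under its own; return the diagnostic."""
    ciphertext = toy_keystream(skeyid_psk(psk_responder, NI, NR), IV, build_mr3_plaintext())
    recovered = toy_keystream(skeyid_psk(psk_initiator, NI, NR), IV, ciphertext)
    return check_payload_chain(recovered, ISAKMP_NEXT_ID)


def mr3_with_bad_hash_reserved():
    """Constructed plaintext whose HASH payload header has a nonzero RESERVED byte."""
    pt = bytearray(build_mr3_plaintext())
    pt[GENERIC_HDR.size + 8 + 1] = 0x5A   # ID payload is 12 bytes; RESERVED of the next header is at 13
    return check_payload_chain(bytes(pt), ISAKMP_NEXT_ID)


if __name__ == "__main__":
    print("same PSK  :", decrypt_mr3(b"secret", b"secret"))
    print("wrong PSK :", decrypt_mr3(b"secret", b"s3cret"))
    print("bad header:", mr3_with_bad_hash_reserved())
```

With matching keys the chain validates (None); with a mismatch the first header almost always fails, which is why pluto answers MR3 with a PAYLOAD_MALFORMED notification and later gives up with the "possible authentication failure" message rather than saying anything about keys. The same walk applies to any encrypted IKEv1 message, so the check is worth keeping in mind whenever a peer's first encrypted reply is rejected.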
