[Openswan Users] Netgear FVS318, PAYLOAD_MALFORMED

Tuomo Soini tis at foobar.fi
Sat Jan 17 13:46:28 EST 2009


Petrik Salovaara wrote:
> Greetings,
> 
> I am trying to get a VPN connection between openswan and Netgear FVS318 using PSK.
> My openswan linux box currently works fine with another openswan linux box and
> several roadwarriors using certificates. I have followed instructions on
> http://wiki.openswan.org/index.php/Openswan/NetGearFVS318 without success.

> Here's the config in openswan:
>> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>> config setup
>>         #plutodebug=all
>>         #plutoload=%search
>>         #plutostart=%search
>>         interfaces=%defaultroute
>>         klipsdebug=none
>>         nat_traversal=yes
>>         plutodebug=none
>>         strictcrlpolicy=no
>>         uniqueids=yes
>>         virtual_private=%v4:192.168.239.0/24
>>
>> conn %default
>>         auto=add
>>         auth=esp
>>         compress=no
>>         authby=rsasig
>>         keyingtries=1
>>         left=83.145.201.2
>>         leftcert=/etc/ipsec.d/certs/www.solotes.fi_crt.pem
>>         leftid="C=FI, O=Solotes Oy, CN=www.solotes.fi"
>>         leftnexthop=83.145.201.254
>>         leftrsasigkey=%cert
>>         leftsubnet=192.168.240.0/24

Don't load certificates and set id in conn %default. It makes your config
very error-prone, as you can find out below. Here you load a certificate for
_every_ conn, even PSK ones!

>> conn fvs318
>>         type=tunnel
>>         left=83.145.201.2
>>         leftsubnet=192.168.240.0/24
>>         leftnexthop=83.145.201.254
>>         leftid="83.145.201.2"
>>         right=83.145.204.59
>>         rightsubnet=192.168.1.0/24
>>         rightnexthop=83.145.204.254
>>         rightid="83.145.204.59"
>>         ikelifetime=1440m
>>         keylife=480m
>>         pfs=yes
>>         keyexchange=ike
>>         authby=secret
>>         auto=start

This config is wrong because you load the certificate from conn %default but
you don't disable loading of the cert for this conn. You can do it like this,
but I suggest you load certificates from the conns, not from conn %default.

	# this disables loading leftcert.
	leftcert=""

>> Jan 14 17:32:35 www pluto[21402]:   loaded host cert file '/etc/ipsec.d/certs/www.solotes.fi_crt.pem' (4304 bytes)
>> Jan 14 17:32:35 www pluto[21402]:   no subjectAltName matches ID '83.145.201.2', replaced by subject DN

This log entry tells you what went wrong. You just missed this very
important notification which broke your conn.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
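The inheritance problem discussed in this thread, shown as an added example (not code from the thread or from Openswan): a small parser that merges `conn %default` into each conn the way the settings are inherited, and flags PSK conns that still carry a `leftcert`. The config text, host names and addresses are constructed for the example.

```python
"""Added example: apply 'conn %default' inheritance to a minimal ipsec.conf
and report authby=secret conns that silently inherit a certificate."""
import re

# Constructed sample config; 'fvs318' inherits leftcert, 'fixed' overrides it.
SAMPLE_CONF = """\
config setup
        nat_traversal=yes

conn %default
        authby=rsasig
        leftcert=/etc/ipsec.d/certs/host_crt.pem
        leftid="C=XX, O=Example, CN=vpn.example.test"

conn fvs318
        authby=secret
        leftid="192.0.2.1"
        right=198.51.100.7

conn fixed
        authby=secret
        leftcert=""
        leftid="192.0.2.1"
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with conn %default merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:                                     # new section header
            current = sections.setdefault(m.group(1) + " " + m.group(2), {})
            continue
        key, _, val = line.strip().partition("=")
        current[key.strip()] = val.strip().strip('"')
    default = sections.get("conn %default", {})
    # conn-specific keys override inherited %default keys
    return {name[5:]: {**default, **vals}
            for name, vals in sections.items()
            if name.startswith("conn ") and name != "conn %default"}

def find_psk_conns_with_cert(conns):
    """Names of PSK conns whose effective config still loads a leftcert."""
    return sorted(n for n, c in conns.items()
                  if c.get("authby") == "secret" and c.get("leftcert", "") != "")
```

Running `find_psk_conns_with_cert(parse_ipsec_conf(SAMPLE_CONF))` returns `['fvs318']`, the conn that would log the "no subjectAltName matches ID" warning seen above.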
