[Openswan Users] Openswan + Netgear FVS318
Peter McGill
petermcgill at goco.net
Fri Jan 23 10:29:26 EST 2009
Petrik,
PAYLOAD_MALFORMED is usually due to a config mismatch.
Check that your key in /etc/ipsec.secrets matches the key on the Netgear.
i.e. 83.145.201.2 83.145.204.59 : PSK "your secret key"
Check the subnets on the Netgear match yours:
leftsubnet=192.168.240.0/24
rightsubnet=192.168.1.0/24
Check that the Netgear has Perfect Forward Secrecy on (pfs).
Or, if you can't find the setting, set pfs=no; Openswan will
still use PFS if asked, it just won't require it.
Explicitly set the authentication and encryption methods used on both
ends, for example:
# IKE Authentication (Phase 1)
# 3DES, MD5, Diffie Hellman (DH) Group 2 (1024 bit)
ike=3des-md5-modp1024
# ESP Encryption (Phase 2)
# 3DES, MD5, Diffie Hellman (DH) Group (Same as Phase 1)
esp=3des-md5
Try initiating with the Netgear instead of Openswan (auto=add).
The logs may give a better indication of the error (plutodebug=none).
Peter McGill
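A small checker that walks the same list (PSK line indexed by both peer IPs, subnets present, pfs and ike/esp set explicitly) over an ipsec.conf conn and an ipsec.secrets file. This is an added example, not code from the thread or from Openswan; the config and secrets samples are constructed from the conn in the quoted message and the PSK is a placeholder.

```python
import re
# Constructed sample (not the poster's full file): the fvs318 conn from the
# thread, with a hypothetical placeholder PSK in the secrets file.
IPSEC_CONF = """\
conn %default
    authby=rsasig
    left=83.145.201.2
    leftsubnet=192.168.240.0/24
conn fvs318
    right=83.145.204.59
    rightsubnet=192.168.1.0/24
    pfs=yes
    authby=secret
"""
IPSEC_SECRETS = '83.145.201.2 83.145.204.59 : PSK "your secret key"\n'

def parse_conf(text):
    """Return {conn: {key: value}}, with conn %default merged in as the base."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments/blank lines
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            current = sections.setdefault(m.group(2), {})
        elif current is not None and "=" in line:
            k, v = line.split("=", 1)
            current[k.strip()] = v.strip().strip('"')
    default = sections.get("%default", {})
    return {n: {**default, **s} for n, s in sections.items()
            if n not in ("setup", "%default")}

def psk_indices(text):
    """Index IDs (the peer addresses) of every PSK line in ipsec.secrets."""
    ids = set()
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s*:\s*PSK\s", line.strip())
        if m:
            ids.add(frozenset(m.group(1).split()))
    return ids

def check_conn(conn, secrets):
    """Return the mismatches from the checklist (empty list means none found)."""
    findings = []
    if conn.get("authby") == "secret" and \
            frozenset((conn.get("left"), conn.get("right"))) not in psk_indices(secrets):
        findings.append("no PSK line in ipsec.secrets indexed by both peer IPs")
    for k in ("leftsubnet", "rightsubnet", "pfs", "ike", "esp"):
        if k not in conn:
            findings.append(f"{k} not set explicitly")
    return findings
```

On the sample above it reports only that ike and esp are not pinned, which is the last item on the list; point it at the real files to see whether the PSK index line is the problem.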
Petrik Salovaara wrote:
> Greetings,
>
> I am trying to get a VPN connection between openswan and Netgear FVS318 using PSK.
> My openswan linux box currently works fine with another openswan linux box and
> several roadwarriors using certificates. I have followed instructions on
> http://wiki.openswan.org/index.php/Openswan/NetGearFVS318 without success.
>
> Bottom line is that openswan reports "PAYLOAD_MALFORMED" in STATE_MAIN_I3.
> Any help is appreciated.
>
> Here's the config in openswan:
>> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>> config setup
>> #plutodebug=all
>> #plutoload=%search
>> #plutostart=%search
>> interfaces=%defaultroute
>> klipsdebug=none
>> nat_traversal=yes
>> plutodebug=none
>> strictcrlpolicy=no
>> uniqueids=yes
>> virtual_private=%v4:192.168.239.0/24
>>
>> conn %default
>> auto=add
>> auth=esp
>> compress=no
>> authby=rsasig
>> keyingtries=1
>> left=83.145.201.2
>> leftcert=/etc/ipsec.d/certs/www.solotes.fi_crt.pem
>> leftid="C=FI, O=Solotes Oy, CN=www.solotes.fi"
>> leftnexthop=83.145.201.254
>> leftrsasigkey=%cert
>> leftsubnet=192.168.240.0/24
>>
>> conn fvs318
>> type=tunnel
>> left=83.145.201.2
>> leftsubnet=192.168.240.0/24
>> leftnexthop=83.145.201.254
>> leftid="83.145.201.2"
>> right=83.145.204.59
>> rightsubnet=192.168.1.0/24
>> rightnexthop=83.145.204.254
>> rightid="83.145.204.59"
>> ikelifetime=1440m
>> keylife=480m
>> pfs=yes
>> keyexchange=ike
>> authby=secret
>> auto=start
>>
>> conn gw-oskari
>> right=%any
>> rightcert=/etc/ipsec.d/certs/gw.osku.solotes.fi_crt.pem
>> rightid="C=FI, O=Solotes Oy, CN=gw.osku.solotes.fi"
>> rightrsasigkey=%cert
>> rightsubnet=192.168.2.0/24
>> type=tunnel
>>
>> conn jukka
>> right=%any
>> rightcert=/etc/ipsec.d/certs/jukka.rw.solotes.fi_crt.pem
>> rightid="C=FI, O=Solotes Oy, CN=jukka.rw.solotes.fi"
>> rightrsasigkey=%cert
>> rightsubnet=vhost:%priv
>> type=tunnel
>>
>> conn trikki
>> right=%any
>> rightcert=/etc/ipsec.d/certs/trikki.rw.solotes.fi_crt.pem
>> rightid="C=FI, O=Solotes Oy, CN=trikki.rw.solotes.fi"
>> rightrsasigkey=%cert
>> rightsubnet=vhost:%priv
>> type=tunnel
>
>
> Netgear box is configured as follows:
>> http://www.solotes.fi/private/trikki/netgear/fvs318_ike_policy.gif
>> http://www.solotes.fi/private/trikki/netgear/fvs318_vpn_auto_policy.gif
>
>
> This is what goes into log/secure when starting ipsec:
>> Jan 14 17:32:34 www ipsec__plutorun: Starting Pluto subsystem...
>> Jan 14 17:32:34 www pluto[21402]: Starting Pluto (Openswan Version 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEZ~BaB]r\134p_)
>> Jan 14 17:32:34 www pluto[21402]: Setting NAT-Traversal port-4500 floating to on
>> Jan 14 17:32:34 www pluto[21402]: port floating activation criteria nat_t=1/port_fload=1
>> Jan 14 17:32:34 www pluto[21402]: including NAT-Traversal patch (Version 0.6c)
>> Jan 14 17:32:34 www pluto[21402]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
>> Jan 14 17:32:34 www pluto[21402]: starting up 1 cryptographic helpers
>> Jan 14 17:32:34 www pluto[21402]: started helper pid=21406 (fd:6)
>> Jan 14 17:32:34 www pluto[21402]: Using NETKEY IPsec interface code on 2.6.18-53.1.19.el5
>> Jan 14 17:32:35 www pluto[21402]: Changing to directory '/etc/ipsec.d/cacerts'
>> Jan 14 17:32:35 www pluto[21402]: loaded CA cert file 'solotes-2007_cacert.pem' (1675 bytes)
>> Jan 14 17:32:35 www pluto[21402]: Could not change to directory '/etc/ipsec.d/aacerts'
>> Jan 14 17:32:35 www pluto[21402]: Could not change to directory '/etc/ipsec.d/ocspcerts'
>> Jan 14 17:32:35 www pluto[21402]: Could not change to directory '/etc/ipsec.d/crls'
>> Jan 14 17:32:35 www pluto[21402]: loaded host cert file '/etc/ipsec.d/certs/www.solotes.fi_crt.pem' (4304 bytes)
>> Jan 14 17:32:35 www pluto[21402]: loaded host cert file '/etc/ipsec.d/certs/trikki.rw.solotes.fi_crt.pem' (4318 bytes)
>> Jan 14 17:32:35 www pluto[21402]: added connection description "trikki"
>> Jan 14 17:32:35 www pluto[21402]: loaded host cert file '/etc/ipsec.d/certs/www.solotes.fi_crt.pem' (4304 bytes)
>> Jan 14 17:32:35 www pluto[21402]: loaded host cert file '/etc/ipsec.d/certs/gw.osku.solotes.fi_crt.pem' (4312 bytes)
>> Jan 14 17:32:35 www pluto[21402]: added connection description "gw-oskari"
>> Jan 14 17:32:35 www pluto[21402]: loaded host cert file '/etc/ipsec.d/certs/www.solotes.fi_crt.pem' (4304 bytes)
>> Jan 14 17:32:35 www pluto[21402]: loaded host cert file '/etc/ipsec.d/certs/jukka.rw.solotes.fi_crt.pem' (4317 bytes)
>> Jan 14 17:32:35 www pluto[21402]: added connection description "jukka"
>> Jan 14 17:32:35 www pluto[21402]: loaded host cert file '/etc/ipsec.d/certs/www.solotes.fi_crt.pem' (4304 bytes)
>> Jan 14 17:32:35 www pluto[21402]: no subjectAltName matches ID '83.145.201.2', replaced by subject DN
>> Jan 14 17:32:35 www pluto[21402]: added connection description "fvs318"
>> Jan 14 17:32:35 www pluto[21402]: listening for IKE messages
>> Jan 14 17:32:35 www pluto[21402]: adding interface virbr0/virbr0 192.168.122.1:500
>> Jan 14 17:32:35 www pluto[21402]: adding interface virbr0/virbr0 192.168.122.1:4500
>> Jan 14 17:32:35 www pluto[21402]: adding interface eth1/eth1 192.168.240.254:500
>> Jan 14 17:32:35 www pluto[21402]: adding interface eth1/eth1 192.168.240.254:4500
>> Jan 14 17:32:35 www pluto[21402]: adding interface eth0/eth0 83.145.201.2:500
>> Jan 14 17:32:35 www pluto[21402]: adding interface eth0/eth0 83.145.201.2:4500
>> Jan 14 17:32:35 www pluto[21402]: adding interface eth2/eth2 192.168.240.253:500
>> Jan 14 17:32:35 www pluto[21402]: adding interface eth2/eth2 192.168.240.253:4500
>> Jan 14 17:32:35 www pluto[21402]: adding interface lo/lo 127.0.0.1:500
>> Jan 14 17:32:35 www pluto[21402]: adding interface lo/lo 127.0.0.1:4500
>> Jan 14 17:32:35 www pluto[21402]: adding interface lo/lo ::1:500
>> Jan 14 17:32:35 www pluto[21402]: loading secrets from "/etc/ipsec.secrets"
>> Jan 14 17:32:35 www pluto[21402]: loaded private key file '/etc/ipsec.d/private/gw.osku.solotes.fi_key.pem' (887 bytes)
>> Jan 14 17:32:35 www pluto[21402]: loaded private key file '/etc/ipsec.d/private/solotes-2007_cakey.pem' (1675 bytes)
>> Jan 14 17:32:35 www pluto[21402]: loaded private key file '/etc/ipsec.d/private/www.solotes.fi_key.pem' (887 bytes)
>> Jan 14 17:32:35 www pluto[21402]: "fvs318" #1: initiating Main Mode
>> Jan 14 17:32:35 www pluto[21402]: "fvs318" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>> Jan 14 17:32:35 www pluto[21402]: "fvs318" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>> Jan 14 17:32:35 www pluto[21402]: packet from 89.27.54.216:500: phase 1 message is part of an unknown exchange
>> Jan 14 17:32:36 www pluto[21402]: "fvs318" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>> Jan 14 17:32:36 www pluto[21402]: "fvs318" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> Jan 14 17:32:38 www pluto[21402]: "fvs318" #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
>> Jan 14 17:32:38 www pluto[21402]: "fvs318" #1: malformed payload in packet
>> Jan 14 17:32:38 www pluto[21402]: | payload malformed after IV
>> Jan 14 17:32:38 www pluto[21402]: | b8 6f 9b ad f4 a6 c1 21
>> Jan 14 17:32:38 www pluto[21402]: "fvs318" #1: sending notification PAYLOAD_MALFORMED to 83.145.204.59:500
>> Jan 14 17:32:55 www pluto[21402]: packet from 89.27.54.216:500: phase 1 message is part of an unknown exchange
>> Jan 14 17:33:46 www pluto[21402]: "fvs318" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
>
> When turning on plutodebug=all, the log shows the following:
>> http://www.solotes.fi/private/trikki/netgear/log_debug_all.txt
>
> Petrik Salovaara
> mailto:petrik.salovaara at solotes.fi