[Openswan Users] iPad IPSEC/L2TP->OpenSwan problem
John E.P. Hynes
john at hytronix.com
Wed Oct 27 16:44:53 EDT 2010
Greetings,
I have a configuration that works for windows clients but not for
iPads. I have included some of the changes suggested by (Nate Carlson?
Can't remember) to the config files to allow Apple clients to connect.
iPads fail with the following log entry:
Oct 27 16:15:12 firewall pluto[5659]: packet from x.x.x.x:500: received
Vendor ID payload [RFC 3947] method set to=109
Oct 27 16:15:12 firewall pluto[5659]: packet from x.x.x.x:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Oct 27 16:15:12 firewall pluto[5659]: packet from x.x.x.x:500: ignoring
unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Oct 27 16:15:12 firewall pluto[5659]: packet from x.x.x.x:500: ignoring
unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Oct 27 16:15:12 firewall pluto[5659]: packet from x.x.x.x:500: ignoring
unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Oct 27 16:15:12 firewall pluto[5659]: packet from x.x.x.x:500: ignoring
unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Oct 27 16:15:12 firewall pluto[5659]: packet from x.x.x.x:500: ignoring
unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Oct 27 16:15:12 firewall pluto[5659]: packet from x.x.x.x:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already
using method 110
Oct 27 16:15:12 firewall pluto[5659]: packet from x.x.x.x:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already
using method 110
Oct 27 16:15:12 firewall pluto[5659]: packet from x.x.x.x:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 110
Oct 27 16:15:12 firewall pluto[5659]: packet from x.x.x.x:500: received
Vendor ID payload [Dead Peer Detection]
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
responding to Main Mode from unknown peer x.x.x.x
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
STATE_MAIN_R1: sent MR1, expecting MI2
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both
are NATed
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
STATE_MAIN_R2: sent MR2, expecting MI3
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: byte
2 of ISAKMP Identification Payload must be zero, but is not
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Oct 27 16:15:12 firewall pluto[5659]: | payload malformed after IV
Oct 27 16:15:12 firewall pluto[5659]: | d4 ce 1a 56 99 8c 4a c0 8b
24 d7 60 d1 3e 1c e2
Oct 27 16:15:12 firewall pluto[5659]: | 89 72 0f c4
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
sending notification PAYLOAD_MALFORMED to x.x.x.x:500
Oct 27 16:15:15 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: byte
2 of ISAKMP Identification Payload must be zero, but is not
Oct 27 16:15:15 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Oct 27 16:15:15 firewall pluto[5659]: | payload malformed after IV
Oct 27 16:15:15 firewall pluto[5659]: | d4 ce 1a 56 99 8c 4a c0 8b
24 d7 60 d1 3e 1c e2
Oct 27 16:15:15 firewall pluto[5659]: | 89 72 0f c4
Oct 27 16:15:15 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
sending notification PAYLOAD_MALFORMED to x.x.x.x:500
Oct 27 16:15:18 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: byte
2 of ISAKMP Identification Payload must be zero, but is not
Oct 27 16:15:18 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Oct 27 16:15:18 firewall pluto[5659]: | payload malformed after IV
Oct 27 16:15:18 firewall pluto[5659]: | d4 ce 1a 56 99 8c 4a c0 8b
24 d7 60 d1 3e 1c e2
Oct 27 16:15:18 firewall pluto[5659]: | 89 72 0f c4
Oct 27 16:15:18 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
sending notification PAYLOAD_MALFORMED to x.x.x.x:500
Oct 27 16:15:21 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: byte
2 of ISAKMP Identification Payload must be zero, but is not
Oct 27 16:15:21 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Oct 27 16:15:21 firewall pluto[5659]: | payload malformed after IV
Oct 27 16:15:21 firewall pluto[5659]: | d4 ce 1a 56 99 8c 4a c0 8b
24 d7 60 d1 3e 1c e2
Oct 27 16:15:21 firewall pluto[5659]: | 89 72 0f c4
Oct 27 16:15:21 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
sending notification PAYLOAD_MALFORMED to x.x.x.x:500
Oct 27 16:15:22 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: byte
2 of ISAKMP Identification Payload must be zero, but is not
Oct 27 16:15:22 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Oct 27 16:15:22 firewall pluto[5659]: | payload malformed after IV
Oct 27 16:15:22 firewall pluto[5659]: | d4 ce 1a 56 99 8c 4a c0 8b
24 d7 60 d1 3e 1c e2
Oct 27 16:15:22 firewall pluto[5659]: | 89 72 0f c4
Oct 27 16:15:22 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
sending notification PAYLOAD_MALFORMED to x.x.x.x:500
Oct 27 16:15:24 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: byte
2 of ISAKMP Identification Payload must be zero, but is not
Oct 27 16:15:24 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Oct 27 16:15:24 firewall pluto[5659]: | payload malformed after IV
Oct 27 16:15:24 firewall pluto[5659]: | d4 ce 1a 56 99 8c 4a c0 8b
24 d7 60 d1 3e 1c e2
Oct 27 16:15:24 firewall pluto[5659]: | 89 72 0f c4
Oct 27 16:15:24 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
sending notification PAYLOAD_MALFORMED to x.x.x.x:500
Oct 27 16:15:27 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: byte
2 of ISAKMP Identification Payload must be zero, but is not
Oct 27 16:15:27 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Oct 27 16:15:27 firewall pluto[5659]: | payload malformed after IV
Oct 27 16:15:27 firewall pluto[5659]: | d4 ce 1a 56 99 8c 4a c0 8b
24 d7 60 d1 3e 1c e2
Oct 27 16:15:27 firewall pluto[5659]: | 89 72 0f c4
Oct 27 16:15:27 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
sending notification PAYLOAD_MALFORMED to x.x.x.x:500
Oct 27 16:15:30 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: byte
2 of ISAKMP Identification Payload must be zero, but is not
Oct 27 16:15:30 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Oct 27 16:15:30 firewall pluto[5659]: | payload malformed after IV
Oct 27 16:15:30 firewall pluto[5659]: | d4 ce 1a 56 99 8c 4a c0 8b
24 d7 60 d1 3e 1c e2
Oct 27 16:15:30 firewall pluto[5659]: | 89 72 0f c4
Oct 27 16:15:30 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
sending notification PAYLOAD_MALFORMED to x.x.x.x:500
Oct 27 16:15:34 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: byte
2 of ISAKMP Identification Payload must be zero, but is not
Oct 27 16:15:34 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Oct 27 16:15:34 firewall pluto[5659]: | payload malformed after IV
Oct 27 16:15:34 firewall pluto[5659]: | d4 ce 1a 56 99 8c 4a c0 8b
24 d7 60 d1 3e 1c e2
Oct 27 16:15:34 firewall pluto[5659]: | 89 72 0f c4
Oct 27 16:15:34 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
sending notification PAYLOAD_MALFORMED to x.x.x.x:500
Oct 27 16:15:37 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: byte
2 of ISAKMP Identification Payload must be zero, but is not
Oct 27 16:15:37 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Oct 27 16:15:37 firewall pluto[5659]: | payload malformed after IV
Oct 27 16:15:37 firewall pluto[5659]: | d4 ce 1a 56 99 8c 4a c0 8b
24 d7 60 d1 3e 1c e2
Oct 27 16:15:37 firewall pluto[5659]: | 89 72 0f c4
Oct 27 16:15:37 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
sending notification PAYLOAD_MALFORMED to x.x.x.x:500
Oct 27 16:15:39 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: byte
2 of ISAKMP Identification Payload must be zero, but is not
Oct 27 16:15:39 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Oct 27 16:15:39 firewall pluto[5659]: | payload malformed after IV
Oct 27 16:15:39 firewall pluto[5659]: | d4 ce 1a 56 99 8c 4a c0 8b
24 d7 60 d1 3e 1c e2
Oct 27 16:15:39 firewall pluto[5659]: | 89 72 0f c4
Oct 27 16:15:39 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
sending notification PAYLOAD_MALFORMED to x.x.x.x:500
Oct 27 16:16:22 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: max
number of retransmissions (2) reached STATE_MAIN_R2
Oct 27 16:16:22 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x: deleting
connection "dynip-hosts" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}
The "mismatch of preshared secrets?" seems obvious - but I've checked to
make sure they agree many times.
My "dynip-hosts" config looks like this:
conn dynip-hosts
        authby=secret
        pfs=no
        left=y.y.y.y
        leftsubnet=10.0.0.0/24
        leftprotoport=17/1701
        rightnexthop=%defaultroute
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no
        forceencaps=yes
        auto=add
Any ideas where I should look next?
Thanks,
-John
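Added example (not part of the post above, and not Openswan's own tooling): a small Python triage script that parses pluto log lines of the shape shown in the post, follows the Main Mode state transitions for one connection instance, and counts the repeated "ISAKMP Identification Payload" / PAYLOAD_MALFORMED failures so the pattern (handshake stalls at STATE_MAIN_R2, then the instance is deleted after the retransmission limit) is visible at a glance rather than buried in a dozen near-identical lines. The sample log embedded in the block is constructed from a subset of the lines in the post, with the addresses masked as in the original; the regular expressions are an assumption about the log format, written against these lines only.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the pluto lines from the post, one log
# record per line (the post's lines were wrapped by the mail client).
SAMPLE_LOG = """\
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: responding to Main Mode from unknown peer x.x.x.x
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: byte 2 of ISAKMP Identification Payload must be zero, but is not
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: sending notification PAYLOAD_MALFORMED to x.x.x.x:500
Oct 27 16:15:15 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: byte 2 of ISAKMP Identification Payload must be zero, but is not
Oct 27 16:15:15 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: sending notification PAYLOAD_MALFORMED to x.x.x.x:500
Oct 27 16:16:22 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 27 16:16:22 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x: deleting connection "dynip-hosts" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}
"""

# Assumed record layout: syslog prefix, 'pluto[pid]: "conn"[instance] peer #sa: message'.
# Lines without a quoted connection name (the "packet from ..." Vendor ID lines
# and the "| ..." debug dumps) do not match and are skipped on purpose.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
STATE_RE = re.compile(r'transition from state (\S+) to state (\S+)')
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (\S+)')


def parse_lines(text: str) -> List[dict]:
    """Return one dict per recognised pluto connection-instance record."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def analyze(text: str) -> Dict[str, object]:
    """Reduce a pluto log excerpt to the facts needed to triage one IKE attempt."""
    summary: Dict[str, object] = {
        "conn": None, "peer": None, "last_state": None, "nat_t": None,
        "id_payload_errors": 0, "payload_malformed_sent": 0,
        "psk_hint": False, "retransmit_limit": None, "deleted": False,
    }
    for ev in parse_lines(text):
        msg = ev["msg"]
        summary["conn"] = summary["conn"] or ev["conn"]
        summary["peer"] = summary["peer"] or ev["peer"]
        sm = STATE_RE.search(msg)
        if sm:
            summary["last_state"] = sm.group(2)
        if msg.startswith("NAT-Traversal:"):
            summary["nat_t"] = msg.rsplit(": ", 1)[1]          # e.g. "both are NATed"
        if "ISAKMP Identification Payload must be zero" in msg:
            summary["id_payload_errors"] += 1
        if "sending notification PAYLOAD_MALFORMED" in msg:
            summary["payload_malformed_sent"] += 1
        if "mismatch of preshared secrets" in msg:
            summary["psk_hint"] = True
        rm = RETRANS_RE.search(msg)
        if rm:
            summary["retransmit_limit"] = (int(rm.group(1)), rm.group(2))
        if msg.startswith("deleting connection"):
            summary["deleted"] = True
    return summary


def triage(summary: Dict[str, object]) -> List[str]:
    """Turn the summary into the checks a responder would make next."""
    findings = []
    if summary["last_state"] == "STATE_MAIN_R2" and summary["id_payload_errors"]:
        findings.append("Main Mode stalled at STATE_MAIN_R2: the peer's MI3 (encrypted "
                        "ISAKMP ID payload) never decoded cleanly, %d time(s)"
                        % summary["id_payload_errors"])
    if summary["psk_hint"]:
        findings.append("pluto attributes the malformed payload to a probable PSK "
                        "mismatch: confirm which secret it selects for this peer "
                        "(right=%any) and compare with the client's")
    if summary["nat_t"]:
        findings.append("NAT-T negotiated (%s): the peer is seen through NAT, so the "
                        "secret lookup and identity must match the NATed address"
                        % summary["nat_t"])
    if summary["deleted"]:
        findings.append("instance deleted after the retransmission limit %s: the "
                        "failure repeats identically on every retry, so it is a "
                        "configuration problem, not packet loss"
                        % (summary["retransmit_limit"],))
    return findings


if __name__ == "__main__":
    s = analyze(SAMPLE_LOG)
    print(s)
    for line in triage(s):
        print("-", line)
```

Run it as-is and it prints the summary and four findings for the constructed sample; point `analyze()` at the full `/var/log/auth.log` excerpt (one record per line) to get the same breakdown for a real attempt.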