[Openswan Users] Aggressive mode fails at AI2 with packet rejected: should have been encrypted
MikeS
mikes212 at intelligentvideo.tv
Thu Apr 28 13:31:38 EDT 2011
Hello List,
I am trying to make an aggressive mode connection from a dynamic ip to
OpenSwan 2.6.33 on a CentOS 5.5 box.
The secure log snippet shows:
"gw2040"[3] a.b.c.d #3: STATE_AGGR_R1: sent AR1, expecting AI2
"gw2040"[3] a.b.c.d #3: packet rejected: should have been encrypted
"gw2040"[3] a.b.c.d #3: sending notification INVALID_FLAGS to a.b.c.d:500
"gw2040"[3] a.b.c.d #3: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
| payload malformed after IV
| f2 d1 76 81 85 a6 d8 4f db e0 38 47 2c 16 26 1d
"gw2040"[3] a.b.c.d #3: sending notification PAYLOAD_MALFORMED to a.b.c.d:500
ipsec --version
Linux Openswan U2.6.33/K2.6.18-194.32.1.el5xen (netkey)
For info:
The client/initiating router is a Virtual Access GW2040
I see the same issue using a Draytek 2930 as client instead.
The GW2040 can make a successful aggressive mode connection to the Draytek.
Another OpenSwan machine as the client can connect fine.
conn gw2040
        # IKEv1 Aggressive Mode with a pre-shared key (ipsec.secrets)
        aggrmode=yes
        type=tunnel
        authby=secret
        pfs=no
        compress=no
        keyexchange=ike
        # Phase 1 and Phase 2 proposals
        ike=3des-md5-modp1024
        esp=3des-md5
        # this Openswan host (static address) and its subnet
        left=aaa.bbb.ccc.ddd
        leftsubnet=192.168.130.0/24
        # the peer has a dynamic address, so it is matched on its ID
        # (the list archive renders the "@" in the ID as " at ")
        right=%any
        rightsubnet=192.168.100.0/24
        rightid=abc@myrightid.com
        auto=add
I wonder if anyone has seen this before and can suggest a configuration
tweak to solve this?
Many thanks,
MikeS
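Added example (not part of the original post, and not Openswan code): the log above shows the responder in STATE_AGGR_R1 refusing the third Aggressive Mode message because its ISAKMP header did not carry the Encryption flag, then answering with INVALID_FLAGS. The script below parses the fixed ISAKMP header (RFC 2408 section 3.1) and applies a simplified responder rule modelled on those log lines; the rule is an assumption about behaviour, not Openswan's real state table, and every packet it processes is constructed test data rather than a capture.

```python
import struct
from dataclasses import dataclass

# Fixed 28-byte ISAKMP header (RFC 2408 section 3.1), network byte order:
# initiator cookie, responder cookie, next payload, version, exchange type,
# flags, message ID, total message length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_VERSION = 0x10        # major 1, minor 0

EXCH_MAIN = 2                # Identity Protection (Main Mode)
EXCH_AGGRESSIVE = 4
EXCH_INFORMATIONAL = 5
EXCH_QUICK = 32

FLAG_ENCRYPTION = 0x01       # "E" bit: all payloads after the header are encrypted
FLAG_COMMIT = 0x02
FLAG_AUTH_ONLY = 0x04

PAYLOAD_HASH = 8


@dataclass
class IsakmpHeader:
    icookie: bytes
    rcookie: bytes
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & FLAG_ENCRYPTION)


def parse_header(packet: bytes) -> IsakmpHeader:
    """Unpack the ISAKMP header and sanity-check version and length."""
    if len(packet) < ISAKMP_HDR.size:
        raise ValueError("packet shorter than ISAKMP header")
    hdr = IsakmpHeader(*ISAKMP_HDR.unpack_from(packet))
    if hdr.version >> 4 != 1:
        raise ValueError(f"unsupported ISAKMP major version {hdr.version >> 4}")
    if hdr.length != len(packet):
        raise ValueError(f"length field {hdr.length} != packet size {len(packet)}")
    return hdr


def check_aggr_r1(hdr: IsakmpHeader):
    """What a responder in STATE_AGGR_R1 (AR1 sent, AI2 expected) does with the
    next packet, simplified from the pluto messages in the post (assumption:
    this is a model, not Openswan's actual state machine).

    Returns ("accept", "AI2") or ("reject", <log message>, <notify or None>).
    """
    if hdr.exchange_type == EXCH_QUICK:
        return ("reject",
                "Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA",
                None)
    if hdr.exchange_type != EXCH_AGGRESSIVE:
        return ("reject",
                f"exchange type {hdr.exchange_type} not expected in STATE_AGGR_R1",
                None)
    if not hdr.encrypted:
        # The failure in the post: AI2 arrived with the E bit clear.
        return ("reject", "packet rejected: should have been encrypted", "INVALID_FLAGS")
    return ("accept", "AI2")


def build_packet(exchange_type: int, flags: int, message_id: int = 0,
                 body: bytes = b"\x00" * 16) -> bytes:
    """Construct a packet with a plausible header and an opaque body (test data)."""
    icookie = bytes.fromhex("0102030405060708")
    rcookie = bytes.fromhex("1112131415161718")
    hdr = ISAKMP_HDR.pack(icookie, rcookie, PAYLOAD_HASH, ISAKMP_VERSION,
                          exchange_type, flags, message_id,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


def run_demo():
    """Feed the responder check three constructed packets; returns the verdicts."""
    cases = {
        "AI2 with E bit set": build_packet(EXCH_AGGRESSIVE, FLAG_ENCRYPTION),
        "AI2 sent in the clear": build_packet(EXCH_AGGRESSIVE, 0),
        "Quick Mode before Phase 1 done": build_packet(EXCH_QUICK, FLAG_ENCRYPTION,
                                                       message_id=0x2a),
    }
    results = {name: check_aggr_r1(parse_header(pkt)) for name, pkt in cases.items()}
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    return results


if __name__ == "__main__":
    run_demo()
```

The second case reproduces the sequence in the log: an Aggressive Mode packet whose flags byte has bit 0x01 clear is rejected with "should have been encrypted" and answered with INVALID_FLAGS. When debugging a peer that fails this way, the flags byte of the third message (offset 19 in the UDP payload) is the first thing to compare between the router that works and the one that does not.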