[Openswan Users] Openswan cannot make connection with DrayTek in Aggressive Mode (packet rejected: should have been encrypted)
Paul Wouters
paul at xelerance.com
Fri Sep 9 16:34:01 EDT 2011
On Fri, 9 Sep 2011, Steve Leung wrote:
> Subject: [Openswan Users] Openswan cannot make connection with DrayTek in
> Aggressive Mode (packet rejected: should have been encrypted)
Usually this means they send an informational message (an error) when the
openswan side is considered "done, ready for crypto". Most likely a config
interop misconfiguration.
On top of that, Drayteks are very badly implemented in general. Especially
with their "always on" and "dialup" vs "incoming" settings... So try
initiating it from the draytek as well as initiating from openswan.
Also note that draytek will keep its phase1 ISAKMP up even after you
reconfigure it, so to be sure your config has taken hold, always reboot
these things.
> Sep 9 13:33:03 openswan openswan: | v1 state object #18 found, in STATE_AGGR_R1
> Sep 9 13:33:03 openswan openswan: | processing connection IPSEC1/1x11 10.0.0.1
> Sep 9 13:33:03 openswan openswan: "IPSEC1/1x1"[1] 10.0.0.1 #18: packet
> rejected: should have been encrypted
> Sep 9 13:33:03 openswan openswan: "IPSEC1/1x1"[1] 10.0.0.1 #18:
> sending notification INVALID_FLAGS to 10.0.0.1:500
> Sep 9 13:33:03 openswan openswan: | sending 40 bytes for notification
> packet through eth2:500 to 10.0.0.1:500 (using #18)
You might want to check this with plutodebug=all.
> conn IPSEC1
> type=tunnel
> authby=secret
> left=10.0.0.2
> leftsubnets={10.7.1.1/16}
> leftid=ipsec at abc
> right=%any
> rightsubnets={192.168.1.1/24}
I would use:
rightsubnet=192.168.1.1/24
same for leftsubnet, as it prevents instantiations of the conn that are not required here
> rightid=ipsec at draytek
> ike=3des-md5;modp1024
Are you sure the draytek is using DH2? If it uses DH5 that is modp1536
> phase2alg=3des-md5
> pfs=no
double check if it has perfect forward secrecy disabled...
Paul
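Added example, not code from Openswan or from anyone in this thread: a small Python triage helper that groups the quoted pluto log lines by ISAKMP SA number and then applies the three checks from the reply above (singular leftsubnet/rightsubnet, DH group of the ike= line, PFS agreement) to the posted conn block. The sample log and conn text are constructed from the lines quoted in the thread; the peer_dh_group and peer_pfs arguments are assumed inputs you would read off the DrayTek's own configuration page, and the DH_GROUPS table only covers the modp names named here plus modp2048 (group 14).

```python
import re
from collections import defaultdict

# DH group numbers for the modp names Openswan accepts in ike= (DH2 = modp1024, DH5 = modp1536).
DH_GROUPS = {"modp1024": 2, "modp1536": 5, "modp2048": 14}

# Constructed sample, modelled on the pluto lines quoted in the thread.
SAMPLE_LOG = """\
Sep 9 13:33:03 openswan openswan: | v1 state object #18 found, in STATE_AGGR_R1
Sep 9 13:33:03 openswan openswan: | processing connection IPSEC1/1x1 10.0.0.1
Sep 9 13:33:03 openswan openswan: "IPSEC1/1x1"[1] 10.0.0.1 #18: packet rejected: should have been encrypted
Sep 9 13:33:03 openswan openswan: "IPSEC1/1x1"[1] 10.0.0.1 #18: sending notification INVALID_FLAGS to 10.0.0.1:500
Sep 9 13:33:03 openswan openswan: | sending 40 bytes for notification packet through eth2:500 to 10.0.0.1:500 (using #18)
"""

# Constructed sample, the conn block as it was quoted (leading "> " included).
SAMPLE_CONN = """\
> conn IPSEC1
> type=tunnel
> authby=secret
> left=10.0.0.2
> leftsubnets={10.7.1.1/16}
> leftid=ipsec at abc
> right=%any
> rightsubnets={192.168.1.1/24}
> rightid=ipsec at draytek
> ike=3des-md5;modp1024
> phase2alg=3des-md5
> pfs=no
"""

STATE_RE = re.compile(r"\| v1 state object #(\d+) found, in (STATE_\w+)")
EVENT_RE = re.compile(r'"([^"]+)"\[\d+\] (\S+) #(\d+): (.+)$')
NOTIFY_RE = re.compile(r"sending notification (\w+) to")


def parse_pluto_log(text):
    """Group pluto lines by ISAKMP SA number: state, conn name, peer, messages, notifications sent."""
    sas = defaultdict(lambda: {"state": None, "conn": None, "peer": None,
                               "events": [], "notifications": []})
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            sas[m.group(1)]["state"] = m.group(2)
            continue
        m = EVENT_RE.search(line)
        if m:
            conn, peer, sa, msg = m.groups()
            rec = sas[sa]
            rec["conn"], rec["peer"] = conn, peer
            rec["events"].append(msg)
            n = NOTIFY_RE.search(msg)
            if n:
                rec["notifications"].append(n.group(1))
    return dict(sas)


def diagnose(sas):
    """One finding per SA that hit the 'should have been encrypted' rejection."""
    findings = []
    for sa, rec in sas.items():
        if any("should have been encrypted" in e for e in rec["events"]):
            state = rec["state"] or "unknown state"
            phase = "aggressive-mode phase 1" if state.startswith("STATE_AGGR") else state
            findings.append(
                f"SA #{sa} ({rec['conn']}, peer {rec['peer']}) in {phase}: peer sent a cleartext "
                f"packet where pluto expected encryption; pluto answered "
                f"{', '.join(rec['notifications']) or 'no notification'}. "
                f"Suspect a phase-1 proposal/config mismatch; retry with plutodebug=all.")
    return findings


def parse_conn(text):
    """Parse a quoted conn block into a dict of key=value settings."""
    conf = {}
    for line in text.splitlines():
        line = line.lstrip("> ").strip()
        if "=" in line and not line.startswith("conn "):
            k, v = line.split("=", 1)
            conf[k.strip()] = v.strip()
    return conf


def lint_conn(conf, peer_dh_group=None, peer_pfs=None):
    """Apply the reply's checks: singular *subnet, DH group vs peer, PFS agreement (openswan default pfs=yes)."""
    findings = []
    for side in ("left", "right"):
        key = f"{side}subnets"
        if key in conf:
            nets = [n.strip() for n in conf[key].strip("{}").split(",") if n.strip()]
            if len(nets) == 1:
                findings.append(f"{key}={conf[key]} lists one network; use {side}subnet={nets[0]} "
                                f"so no unneeded conn instances are created")
    ike = conf.get("ike", "")
    parts = ike.split(";")
    if len(parts) == 2:
        dh = DH_GROUPS.get(parts[1])
        if dh is None:
            findings.append(f"ike={ike}: unknown DH group name {parts[1]}")
        elif peer_dh_group is not None and dh != peer_dh_group:
            findings.append(f"ike={ike} is DH group {dh}; peer is set to DH group {peer_dh_group}")
    if peer_pfs is not None:
        local_pfs = conf.get("pfs", "yes") == "yes"
        if local_pfs != peer_pfs:
            findings.append(f"pfs={conf.get('pfs', 'yes')} locally but peer PFS is {'on' if peer_pfs else 'off'}")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_pluto_log(SAMPLE_LOG)) + lint_conn(parse_conn(SAMPLE_CONN), peer_dh_group=5, peer_pfs=False):
        print("-", line)
```

Run it against a real /var/log/secure excerpt by swapping SAMPLE_LOG for the file contents; the SA number in the "#18" style prefix is what ties the state line, the rejection and the INVALID_FLAGS notification together, which matters when several DrayTek retries overlap in one log.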