[Openswan Users] IPsec / L2tp: ISAKMP failures; iOS clients, openwrt server
Dom Latter
openswan-users at latter.org
Thu Feb 21 06:33:45 EST 2013
Hi,
noob here.
I have installed ipsec and xl2tpd on an openwrt [1] server [2].
We are currently focused on getting iOS devices connected so
that they can connect to the internet through the VPN. (I.e.
all traffic is routed).
The server is NATed behind a domestic router; in general the
client device is also NATed.
I have had some success getting an iPad connected; when we
switched to iPhone, we had various errors at (what I believe
is) the first stage of authentication. We don't get the
same errors every time; sometimes the connection is successful.
Here is one example from the logs (dates, IP addresses
removed).
This section is normal:
: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both
are NATed
: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
: STATE_MAIN_R2: sent MR2, expecting MI3
This is where it goes wrong:
: next payload type of ISAKMP Identification Payload has an unknown
value: 56
: probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
| payload malformed after IV
| 5e e3 dd 75 39 76 1d 78 83 6e 27 99 5d 96 2f 72
| 06 7b 01 32
: sending notification PAYLOAD_MALFORMED
Sometimes instead of the "unknown value" error I get:
"byte 2 of isakmp identification payload must be zero, but is not"
And sometimes we do get a connection!
Here is ipsec.conf. I am aware that my left* and right* settings
probably need some work (advice appreciated).
# /etc/ipsec.conf - IPsec configuration file
version 2.0

config setup
    nat_traversal=yes
    oe=off
    protostack=netkey
    nhelpers=0
    interfaces=%defaultroute

include /etc/ipsec.uci.conf # includes nat_traversal=yes

# Include non-UCI connections here
# They will be preserved across restarts/upgrades
conn L2TP-PSK
    authby=secret
    pfs=no
    compress=no
    rekey=no
    keyingtries=3
    type=transport
    left=%defaultroute
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/%any
    auto=add
    # Apple iOS doesn't send delete notify so we need dead peer
    # detection to detect vanishing clients
    dpddelay=10
    dpdtimeout=10
    dpdaction=clear
Any ideas?
[1] https://openwrt.org/
[2] TPLink domestic router; mips chip, 32MB RAM.
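The two diagnostics in the post ("next payload type ... has an unknown value" and "byte 2 of isakmp identification payload must be zero") are both sanity checks on the first payload header of MI3, which in Main Mode is the first encrypted message (RFC 2409). If the responder derived its keys from a different pre-shared key than the initiator, decryption yields random bytes, and the Identification payload header is the first thing that fails to parse, which is why Openswan attaches the "mismatch of preshared secrets?" hint. The following is an added illustration, not code from the post or from Openswan: it parses the RFC 2408 generic header plus the Identification payload fields and reports the same two failure modes on constructed samples. The payload table covers the RFC 2408 values and the RFC 3947 NAT-T payloads only; the byte numbering in the reserved-byte message follows the one-based count Openswan prints.

```python
import struct

# RFC 2408 section 3.1 "Next Payload" values. 14-127 are reserved and
# 128-255 are private use; anything outside this table is rejected.
NEXT_PAYLOAD_NAMES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
    20: "NAT-D", 21: "NAT-OA",   # RFC 3947 NAT-Traversal payloads
}

# Identification payload header: generic header (next payload, reserved,
# length) followed by ID type, protocol ID and port (RFC 2408 section 3.8).
ID_HDR = struct.Struct("!BBHBBH")


def check_id_payload(buf):
    """Validate an ISAKMP Identification payload in the order a responder
    parses it.  Returns (ok, diagnostic, fields); fields is None on error."""
    if len(buf) < ID_HDR.size:
        return False, "payload truncated (%d bytes)" % len(buf), None
    np, reserved, length, id_type, proto_id, port = ID_HDR.unpack_from(buf)
    if np not in NEXT_PAYLOAD_NAMES:
        return False, ("next payload type of ISAKMP Identification Payload "
                       "has an unknown value: %d" % np), None
    if reserved != 0:
        # Second byte of the generic header is RESERVED and must be zero.
        return False, ("byte 2 of ISAKMP Identification Payload must be "
                       "zero, but is not"), None
    if length < ID_HDR.size or length > len(buf):
        return False, "bad payload length %d" % length, None
    fields = {
        "next_payload": NEXT_PAYLOAD_NAMES[np],
        "id_type": id_type,
        "proto_id": proto_id,
        "port": port,
        "id_data": buf[ID_HDR.size:length],
    }
    return True, "ok", fields


def build_id_payload(next_np, id_type, proto_id, port, id_data):
    """Encode a well-formed ID payload (helper used for the constructed samples)."""
    length = ID_HDR.size + len(id_data)
    return ID_HDR.pack(next_np, 0, length, id_type, proto_id, port) + id_data


# Constructed samples (assumed values, not taken from the post's log).
# 1. A plausible decrypted MI3 start: ID_IPV4_ADDR (type 1) for 192.0.2.10,
#    UDP/1701, with a HASH payload (8) following, as Main Mode expects.
GOOD = build_id_payload(8, 1, 17, 1701, bytes([192, 0, 2, 10]))
# 2. Garbage of the kind a wrong-key decryption produces: first byte 0x38
#    (56) lies in the reserved next-payload range.
UNKNOWN_NP = bytes.fromhex("38 00 00 0c 01 11 06 a5 c0 00 02 0a")
# 3. A valid next payload but a non-zero reserved byte.
BAD_RESERVED = bytes.fromhex("08 7b 00 0c 01 11 06 a5 c0 00 02 0a")

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("unknown_np", UNKNOWN_NP),
                         ("bad_reserved", BAD_RESERVED)]:
        ok, diag, fields = check_id_payload(sample)
        print("%-12s ok=%-5s %s %s" % (name, ok, diag, fields or ""))
```

Run it as a script to see the three outcomes side by side; the point is that a header check, not a PSK comparison, is what produces these messages, so they say "the plaintext looked wrong" rather than "the secrets differ", and the same symptom appears whenever the two sides decrypt MI3 with different keys for any reason.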