[Openswan Users] IPsec / L2tp: ISAKMP failures; iOS clients, openwrt server
Willie Gillespie
wgillespie+openswan at es2eng.com
Thu Feb 21 15:09:01 EST 2013
What version of Openswan are you using? Somewhere around 2.6.35 they
added a few iOS bug workarounds, so hopefully you are using a version
later than that.
Do you get any more success if you use rightprotoport=17/0?
On 2/21/2013 4:33 AM, Dom Latter wrote:
> Hi,
>
> noob here.
>
> I have installed ipsec and xl2tpd on an openwrt [1] server [2].
>
> We are currently focused on getting iOS devices connected so
> that they can connect to the internet through the VPN. (I.e.
> all traffic is routed).
>
> The server is NATed behind a domestic router; in general the
> client device is also NATed.
>
> I have had some success getting an iPad connected; when we
> switched to iPhone, we had various errors at (what I believe
> is) the first stage of authentication. We don't get the
> same errors every time; sometimes the connection is successful.
>
> Here is one example from the logs (dates, IP addresses
> removed).
>
> This section is normal:
>
> : NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both
> are NATed
> : transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> : STATE_MAIN_R2: sent MR2, expecting MI3
>
> This is where it goes wrong:
>
> : next payload type of ISAKMP Identification Payload has an unknown
> value: 56
> : probable authentication failure (mismatch of preshared secrets?):
> malformed payload in packet
> | payload malformed after IV
> | 5e e3 dd 75 39 76 1d 78 83 6e 27 99 5d 96 2f 72
> | 06 7b 01 32
> : sending notification PAYLOAD_MALFORMED
>
> Sometimes instead of the "unknown value" error I get:
> "byte 2 of isakmp identification payload must be zero, but is not"
>
> And sometimes we do get a connection!
>
> Here is ipsec.conf. I am aware that my left* and right* settings
> probably need some work (advice appreciated).
>
> # /etc/ipsec.conf - IPsec configuration file
> version 2.0
> config setup
>     nat_traversal=yes
>     oe=off
>     protostack=netkey
>     nhelpers=0
>     interfaces=%defaultroute
>
> include /etc/ipsec.uci.conf # includes nat_traversal=yes
>
> # Include non-UCI connections here
> # They will be preserved across restarts/upgrades
> conn L2TP-PSK
>     authby=secret
>     pfs=no
>     compress=no
>     rekey=no
>     keyingtries=3
>     type=transport
>     left=%defaultroute
>     leftnexthop=%defaultroute
>     leftprotoport=17/1701
>     right=%any
>     rightsubnet=vhost:%no,%priv
>     rightprotoport=17/%any
>     auto=add
>     # Apple iOS doesn't send delete notify so we need dead peer
>     # detection to detect vanishing clients
>     dpddelay=10
>     dpdtimeout=10
>     dpdaction=clear
>
>
> Any ideas?
>
>
>
> [1] https://openwrt.org/
> [2] TPLink domestic router; mips chip, 32MB RAM.
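The two log messages in the quoted mail ("next payload type ... has an unknown value" and "byte 2 of isakmp identification payload must be zero") are Openswan's checks on the 4-byte generic payload header that every ISAKMP payload starts with (RFC 2408 section 3.2: next-payload type, a reserved byte that must be zero, and the payload length). MI3 is the first encrypted message of main mode and carries the Identification payload, so when decryption uses the wrong key or a wrong IV the bytes after the IV are effectively random and those header checks are the first thing to fail; that is why Openswan phrases it as a probable pre-shared-secret mismatch. The Python below is an added example, not code from the list or from Openswan: it applies the same three checks to the 20 bytes dumped in the log and to a constructed, well-formed ID payload, so the reader can see the difference between a parse failure and a bad identity. The payload-type table and the `parse_id_payload` helper are mine; only ID_IPV4_ADDR data is decoded.

```python
import struct
from ipaddress import IPv4Address

# Next-payload type codes from RFC 2408 section 3.1 plus the NAT-T payloads
# (NAT-D = 20, NAT-OA = 21) from RFC 3947. Anything else is "unknown".
KNOWN_NEXT_PAYLOADS = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
    8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
    20: "NAT-D", 21: "NAT-OA",
}


def check_generic_header(buf, name="ISAKMP Identification Payload"):
    """Validate the generic payload header (next payload, reserved, length)
    at the start of buf. Returns (fields, problems); problems is empty when
    the header is well-formed. Wording mirrors the quoted Openswan log."""
    problems = []
    if len(buf) < 4:
        return None, [f"{name}: truncated generic header ({len(buf)} bytes)"]
    next_payload, reserved, length = struct.unpack("!BBH", buf[:4])
    if next_payload not in KNOWN_NEXT_PAYLOADS:
        problems.append(
            f"next payload type of {name} has an unknown value: {next_payload}")
    if reserved != 0:
        problems.append(f"byte 2 of {name} must be zero, but is not")
    if length < 4 or length > len(buf):
        problems.append(
            f"length {length} of {name} is impossible "
            f"(only {len(buf)} bytes available)")
    fields = {"next_payload": next_payload, "reserved": reserved, "length": length}
    return fields, problems


def parse_id_payload(buf):
    """Parse an Identification payload (RFC 2407 section 4.6.2 layout:
    ID type, protocol ID, port, identification data) once the generic
    header has passed validation. Only ID_IPV4_ADDR (type 1) is decoded."""
    fields, problems = check_generic_header(buf)
    if problems:
        return None, problems
    id_type, proto, port = struct.unpack("!BBH", buf[4:8])
    data = buf[8:fields["length"]]
    if id_type == 1 and len(data) == 4:
        identity = str(IPv4Address(data))
    else:
        identity = data.hex()
    fields.update({"id_type": id_type, "protocol": proto,
                   "port": port, "identity": identity})
    return fields, []


# The 20 bytes dumped under "payload malformed after IV" in the quoted log.
# They are the output of decryption, so a key or IV mismatch leaves
# random-looking values here and every header check trips.
LOGGED_AFTER_IV = bytes.fromhex("5ee3dd7539761d78836e27995d962f72067b0132")

# Constructed (not from the log) well-formed ID payload for comparison:
# next payload HASH (8), reserved 0, length 12, ID_IPV4_ADDR (1),
# protocol 0, port 0, identity 10.0.0.2.
GOOD_ID_PAYLOAD = bytes.fromhex("0800000c" "01000000" "0a000002")


if __name__ == "__main__":
    for label, payload in (("logged", LOGGED_AFTER_IV), ("good", GOOD_ID_PAYLOAD)):
        fields, problems = parse_id_payload(payload)
        print(label, fields if fields else "unparseable")
        for p in problems:
            print("  ", p)
```

Running it reports three problems for the logged bytes (next payload 94, non-zero reserved byte, length 56693 in a 20-byte buffer) and a clean parse of 10.0.0.2 for the constructed payload. When a client intermittently produces this pattern with the same secret, as in the quoted mail, the key material is not simply wrong every time, which is why the reply points at version-specific iOS workarounds and the protoport setting rather than at the secret itself.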