[Openswan Users] IPsec / L2tp: ISAKMP failures; iOS clients, openwrt server
wgillespie+openswan at es2eng.com
Thu Feb 21 15:09:01 EST 2013
What version of Openswan are you using? Somewhere around 2.6.35 they
added a few iOS bug workarounds, so hopefully you are using a version
later than that.
Do you get any more success if you use rightprotoport=17/0?
On 2/21/2013 4:33 AM, Dom Latter wrote:
> noob here.
> I have installed ipsec and xl2tpd on an openwrt server.
> We are currently focused on getting iOS devices connected so
> that they can connect to the internet through the VPN. (I.e.
> all traffic is routed).
> The server is NATed behind a domestic router; in general the
> client device is also NATed.
> I have had some success getting an iPad connected; when we
> switched to iPhone, we had various errors at (what I believe
> is) the first stage of authentication. We don't get the
> same errors every time; sometimes the connection is successful.
> Here is one example from the logs (dates, IP addresses
> This section is normal:
> : NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both
> are NATed
> : transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> : STATE_MAIN_R2: sent MR2, expecting MI3
> This is where it goes wrong:
> : next payload type of ISAKMP Identification Payload has an unknown
> value: 56
> : probable authentication failure (mismatch of preshared secrets?):
> malformed payload in packet
> | payload malformed after IV
> | 5e e3 dd 75 39 76 1d 78 83 6e 27 99 5d 96 2f 72
> | 06 7b 01 32
> : sending notification PAYLOAD_MALFORMED
> Sometimes instead of the "unknown value" error I get:
> "byte 2 of isakmp identification payload must be zero, but is not"
> And sometimes we do get a connection!
> Here is ipsec.conf. I am aware that my left* and right* settings
> probably need some work (advice appreciated).
> # /etc/ipsec.conf - IPsec configuration file
> version 2.0
> config setup
> include /etc/ipsec.uci.conf # includes nat_traversal=yes
> # Include non-UCI connections here
> # They will be preserved across restarts/upgrades
> conn L2TP-PSK
> # Apple iOS doesn't send delete notify so we need dead peer
> # detection to detect vanishing clients
> Any ideas?
>  https://openwrt.org/
>  TPLink domestic router; mips chip, 32MB RAM.
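As an added illustration (not part of the thread and not Openswan's own code), the parser below reproduces the two header checks behind the "unknown value" and "byte 2 ... must be zero" messages quoted above, using constructed byte strings; the payload layout follows RFC 2408 section 3.8 with the RFC 2407 IPsec DOI fields.

```python
import struct

# ISAKMP payload type numbers from RFC 2408, plus NAT-D/NAT-OA from RFC 3947.
KNOWN_PAYLOADS = {0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE",
                  5: "ID", 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG",
                  10: "NONCE", 11: "NOTIFY", 12: "DELETE", 13: "VID",
                  20: "NAT-D", 21: "NAT-OA"}

def parse_id_payload(data: bytes) -> dict:
    """Parse one ISAKMP Identification payload:
    next payload (1) | RESERVED (1) | length (2) | ID type (1) | protocol (1) | port (2) | ID data.
    The checks raise messages shaped like the ones in the quoted log."""
    if len(data) < 8:
        raise ValueError("payload malformed: shorter than generic header plus ID fields")
    next_payload, reserved, length = struct.unpack("!BBH", data[:4])
    if next_payload not in KNOWN_PAYLOADS:
        raise ValueError("next payload type of ISAKMP Identification Payload "
                         f"has an unknown value: {next_payload}")
    if reserved != 0:
        raise ValueError("byte 2 of isakmp identification payload must be zero, but is not")
    if length < 8 or length > len(data):
        raise ValueError(f"payload length {length} inconsistent with {len(data)} bytes available")
    id_type, protocol_id, port = struct.unpack("!BBH", data[4:8])
    return {"next_payload": KNOWN_PAYLOADS[next_payload], "id_type": id_type,
            "protocol": protocol_id, "port": port, "id_data": data[8:length]}

def classify(data: bytes) -> str:
    """Return 'ok' for a well-formed payload, otherwise the check that failed."""
    try:
        parse_id_payload(data)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed sample: ID_IPV4_ADDR (type 1) for UDP port 1701 (L2TP), next payload HASH.
GOOD = struct.pack("!BBHBBH", 8, 0, 12, 1, 17, 1701) + bytes([10, 0, 0, 5])

# Constructed sample: same length, but the first byte is 0x38 = 56, the value in the log.
# A body decrypted with the wrong key looks like random bytes, and with only 16 known
# type numbers most random first bytes fail this check, which is why Openswan adds
# the "mismatch of preshared secrets?" hint.
BAD_NEXT = bytes.fromhex("38 a1 00 0c 01 11 06 a5 0a 00 00 05")

# Constructed sample: valid next-payload byte, but the RESERVED byte is 0x01.
BAD_RESERVED = bytes.fromhex("08 01 00 0c 01 11 06 a5 0a 00 00 05")
```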