[Openswan Users] sending notification PAYLOAD_MALFORMED

Nick Howitt n1ck.h0w1tt at gmail.com
Tue Sep 24 07:39:57 UTC 2013


 

For your "roadwarrior", if you only have one tunnel at the other end, use
right=%any and %any in ipsec.secrets. Then right is identified only by
the secret and the rightsubnet. Do not use rightid to identify the
device unless you use aggressive mode as rightid is not transmitted in
phase1/main mode.

On 2013-09-24 01:35, Paul Young wrote: 

> The host does not but the router it connects to the internet with does. 
> 
> It is a little bit of a stretch as the router connects to the internet by a 4G dongle. Which itself is doing things to make life difficult. For example it is not strictly addressable from the internet. 
> 
> So that is why I am trying to set up a host -> VPN server type of setup. Road runner basically. 
> 
> I am not referencing IPs in the secret file itself. 
> 
> I set an id and use that to relate the conf file to the secret file - @<blah> format. 
> 
> So for example in the conf file I have an entry like: 
> 
> leftid=@wow 
> 
> and in the secrets file associated with the conf file I have this format: 
> 
> @wow: PSK "asecret" 
> 
> and as far as I know that is part of the tie in 
> 
> Paul 
> 
> On 24 September 2013 10:24, Leto <letoams at gmail.com> wrote:
> 
> Shouldn't be needed. Does your host get a new IP on reboot and you use the old IP in either ipsec.conf or ipsec.secrets?
> 
> sent from a tiny device 
> 
> On 2013-09-23, at 20:08, Paul Young <paul at arkig.com> wrote:
> 
> The next thing I did was change the PSK to something really simple - did not change the symptoms.
> 
> So now I have rebuilt the entire server on one side and am starting from scratch. Which is bulls__t 
> 
> But I don't have much time to get this to work 
> 
> On 24 September 2013 07:10, Paul Young <paul at arkig.com> wrote:
> 
> Hi Leto, 
> 
> Thanks for the reply. It looks ok and I basically generated the PSK with: 
> 
> ipsec ranbits --continuous 128 
> 
> Cheers, 
> Paul 
> 
> On 24 September 2013 02:52, Leto <letoams at gmail.com> wrote:
> 
> try avoiding some strange characters in the psk. ensure you're not mixing up ASCII vs hex?
> 
> sent from a tiny device 
> 
> On 2013-09-23, at 10:09, Paul Young <paul at arkig.com> wrote:
> 
> Hi Guys, 
> 
> What other reasons other than mismatched PSKs could cause this issue? 
> 
> Thanks 
> 
> On 23 September 2013 18:46, Paul Young <paul at arkig.com> wrote:
> 
> I also just tried replacing the PSK on both sides and the same issue continued.
> 
> On 23 September 2013 18:39, Paul Young <paul at arkig.com> wrote:
> 
> Hi all, 
> 
> After rebooting one side of my Openswan setup without changing config and so on I am getting this error and cannot create a tunnel anymore. 
> 
> The reason I rebooted the host is I applied a bunch of firmware updates to the hardware. 
> 
> Sep 23 18:33:23 lobster pluto[38968]: "conn"[11] <outside IP address> #55: next payload type of ISAKMP Identification Payload has an unknown value: 23 
> Sep 23 18:33:23 lobster pluto[38968]: "conn"[11] <outside IP address> #55: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet 
> Sep 23 18:33:23 lobster pluto[38968]: | payload malformed after IV 
> Sep 23 18:33:23 lobster pluto[38968]: | 74 40 8b d3 5a 30 3e 52 dc 54 26 a5 d9 88 bc e9 
> Sep 23 18:33:23 lobster pluto[38968]: | e4 ea 8e 4b 
> Sep 23 18:33:23 lobster pluto[38968]: "conn"[11] <outside IP address> #55: sending notification PAYLOAD_MALFORMED to <outside IP address>:500 
> 
> I have triple checked the PSK and it appears to be fine. What am I missing? 
> 
> Thanks, 
> Paul

> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users [1]
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy [2]
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155 [3]


 

Links:
------
[1] https://lists.openswan.org/mailman/listinfo/users
[2] https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
[3] http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
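
Added example (not part of the original thread): a small Python triage script that scans pluto log lines like the ones quoted above and reports the IKE states in which pluto both flagged a "probable authentication failure" and sent PAYLOAD_MALFORMED. The sample log is constructed from the quoted lines, with 192.0.2.10 as a placeholder peer address and one constructed non-failing line; the function and signal names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto lines quoted in the thread;
# 192.0.2.10 is a documentation address standing in for the peer.
SAMPLE_LOG = """\
Sep 23 18:33:23 lobster pluto[38968]: "conn"[11] 192.0.2.10 #55: next payload type of ISAKMP Identification Payload has an unknown value: 23
Sep 23 18:33:23 lobster pluto[38968]: "conn"[11] 192.0.2.10 #55: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Sep 23 18:33:23 lobster pluto[38968]: | payload malformed after IV
Sep 23 18:33:23 lobster pluto[38968]: "conn"[11] 192.0.2.10 #55: sending notification PAYLOAD_MALFORMED to 192.0.2.10:500
Sep 23 18:33:40 lobster pluto[38968]: "conn"[11] 192.0.2.10 #56: STATE_MAIN_R3: sent MR3, ISAKMP SA established
"""

# "conn"[instance] peer #state: message
# Debug lines that start with "|" carry no state number and do not match.
LINE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) '
    r'#(?P<state>\d+): (?P<msg>.*)'
)

SIGNALS = {
    "garbled_payload": re.compile(r"next payload type of .+ has an unknown value"),
    "auth_failure": re.compile(r"probable authentication failure"),
    "notify_sent": re.compile(r"sending notification PAYLOAD_MALFORMED"),
}

def psk_mismatch_states(log_text):
    """Return sorted (conn, peer, state) tuples where pluto logged both the
    authentication-failure hint and the PAYLOAD_MALFORMED notification."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key = (m["conn"], m["peer"], int(m["state"]))
        for name, rx in SIGNALS.items():
            if rx.search(m["msg"]):
                seen[key].add(name)
    required = {"auth_failure", "notify_sent"}
    return sorted(k for k, found in seen.items() if required <= found)

if __name__ == "__main__":
    for conn, peer, state in psk_mismatch_states(SAMPLE_LOG):
        print(f"conn={conn} peer={peer} state=#{state}: check PSK selection on both ends")
```

Correlating on the state number keeps a single stray notification from being reported when the authentication-failure line for the same negotiation is absent.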