[Openswan Users] byte 2 of ISAKMP Hash Payload must be zero, but is not

elsa.watson-fzy8fw2 at yopmail.com elsa.watson-fzy8fw2 at yopmail.com
Wed Apr 2 16:19:54 EDT 2014


Hi all

I am using a Cisco RV215W (running openswan)

I have two VPN servers, each behind an xDSL router (NAT enabled)

I cannot get the raw openswan file

But here are my logs

6             2014-04-02 0:08:05 AM debug   pluto[22201]: "rabat" #2: sending notification PAYLOAD_MALFORMED to 41.F.G.H:4500

7             2014-04-02 0:08:05 AM debug   pluto[22201]: | 46 5f b1 08 95 86 af 15 b4 06 f9 a4 5a f6 d8 ad

8             2014-04-02 0:08:05 AM debug   pluto[22201]: | payload malformed after IV

9             2014-04-02 0:08:05 AM info        pluto[22201]: "rabat" #2: malformed payload in packet

10           2014-04-02 0:08:05 AM debug   pluto[22201]: "rabat" #2: malformed payload in packet

11           2014-04-02 0:08:05 AM debug   pluto[22201]: "rabat" #2: byte 2 of ISAKMP Hash Payload must be zero, but is not

12           2014-04-02 0:08:05 AM debug   pluto[22201]: "rabat" #2: Dead Peer Detection (RFC 3706): enabled

13           2014-04-02 0:08:05 AM debug   pluto[22201]: "rabat" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}

It seems that a parameter is wrong between both sites, which leads to "byte 2 of ISAKMP Hash Payload must be zero, but is not".

But I cannot identify which parameter is wrong.

Here is the extract from the Cisco GUI

On Site G

(LAN)192.168.25.0/24  ===  192.168.25.1(CISCO)192.168.10.161  192.168.10.1(xDSL) 88.B.C.D (where 88.B.C.D is my public address on site G)

On Site R

(LAN)192.168.15.0/24  ===  192.168.15.1(CISCO)192.168.1.2  192.168.1.1(xDSL) 41.F.G.H (where 41.F.G.H is my public address on site R)

So I have NAT (so I have activated NAT traversal on both sides)

On the RV215W (Site G)

IKE Policy Table

Mode:main

Local identifier : 192.168.10.161

Remote identifier 192.168.1.2

AES128/SHA1

DH Group2

xauth disabled

VPN policy table

Type:autopolicy

remote endpoint 41.F.G.H

Local 192.168.25.1/255.255.255.0

remote 192.168.15.1/255.255.255.0

AES128/SHA1

PFS Keygroup: disable

On site R (SRP521W)

IKE

Policy Name     gnt

Exchange Mode              Main

Encryption Algorithm    AES128

Authentication Algorithm           SHA-1

Diffie-Hellman (DH) Group         Group 2 (1024 bit)

Auto Pre-Shared Key    XXXXXXXXXX

Enable Dead Peer Detection      Enable

DPD Interval      3600

DPD Timeout     3600

XAUTH client     Disable

IP Sec

Status   Enable

Policy Name      rabat

Local Group Type            IP Address & Subnet

Local Group IP Address 192.168.15.1

Local Group IP Subnet  255.255.255.0

Remote Endpoint           IP Address

Remote security gateway address          192.168.10.161

Remote security domain name 

Remote group type       IP Address & Subnet

Remote group IP             192.168.25.1

Remote group Subnet Mask      255.255.255.0

Encrypted algorithm      3DES

Integrity algorithm         SHA-1

Police type         Auto

Manual encryption key 

Manual auth key             

Inbound SPI       

Outbound SPI   

PFS        Disable

Key life time      7800

Now using IKE police     gnt

I have been struggling for many days, and forums did not help me identify the problem.

Thanks for your help
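For readers trying to make sense of the "byte 2 of ISAKMP Hash Payload must be zero" line in the logs above: after the 28-byte ISAKMP header, every payload starts with a 4-byte generic header (RFC 2408 section 3.2) of next-payload type, a RESERVED byte that must be zero, and the payload length. In the encrypted exchanges that follow phase 1 (Quick Mode and Informational messages, RFC 2409) the first payload is a Hash payload, so pluto decrypts the body (the logged IV belongs to that step) and then checks the Hash payload header first; a non-zero RESERVED byte there means the decrypted bytes are not a well-formed payload chain, and pluto answers with PAYLOAD_MALFORMED. The script below is an added example, not code from the original post or from openswan. It parses plaintext ISAKMP messages with the same checks, and builds two constructed Quick Mode style messages, one valid and one with the Hash payload's RESERVED byte deliberately forced to 0x95, to show which byte the message refers to. The cookies, payload bodies, message ID and the `build_isakmp`/`check` helpers are constructed for this example; the payload-type and exchange-type numbers are those of RFC 2408, RFC 2409 and RFC 3947.

```python
import struct

# ISAKMP fixed header, RFC 2408 section 3.1: initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length (28 bytes).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header, RFC 2408 section 3.2: next payload, RESERVED (must be 0),
# payload length including these 4 bytes. "Byte 2" in pluto's message is RESERVED.
GENERIC_HDR = struct.Struct("!BBH")

FLAG_ENCRYPTION = 0x01   # HDR* in RFC 2409: everything after the header is encrypted
EXCH_QUICK_MODE = 32     # RFC 2409 exchange type for Quick Mode

PAYLOAD_NAMES = {
    1: "Security Association", 4: "Key Exchange", 5: "Identification",
    8: "Hash", 10: "Nonce", 11: "Notification", 12: "Delete", 13: "Vendor ID",
    20: "NAT-D",         # RFC 3947
}


class MalformedPayload(ValueError):
    """The conditions pluto logs as 'malformed payload in packet'."""


def parse_isakmp(data: bytes):
    """Parse a plaintext ISAKMP message into (header dict, [(payload name, body)])."""
    if len(data) < ISAKMP_HDR.size:
        raise MalformedPayload("packet is shorter than the 28-byte ISAKMP header")
    icookie, rcookie, next_type, version, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise MalformedPayload(f"header length {length} does not match packet length {len(data)}")
    if flags & FLAG_ENCRYPTION:
        # pluto decrypts the body first; these checks run on the decrypted bytes.
        raise MalformedPayload("payloads are encrypted; decrypt the body before parsing")
    payloads = []
    offset = ISAKMP_HDR.size
    ptype = next_type
    while ptype != 0:
        name = PAYLOAD_NAMES.get(ptype, f"type {ptype}")
        if offset + GENERIC_HDR.size > len(data):
            raise MalformedPayload(f"ISAKMP {name} Payload header is truncated")
        nxt, reserved, plen = GENERIC_HDR.unpack_from(data, offset)
        if reserved != 0:
            raise MalformedPayload(
                f"byte 2 of ISAKMP {name} Payload must be zero, but is not (0x{reserved:02x})")
        if plen < GENERIC_HDR.size or offset + plen > len(data):
            raise MalformedPayload(f"ISAKMP {name} Payload length {plen} is invalid")
        payloads.append((name, data[offset + GENERIC_HDR.size:offset + plen]))
        offset += plen
        ptype = nxt
    if offset != len(data):
        raise MalformedPayload(f"{len(data) - offset} trailing bytes after the last payload")
    header = {"initiator_cookie": icookie, "responder_cookie": rcookie,
              "exchange_type": exch, "flags": flags, "message_id": msgid}
    return header, payloads


def build_isakmp(payloads, exch=EXCH_QUICK_MODE, msgid=0, bad_reserved=None):
    """Constructed helper: build a plaintext message from [(type, body)].
    bad_reserved=(index, value) corrupts RESERVED in one payload header on purpose."""
    body = b""
    for i, (ptype, content) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        reserved = bad_reserved[1] if bad_reserved and bad_reserved[0] == i else 0
        body += GENERIC_HDR.pack(nxt, reserved, GENERIC_HDR.size + len(content)) + content
    first = payloads[0][0] if payloads else 0
    # Constructed cookies; version byte 0x10 is ISAKMP major 1, minor 0.
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first, 0x10, exch, 0, msgid,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


def check(data: bytes) -> str:
    """One-line verdict in the spirit of pluto's log messages (constructed helper)."""
    try:
        _, payloads = parse_isakmp(data)
    except MalformedPayload as e:
        return f"malformed payload in packet: {e}"
    return "ok: " + ", ".join(name for name, _ in payloads)


# Constructed Quick Mode plaintext: HASH(1), SA, Nonce. The bodies are placeholders
# (a real HASH(1) is an HMAC over the message and the SA body carries proposals).
QM_PAYLOADS = [(8, b"\xaa" * 20), (1, b"\x00\x00\x00\x01" + b"\xbb" * 12), (10, b"\xcc" * 16)]
GOOD_PACKET = build_isakmp(QM_PAYLOADS, msgid=0x12345678)
# The same message with RESERVED of the first (Hash) payload forced to a non-zero value.
BAD_PACKET = build_isakmp(QM_PAYLOADS, msgid=0x12345678, bad_reserved=(0, 0x95))

if __name__ == "__main__":
    print(check(GOOD_PACKET))
    print(check(BAD_PACKET))
```

Running the script prints an "ok" line listing the three payloads for the valid message and, for the corrupted one, the same wording pluto uses. The point for troubleshooting is that the check fires on bytes pluto obtained by decryption, so it says nothing about which parameter differs, only that the decrypted body is not what the peer's parser expected.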
