[Openswan Users] pending Phase 2 for "gateway1-conn" problem

Jesse N Perez perezje at us.ibm.com
Mon Jun 1 16:16:27 EDT 2015



Would appreciate some help with my questions. All my servers are
RHEL6.x86_64 virtual machines.

I have an apache web server that I want to establish IPsec tunnels with "n"
number of backend servers. Let's call the apache server "A" (IP 10.60.87.6)
and the backend server "B" (IP 10.62.66.49).
On "A" I have my /etc/ipsec.d/gateway.conf as follows..
conn gateway-conn
 type=transport
 authby=secret
 left=10.60.87.6
 right=%any
 pfs=yes
 auto=add

with a /etc/ipsec.d/gateway.secrets as follows..
10.60.87.6 %any: "mybigsecret"

On "B" I have my /etc/ipsec.d/gateway1.conf as follows..
conn gateway1-conn
 type=transport
 authby=secret
 right=10.62.66.49
 left=10.60.87.6
 pfs=yes
 auto=up

with a /etc/ipsec.d/gateway1.secrets as follows..
10.60.87.6 %any: "mybigsecret"

I cannot ping "B" from "A" or vice versa.

On "A" an "ipsec auto status" shows...
000 "gateway-conn": 10.60.87.6<10.60.87.6>[+S=C]...%any[+S=C]; unrouted; eroute owner: #0
000 "gateway-conn":     myip=unset; hisip=unset;
000 "gateway-conn":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "gateway-conn":   policy: PSK+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "gateway-conn":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "gateway-conn"[22]: 10.60.87.6<10.60.87.6>[+S=C]...10.62.66.49[+S=C]; unrouted; eroute owner: #0
000 "gateway-conn"[22]:     myip=unset; hisip=unset;
000 "gateway-conn"[22]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "gateway-conn"[22]:   policy: PSK+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "gateway-conn"[22]:   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #44: "gateway-conn"[22] 10.62.66.49:500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 27s; lastdpd=-1s(seq in:0 out:0); idle; import:not set

and /var/log/secure shows...
2015-06-01T15:09:12.148880-05:00 gw11 pluto[19853]: "gateway-conn"[22] 10.62.66.49 #46: sending notification PAYLOAD_MALFORMED to 10.62.66.49:500
2015-06-01T15:09:32.166369-05:00 gw11 pluto[19853]: "gateway-conn"[22] 10.62.66.49 #46: next payload type of ISAKMP Identification Payload has an unknown value: 140
2015-06-01T15:09:32.166402-05:00 gw11 pluto[19853]: "gateway-conn"[22] 10.62.66.49 #46: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
2015-06-01T15:09:32.166413-05:00 gw11 pluto[19853]: | payload malformed after IV
2015-06-01T15:09:32.166434-05:00 gw11 pluto[19853]: |   ef e3 e5 65  2a 8f eb a2  f7 7e 02 7e  81 0f 85 01
2015-06-01T15:09:32.166444-05:00 gw11 pluto[19853]: |   e6 89 ec 98
2015-06-01T15:09:32.166453-05:00 gw11 pluto[19853]: "gateway-conn"[22] 10.62.66.49 #46: sending notification PAYLOAD_MALFORMED to 10.62.66.49:500


On "B" an "ipsec auto status" shows...
000 #46: "gateway1-conn":500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 6s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #46: pending Phase 2 for "gateway1-conn" replacing #0

and /var/log/secure shows...
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #46: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #46: starting keying attempt 42 of an unlimited number
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: initiating Main Mode to replace #46
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: received Vendor ID payload [Openswan (this version) 2.6.32 ]
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: received Vendor ID payload [Dead Peer Detection]
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: received Vendor ID payload [RFC 3947] method set to=109
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: enabling possible NAT-traversal with method 4
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: STATE_MAIN_I2: sent MI2, expecting MR2
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: I will NOT send an initial contact payload
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: Not sending INITIAL_CONTACT
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: STATE_MAIN_I3: sent MI3, expecting MR3
Jun  1 15:05:32 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: received 1 malformed payload notifies
Jun  1 15:05:42 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: discarding duplicate packet; already STATE_MAIN_I3
Jun  1 15:05:42 SIDR36APMXGREEN-3a7 pluto[29896]: "gateway1-conn" #47: received 2 malformed payload notifies

What could be causing the "sending notification PAYLOAD_MALFORMED to
10.62.66.49:500" error on "A"?
What about the "pending Phase 2 for gateway1-conn replacing #0" message?
Do you see anything wrong with my configuration?

One mystery is this sometimes works and other times it does not. It
intermittently works and when it gets in this state I cannot recover it.

Your help would be greatly appreciated.

Thanks

Jesse N. Perez
IBM Software Group  |  Cloud and Smarter Infrastructure Division
(352) 341-3872  |  perezje at us.ibm.com
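The two pluto log signatures quoted in this post (responder "A" reporting a malformed payload after decrypting MI3, initiator "B" timing out in STATE_MAIN_I3 and receiving malformed-payload notifies) can be picked out automatically. This is an added triage script, not part of the original post or of Openswan; the sample log lines are constructed, modeled on the ones above, and the function and constant names are my own.

```python
import re
from collections import defaultdict

# Matches pluto lines in both the ISO-timestamp and classic syslog formats seen in the post:
#   ... pluto[PID]: "conn"[inst] peer-ip #SA: message
#   ... pluto[PID]: "conn" #SA: message
PLUTO_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])?(?: [\d.]+)? #(?P<sa>\d+): (?P<msg>.*)$'
)

# Responder side: a wrong PSK makes the encrypted MI3 decrypt to garbage, which pluto
# reports as a malformed payload and answers with a PAYLOAD_MALFORMED notification.
RESPONDER_SIGNS = (
    "probable authentication failure (mismatch of preshared secrets?)",
    "sending notification PAYLOAD_MALFORMED",
)
# Initiator side: no acceptable MR3 ever arrives, so pluto retransmits MI3 until it gives up.
INITIATOR_SIGNS = (
    "Possible authentication failure: no acceptable response to our first encrypted message",
    "malformed payload notifies",
)

def triage(lines):
    """Group pluto messages by (connection, SA number) and return one finding per SA
    that shows the responder-side and/or initiator-side Phase 1 authentication failure."""
    roles = defaultdict(set)
    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue  # debug lines such as "| payload malformed after IV" carry no SA number
        key, msg = (m.group("conn"), int(m.group("sa"))), m.group("msg")
        if any(s in msg for s in RESPONDER_SIGNS):
            roles[key].add("responder")
        if any(s in msg for s in INITIATOR_SIGNS):
            roles[key].add("initiator")
    return [{"conn": conn, "sa": sa, "roles": sorted(r),
             "verdict": "Phase 1 auth failure; compare the PSK in ipsec.secrets on both peers"}
            for (conn, sa), r in sorted(roles.items())]

# Constructed samples modeled on the post's /var/log/secure excerpts.
SAMPLE_A = [
    '2015-06-01T15:09:32.166402-05:00 gw11 pluto[19853]: "gateway-conn"[22] 10.62.66.49 #46: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet',
    '2015-06-01T15:09:32.166413-05:00 gw11 pluto[19853]: | payload malformed after IV',
    '2015-06-01T15:09:32.166453-05:00 gw11 pluto[19853]: "gateway-conn"[22] 10.62.66.49 #46: sending notification PAYLOAD_MALFORMED to 10.62.66.49:500',
]
SAMPLE_B = [
    'Jun  1 15:05:32 hostB pluto[29896]: "gateway1-conn" #46: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message',
    'Jun  1 15:05:32 hostB pluto[29896]: "gateway1-conn" #47: initiating Main Mode to replace #46',
    'Jun  1 15:05:42 hostB pluto[29896]: "gateway1-conn" #47: received 2 malformed payload notifies',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_A) + triage(SAMPLE_B):
        print(finding)
```

Run it over the real /var/log/secure from each host; an SA that is flagged on both sides at the same time is the strongest indication that the two ipsec.secrets entries do not select the same PSK.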