[Swan] malformed payload error
David Mansfield
swan at dm.cobite.com
Fri Mar 6 21:12:11 EET 2015
Hi All,
I'm attempting to set up a tunnel using libreswan-3.8-6.el7_0.x86_64 on
centos 7. Other end is some Juniper box, but I don't know anything
beyond that.
My config is:
conn my_tunnel
left=a.b.c.d
leftsubnet=e.f.g.h/32
right=i.j.k.l
rightsubnet=i.j.k.m/32
authby=secret
aggrmode=no
auto=start
ike=aes256-sha1;modp1024
ikelifetime=4800s
phase2alg=aes256-sha1;modp1024
salifetime=4800s
rekey=yes
keyingtries=%forever
(I'm "right"). The ike and phase2 settings were provided to me thus:
Phase 1 Proposal:
Diffie-Hellman group: DH2
Re-key time (value in seconds): 4800
NAT Traversal: Disable
Encryption: AES256
Integrity/Hashing Algorithm: SHA-1
Phase 2 Proposal:
Diffie-Hellman group: DH2
Re-key time (value in seconds): 4800
Perfect Forward Secrecy - PFS: Enable
Encryption: AES256
Integrity/Hashing Algorithm: SHA-1
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: initiating Main Mode
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: ignoring unknown Vendor ID payload [1c9cc56fce382e3a040b692cda85427d7306db4b110000001e060000]
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: received Vendor ID payload [Dead Peer Detection]
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: Not sending INITIAL_CONTACT
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: next payload type of ISAKMP Hash Payload has an unknown value: 29
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: malformed payload in packet
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: | payload malformed after possible IV
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: | 3a 14 09 c4 c7 8c 48 dd 99 2d 14 ab 51 60 bb 87
> Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: sending notification PAYLOAD_MALFORMED to a.b.c.d:500
Any ideas as to what may be causing this?
I have the debug-all output, but I'm not sure about posting it. Before
the "next payload type of ISAKMP Hash Payload has an unknown value: 29"
I have:
> Mar 6 13:49:37 ipsec-gateway pluto[3647]: | phase 1 is done, looking for phase 2 to unpend
So is it possible my phase 2 algorithms don't match? It's computing a
"phase 2 iv" and then decrypting then:
> Mar 6 13:49:37 ipsec-gateway pluto[3647]: | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100opt: 0x0
Then it emits the "next payload type of ISAKMP Hash Payload has an
unknown value".
--
Thanks,
David Mansfield
Cobite, INC.
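Added example (Python, not code from this thread or from libreswan): a walker over RFC 2408 generic payload headers that flags an unknown next-payload value the same way the pluto log above does, so the reader can see what "malformed payload in packet" is checking. The sample bodies are constructed; the value 29 comes from the log, and the payload-type table and error wording are assumptions modelled on the quoted messages.

```python
import struct

# IKEv1 next-payload values: RFC 2408 sec. 3.1 plus NAT-D/NAT-OA from RFC 3947.
ISAKMP_NEXT = {
    0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
    6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N",
    12: "D", 13: "VID", 20: "NAT-D", 21: "NAT-OA",
}
GENERIC_HDR = struct.Struct("!BBH")  # next payload, RESERVED, payload length

def build_chain(payloads):
    """Serialise [(type, data), ...] into a body of generic payloads and return
    (first_next_payload, body); each header names the payload after it."""
    body = b""
    for i, (_, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(data)) + data
    return payloads[0][0], body

def walk_payloads(first_np, body):
    """Walk the payload chain of a decrypted ISAKMP body, as a daemon must before
    trusting it. Returns [(name, data), ...] or raises ValueError (pluto-style)."""
    if first_np not in ISAKMP_NEXT:
        raise ValueError(f"ISAKMP header next payload has an unknown value: {first_np}")
    chain, np, off = [], first_np, 0
    while np != 0:
        name = ISAKMP_NEXT[np]
        if off + GENERIC_HDR.size > len(body):
            raise ValueError(f"{name} payload header runs past end of packet")
        nxt, _rsv, length = GENERIC_HDR.unpack_from(body, off)
        if length < GENERIC_HDR.size or off + length > len(body):
            raise ValueError(f"{name} payload length {length} does not fit in packet")
        if nxt not in ISAKMP_NEXT:
            raise ValueError(f"next payload type of ISAKMP {name} Payload has an unknown value: {nxt}")
        chain.append((name, body[off + GENERIC_HDR.size:off + length]))
        off, np = off + length, nxt
    return chain

def check(first_np, body):
    """Return the list of payload names, or the error string a daemon would log."""
    try:
        return [name for name, _ in walk_payloads(first_np, body)]
    except ValueError as e:
        return str(e)

# Constructed sample: HASH -> NONCE parses; overwriting the HASH payload's next-payload
# byte with 29 reproduces the log's error (what a body decrypted with the wrong keying
# material or IV typically looks like, since its bytes are effectively random).
FIRST_NP, GOOD_BODY = build_chain([(8, b"\x11" * 20), (10, b"\x22" * 16)])
BAD_BODY = bytes([29]) + GOOD_BODY[1:]
```

The length check matters as much as the type check: a payload whose length field runs past the packet is the other common shape of "malformed payload" and must be rejected before any data is read.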