[Swan] malformed payload error

David Mansfield swan at dm.cobite.com
Fri Mar 6 21:12:11 EET 2015


Hi All,

I'm attempting to set up a tunnel using libreswan-3.8-6.el7_0.x86_64 on 
centos 7.  Other end is some Juniper box, but I don't know anything 
beyond that.

My config is:

conn my_tunnel
	left=a.b.c.d
	leftsubnet=e.f.g.h/32
	right=i.j.k.l
	rightsubnet=i.j.k.m/32
	authby=secret
	aggrmode=no
	auto=start
	ike=aes256-sha1;modp1024
	ikelifetime=4800s
	phase2alg=aes256-sha1;modp1024
	salifetime=4800s
	rekey=yes
	keyingtries=%forever


(I'm "right").  The ike and phase2 settings were provided to me thus:

Phase 1 Proposal:
Diffie-Hellman group: DH2
Re-key time (value in seconds): 4800
NAT Traversal: Disable
Encryption: AES256
Integrity/Hashing Algorithm: SHA-1

Phase 2 Proposal:
Diffie-Hellman group: DH2
Re-key time (value in seconds): 4800
Perfect Forward Secrecy - PFS: Enable
Encryption: AES256
Integrity/Hashing Algorithm: SHA-1


> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: initiating Main Mode
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: ignoring unknown Vendor ID payload [1c9cc56fce382e3a040b692cda85427d7306db4b110000001e060000]
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: received Vendor ID payload [Dead Peer Detection]
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: Not sending INITIAL_CONTACT
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: next payload type of ISAKMP Hash Payload has an unknown value: 29
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: malformed payload in packet
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: | payload malformed after possible IV
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: |   3a 14 09 c4  c7 8c 48 dd  99 2d 14 ab  51 60 bb 87
> Mar  6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: sending notification PAYLOAD_MALFORMED to a.b.c.d:500


Any ideas as to what may be causing this?

I have the debug-all output, but I'm not sure about posting it.  Before 
the "next payload type of ISAKMP Hash Payload has an unknown value: 29" 
I have:

> Mar  6 13:49:37 ipsec-gateway pluto[3647]: | phase 1 is done, looking for phase 2 to unpend

So is it possible my phase 2 algorithms don't match? It's computing a 
"phase 2 iv", then decrypting, then:

> Mar  6 13:49:37 ipsec-gateway pluto[3647]: | got payload 0x100  (ISAKMP_NEXT_HASH) needed: 0x100opt: 0x0

Then it emits the "next payload type of ISAKMP Hash Payload has an 
unknown value".



-- 
Thanks,
David Mansfield
Cobite, INC.
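What the "next payload type of ISAKMP Hash Payload has an unknown value" check is testing, as an added example that is not from the post or from libreswan's pluto: a walker over the IKEv1 generic payload chain (RFC 2408 section 3.1), run on a constructed well-formed MR3 body and on a constructed body whose HASH payload points at payload type 29. The payload-type table, the sample bytes and the function names are my own assumptions, not pluto's code.

```python
import struct

# IKEv1/ISAKMP payload types (RFC 2408 section 3.1) plus NAT-D/NAT-OA from
# RFC 3947. A subset for illustration; pluto's own table is larger.
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
    8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
    20: "NAT-D", 21: "NAT-OA",
}

class MalformedPayload(Exception):
    """Raised where pluto would log 'malformed payload in packet'."""

def walk_payloads(first_np, body):
    """Walk the payload chain after the 28-byte ISAKMP header: each payload
    starts with a 4-byte generic header (next payload, reserved, big-endian
    length including the header); body is the already-decrypted bytes."""
    payloads, np, offset, prev = [], first_np, 0, "ISAKMP header"
    while np != 0:
        name = PAYLOAD_TYPES.get(np)
        if name is None:
            raise MalformedPayload(
                f"next payload type of {prev} has an unknown value: {np}")
        if offset + 4 > len(body):
            raise MalformedPayload(f"truncated {name} payload header")
        next_np, _reserved, length = struct.unpack_from("!BBH", body, offset)
        if length < 4 or offset + length > len(body):
            raise MalformedPayload(f"bad {name} payload length {length}")
        payloads.append((name, body[offset + 4:offset + length]))
        offset, np, prev = offset + length, next_np, name
    return payloads

def build_payload(next_np, data):
    """Prefix data with a generic payload header pointing at next_np."""
    return struct.pack("!BBH", next_np, 0, 4 + len(data)) + data

def demo_well_formed():
    # Constructed MR3 body: ID payload (type 5) chained to HASH (8), then NONE.
    ident = bytes([1, 0, 0, 0]) + bytes([10, 0, 0, 2])  # ID_IPV4_ADDR 10.0.0.2
    body = build_payload(8, ident) + build_payload(0, bytes(20))
    return [name for name, _ in walk_payloads(5, body)]

def demo_garbage():
    # Constructed: the HASH payload's next-payload byte reads 29, as a chain
    # walker sees when the decrypted bytes are not the expected plaintext.
    try:
        walk_payloads(8, build_payload(29, bytes(20)) + bytes(16))
    except MalformedPayload as exc:
        return str(exc)
```

The walker reproduces only the format check; it says nothing about why the bytes it was handed looked that way.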

