[Swan] R: BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED, KEY_LENGTH attribute

Antonio Scattolini antonio.scattolini at atpesercizio.it
Thu Apr 9 16:05:05 EEST 2015


But phase2alg is supported in openswan 2.4.6? I know it is in libreswan
3.12.
I added it at both ends, still no connection...

-----Original Message-----
From: swan-bounces at lists.libreswan.org
[mailto:swan-bounces at lists.libreswan.org] On Behalf Of Wolfgang Nothdurft
Sent: Thursday, 9 April 2015 13:49
To: swan at lists.libreswan.org
Subject: Re: [Swan] BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED,KEY_LENGTH
attribute


On 09.04.2015 at 13:14, Antonio Scattolini wrote:
> Hi, I have at end 1:
> Linux Openswan 2.4.6 (klips) on 2.6.17.11
> and at end 2:
> Libreswan 3.12 (klips) on 3.16.0-4-686-pae
>
> ipsec barf at end 1 gives:
> #15: STATE_QUICK_R2: IPsec SA established {ESP=>0x61b2c275 <0x4f3bc0f0
> xfrm=AES_128-HMAC_SHA1 IPCOMP=x00006747 <0x00009191 NATD=none DPD=none}
> #3: ignoring informational payload, type BAD_PROPOSAL_SYNTAX
> #3: received and ignored informational message
> #7: max number of retransmissions (2) reached STATE_QUICK_I1
> #7: starting keying attempt 2 of an unlimited number
> #17: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace
> #7 {using isakmp#14}
> #14: next payload type of ISAKMP Hash Payload has an unknown value: 97
> #14: malformed payload in packet
> #14: sending notification PAYLOAD_MALFORMED to a.b.c.d:500
> #14: next payload type of ISAKMP Hash Payload has an unknown value: 62
> #14: malformed payload in packet
>
> ipsec barf at end 2 gives:
> #21339: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> #21339: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG
> cipher=oakley_3des_cbc_192 integ=5 group=MODP1536}
> #20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
> #21340: IPsec encryption transform did not specify required KEY_LENGTH
> attribute
> #21340: sending encrypted notification BAD_PROPOSAL_SYNTAX to
> 85.44.60.33:500
> #20842: Informational Exchange message must be encrypted
> #20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
> #21346: IPsec encryption transform did not specify required KEY_LENGTH
> attribute
> #21346: sending encrypted notification BAD_PROPOSAL_SYNTAX to
> 85.44.60.33:500
> #20842: Informational Exchange message must be encrypted
>
> End 1 ipsec.conf:
> config setup
> 	# klipsdebug=none
> 	# plutodebug="control parsing"
> include /etc/ipsec.d/examples/no_oe.conf
> conn end1-end2
>          auto=start
>          compress=yes
>          authby=rsasig
>          left=a.b.c.d
>          leftsubnet=192.168.5.0/24
>          leftid=@fw.end2.intranet
>          right=%defaultroute
>          rightsubnet=192.168.3.0/24
>          rightid=@fw.end1.intranet
>          leftrsasigkey=0sAQPmt...
>          rightrsasigkey=0sAQN0...
>
> End 2 ipsec.conf:
> config setup
> 	# klipsdebug=none
> 	# plutodebug="control parsing"
> 	protostack=klips
> 	interfaces="ipsec0=eth1"
> 	# nat_traversal=yes
> 	oe=off
> conn end1-end2
>          auto=start
>          compress=yes
>          authby=rsasig
>          left=%defaultroute
>          leftsubnet=192.168.5.0/24
>          leftid=@fw.end2.intranet
>          right=e.f.g.h
>          rightsubnet=192.168.3.0/24
>          rightid=@fw.end1.intranet
>          leftrsasigkey=0sAQPmt...
>          rightrsasigkey=0sAQN0...
>
> I don't know how to make them work....

Hi Antonio,

You can fix this by setting phase2alg on the initiator (end1).

@Paul: it seems this was forgotten

https://lists.libreswan.org/pipermail/swan/2014/000899.html

Wolfgang
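
[Added example, not part of the thread and not libreswan or openswan code.] The end 2 log rejects the Quick Mode proposal because the ESP transform carries no KEY_LENGTH attribute. The Python below decodes an ISAKMP Transform payload (RFC 2408 section 3.6) and applies that check; the attribute and transform numbers are from RFC 2407 and RFC 3602, and the function names and sample payloads are constructed for illustration.

```python
import struct

# IPsec DOI numbers (RFC 2407); ESP_AES transform ID from RFC 3602.
ESP_3DES, ESP_AES = 3, 12
ENCAP_MODE, AUTH_ALG, KEY_LENGTH = 4, 5, 6
NEEDS_KEY_LENGTH = {ESP_AES}  # variable-key ciphers; this set is the example's assumption


def build_transform(number, transform_id, attrs):
    """Encode a Transform payload with basic (TV) attributes; used for sample input only."""
    body = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attrs)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), number, transform_id, 0) + body


def parse_transform(payload):
    """Decode one ISAKMP Transform payload into (number, transform_id, attributes)."""
    if len(payload) < 8:
        raise ValueError("shorter than the 8-byte transform header")
    _next, _r1, length, number, transform_id, _r2 = struct.unpack("!BBHBBH", payload[:8])
    if not 8 <= length <= len(payload):
        raise ValueError("payload length field out of range")
    attrs, off = {}, 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        af_type, value = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if af_type & 0x8000:            # AF=1: basic attribute, value is inline
            attrs[af_type & 0x7FFF] = value
        else:                           # AF=0: variable attribute, 'value' is a length
            if off + value > length:
                raise ValueError("truncated variable-length attribute")
            attrs[af_type] = int.from_bytes(payload[off:off + value], "big")
            off += value
    return number, transform_id, attrs


def check_transform(payload):
    """Return None if acceptable, else the notification name seen in the end 2 log."""
    _number, transform_id, attrs = parse_transform(payload)
    if transform_id in NEEDS_KEY_LENGTH and KEY_LENGTH not in attrs:
        return "BAD_PROPOSAL_SYNTAX"
    return None


# Constructed samples: AES, tunnel mode, HMAC-SHA, without and with KEY_LENGTH.
aes_no_keylen = build_transform(0, ESP_AES, [(ENCAP_MODE, 1), (AUTH_ALG, 2)])
aes_128 = build_transform(0, ESP_AES, [(ENCAP_MODE, 1), (AUTH_ALG, 2), (KEY_LENGTH, 128)])

if __name__ == "__main__":
    print(check_transform(aes_no_keylen), check_transform(aes_128))
```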