[Swan] R: BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED, KEY_LENGTH attribute
Antonio Scattolini
antonio.scattolini at atpesercizio.it
Thu Apr 9 16:05:05 EEST 2015
But phase2alg is supported in openswan 2.4.6? I know it is in libreswan
3.12.
I added it at both ends, still no connection...
-----Messaggio originale-----
Da: swan-bounces at lists.libreswan.org
[mailto:swan-bounces at lists.libreswan.org]Per conto di Wolfgang Nothdurft
Inviato: giovedi 9 aprile 2015 13.49
A: swan at lists.libreswan.org
Oggetto: Re: [Swan] BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED,KEY_LENGTH
attribute
Am 09.04.2015 um 13:14 schrieb Antonio Scattolini:
> Hi, I have at end 1:
> Linux Openswan 2.4.6 (klips) on 2.6.17.11
> and at end 2:
> Libreswan 3.12 (klips) on 3.16.0-4-686-pae
>
> ipsec barf at end 1 gives:
> #15: STATE_QUICK_R2: IPsec SA established {ESP=>0x61b2c275 <0x4f3bc0f0
> xfrm=AES_128-HMAC_SHA1 IPCOMP=x00006747 <0x00009191 NATD=none DPD=none}
> #3: ignoring informational payload, type BAD_PROPOSAL_SYNTAX
> #3: received and ignored informational message
> #7: max number of retransmissions (2) reached STATE_QUICK_I1
> #7: starting keying attempt 2 of an unlimited number
> #17: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to
replace
> #7 {using isakmp#14}
> #14: next payload type of ISAKMP Hash Payload has an unknown value: 97
> #14: malformed payload in packet
> #14: sending notification PAYLOAD_MALFORMED to a.b.c.d:500
> #14: next payload type of ISAKMP Hash Payload has an unknown value: 62
> #14: malformed payload in packet
>
> ipsec barf at end 2 gives:
> #21339: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> #21339: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG
> cipher=oakley_3des_cbc_192 integ=5 group=MODP1536}
> #20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
> #21340: IPsec encryption transform did not specify required KEY_LENGTH
> attribute
> #21340: sending encrypted notification BAD_PROPOSAL_SYNTAX to
> 85.44.60.33:500
> #20842: Informational Exchange message must be encrypted
> #20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
> #21346: IPsec encryption transform did not specify required KEY_LENGTH
> attribute
> #21346: sending encrypted notification BAD_PROPOSAL_SYNTAX to
> 85.44.60.33:500
> #20842: Informational Exchange message must be encrypted
>
> End 1 ipsec.conf:
> config setup
> # klipsdebug=none
> # plutodebug="control parsing"
> include /etc/ipsec.d/examples/no_oe.conf
> conn end1-end2
> auto=start
> compress=yes
> authby=rsasig
> left=a.b.c.d
> leftsubnet=192.168.5.0/24
> leftid=@fw.end2.intranet
> right=%defaultroute
> rightsubnet=192.168.3.0/24
> rightid=@fw.end1.intranet
> leftrsasigkey=0sAQPmt...
> rightrsasigkey=0sAQN0...
>
> End 2 ipsec.conf:
> config setup
> # klipsdebug=none
> # plutodebug="control parsing"
> protostack=klips
> interfaces="ipsec0=eth1"
> # nat_traversal=yes
> oe=off
> conn end1-end2
> auto=start
> compress=yes
> authby=rsasig
> left=%defaultroute
> leftsubnet=192.168.5.0/24
> leftid=@fw.end2.intranet
> right=e.f.g.h
> rightsubnet=192.168.3.0/24
> rightid=@fw.end1.intranet
> leftrsasigkey=0sAQPmt...
> rightrsasigkey=0sAQN0...
>
> I don't know how to make them work....
Hi Antonio,
you can fix this setting phase2alg on the initiator (end1).
@Paul: it seems this was forgotten
https://lists.libreswan.org/pipermail/swan/2014/000899.html
Wolfgang
_______________________________________________
Swan mailing list
Swan at lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
More information about the Swan
mailing list