[Swan] R: R: BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED, KEY_LENGTH attribute

Antonio Scattolini antonio.scattolini at atpesercizio.it
Thu Apr 9 17:10:18 EEST 2015


So, end 2 will be:

phase2=esp
phase2alg=aes256-sha1;modp1024

End 1 will be:

esp=aes256-sha1;modp1024

Right? Or am I missing something?

Antonio

-----Original Message-----
From: Wolfgang Nothdurft [mailto:wolfgang at linogate.de]
Sent: Thursday 9 April 2015 15.23
To: Antonio Scattolini
Cc: swan at lists.libreswan.org
Subject: Re: R: [Swan] BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED,KEY_LENGTH
attribute


On 09.04.2015 at 15:05, Antonio Scattolini wrote:
> But phase2alg is supported in openswan 2.4.6? I know it is in libreswan
> 3.12.
> I added it at both ends, still no connection...
>
> -----Original Message-----
> From: swan-bounces at lists.libreswan.org
> [mailto:swan-bounces at lists.libreswan.org] On behalf of Wolfgang Nothdurft
> Sent: Thursday 9 April 2015 13.49
> To: swan at lists.libreswan.org
> Subject: Re: [Swan] BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED,KEY_LENGTH
> attribute
>
>
> On 09.04.2015 at 13:14, Antonio Scattolini wrote:
>> Hi, I have at end 1:
>> Linux Openswan 2.4.6 (klips) on 2.6.17.11
>> and at end 2:
>> Libreswan 3.12 (klips) on 3.16.0-4-686-pae
>>
>> ipsec barf at end 1 gives:
>> #15: STATE_QUICK_R2: IPsec SA established {ESP=>0x61b2c275 <0x4f3bc0f0
>> xfrm=AES_128-HMAC_SHA1 IPCOMP=x00006747 <0x00009191 NATD=none DPD=none}
>> #3: ignoring informational payload, type BAD_PROPOSAL_SYNTAX
>> #3: received and ignored informational message
>> #7: max number of retransmissions (2) reached STATE_QUICK_I1
>> #7: starting keying attempt 2 of an unlimited number
>> #17: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace
>> #7 {using isakmp#14}
>> #14: next payload type of ISAKMP Hash Payload has an unknown value: 97
>> #14: malformed payload in packet
>> #14: sending notification PAYLOAD_MALFORMED to a.b.c.d:500
>> #14: next payload type of ISAKMP Hash Payload has an unknown value: 62
>> #14: malformed payload in packet
>>
>> ipsec barf at end 2 gives:
>> #21339: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> #21339: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG
>> cipher=oakley_3des_cbc_192 integ=5 group=MODP1536}
>> #20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
>> #21340: IPsec encryption transform did not specify required KEY_LENGTH
>> attribute
>> #21340: sending encrypted notification BAD_PROPOSAL_SYNTAX to
>> 85.44.60.33:500
>> #20842: Informational Exchange message must be encrypted
>> #20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
>> #21346: IPsec encryption transform did not specify required KEY_LENGTH
>> attribute
>> #21346: sending encrypted notification BAD_PROPOSAL_SYNTAX to
>> 85.44.60.33:500
>> #20842: Informational Exchange message must be encrypted
>>
>> End 1 ipsec.conf:
>> config setup
>> 	# klipsdebug=none
>> 	# plutodebug="control parsing"
>> include /etc/ipsec.d/examples/no_oe.conf
>> conn end1-end2
>>           auto=start
>>           compress=yes
>>           authby=rsasig
>>           left=a.b.c.d
>>           leftsubnet=192.168.5.0/24
>>           leftid=@fw.end2.intranet
>>           right=%defaultroute
>>           rightsubnet=192.168.3.0/24
>>           rightid=@fw.end1.intranet
>>           leftrsasigkey=0sAQPmt...
>> 	  rightrsasigkey=0sAQN0...
>>
>> End 2 ipsec.conf:
>> config setup
>> 	# klipsdebug=none
>> 	# plutodebug="control parsing"
>> 	protostack=klips
>> 	interfaces="ipsec0=eth1"
>> 	# nat_traversal=yes
>> 	oe=off
>> conn end1-end2
>>           auto=start
>>           compress=yes
>>           authby=rsasig
>>           left=%defaultroute
>>           leftsubnet=192.168.5.0/24
>>           leftid=@fw.end2.intranet
>>           right=e.f.g.h
>>           rightsubnet=192.168.3.0/24
>>           rightid=@fw.end1.intranet
>>           leftrsasigkey=0sAQPmt...
>>           rightrsasigkey=0sAQN0...
>>
>> I don't know how to make them work....
> Hi Antonio,
>
> you can fix this by setting phase2alg on the initiator (end1).
>
> @Paul: it seems this was forgotten
>
> https://lists.libreswan.org/pipermail/swan/2014/000899.html
>
> Wolfgang

oh, I overlooked your version. ;)

phase2alg was also in openswan, but unfortunately not in 2.4.x. Here you
must use esp= to set the proposals.

Wolfgang



More information about the Swan mailing list