[Swan] Re: Re: BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED, KEY_LENGTH attribute

Paul Wouters paul at nohats.ca
Thu Apr 9 17:38:57 EEST 2015


On Thu, 9 Apr 2015, Antonio Scattolini wrote:

> So, end 2 will be:
>
> phase2=esp
> phase2alg=aes256-sha1;modp1024
>
> End 1 will be:
>
> esp=aes256-sha1;modp1024
>
> Right? Or am I missing something?

you might need esp=aes256-sha1-modp1024

The syntax changed at some point. Openswan 2.4.6 is VERY old. It also
suffers from at least three CVE crashers, so it should really not be
used anywhere :/

Paul

> Antonio
>
> -----Original message-----
> From: Wolfgang Nothdurft [mailto:wolfgang at linogate.de]
> Sent: Thursday 9 April 2015 15:23
> To: Antonio Scattolini
> Cc: swan at lists.libreswan.org
> Subject: Re: Re: [Swan] BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED,KEY_LENGTH
> attribute
>
>
> On 09.04.2015 at 15:05, Antonio Scattolini wrote:
>> But is phase2alg supported in openswan 2.4.6? I know it is in libreswan
>> 3.12.
>> I added it at both ends, still no connection...
>>
>> -----Original message-----
>> From: swan-bounces at lists.libreswan.org
>> [mailto:swan-bounces at lists.libreswan.org] On behalf of Wolfgang Nothdurft
>> Sent: Thursday 9 April 2015 13:49
>> To: swan at lists.libreswan.org
>> Subject: Re: [Swan] BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED,KEY_LENGTH
>> attribute
>>
>>
>> On 09.04.2015 at 13:14, Antonio Scattolini wrote:
>>> Hi, I have at end 1:
>>> Linux Openswan 2.4.6 (klips) on 2.6.17.11
>>> and at end 2:
>>> Libreswan 3.12 (klips) on 3.16.0-4-686-pae
>>>
>>> ipsec barf at end 1 gives:
>>> #15: STATE_QUICK_R2: IPsec SA established {ESP=>0x61b2c275 <0x4f3bc0f0
>>> xfrm=AES_128-HMAC_SHA1 IPCOMP=x00006747 <0x00009191 NATD=none DPD=none}
>>> #3: ignoring informational payload, type BAD_PROPOSAL_SYNTAX
>>> #3: received and ignored informational message
>>> #7: max number of retransmissions (2) reached STATE_QUICK_I1
>>> #7: starting keying attempt 2 of an unlimited number
>>> #17: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to
>> replace
>>> #7 {using isakmp#14}
>>> #14: next payload type of ISAKMP Hash Payload has an unknown value: 97
>>> #14: malformed payload in packet
>>> #14: sending notification PAYLOAD_MALFORMED to a.b.c.d:500
>>> #14: next payload type of ISAKMP Hash Payload has an unknown value: 62
>>> #14: malformed payload in packet
>>>
>>> ipsec barf at end 2 gives:
>>> #21339: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>> #21339: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG
>>> cipher=oakley_3des_cbc_192 integ=5 group=MODP1536}
>>> #20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
>>> #21340: IPsec encryption transform did not specify required KEY_LENGTH
>>> attribute
>>> #21340: sending encrypted notification BAD_PROPOSAL_SYNTAX to
>>> 85.44.60.33:500
>>> #20842: Informational Exchange message must be encrypted
>>> #20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
>>> #21346: IPsec encryption transform did not specify required KEY_LENGTH
>>> attribute
>>> #21346: sending encrypted notification BAD_PROPOSAL_SYNTAX to
>>> 85.44.60.33:500
>>> #20842: Informational Exchange message must be encrypted
>>>
>>> End 1 ipsec.conf:
>>> config setup
>>> 	# klipsdebug=none
>>> 	# plutodebug="control parsing"
>>> include /etc/ipsec.d/examples/no_oe.conf
>>> conn end1-end2
>>>           auto=start
>>>           compress=yes
>>>           authby=rsasig
>>>           left=a.b.c.d
>>>           leftsubnet=192.168.5.0/24
>>>           leftid=@fw.end2.intranet
>>>           right=%defaultroute
>>>           rightsubnet=192.168.3.0/24
>>>           rightid=@fw.end1.intranet
>>>           leftrsasigkey=0sAQPmt...
>>>           rightrsasigkey=0sAQN0...
>>>
>>> End 2 ipsec.conf:
>>> config setup
>>> 	# klipsdebug=none
>>> 	# plutodebug="control parsing"
>>> 	protostack=klips
>>> 	interfaces="ipsec0=eth1"
>>> 	# nat_traversal=yes
>>> 	oe=off
>>> conn end1-end2
>>>           auto=start
>>>           compress=yes
>>>           authby=rsasig
>>>           left=%defaultroute
>>>           leftsubnet=192.168.5.0/24
>>>           leftid=@fw.end2.intranet
>>>           right=e.f.g.h
>>>           rightsubnet=192.168.3.0/24
>>>           rightid=@fw.end1.intranet
>>>           leftrsasigkey=0sAQPmt...
>>>           rightrsasigkey=0sAQN0...
>>>
>>> I don't know how to make them work....
>> Hi Antonio,
>>
>> you can fix this by setting phase2alg on the initiator (end1).
>>
>> @Paul: it seems this was forgotten
>>
>> https://lists.libreswan.org/pipermail/swan/2014/000899.html
>>
>> Wolfgang
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
>
> oh, I overlooked your version. ;)
>
> phase2alg was also in openswan, but unfortunately not in 2.4.x. Here you
> must use esp= to set the proposals.
>
> Wolfgang
>
>


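Both replies above come down to the same thing: spell the ESP proposal out explicitly so the AES transform goes on the wire with a key length, using whichever esp= spelling the peer's pluto accepts. The following is an added example written for this thread, not code from openswan or libreswan. It models the two spellings seen here ("aes256-sha1;modp1024" and "aes256-sha1-modp1024"), normalizes them to one form, and rejects an unsized cipher such as "aes-sha1" in the spirit of the responder's "did not specify required KEY_LENGTH attribute" error. The algorithm tables, the regex grammar and the single-proposal restriction are simplifying assumptions of this model, not the behaviour of the real pluto parser.

```python
"""Normalize and sanity-check openswan/libreswan-style esp= proposal strings.

Added example for this thread, not code from the openswan or libreswan
projects. The grammar below is a simplified model (an assumption) of the two
spellings seen in the replies: "enc-integ;dh" (older pluto) and
"enc-integ-dh" (newer pluto). Real pluto parsing accepts more algorithm names
and comma-separated proposal lists; this model deliberately does not.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Ciphers whose transform needs an explicit KEY_LENGTH attribute because the
# algorithm identifier alone does not fix the key size. (Model assumption:
# treating an unsized "aes" as an error mirrors the responder log in the
# thread, which rejected a transform lacking KEY_LENGTH.)
VARIABLE_KEY_CIPHERS = {"aes": {128, 192, 256}, "camellia": {128, 192, 256}}
# Ciphers with a fixed key size; no KEY_LENGTH attribute is needed on the wire.
FIXED_KEY_CIPHERS = {"3des": 192, "null": 0}
INTEG_ALGS = {"md5", "sha1", "sha2_256", "sha2_384", "sha2_512"}
DH_GROUPS = {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096", "modp8192"}

# "aes256" -> alg "aes", bits "256"; "3des" -> alg "3des", bits None.
_CIPHER_RE = re.compile(r"^(?P<alg>[a-z0-9]+?)(?P<bits>128|192|256)?$")


class ProposalError(ValueError):
    """Raised for a proposal this model cannot accept."""


@dataclass(frozen=True)
class Proposal:
    cipher: str
    key_bits: int
    integ: str
    dh: str | None  # None: no PFS group spelled out in the proposal


def parse_proposal(text: str) -> Proposal:
    """Parse one proposal in either "enc-integ;dh" or "enc-integ-dh" form."""
    # Both separators mean the same thing here, so split on either.
    tokens = [t for t in re.split(r"[-;]", text.strip().lower()) if t]
    if len(tokens) not in (2, 3):
        raise ProposalError(f"expected enc-integ[-dh] or enc-integ[;dh], got {text!r}")

    m = _CIPHER_RE.match(tokens[0])
    if m is None:
        raise ProposalError(f"unparseable cipher token {tokens[0]!r}")
    alg, bits = m.group("alg"), m.group("bits")

    if alg in FIXED_KEY_CIPHERS:
        if bits is not None:
            raise ProposalError(f"{alg} has a fixed key size; drop the {bits}")
        key_bits = FIXED_KEY_CIPHERS[alg]
    elif alg in VARIABLE_KEY_CIPHERS:
        if bits is None:
            # The situation from the thread: the encryption transform would be
            # sent without a KEY_LENGTH attribute.
            raise ProposalError(
                f"{alg} needs an explicit key length (e.g. {alg}256) so the "
                "transform carries a KEY_LENGTH attribute")
        key_bits = int(bits)
        if key_bits not in VARIABLE_KEY_CIPHERS[alg]:
            raise ProposalError(f"unsupported key size {key_bits} for {alg}")
    else:
        raise ProposalError(f"unknown cipher {alg!r}")

    integ = tokens[1]
    if integ not in INTEG_ALGS:
        raise ProposalError(f"unknown integrity algorithm {integ!r}")

    dh = tokens[2] if len(tokens) == 3 else None
    if dh is not None and dh not in DH_GROUPS:
        raise ProposalError(f"unknown DH group {dh!r}")

    return Proposal(alg, key_bits, integ, dh)


def canonical(text: str) -> str:
    """Render a proposal in the newer single-dash spelling."""
    p = parse_proposal(text)
    enc = p.cipher if p.cipher in FIXED_KEY_CIPHERS else f"{p.cipher}{p.key_bits}"
    return "-".join([enc, p.integ] + ([p.dh] if p.dh else []))


def equivalent(a: str, b: str) -> bool:
    """True when two spellings describe the same ESP proposal."""
    return parse_proposal(a) == parse_proposal(b)


def rejects(text: str) -> bool:
    """True when the model refuses the proposal string."""
    try:
        parse_proposal(text)
    except ProposalError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the two spellings from the thread, plus the unsized
    # form that would trip the responder's KEY_LENGTH check.
    print(canonical("aes256-sha1;modp1024"))  # aes256-sha1-modp1024
    print(equivalent("aes256-sha1;modp1024", "aes256-sha1-modp1024"))  # True
    print(rejects("aes-sha1"))  # True
```

Running the module normalizes the older ";modp1024" form to the single-dash form, confirms the two spellings from the replies describe the same proposal, and refuses "aes-sha1" with a message pointing at the missing key length. 3DES is accepted without a size because its key length is fixed, which is why the thread's ISAKMP SA (oakley_3des_cbc_192) came up while the AES-based IPsec SA did not.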