[Swan] R: R: R: R: R: BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED, KEY_LENGTH attribute

Antonio Scattolini antonio.scattolini at atpesercizio.it
Fri Apr 10 23:29:30 EEST 2015


I have looked, but there are no messages from the firewall.
The strangest thing is the following:
end 1 (openswan klips 2.6.4, debian, kernel 2.6.17.11) talks ok to end 3
(openswan klips U2.4.12/K2.4.9, debian, kernel 2.6.18.5)
end 1 (openswan klips 2.6.4, debian, kernel 2.6.17.11) doesn't talk to end 2
(libreswan klips 3.12, debian, kernel 3.16.0-4-686-pae)
end 2 (libreswan klips 3.12, debian, kernel 3.16.0-4-686-pae) talks ok to
end 3 (openswan klips U2.4.12/K2.4.9, debian, kernel 2.6.18.5)
The firewalls (shorewall) have no particular restrictions.
I also tried nat_traversal=yes on end 2, obtaining results identical to the
above.

I am seriously thinking of upgrading every server to libreswan klips 3.12,
debian, kernel 3.16.0-4-686-pae...

-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca]
Sent: Friday, 10 April 2015 17.01
To: Antonio Scattolini
Cc: Wolfgang Nothdurft; <swan at lists.libreswan.org>
Subject: Re: R: R: [Swan] R: R: BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED,
KEY_LENGTH attribute


That's good! Probably now look into NAT and firewall and forwarding rules.

Sent from my iPhone

> On Apr 10, 2015, at 05:52, Antonio Scattolini <antonio.scattolini at atpesercizio.it> wrote:
>
> Now I have on end 1:
> #30: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> #30: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
> cipher=aes_256 prf=oakley_sha group=modp2048}
> On end 2:
> #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP=>0x50d40191 <0x8f441b9e xfrm=AES_128-HMAC_SHA1 IPCOMP=>0x00005999
> <0x00008760 NATOA=none NATD=none DPD=passive}
>
> But still no luck...
> Antonio
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at nohats.ca]
> Sent: Thursday, 9 April 2015 22.13
> To: Antonio Scattolini
> Cc: 'Wolfgang Nothdurft'; swan at lists.libreswan.org
> Subject: Re: R: [Swan] R: R: BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED,
> KEY_LENGTH attribute
>
>
>> On Thu, 9 Apr 2015, Antonio Scattolini wrote:
>>
>> Instead, if I put:
>> esp=aes256-sha1;modp1024
>> both peers have ISAKMP SA established and IPSec SA established and also both
>> stuck in STATE_QUICK_I2; no ping from host in lan of end 1 to host in lan of
>> end 2 and vice versa...
>
> you cannot be both established and in STATE_QUICK_I2?
>
> You can try aes128 instead?
>
> Paul


