<div dir="ltr">Hi Paul -<br><div>I am running the same libreswan/OS as the original poster and this morning had 3 libreswan instances (each to different Mcafee devices) become unresponsive.</div><div>There is no prior mention of malformed packets in any of my ipsec.log files (goes back a few weeks) and hey have been reliable otherwise.</div><div><br></div><div>Is there a changelog entry between 3.8.6 and 3.12 that addresses a malformed packet situation I can reference for moving to 7.1 just after it was released?</div><div><br></div><div>Thanks</div><div><br></div><div><div>#vpn server 1</div><div>transition from state STATE_QUICK_R0 to state STATE_QUICK_R1</div><div>STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2</div><div>next payload type of ISAKMP Hash Payload has an unknown value: 156</div><div>malformed payload in packet</div><div><br></div><div># vpn server 2</div><div>STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2</div><div>next payload type of ISAKMP Hash Payload has an unknown value: 133</div><div>malformed payload in packet</div><div><br></div><div># vpn server 3</div><div>transition from state STATE_QUICK_R0 to state STATE_QUICK_R1</div><div>STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2</div><div>next payload type of ISAKMP Hash Payload has an unknown value: 102</div><div>malformed payload in packet</div></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 6, 2015 at 6:46 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Fri, 6 Mar 2015, David Mansfield wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm attempting to set up a tunnel using libreswan-3.8-6.el7_0.x86_64 on centos 7.<br>
</blockquote>
<br></span>
Can you try the 3.12 build? It came out yesterday for RHEL-7.1, not sure<br>
if Centos has picked it up yet. But it should be an easy rpm recompile<br>
with the newer version (and older patches removed)<br>
<br>
It is also possibly you have a wrong PSK.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
MarĀ 6 13:49:37 ipsec-gateway pluto[3647]: | phase 1 is done, looking for phase 2 to unpend<br>
</blockquote>
<br>
So is it possible my phase 2 algorithms don't match? It's computing a "phase 2 iv" and then decrypting then:<br>
</blockquote>
<br></span>
No your phase1 did not come up....<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul</font></span><div class="HOEnZb"><div class="h5"><br>
______________________________<u></u>_________________<br>
Swan mailing list<br>
<a href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a><br>
<a href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">https://lists.libreswan.org/<u></u>mailman/listinfo/swan</a><br>
</div></div></blockquote></div><br></div>