
List:       openswan-users
Subject:    Re: [Openswan Users] sending notification PAYLOAD_MALFORMED
From:       Nick Howitt <n1ck.h0w1tt () gmail ! com>
Date:       2013-09-24 7:39:57
Message-ID: c47311a12b0c7d68588aa8da53579352 () howitts ! poweredbyclear ! com

For your "roadwarrior", if you only have one tunnel at the other end, use
right=%any and %any in ipsec.secrets. Then right is identified only by
the secret and the rightsubnet. Do not use rightid to identify the
device unless you use aggressive mode, as rightid is not transmitted in
phase1/main mode.
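Nick's rule above as a small lint, an added example that is not from this thread or from the Openswan project: it treats a conn with authby=secret and right=%any as a roadwarrior conn, assumes main mode unless aggrmode=yes is set, and uses the secrets syntax shown in the thread (`@id: PSK "..."`, `%any: PSK "..."`). The underlying reason is that in IKEv1 main mode the responder derives the keying material from the PSK before the peer's ID payload is decrypted, so the secret has to be selectable without the ID.

```python
import re

# Constructed sample ipsec.conf: rw-bad relies on rightid in main mode, rw-good does not.
SAMPLE_CONF = """\
conn rw-bad
    authby=secret
    right=%any
    rightid=@wow
    rightsubnet=192.168.1.0/24

conn rw-good
    authby=secret
    right=%any
"""
# Constructed sample ipsec.secrets: one @id-indexed PSK and one %any-indexed PSK.
SAMPLE_SECRETS = """\
@wow: PSK "asecret"
%any: PSK "anothersecret"
"""

def parse_conf(text):
    """Return {conn_name: {key: value}} for the 'conn' sections of an ipsec.conf."""
    conns, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and (m := re.match(r"\s+(\w+)=(.*)", line)):
            cur[m.group(1)] = m.group(2).strip()
    return conns

def psk_indexes(text):
    """Return the index tokens (IDs or addresses) that select each PSK line."""
    return [ln.split(":", 1)[0].split() for ln in text.splitlines()
            if "PSK" in ln and not ln.lstrip().startswith("#")]

def lint(conf_text, secrets_text):
    """Flag roadwarrior conns whose PSK selection depends on rightid in main mode."""
    findings = []
    has_any = any("%any" in idx for idx in psk_indexes(secrets_text))
    for name, c in parse_conf(conf_text).items():
        if c.get("authby") != "secret" or c.get("right") != "%any":
            continue
        if c.get("aggrmode", "no") == "yes":
            continue  # aggressive mode carries the ID in the clear, so @id selection works
        if "rightid" in c:
            findings.append(f"{name}: rightid={c['rightid']} is not usable for PSK selection in main mode; drop it")
        if not has_any:
            findings.append(f"{name}: no %any PSK entry in ipsec.secrets")
    return findings
```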

On 2013-09-24 01:35, Paul Young wrote: 

> The host does not but the router it connects to the internet with does.
> 
> It is a little bit of a stretch as the router connects to the internet by a 4G dongle. Which itself is doing things to make life difficult. For example it is not strictly addressable from the internet.
> So that is why I am trying to set up a host -> VPN server type of setup. Road runner basically.
> I am not referencing IPs in the secret file itself.
> 
> I set an id and use that to relate the conf file to the secret file - @<blah> format.
> So for example in the conf file I have an entry like:
> 
> leftid=@wow
> 
> and in the secrets file associated with the conf file I have this format:
> 
> @wow: PSK "asecret"
> 
> and as far as I know that is part of the tie in
> 
> Paul
> 
> On 24 September 2013 10:24, Leto <letoams@gmail.com> wrote:
> 
> shouldn't be needed. Does your host get a new IP on reboot and you use the old ip in either ipsec.conf or ipsec.secrets?
> sent from a tiny device 
> 
> On 2013-09-23, at 20:08, Paul Young <paul@arkig.com> wrote:
> 
> The next thing I did was change the PSK to something really simple - did not change the symptoms.
> So now I have rebuilt the entire server on one side and am starting from scratch. Which is bulls__t
> But I don't have much time to get this to work
> 
> On 24 September 2013 07:10, Paul Young <paul@arkig.com> wrote:
> 
> Hi Leto, 
> 
> Thanks for the reply. It looks ok and I basically generated the PSK with: 
> 
> ipsec ranbits --continuous 128 
> 
> Cheers, 
> Paul 
> 
> On 24 September 2013 02:52, Leto <letoams@gmail.com> wrote:
> 
> try avoiding some strange characters in the psk. ensure you're not mixing up ASCII vs hex?
> sent from a tiny device 
> 
> On 2013-09-23, at 10:09, Paul Young <paul@arkig.com> wrote:
> 
> Hi Guys, 
> 
> What other reasons other than mismatched PSKs could cause this issue? 
> 
> Thanks 
> 
> On 23 September 2013 18:46, Paul Young <paul@arkig.com> wrote:
> 
> I also just tried replacing the PSK on both sides and got the same issue continued 
> 
> On 23 September 2013 18:39, Paul Young <paul@arkig.com> wrote:
> 
> Hi all, 
> 
> After rebooting one side of my Openswan setup without changing config and so on I am getting this error and cannot create a tunnel anymore.
> The reason I rebooted the host is I applied a bunch of firmware updates to the hardware.
> 
> Sep 23 18:33:23 lobster pluto[38968]: "conn"[11] <outside IP address> #55: next payload type of ISAKMP Identification Payload has an unknown value: 23
> Sep 23 18:33:23 lobster pluto[38968]: "conn"[11] <outside IP address> #55: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> Sep 23 18:33:23 lobster pluto[38968]: | payload malformed after IV
> Sep 23 18:33:23 lobster pluto[38968]: |   74 40 8b d3  5a 30 3e 52  dc 54 26 a5  d9 88 bc e9
> Sep 23 18:33:23 lobster pluto[38968]: |   e4 ea 8e 4b
> Sep 23 18:33:23 lobster pluto[38968]: "conn"[11] <outside IP address> #55: sending notification PAYLOAD_MALFORMED to <outside IP address>:500
> 
> I have triple checked the PSK and it appears to be fine. What am I missing?
> 
> Thanks, 
> Paul

> _______________________________________________
> Users@lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users [1]
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy [2]
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155 [3]


 

Links:
------
[1] https://lists.openswan.org/mailman/listinfo/users
[2] https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
[3] http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

