
List:       openswan-users
Subject:    Re: [Openswan Users] sending notification PAYLOAD_MALFORMED
From:       Paul Young <paul () arkig ! com>
Date:       2013-09-24 7:45:35
Message-ID: CAAEtRDVgKUyhPqWSN+0VWZf7G789UMmizCQPutOuZOZ2LieC3w () mail ! gmail ! com

Yep that is pretty much the case Nick - agreed

Thanks all


On 24 September 2013 17:39, Nick Howitt <n1ck.h0w1tt@gmail.com> wrote:

> 
> For your "roadwarrior", if you only have one tunnel at the other end, use
> right=%any and %any in ipsec.secrets. Then right is identified only by the
> secret and the rightsubnet. Do not use rightid to identify the device
> unless you use aggressive mode, as rightid is not transmitted in phase1/main
> mode.
> 
> On 2013-09-24 01:35, Paul Young wrote:
> 
> The host does not but the router it connects to the internet with does.
> 
> It is a little bit of a stretch as the router connects to the internet by
> a 4G dongle, which itself is doing things to make life difficult. For
> example, it is not strictly addressable from the internet.
> 
> So that is why I am trying to set up a host -> VPN server type of setup.
> Road runner basically.
> 
> I am not referencing IPs in the secret file itself.
> 
> I set an id and use that to relate the conf file to the secret file -
> @<blah> format.
> 
> So for example in the conf file I have an entry like:
> 
> leftid=@wow
> 
> and in the secrets file associated with the conf file I have this format:
> 
> @wow: PSK "asecret"
> 
> and as far as I know that is part of the tie-in
> 
> Paul
> 
> 
> On 24 September 2013 10:24, Leto <letoams@gmail.com> wrote:
> 
> > shouldn't be needed. Does your host get a new IP on reboot and you use
> > the old IP in either ipsec.conf or ipsec.secrets?
> > 
> > 
> > sent from a tiny device
> > 
> > On 2013-09-23, at 20:08, Paul Young <paul@arkig.com> wrote:
> > 
> > The next thing I did was change the PSK to something really simple -
> > it did not change the symptoms.
> > 
> > So now I have rebuilt the entire server on one side and am starting from
> > scratch. Which is bulls__t
> > 
> > But I don't have much time to get this to work
> > 
> > 
> > On 24 September 2013 07:10, Paul Young <paul@arkig.com> wrote:
> > 
> > > Hi Leto,
> > > 
> > > Thanks for the reply. It looks ok and I basically generated the PSK with:
> > > 
> > > ipsec ranbits --continuous 128
> > > 
> > > Cheers,
> > > Paul
> > > 
> > > 
> > > On 24 September 2013 02:52, Leto <letoams@gmail.com> wrote:
> > > 
> > > > try avoiding some strange characters in the psk. ensure you're not
> > > > mixing up ASCII vs hex?
> > > > 
> > > > sent from a tiny device
> > > > 
> > > > On 2013-09-23, at 10:09, Paul Young <paul@arkig.com> wrote:
> > > > 
> > > > Hi Guys,
> > > > 
> > > > What reasons other than mismatched PSKs could cause this issue?
> > > > 
> > > > Thanks
> > > > 
> > > > 
> > > > On 23 September 2013 18:46, Paul Young <paul@arkig.com> wrote:
> > > > 
> > > > > I also just tried replacing the PSK on both sides and the same
> > > > > issue continued
> > > > > 
> > > > > 
> > > > > On 23 September 2013 18:39, Paul Young <paul@arkig.com> wrote:
> > > > > 
> > > > > > Hi all,
> > > > > > 
> > > > > > After rebooting one side of my Openswan setup without changing config
> > > > > > and so on I am getting this error and cannot create a tunnel anymore.
> > > > > > 
> > > > > > The reason I rebooted the host is I applied a bunch of firmware
> > > > > > updates to the hardware.
> > > > > > 
> > > > > > Sep 23 18:33:23 lobster pluto[38968]: "conn"[11] <outside IP address> #55: next payload type of ISAKMP Identification Payload has an unknown value: 23
> > > > > > Sep 23 18:33:23 lobster pluto[38968]: "conn"[11] <outside IP address> #55: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> > > > > > Sep 23 18:33:23 lobster pluto[38968]: | payload malformed after IV
> > > > > > Sep 23 18:33:23 lobster pluto[38968]: |   74 40 8b d3  5a 30 3e 52  dc 54 26 a5  d9 88 bc e9
> > > > > > Sep 23 18:33:23 lobster pluto[38968]: |   e4 ea 8e 4b
> > > > > > Sep 23 18:33:23 lobster pluto[38968]: "conn"[11] <outside IP address> #55: sending notification PAYLOAD_MALFORMED to <outside IP address>:500
> > > > > > 
> > > > > > I have triple checked the PSK and it appears to be fine. What am I
> > > > > > missing?
> > > > > > 
> > > > > > Thanks,
> > > > > > Paul
> > > > > > 
> > > > > _______________________________________________
> > > > Users@lists.openswan.org
> > > > https://lists.openswan.org/mailman/listinfo/users
> > > > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > > > Building and Integrating Virtual Private Networks with Openswan:
> > > > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> > > > 

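The layout Nick describes, written out as an added example (it is not configuration posted by anyone in this thread). In IKEv1 main mode the Identification payload is already encrypted with keys derived from the PSK, so the responder must pick the secret by peer address before it can see any rightid; that is why the PSK is keyed on %any here and why a wrong PSK shows up in pluto's log as a malformed ID payload rather than a clean authentication error. The addresses, subnets, the @wow id and the secret value are constructed placeholders.

```conf
# --- /etc/ipsec.conf on the fixed-address server (constructed example) ---
conn roadwarrior
    left=203.0.113.10            # server's own public address (placeholder)
    leftid=@wow                  # the id the client will check after decryption
    leftsubnet=10.0.0.0/24
    right=%any                   # client sits behind a 4G NAT: address unknown
    rightsubnet=192.168.1.0/24   # with right=%any this is what selects the peer
    # deliberately no rightid: in main mode it cannot be used to choose the
    # PSK, and a stale value here is one more way to get PAYLOAD_MALFORMED
    authby=secret
    auto=add                     # server waits for the client to initiate

# --- /etc/ipsec.secrets on the server ---
# local id first, then peer selector; %any matches whatever address the
# client arrives from, so a new 4G address after a reboot still matches
@wow %any : PSK "constructed-example-secret-replace-me"

# --- /etc/ipsec.conf on the roadwarrior client (mirror image) ---
conn roadwarrior
    left=%defaultroute           # whatever address the dongle hands out
    leftsubnet=192.168.1.0/24
    right=203.0.113.10           # server is the only side with a stable address
    rightid=@wow                 # server's id, verified once the ID payload is decrypted
    rightsubnet=10.0.0.0/24
    authby=secret
    auto=start

# --- /etc/ipsec.secrets on the client ---
# local selector %any (address changes), peer selector is the server's id
%any @wow : PSK "constructed-example-secret-replace-me"
```

The secret string must be byte-for-byte identical on both sides; copying a hex `ipsec ranbits` value into one file and a quoted ASCII string into the other is the ASCII-vs-hex mix-up Leto asks about.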
