Sean Malloy wrote:
It looks like you are trying to use different encryption algorithms and
hash functions for the phase 2 SA. They need to match at both end points.
It looks like the Linux box is configured to do 3DES and SHA1. The
OpenBSD box is configured to do AES and SHA256.


Hi,

Even with this setup it doesn't establish the tunnel properly.

BSD:

ike esp from 10.50.0.0/24 to 192.168.9.0/24 peer LINUX_PUBLIC \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk "passphrase"

Linux:

conn lnx-bsd
    left=LINUX_PUBLIC
    leftsubnet=192.168.9.0/24
    right=BSD_PUBLIC
    rightsubnet=10.50.0.0/24
    authby=secret
    ike=aes-sha1-modp1024
    auto=start
    esp=aes-sha1
    keyexchange=ike

Here are the logs:

Linux side:

"lnx-bsd" #2: I did not send a certificate because I do not have one.
"lnx-bsd" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"lnx-bsd" #2: STATE_MAIN_I3: sent MI3, expecting MR3
"lnx-bsd" #7: responding to Main Mode
"lnx-bsd" #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"lnx-bsd" #7: STATE_MAIN_R1: sent MR1, expecting MI2
"lnx-bsd" #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"lnx-bsd" #7: STATE_MAIN_R2: sent MR2, expecting MI3
"lnx-bsd" #7: ignoring informational payload, type IPSEC_INITIAL_CONTACT
"lnx-bsd" #7: Main mode peer ID is ID_IPV4_ADDR: 'BSD_PUBLIC'
"lnx-bsd" #7: I did not send a certificate because I do not have one.
"lnx-bsd" #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"lnx-bsd" #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
"lnx-bsd" #8: responding to Quick Mode {msgid:de9df09c}
"lnx-bsd" #8: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"lnx-bsd" #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
"lnx-bsd" #8: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"lnx-bsd" #8: STATE_QUICK_R2: IPsec SA established {ESP=>0xa2b93f3b <0x38351b1b xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}


BSD side:

Aug 27 10:17:52 fw-001 isakmpd[11393]: message_parse_payloads: invalid next payload type <Unknown 96> in payload of type 5
Aug 27 10:17:52 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug 27 10:18:03 fw-001 isakmpd[11393]: message_parse_payloads: invalid next payload type <Unknown 96> in payload of type 5
Aug 27 10:18:03 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug 27 10:18:22 fw-001 isakmpd[11393]: message_parse_payloads: invalid next payload type <Unknown 96> in payload of type 5
Aug 27 10:18:22 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug 27 10:20:14 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: d
Aug 27 10:20:14 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:20:24 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: d
Aug 27 10:20:24 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:20:44 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: d
Aug 27 10:20:44 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:22:34 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: 6d
Aug 27 10:22:34 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:22:45 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: 6d
Aug 27 10:22:45 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:23:04 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: 6d
Aug 27 10:23:04 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:24:56 fw-001 isakmpd[11393]: message_parse_payloads: invalid next payload type <Unknown 45> in payload of type 5
Aug 27 10:24:56 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug 27 10:25:05 fw-001 isakmpd[11393]: message_parse_payloads: invalid next payload type <Unknown 45> in payload of type 5
Aug 27 10:25:05 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug 27 10:25:26 fw-001 isakmpd[11393]: message_parse_payloads: invalid next payload type <Unknown 45> in payload of type 5
Aug 27 10:25:26 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug 27 10:27:16 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: b0
Aug 27 10:27:16 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:27:27 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: b0
Aug 27 10:27:27 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:27:47 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: b0
Aug 27 10:27:47 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:29:38 fw-001 isakmpd[11393]: message_parse_payloads: invalid next payload type <Unknown 42> in payload of type 5
Aug 27 10:29:38 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug 27 10:29:48 fw-001 isakmpd[11393]: message_parse_payloads: invalid next payload type <Unknown 42> in payload of type 5
Aug 27 10:29:48 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug 27 10:30:07 fw-001 isakmpd[11393]: message_parse_payloads: invalid next payload type <Unknown 42> in payload of type 5
Aug 27 10:30:07 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug 27 10:31:59 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: 8
Aug 27 10:31:59 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:32:08 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: 8
Aug 27 10:32:08 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:32:29 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: 8
Aug 27 10:32:29 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:34:19 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: 17
Aug 27 10:34:19 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:34:30 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: 17
Aug 27 10:34:30 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:34:49 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: 17
Aug 27 10:34:49 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:36:41 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: 64
Aug 27 10:36:41 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:36:50 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: 64
Aug 27 10:36:50 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED
Aug 27 10:37:11 fw-001 isakmpd[11393]: message_parse_payloads: reserved field non-zero: 64
Aug 27 10:37:11 fw-001 isakmpd[11393]: dropped message from PUBLIC_LINUX port 500 due to notification type PAYLOAD_MALFORMED

Thanks

Laurent
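As an added illustration (not part of the thread and not isakmpd's own code) of what the isakmpd log entries above are checking: a small Python parser walks an ISAKMP payload chain with the same two tests, a known next-payload type and a zero reserved byte, first over a constructed Main Mode message 5 and then over copies whose first payload header has been overwritten with junk. The junk copies reproduce the two notifications seen in the log, which is the signature of decrypted bytes that are not what the peer actually encrypted, for instance under a mismatched key or cipher. Payload numbers come from RFC 2408 and RFC 3947; the cookies, address and hash bytes are made up.

```python
import struct

# ISAKMP payload type numbers from RFC 2408, plus NAT-D/NAT-OA from RFC 3947.
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D",
                 13: "VID", 20: "NAT-D", 21: "NAT-OA"}
HDR_LEN = 28  # cookies(16) next(1) version(1) exchange(1) flags(1) msgid(4) length(4)


def build_message(payloads, exchange_type=2, msg_id=0):
    """Assemble a plaintext ISAKMP message from (type, body) pairs (constructed data)."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data  # generic payload header
    first = payloads[0][0] if payloads else 0
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x10,
                       exchange_type, 0, msg_id, HDR_LEN + len(body)) + body


def parse_payloads(msg):
    """Walk the payload chain with the two checks isakmpd logs above (known next
    type, zero reserved byte). Returns (names seen, None) or (names seen, reason)."""
    if len(msg) < HDR_LEN:
        return [], "PAYLOAD_MALFORMED: short header"
    cur, off, seen = msg[16], HDR_LEN, []
    while cur != 0:
        if cur not in PAYLOAD_NAMES or off + 4 > len(msg):
            return seen, "PAYLOAD_MALFORMED: unknown type or truncated header"
        nxt, reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if reserved != 0:
            return seen, f"PAYLOAD_MALFORMED: reserved field non-zero: {reserved:x}"
        if nxt not in PAYLOAD_NAMES:
            return seen, f"INVALID_PAYLOAD_TYPE: <Unknown {nxt}> in payload of type {cur}"
        if plen < 4 or off + plen > len(msg):
            return seen, "PAYLOAD_MALFORMED: bad payload length"
        seen.append(PAYLOAD_NAMES[cur])
        cur, off = nxt, off + plen
    return seen, None


def junk_first_header(msg, next_byte, reserved_byte):
    """Overwrite the first payload's next/reserved bytes, standing in for what a
    wrongly keyed decryption leaves in their place (constructed, not a capture)."""
    return msg[:HDR_LEN] + bytes([next_byte, reserved_byte]) + msg[HDR_LEN + 2:]


# Constructed Main Mode message 5 (Identity Protection exchange, type 2): ID then HASH.
MAIN_MODE_MSG5 = build_message([
    (5, struct.pack("!BBH4s", 1, 17, 500, bytes([203, 0, 113, 1]))),  # ID_IPV4_ADDR, udp/500
    (8, b"\x00" * 20),                                                  # HASH_I, SHA1-sized
])
```

`parse_payloads(MAIN_MODE_MSG5)` accepts the clean message, while the junked copies return the same INVALID_PAYLOAD_TYPE and "reserved field non-zero" reasons that appear in the BSD log.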
