Holger Bauer wrote:


Hello Holger,

I've been banging my head on the wall trying to get remote IPSEC to work
with mobile clients and have had very little luck so far. From what I
can tell, I've configured things properly on both ends but I receive a
strange error message in the IPSEC logs when I try to connect. It states
"racoon: ERROR: reject the packet, received unexpecting payload type 0."


I can see how this could get frustrating very quickly ;)

I have searched the racoon/ipsec-tools mailing list as well as the
mailing list for the IPSEC client (Shrewsoft) but have had no luck. All
keys are the same on both client and server as well as negotiation
modes, encryption/hash algorithms, protocols, and key groups. I am
running a fairly uncomplicated pfSense setup. PPPoE ADSL connection on
WAN and a LAN with all clients. The error log is as follows:


There is a problem ...

May 8 01:34:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29 racoon: INFO: 192.168.2.1[500] used as isakmp port (fd=21)
May 8 01:34:29 racoon: INFO: fe80::210:4bff:fe2d:a338%xl1[500] used as isakmp port (fd=20)
May 8 01:34:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
May 8 01:34:29 racoon: INFO: ::1[500] used as isakmp port (fd=18)
May 8 01:34:29 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=17)

... here ...

May 8 01:34:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29 racoon: INFO: <pfSense IP>[500] used as isakmp port (fd=16)
May 8 01:34:29 racoon: INFO: fe80::210:4bff:fe2e:38c2%ng0[500] used as isakmp port (fd=15)
May 8 01:34:29 racoon: INFO: fe80::210:4bff:fe2e:38c2%ng1[500] used as isakmp port (fd=14)
May 8 01:34:29 racoon: WARNING:

... and here ...

setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29 racoon: INFO: 192.168.2.15[500] used as isakmp port (fd=13)
May 8 01:34:29 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
May 8 01:34:29 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
---END---


... with setting the socket option for UDP Encapsulation.

IKE NATT packets use a 4 byte null value ( NON-ESP marker ) to differentiate them from ESP NATT packets. It's possible that since the socket option is failing, the marker is not being stripped and may be the cause of your "unexpected payload type 0" error message. I would have to take a close look at the racoon socket code to be sure. In any case, for NATT to work correctly the error needs to be corrected. I am running racoon with NATT and Yvan's patches and I certainly don't see anything like this when starting racoon.

2007-05-07 17:16:54: INFO: 10.1.1.10[4500] used as isakmp port (fd=5)
2007-05-07 17:16:54: INFO: 10.1.1.10[4500] used for NAT-T
2007-05-07 17:16:54: INFO: 10.1.1.10[500] used as isakmp port (fd=6)
2007-05-07 17:16:54: INFO: 10.1.1.10[500] used for NAT-T

The only reason I can think of, off the top of my head, that would cause the setsockopt UDP_ENCAP_ESPINUDP_NON_IKE error message is if Yvan's NAT-T patch was not applied cleanly to the FreeBSD sources. Was a full kernel+userland compile+install completed after the patch was applied?

You could try disabling NATT support in the Shrew Soft Client and see if you still get that error. Not sure if it will help :| If you do get this resolved and are still having problems getting the Client to connect, I would be happy to lend a hand with the configuration and troubleshooting if you will compile and post some helpful info for other users.

-Matthew
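To illustrate the NON-ESP marker mechanism Matthew describes, here is an added example (not code from this thread, racoon or ipsec-tools) that demultiplexes a UDP/4500 datagram the way RFC 3948 specifies and then parses the ISAKMP header with and without the marker stripped. The sample IKE message and its SA payload bytes are constructed for the demo; it shows that leaving the 4 zero bytes in place shifts the header so the "next payload" field reads a zero byte from the (still empty) responder cookie, which matches the "payload type 0" symptom.

```python
import struct

# RFC 3948: IKE on UDP/4500 is prefixed with 4 zero bytes (the NON-ESP marker);
# ESP-in-UDP starts directly with the ESP SPI, which is never zero.
NON_ESP_MARKER = b"\x00\x00\x00\x00"

# RFC 2408 ISAKMP header: I-cookie(8) R-cookie(8) NextPayload(1) Version(1)
# ExchangeType(1) Flags(1) MessageID(4) Length(4) = 28 bytes
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


def classify_udp4500(datagram: bytes):
    """Return ('ike', message_without_marker) or ('esp', datagram)."""
    if len(datagram) >= 4 and datagram[:4] == NON_ESP_MARKER:
        return "ike", datagram[4:]          # strip the marker before IKE parsing
    return "esp", datagram                  # first 4 bytes are the ESP SPI


def isakmp_next_payload(ike_msg: bytes) -> int:
    """Read the Next Payload field of an ISAKMP header (0 means 'none')."""
    if len(ike_msg) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    _icookie, _rcookie, next_payload, _ver, _exch, _flags, _mid, _length = \
        ISAKMP_HDR.unpack_from(ike_msg)
    return next_payload


def build_sample_ike_init() -> bytes:
    """Constructed Phase 1 first message: initiator cookie set, responder cookie
    still zero, Next Payload = 1 (SA), version 1.0, exchange type 2 (main mode).
    The SA payload body is a placeholder, not a real proposal."""
    body = b"\x00" * 20                     # placeholder SA payload (constructed)
    hdr = ISAKMP_HDR.pack(b"\x11\x22\x33\x44\x55\x66\x77\x88", b"\x00" * 8,
                          1, 0x10, 2, 0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


def demo():
    """Return (kind, next_payload_when_stripped, next_payload_when_not_stripped)."""
    dgram = NON_ESP_MARKER + build_sample_ike_init()
    kind, stripped = classify_udp4500(dgram)
    correct = isakmp_next_payload(stripped)   # 1: the SA payload
    # Failure mode from the thread: marker never removed, header read 4 bytes late,
    # so Next Payload lands on byte 4 of the all-zero responder cookie.
    wrong = isakmp_next_payload(dgram)        # 0
    return kind, correct, wrong
```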
