Hi All,
I'm attempting to set up a tunnel using libreswan-3.8-6.el7_0.x86_64 on
centos 7. Other end is some Juniper box, but I don't know anything
beyond that.
My config is:
conn my_tunnel
left=a.b.c.d
leftsubnet=e.f.g.h/32
right=i.j.k.l
rightsubnet=i.j.k.m/32
authby=secret
aggrmode=no
auto=start
ike=aes256-sha1;modp1024
ikelifetime=4800s
phase2alg=aes256-sha1;modp1024
salifetime=4800s
rekey=yes
keyingtries=%forever
(I'm "right"). The ike and phase2 settings were provided to me thus:
Phase 1 Proposal:
Diffie-Hellman group: DH2
Re-key time (value in seconds): 4800
NAT Traversal: Disable
Encryption: AES256
Integrity/Hashing Algorithm: SHA-1
Phase 2 Proposal:
Diffie-Hellman group: DH2
Re-key time (value in seconds): 4800
Perfect Forward Secrecy - PFS: Enable
Encryption: AES256
Integrity/Hashing Algorithm: SHA-1
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: initiating Main Mode
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: ignoring unknown Vendor ID payload [1c9cc56fce382e3a040b692cda85427d7306db4b110000001e060000]
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: received Vendor ID payload [Dead Peer Detection]
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: Not sending INITIAL_CONTACT
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: next payload type of ISAKMP Hash Payload has an unknown value: 29
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: malformed payload in packet
Mar 6 13:21:08 ipsec-gateway pluto[3647]: | payload malformed after possible IV
Mar 6 13:21:08 ipsec-gateway pluto[3647]: | 3a 14 09 c4 c7 8c 48 dd 99 2d 14 ab 51 60 bb 87
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: sending notification PAYLOAD_MALFORMED to a.b.c.d:500
Any ideas as to what may be causing this?
I have the debug-all output, but I'm not sure about posting it. Before
the "next payload type of ISAKMP Hash Payload has an unknown value: 29"
I have:
Mar 6 13:49:37 ipsec-gateway pluto[3647]: | phase 1 is done, looking for phase 2 to unpend
So is it possible my phase 2 algorithms don't match? It's computing a
"phase 2 iv" and then decrypting, then:
Mar 6 13:49:37 ipsec-gateway pluto[3647]: | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
Then it emits the "next payload type of ISAKMP Hash Payload has an
unknown value".
--
Thanks,
David Mansfield
Cobite, INC.
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
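As an added example (not part of the original post, and not libreswan's own tooling): a small Python triage script that parses pluto log lines of the kind shown above, tracks the IKEv1 Main Mode state transitions per connection and SA, and reports the last state reached before a PAYLOAD_MALFORMED notification was sent. The sample log is constructed from the post's own lines rejoined onto single lines; the hint text the script prints for a failure at STATE_MAIN_I3 (check the pre-shared key and phase 1 proposal on both ends) is the usual first thing to verify for that pattern and is an assumption of this example, not a finding stated in the post.

```python
import re

# Added example: triage helper for libreswan pluto log lines. It is not code
# from the original post or from the libreswan project.

# Constructed sample: the post's wrapped log lines, rejoined onto single lines.
SAMPLE_LOG = """\
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: initiating Main Mode
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: received Vendor ID payload [Dead Peer Detection]
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: next payload type of ISAKMP Hash Payload has an unknown value: 29
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: malformed payload in packet
Mar 6 13:21:08 ipsec-gateway pluto[3647]: | payload malformed after possible IV
Mar 6 13:21:08 ipsec-gateway pluto[3647]: "my_tunnel" #1: sending notification PAYLOAD_MALFORMED to a.b.c.d:500
"""

# A pluto line is "<Mon D HH:MM:SS> <host> pluto[<pid>]: " followed either by
# '"<conn>" #<sa>: <message>' or by a debug message starting with "| ".
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+\S+\s+pluto\[\d+\]:\s+'
    r'(?:"(?P<conn>[^"]+)"\s+#(?P<sa>\d+):\s+)?(?P<msg>.*)$'
)
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
NOTIFY_RE = re.compile(r'sending notification (\S+) to (\S+)')


def parse_line(line):
    """Split one pluto log line into ts/conn/sa/msg; returns None for non-pluto lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["debug"] = rec["msg"].startswith("| ")
    return rec


def triage(log_text):
    """Return {(conn, sa): summary} with the state path, parse errors and final notification."""
    summaries = {}
    current = None  # debug ("| ...") lines carry no conn/SA; attribute them to the last one seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["conn"] is not None:
            current = (rec["conn"], int(rec["sa"]))
        if current is None:
            continue
        s = summaries.setdefault(
            current, {"states": [], "errors": [], "notification": None, "peer": None})
        msg = rec["msg"]
        t = TRANSITION_RE.search(msg)
        if t:
            s["states"].append(t.group(2))
        elif "malformed" in msg or "unknown value" in msg:
            s["errors"].append(msg.lstrip("| "))
        n = NOTIFY_RE.search(msg)
        if n:
            s["notification"], s["peer"] = n.group(1), n.group(2)
    return summaries


def explain(summary):
    """Plain-language hint for where the negotiation stopped (heuristic, an assumption of this example)."""
    last = summary["states"][-1] if summary["states"] else "unknown"
    if summary["notification"] == "PAYLOAD_MALFORMED" and last == "STATE_MAIN_I3":
        return (f"reached {last} (first encrypted Main Mode exchange) and could not parse the "
                f"reply; verify the pre-shared key and phase 1 proposal match on both ends")
    if summary["notification"]:
        return f"stopped at {last} with notification {summary['notification']}"
    return f"reached {last} without a reported failure"


if __name__ == "__main__":
    for (conn, sa), s in triage(SAMPLE_LOG).items():
        print(f'"{conn}" #{sa}: states={" -> ".join(s["states"])}')
        for err in s["errors"]:
            print(f"  error: {err}")
        print(f"  {explain(s)}")
```

Run it against a live `/var/log/secure` (or `journalctl -u ipsec`) extract instead of the sample to get the same per-SA summary; the state path tells you immediately whether the failure happened before or after the first encrypted exchange, which is the distinction the post is trying to make.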