But phase2alg is supported in openswan 2.4.6? I know it is in libreswan 3.12. I added it at both ends, still no connection...
-----Original message-----
From: [email protected] [mailto:[email protected]] On behalf of Wolfgang Nothdurft
Sent: Thursday, 9 April 2015 13.49
To: [email protected]
Subject: Re: [Swan] BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED,KEY_LENGTH attribute

On 09.04.2015 at 13:14, Antonio Scattolini wrote:
> Hi, I have at end 1:
> Linux Openswan 2.4.6 (klips) on 2.6.17.11
> and at end 2:
> Libreswan 3.12 (klips) on 3.16.0-4-686-pae
>
> ipsec barf at end 1 gives:
> #15: STATE_QUICK_R2: IPsec SA established {ESP=>0x61b2c275 <0x4f3bc0f0
> xfrm=AES_128-HMAC_SHA1 IPCOMP=x00006747 <0x00009191 NATD=none DPD=none}
> #3: ignoring informational payload, type BAD_PROPOSAL_SYNTAX
> #3: received and ignored informational message
> #7: max number of retransmissions (2) reached STATE_QUICK_I1
> #7: starting keying attempt 2 of an unlimited number
> #17: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace
> #7 {using isakmp#14}
> #14: next payload type of ISAKMP Hash Payload has an unknown value: 97
> #14: malformed payload in packet
> #14: sending notification PAYLOAD_MALFORMED to a.b.c.d:500
> #14: next payload type of ISAKMP Hash Payload has an unknown value: 62
> #14: malformed payload in packet
>
> ipsec barf at end 2 gives:
> #21339: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> #21339: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG
> cipher=oakley_3des_cbc_192 integ=5 group=MODP1536}
> #20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
> #21340: IPsec encryption transform did not specify required KEY_LENGTH
> attribute
> #21340: sending encrypted notification BAD_PROPOSAL_SYNTAX to
> 85.44.60.33:500
> #20842: Informational Exchange message must be encrypted
> #20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
> #21346: IPsec encryption transform did not specify required KEY_LENGTH
> attribute
> #21346: sending encrypted notification BAD_PROPOSAL_SYNTAX to
> 85.44.60.33:500
> #20842: Informational Exchange message must be encrypted
>
> End 1 ipsec.conf:
> config setup
>     # klipsdebug=none
>     # plutodebug="control parsing"
> include /etc/ipsec.d/examples/no_oe.conf
> conn end1-end2
>     auto=start
>     compress=yes
>     authby=rsasig
>     left=a.b.c.d
>     leftsubnet=192.168.5.0/24
>     [email protected]
>     right=%defaultroute
>     rightsubnet=192.168.3.0/24
>     [email protected]
>     leftrsasigkey=0sAQPmt...
>     rightrsasigkey=0sAQN0...
>
> End 2 ipsec.conf:
> config setup
>     # klipsdebug=none
>     # plutodebug="control parsing"
>     protostack=klips
>     interfaces="ipsec0=eth1"
>     # nat_traversal=yes
>     oe=off
> conn end1-end2
>     auto=start
>     compress=yes
>     authby=rsasig
>     left=%defaultroute
>     leftsubnet=192.168.5.0/24
>     [email protected]
>     right=e.f.g.h
>     rightsubnet=192.168.3.0/24
>     [email protected]
>     leftrsasigkey=0sAQPmt...
>     rightrsasigkey=0sAQN0...
>
> I don't know how to make them work....

Hi Antonio,

you can fix this by setting phase2alg on the initiator (end1).

@Paul: it seems this was forgotten
https://lists.libreswan.org/pipermail/swan/2014/000899.html

Wolfgang
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
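
Added example, not part of the original thread and not Openswan or Libreswan code: a small decoder for an ISAKMP Transform payload that reproduces the check behind the "did not specify required KEY_LENGTH attribute" log line at end 2. The constants come from RFC 2407/2408; the sample payloads are constructed, and treating the rejected transform as ESP_AES is an assumption.

```python
import struct

# IPsec DOI values from RFC 2407
ESP_3DES, ESP_AES = 3, 12        # ESP transform identifiers
ATTR_KEY_LENGTH = 6              # IPsec SA attribute type "Key Length"
VARIABLE_KEY_ESP = {ESP_AES}     # ciphers that have no single fixed key size

def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408, section 3.3) into {type: value}."""
    attrs, off = {}, 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        a_type, a_val = struct.unpack_from("!HH", data, off)
        off += 4
        if a_type & 0x8000:      # AF=1: type/value form, value is in the header
            attrs[a_type & 0x7FFF] = a_val
        else:                    # AF=0: type/length/value form, a_val is the length
            if off + a_val > len(data):
                raise ValueError("truncated attribute value")
            attrs[a_type] = int.from_bytes(data[off:off + a_val], "big")
            off += a_val
    return attrs

def check_esp_transform(payload):
    """Return (transform_id, attrs, problem) for one ESP Transform payload."""
    if len(payload) < 8:
        raise ValueError("transform payload shorter than its 8-byte header")
    _next, _res, length, _num, t_id, _res2 = struct.unpack_from("!BBHBBH", payload)
    if length != len(payload):
        raise ValueError("payload length field does not match the data")
    attrs = parse_attributes(payload[8:])
    problem = None
    if t_id in VARIABLE_KEY_ESP and ATTR_KEY_LENGTH not in attrs:
        problem = "encryption transform did not specify required KEY_LENGTH attribute"
    return t_id, attrs, problem

def build_transform(t_id, attrs):
    """Build a constructed Transform payload from (type, value) pairs, TV form only."""
    body = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attrs)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), 1, t_id, 0) + body

# Constructed samples: tunnel mode (4=1), HMAC-SHA (5=2), with and without key length
NO_KEYLEN = build_transform(ESP_AES, [(4, 1), (5, 2)])
WITH_KEYLEN = build_transform(ESP_AES, [(4, 1), (5, 2), (ATTR_KEY_LENGTH, 128)])

if __name__ == "__main__":
    for name, sample in (("no key length", NO_KEYLEN), ("key length 128", WITH_KEYLEN)):
        print(name, check_esp_transform(sample))
```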
