esp=aes256-sha1-modp1024

Are you sure? Connection goes into error (it is not even added).

Instead, if I put:

esp=aes256-sha1;modp1024

both peers have ISAKMP SA established and IPsec SA established and also both stuck in STATE_QUICK_I2; no ping from host in LAN of end 1 to host in LAN of end 2 and vice versa...

Antonio

-----Original Message-----
From: Paul Wouters [mailto:[email protected]]
Sent: Thursday 9 April 2015 16:39
To: Antonio Scattolini
Cc: 'Wolfgang Nothdurft'; [email protected]
Subject: Re: [Swan] R: R: BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED, KEY_LENGTH attribute

On Thu, 9 Apr 2015, Antonio Scattolini wrote:

> So, end 2 will be:
>
> phase2=esp
> phase2alg=aes256-sha1;modp1024
>
> End 1 will be:
>
> esp=aes256-sha1;modp1024
>
> Right? Or am I missing something?

you might need esp=aes256-sha1-modp1024

The syntax changed at some point. Openswan 2.4.6 is VERY old. It also suffers from at least three CVE crashers, so it should really not be used anywhere :/

Paul

> Antonio
>
> -----Original Message-----
> From: Wolfgang Nothdurft [mailto:[email protected]]
> Sent: Thursday 9 April 2015 15:23
> To: Antonio Scattolini
> Cc: [email protected]
> Subject: Re: R: [Swan] BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED,KEY_LENGTH attribute
>
>
> On 09.04.2015 at 15:05, Antonio Scattolini wrote:
>> But phase2alg is supported in openswan 2.4.6? I know it is in libreswan 3.12.
>> I added it at both ends, still no connection...
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On behalf of Wolfgang Nothdurft
>> Sent: Thursday 9 April 2015 13:49
>> To: [email protected]
>> Subject: Re: [Swan] BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED,KEY_LENGTH attribute
>>
>>
>> On 09.04.2015 at 13:14, Antonio Scattolini wrote:
>>> Hi, I have at end 1:
>>> Linux Openswan 2.4.6 (klips) on 2.6.17.11
>>> and at end 2:
>>> Libreswan 3.12 (klips) on 3.16.0-4-686-pae
>>>
>>> ipsec barf at end 1 gives:
>>> #15: STATE_QUICK_R2: IPsec SA established {ESP=>0x61b2c275 <0x4f3bc0f0 xfrm=AES_128-HMAC_SHA1 IPCOMP=x00006747 <0x00009191 NATD=none DPD=none}
>>> #3: ignoring informational payload, type BAD_PROPOSAL_SYNTAX
>>> #3: received and ignored informational message
>>> #7: max number of retransmissions (2) reached STATE_QUICK_I1
>>> #7: starting keying attempt 2 of an unlimited number
>>> #17: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #7 {using isakmp#14}
>>> #14: next payload type of ISAKMP Hash Payload has an unknown value: 97
>>> #14: malformed payload in packet
>>> #14: sending notification PAYLOAD_MALFORMED to a.b.c.d:500
>>> #14: next payload type of ISAKMP Hash Payload has an unknown value: 62
>>> #14: malformed payload in packet
>>>
>>> ipsec barf at end 2 gives:
>>> #21339: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>> #21339: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=oakley_3des_cbc_192 integ=5 group=MODP1536}
>>> #20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
>>> #21340: IPsec encryption transform did not specify required KEY_LENGTH attribute
>>> #21340: sending encrypted notification BAD_PROPOSAL_SYNTAX to 85.44.60.33:500
>>> #20842: Informational Exchange message must be encrypted
>>> #20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
>>> #21346: IPsec encryption transform did not specify required KEY_LENGTH attribute
>>> #21346: sending encrypted notification BAD_PROPOSAL_SYNTAX to 85.44.60.33:500
>>> #20842: Informational Exchange message must be encrypted
>>>
>>> End 1 ipsec.conf:
>>> config setup
>>> # klipsdebug=none
>>> # plutodebug="control parsing"
>>> include /etc/ipsec.d/examples/no_oe.conf
>>> conn end1-end2
>>> auto=start
>>> compress=yes
>>> authby=rsasig
>>> left=a.b.c.d
>>> leftsubnet=192.168.5.0/24
>>> [email protected]
>>> right=%defaultroute
>>> rightsubnet=192.168.3.0/24
>>> [email protected]
>>> leftrsasigkey=0sAQPmt...
>>> rightrsasigkey=0sAQN0...
>>>
>>> End 2 ipsec.conf:
>>> config setup
>>> # klipsdebug=none
>>> # plutodebug="control parsing"
>>> protostack=klips
>>> interfaces="ipsec0=eth1"
>>> # nat_traversal=yes
>>> oe=off
>>> conn end1-end2
>>> auto=start
>>> compress=yes
>>> authby=rsasig
>>> left=%defaultroute
>>> leftsubnet=192.168.5.0/24
>>> [email protected]
>>> right=e.f.g.h
>>> rightsubnet=192.168.3.0/24
>>> [email protected]
>>> leftrsasigkey=0sAQPmt...
>>> rightrsasigkey=0sAQN0...
>>>
>>> I don't know how to make them work....
>> Hi Antonio,
>>
>> you can fix this setting phase2alg on the initiator (end1).
>>
>> @Paul: it seems this was forgotten
>>
>> https://lists.libreswan.org/pipermail/swan/2014/000899.html
>>
>> Wolfgang
>> _______________________________________________
>> Swan mailing list
>> [email protected]
>> https://lists.libreswan.org/mailman/listinfo/swan
>
> oh, I overlooked your version. ;)
>
> phase2alg was also in openswan, but unfortunately not in 2.4.x. Here you must use esp= to set the proposals.
>
> Wolfgang
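As an added example that is not part of this thread nor of openswan's or libreswan's code: a small checker for the esp=/phase2alg= proposal string, accepting both the "-" and ";" group separators discussed above, and for a conn block that has no such line at all, which is end 1's situation when end 2 rejects its transform for the missing KEY_LENGTH attribute. The regex, the modp/dh prefix test and the warning texts are my assumptions.

```python
import re

# Added example; not code from the thread, nor from libreswan or openswan.
# Pulls the esp= line out of an ipsec.conf conn block and checks each proposal
# for an explicit AES key length; separators, prefixes and the "no esp= line"
# warning are my assumptions about what an operator would want flagged.
_ENC = re.compile(r"^(?P<alg>[a-z0-9_]*?[a-z_])(?P<bits>\d+)?$")

def parse_proposal(spec):
    """'aes256-sha1;modp1024' or 'aes256-sha1-modp1024' -> components dict."""
    # Both separators seen in the thread are accepted; the trailing DH group is
    # recognised by its modp/dh prefix, not by which separator precedes it.
    tokens = [t for t in re.split(r"[-;]", spec.strip().lower()) if t]
    group = tokens.pop() if tokens and tokens[-1].startswith(("modp", "dh")) else None
    if not 1 <= len(tokens) <= 2:
        raise ValueError(f"unexpected proposal shape: {spec!r}")
    m = _ENC.match(tokens[0])
    if m is None:
        raise ValueError(f"unparseable cipher token: {tokens[0]!r}")
    return {"enc": m.group("alg"),
            "keylen": int(m.group("bits")) if m.group("bits") else None,
            "integ": tokens[1] if len(tokens) == 2 else None,
            "group": group}

def lint_esp(value):
    """Return warnings for a comma-separated esp= / phase2alg= value."""
    warnings = []
    for spec in value.split(","):
        p = parse_proposal(spec)
        # IKEv1 AES-CBC transforms carry a KEY_LENGTH attribute on the wire; a
        # bare 'aes' leaves the length to the build's default instead of pinning it.
        if p["enc"].startswith("aes") and p["keylen"] is None:
            warnings.append(f"{spec.strip()}: AES proposal without explicit key length")
    return warnings

def lint_conn(conf_lines):
    """Scan one conn block (list of lines) and report esp= problems."""
    for line in conf_lines:
        key, _, val = line.strip().partition("=")
        if key.strip() in ("esp", "phase2alg"):
            return lint_esp(val)
    # End 1 in the thread has no esp= line at all and sent a default proposal
    # the peer rejected, so an absent line is reported as well.
    return ["no esp=/phase2alg= line: peer will see the build's default proposal"]

# Constructed sample input modelled on end 1's conn block above (keys trimmed).
SAMPLE_CONN = ["conn end1-end2", "auto=start", "authby=rsasig",
               "leftsubnet=192.168.5.0/24", "rightsubnet=192.168.3.0/24"]
```

Run lint_conn over each conn block before loading the config; whether a given *swan version accepts "-" or ";" before the group is still decided by that version's own parser, not by this script.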
