On 09.04.2015 at 13:14, Antonio Scattolini wrote:
Hi,

I have at end 1: Linux Openswan 2.4.6 (klips) on 2.6.17.11
and at end 2: Libreswan 3.12 (klips) on 3.16.0-4-686-pae

ipsec barf at end 1 gives:

#15: STATE_QUICK_R2: IPsec SA established {ESP=>0x61b2c275 <0x4f3bc0f0 xfrm=AES_128-HMAC_SHA1 IPCOMP=x00006747 <0x00009191 NATD=none DPD=none}
#3: ignoring informational payload, type BAD_PROPOSAL_SYNTAX
#3: received and ignored informational message
#7: max number of retransmissions (2) reached STATE_QUICK_I1
#7: starting keying attempt 2 of an unlimited number
#17: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #7 {using isakmp#14}
#14: next payload type of ISAKMP Hash Payload has an unknown value: 97
#14: malformed payload in packet
#14: sending notification PAYLOAD_MALFORMED to a.b.c.d:500
#14: next payload type of ISAKMP Hash Payload has an unknown value: 62
#14: malformed payload in packet

ipsec barf at end 2 gives:

#21339: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
#21339: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=oakley_3des_cbc_192 integ=5 group=MODP1536}
#20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
#21340: IPsec encryption transform did not specify required KEY_LENGTH attribute
#21340: sending encrypted notification BAD_PROPOSAL_SYNTAX to 85.44.60.33:500
#20842: Informational Exchange message must be encrypted
#20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
#21346: IPsec encryption transform did not specify required KEY_LENGTH attribute
#21346: sending encrypted notification BAD_PROPOSAL_SYNTAX to 85.44.60.33:500
#20842: Informational Exchange message must be encrypted

End 1 ipsec.conf:

config setup
    # klipsdebug=none
    # plutodebug="control parsing"

include /etc/ipsec.d/examples/no_oe.conf

conn end1-end2
    auto=start
    compress=yes
    authby=rsasig
    left=a.b.c.d
    leftsubnet=192.168.5.0/24
    [email protected]
    right=%defaultroute
    rightsubnet=192.168.3.0/24
    [email protected]
    leftrsasigkey=0sAQPmt...
    rightrsasigkey=0sAQN0...

End 2 ipsec.conf:

config setup
    # klipsdebug=none
    # plutodebug="control parsing"
    protostack=klips
    interfaces="ipsec0=eth1"
    # nat_traversal=yes
    oe=off

conn end1-end2
    auto=start
    compress=yes
    authby=rsasig
    left=%defaultroute
    leftsubnet=192.168.5.0/24
    [email protected]
    right=e.f.g.h
    rightsubnet=192.168.3.0/24
    [email protected]
    leftrsasigkey=0sAQPmt...
    rightrsasigkey=0sAQN0...

I don't know how to make them work....
Hi Antonio,

you can fix this by setting phase2alg on the initiator (end1).

@Paul: it seems this was forgotten
https://lists.libreswan.org/pipermail/swan/2014/000899.html

Wolfgang
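
An added example, not part of the original thread and not Libreswan or Openswan code: a small Python triage script run over the end 2 log lines quoted above, grouping pluto messages by state number so that each BAD_PROPOSAL_SYNTAX notification is tied to the missing KEY_LENGTH cause and the peer it was sent to. The function name and the fields of the returned findings are assumptions made for this example.

```python
import re
from collections import defaultdict

# Log excerpt copied from the end 2 (responder) output quoted in this thread.
RESPONDER_LOG = """\
#20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
#21340: IPsec encryption transform did not specify required KEY_LENGTH attribute
#21340: sending encrypted notification BAD_PROPOSAL_SYNTAX to 85.44.60.33:500
#20842: Informational Exchange message must be encrypted
#20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
#21346: IPsec encryption transform did not specify required KEY_LENGTH attribute
#21346: sending encrypted notification BAD_PROPOSAL_SYNTAX to 85.44.60.33:500
"""

LINE = re.compile(r"^#(\d+):\s*(.*)$")
NOTIFY = re.compile(r"sending (?:encrypted )?notification (\S+) to ([\d.]+):(\d+)")
CAUSE = "did not specify required KEY_LENGTH attribute"


def rejected_proposals(log_text):
    """Return one finding per state whose proposal lacked a KEY_LENGTH attribute."""
    by_state = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # lines without a "#<state>:" prefix are skipped
            by_state[int(m.group(1))].append(m.group(2))

    findings = []
    for state, msgs in sorted(by_state.items()):
        if not any(CAUSE in msg for msg in msgs):
            continue
        # The notification sent back for this state names the peer (the initiator).
        notify = next((NOTIFY.search(x) for x in msgs if NOTIFY.search(x)), None)
        findings.append({
            "state": state,
            "notification": notify.group(1) if notify else None,
            "peer": notify.group(2) if notify else None,
        })
    return findings


if __name__ == "__main__":
    for f in rejected_proposals(RESPONDER_LOG):
        print(f"state #{f['state']}: Quick Mode proposal from {f['peer']} rejected "
              f"({f['notification']}): ESP transform carries no key length")
```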
