On Thu, 9 Apr 2015, Antonio Scattolini wrote:

So, end 2 will be:

phase2=esp
phase2alg=aes256-sha1;modp1024

End 1 will be:

esp=aes256-sha1;modp1024

Right? Or am I missing something?

You might need esp=aes256-sha1-modp1024

The syntax changed at some point. Openswan 2.4.6 is VERY old. It also
suffers from at least three CVE crashers, so it should really not be
used anywhere :/

Paul

Antonio

-----Original Message-----
From: Wolfgang Nothdurft [mailto:[email protected]]
Sent: Thursday, 9 April 2015 15:23
To: Antonio Scattolini
Cc: [email protected]
Subject: Re: R: [Swan] BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED, KEY_LENGTH attribute


On 09.04.2015 at 15:05, Antonio Scattolini wrote:
But phase2alg is supported in openswan 2.4.6? I know it is in libreswan
3.12.
I added it at both ends, still no connection...

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of Wolfgang Nothdurft
Sent: Thursday, 9 April 2015 13:49
To: [email protected]
Subject: Re: [Swan] BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED, KEY_LENGTH attribute


On 09.04.2015 at 13:14, Antonio Scattolini wrote:
Hi, I have at end 1:
Linux Openswan 2.4.6 (klips) on 2.6.17.11
and at end 2:
Libreswan 3.12 (klips) on 3.16.0-4-686-pae

ipsec barf at end 1 gives:
#15: STATE_QUICK_R2: IPsec SA established {ESP=>0x61b2c275 <0x4f3bc0f0 xfrm=AES_128-HMAC_SHA1 IPCOMP=x00006747 <0x00009191 NATD=none DPD=none}
#3: ignoring informational payload, type BAD_PROPOSAL_SYNTAX
#3: received and ignored informational message
#7: max number of retransmissions (2) reached STATE_QUICK_I1
#7: starting keying attempt 2 of an unlimited number
#17: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #7 {using isakmp#14}
#14: next payload type of ISAKMP Hash Payload has an unknown value: 97
#14: malformed payload in packet
#14: sending notification PAYLOAD_MALFORMED to a.b.c.d:500
#14: next payload type of ISAKMP Hash Payload has an unknown value: 62
#14: malformed payload in packet

ipsec barf at end 2 gives:
#21339: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
#21339: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG
cipher=oakley_3des_cbc_192 integ=5 group=MODP1536}
#20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
#21340: IPsec encryption transform did not specify required KEY_LENGTH attribute
#21340: sending encrypted notification BAD_PROPOSAL_SYNTAX to 85.44.60.33:500
#20842: Informational Exchange message must be encrypted
#20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
#21346: IPsec encryption transform did not specify required KEY_LENGTH attribute
#21346: sending encrypted notification BAD_PROPOSAL_SYNTAX to 85.44.60.33:500
#20842: Informational Exchange message must be encrypted

End 1 ipsec.conf:
config setup
        # klipsdebug=none
        # plutodebug="control parsing"
include /etc/ipsec.d/examples/no_oe.conf
conn end1-end2
          auto=start
          compress=yes
          authby=rsasig
          left=a.b.c.d
          leftsubnet=192.168.5.0/24
          [email protected]
          right=%defaultroute
          rightsubnet=192.168.3.0/24
          [email protected]
          leftrsasigkey=0sAQPmt...
          rightrsasigkey=0sAQN0...

End 2 ipsec.conf:
config setup
        # klipsdebug=none
        # plutodebug="control parsing"
        protostack=klips
        interfaces="ipsec0=eth1"
        # nat_traversal=yes
        oe=off
conn end1-end2
          auto=start
          compress=yes
          authby=rsasig
          left=%defaultroute
          leftsubnet=192.168.5.0/24
          [email protected]
          right=e.f.g.h
          rightsubnet=192.168.3.0/24
          [email protected]
          leftrsasigkey=0sAQPmt...
          rightrsasigkey=0sAQN0...

I don't know how to make them work....
Hi Antonio,

You can fix this by setting phase2alg on the initiator (end1).

@Paul: it seems this was forgotten

https://lists.libreswan.org/pipermail/swan/2014/000899.html

Wolfgang
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

oh, I overlooked your version. ;)

phase2alg was also in openswan, but unfortunately not in 2.4.x. Here you
must use esp= to set the proposals.

Wolfgang


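The two proposal spellings discussed in this thread ("aes256-sha1;modp1024" for phase2alg=/esp= on newer releases, and the "aes256-sha1-modp1024" esp= form Paul suggests for openswan 2.4.x), plus the KEY_LENGTH complaint from end 2's log, as an added example. This is not code from Openswan, Libreswan or any of the posters. The grammar (one proposal shaped CIPHER[KEYLEN]-INTEG with an optional DH group after ';' or '-'), the algorithm lists and the rule that AES needs an explicit key length while 3DES does not are simplifying assumptions made for the example, not the projects' actual parsers.

```python
"""Parse ESP (phase 2) proposal strings in both syntaxes seen in the thread,
render them back in either style, emit the matching ipsec.conf lines, and
pick out the responder-side log lines that point at a proposal problem.

Added example; not code from Openswan, Libreswan or the list posters.
Assumptions: one proposal per string, shaped CIPHER[KEYLEN]-INTEG[;|-GROUP],
and only the algorithm names needed to illustrate the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption for this example: AES must carry an explicit key length (the
# responder's "did not specify required KEY_LENGTH" line is about exactly
# that), while 3DES has a fixed key size and needs none.
VARIABLE_KEYLEN_CIPHERS = {"aes"}
KNOWN_INTEG = {"sha1", "md5", "sha2_256"}
KNOWN_GROUPS = {"modp1024", "modp1536", "modp2048"}

# Cipher token: a name optionally followed by a 3-digit key length (aes256).
_CIPHER_RE = re.compile(r"^(?P<name>[a-z0-9_]+?)(?P<keylen>\d{3})?$")

KEYLEN_MSG = "did not specify required KEY_LENGTH attribute"


@dataclass
class Proposal:
    cipher: str
    keylen: Optional[int]
    integ: str
    group: Optional[str]

    def needs_keylen(self) -> bool:
        """True when the cipher requires a key length but none was given."""
        return self.cipher in VARIABLE_KEYLEN_CIPHERS and self.keylen is None

    def render(self, old_syntax: bool = False) -> str:
        """Emit the proposal with ';' (newer) or '-' (older) before the group."""
        alg = f"{self.cipher}{self.keylen or ''}-{self.integ}"
        if self.group is None:
            return alg
        return f"{alg}{'-' if old_syntax else ';'}{self.group}"


def parse_proposal(text: str) -> Proposal:
    """Accept either separator style and return the normalised components."""
    text = text.strip().lower()
    group: Optional[str] = None
    if ";" in text:                        # newer syntax: cipher-integ;group
        text, group = text.split(";", 1)
    parts = text.split("-")
    if len(parts) == 3 and group is None:  # older syntax: cipher-integ-group
        group = parts.pop()
    if len(parts) != 2:
        raise ValueError(f"cannot parse proposal {text!r}")
    m = _CIPHER_RE.match(parts[0])
    if m is None:
        raise ValueError(f"bad cipher token {parts[0]!r}")
    integ = parts[1]
    if integ not in KNOWN_INTEG:
        raise ValueError(f"unknown integrity algorithm {integ!r}")
    if group is not None and group not in KNOWN_GROUPS:
        raise ValueError(f"unknown DH group {group!r}")
    keylen = int(m["keylen"]) if m["keylen"] else None
    return Proposal(m["name"], keylen, integ, group)


def conf_lines(prop: Proposal, has_phase2alg: bool) -> List[str]:
    """ipsec.conf lines for one end: phase2alg= where the release supports it,
    otherwise the esp= spelling (openswan 2.4.x, per the thread)."""
    if has_phase2alg:
        return ["phase2=esp", f"phase2alg={prop.render()}"]
    return [f"esp={prop.render(old_syntax=True)}"]


def diagnose(log_lines: List[str]) -> List[str]:
    """Pick the responder-side lines that point at a proposal problem."""
    findings = []
    for line in log_lines:
        if KEYLEN_MSG in line:
            findings.append("peer offered a transform without KEY_LENGTH: "
                            "pin the proposal (e.g. aes256) on the initiator")
        elif "BAD_PROPOSAL_SYNTAX" in line:
            findings.append("responder rejected the proposal")
    return findings


# Constructed sample: two lines copied from end 2's log in the thread.
SAMPLE_LOG = [
    "#21340: IPsec encryption transform did not specify required KEY_LENGTH attribute",
    "#21340: sending encrypted notification BAD_PROPOSAL_SYNTAX to 85.44.60.33:500",
]

if __name__ == "__main__":
    p = parse_proposal("aes256-sha1;modp1024")
    print(conf_lines(p, has_phase2alg=True))   # end 2 (libreswan 3.12)
    print(conf_lines(p, has_phase2alg=False))  # end 1 (openswan 2.4.6)
    print(diagnose(SAMPLE_LOG))
```

Running the block prints the phase2alg= pair for the libreswan end and the single esp= line for the openswan 2.4.6 end, then the two findings from the sample log. The needs_keylen() check is the part worth keeping around: a proposal written as plain "aes-sha1" is exactly the kind of input that leaves the key length unspecified and draws the BAD_PROPOSAL_SYNTAX answer seen at end 2.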
