So, end 2 will be:
    phase2=esp
    phase2alg=aes256-sha1;modp1024
End 1 will be:
    esp=aes256-sha1;modp1024
Right? Or am I missing something?

Antonio

-----Original Message-----
From: Wolfgang Nothdurft [mailto:[email protected]]
Sent: Thursday, 9 April 2015 15.23
To: Antonio Scattolini
Cc: [email protected]
Subject: Re: R: [Swan] BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED,KEY_LENGTH attribute

On 09.04.2015 at 15:05, Antonio Scattolini wrote:
> But phase2alg is supported in openswan 2.4.6? I know it is in libreswan
> 3.12.
> I added it at both ends, still no connection...
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On behalf of Wolfgang Nothdurft
> Sent: Thursday, 9 April 2015 13.49
> To: [email protected]
> Subject: Re: [Swan] BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED,KEY_LENGTH attribute
>
>
> On 09.04.2015 at 13:14, Antonio Scattolini wrote:
>> Hi, I have at end 1:
>> Linux Openswan 2.4.6 (klips) on 2.6.17.11
>> and at end 2:
>> Libreswan 3.12 (klips) on 3.16.0-4-686-pae
>>
>> ipsec barf at end 1 gives:
>> #15: STATE_QUICK_R2: IPsec SA established {ESP=>0x61b2c275 <0x4f3bc0f0 xfrm=AES_128-HMAC_SHA1 IPCOMP=x00006747 <0x00009191 NATD=none DPD=none}
>> #3: ignoring informational payload, type BAD_PROPOSAL_SYNTAX
>> #3: received and ignored informational message
>> #7: max number of retransmissions (2) reached STATE_QUICK_I1
>> #7: starting keying attempt 2 of an unlimited number
>> #17: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #7 {using isakmp#14}
>> #14: next payload type of ISAKMP Hash Payload has an unknown value: 97
>> #14: malformed payload in packet
>> #14: sending notification PAYLOAD_MALFORMED to a.b.c.d:500
>> #14: next payload type of ISAKMP Hash Payload has an unknown value: 62
>> #14: malformed payload in packet
>>
>> ipsec barf at end 2 gives:
>> #21339: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> #21339: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=oakley_3des_cbc_192 integ=5 group=MODP1536}
>> #20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
>> #21340: IPsec encryption transform did not specify required KEY_LENGTH attribute
>> #21340: sending encrypted notification BAD_PROPOSAL_SYNTAX to 85.44.60.33:500
>> #20842: Informational Exchange message must be encrypted
>> #20842: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.3.0/24:0/0
>> #21346: IPsec encryption transform did not specify required KEY_LENGTH attribute
>> #21346: sending encrypted notification BAD_PROPOSAL_SYNTAX to 85.44.60.33:500
>> #20842: Informational Exchange message must be encrypted
>>
>> End 1 ipsec.conf:
>> config setup
>>     # klipsdebug=none
>>     # plutodebug="control parsing"
>> include /etc/ipsec.d/examples/no_oe.conf
>> conn end1-end2
>>     auto=start
>>     compress=yes
>>     authby=rsasig
>>     left=a.b.c.d
>>     leftsubnet=192.168.5.0/24
>>     [email protected]
>>     right=%defaultroute
>>     rightsubnet=192.168.3.0/24
>>     [email protected]
>>     leftrsasigkey=0sAQPmt...
>>     rightrsasigkey=0sAQN0...
>>
>> End 2 ipsec.conf:
>> config setup
>>     # klipsdebug=none
>>     # plutodebug="control parsing"
>>     protostack=klips
>>     interfaces="ipsec0=eth1"
>>     # nat_traversal=yes
>>     oe=off
>> conn end1-end2
>>     auto=start
>>     compress=yes
>>     authby=rsasig
>>     left=%defaultroute
>>     leftsubnet=192.168.5.0/24
>>     [email protected]
>>     right=e.f.g.h
>>     rightsubnet=192.168.3.0/24
>>     [email protected]
>>     leftrsasigkey=0sAQPmt...
>>     rightrsasigkey=0sAQN0...
>>
>> I don't know how to make them work....
> Hi Antonio,
>
> you can fix this setting phase2alg on the initiator (end1).
>
> @Paul: it seems this was forgotten
>
> https://lists.libreswan.org/pipermail/swan/2014/000899.html
>
> Wolfgang
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan

oh, I overlooked your version. ;)

phase2alg was also in openswan, but unfortunately not in 2.4.x. Here you must use esp= to set the proposals.

Wolfgang
