I am using strongSwan version 4.5.2 running on Ubuntu (Amazon Cloud).
I want to connect a SoHo Cisco VPN router to it.
In the auth.log I see that STATE_MAIN_R3 is failing with the following error:
ISAKMP Hash Payload has an unknown value
Here is the strongSwan ipsec.conf:
config setup
        plutodebug=control
        nat_traversal=yes
        charonstart=no

conn %default
        ike=3des-md5-modp1024!
        esp=3des-md5-modp1024!
        pfs=no
        compress=no
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn ikev1
        left=172.31.1.112
        leftsubnet=172.31.1.0/24
        leftfirewall=yes
        right=%any
        rightsubnet=192.168.1.0/24
        [email protected]
        auto=add

ipsec.secrets:
===============
172.31.1.112 %any : PSK "0000000000"
The auth.log file:
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: packet from 84.152.147.120:56421: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: packet from 84.152.147.120:56421: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | preparse_isakmp_policy: peer requests PSK authentication
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | instantiated "ikev1" for 80.111.147.120
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | creating state object #1 at 0x7faf12c52760
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | ICOOKIE: 37 03 6d c8 6e 59 15 77
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | RCOOKIE: 27 47 66 07 15 b4 3e 53
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | peer: 54 98 93 78
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | state hash entry 20
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: "ikev1"[1] 80.111.147.120:56421 #1: responding to Main Mode from unknown peer 80.111.147.120:56421
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: |
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | *received 220 bytes from 80.111.147.120:56421 on eth0
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | ICOOKIE: 37 03 6d c8 6e 59 15 77
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | RCOOKIE: 27 47 66 07 15 b4 3e 53
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | peer: 54 98 93 78
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | state hash entry 20
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | state object #1 found, in STATE_MAIN_R1
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: "ikev1"[1] 80.111.147.120:56421 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: |
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | *received 76 bytes from 80.111.147.120:56422 on eth0
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | ICOOKIE: 37 03 6d c8 6e 59 15 77
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | RCOOKIE: 27 47 66 07 15 b4 3e 53
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | peer: 54 98 93 78
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | state hash entry 20
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | state object #1 found, in STATE_MAIN_R2
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: "ikev1"[1] 80.111.147.120:56421 #1: Peer ID is ID_FQDN: '[email protected]'
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | peer CA: %none
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | current connection is a full match -- no need to look further
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | offered CA: %none
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | NAT-T: new mapping 80.111.147.120:56421/56422)
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | inserting event EVENT_SA_REPLACE, timeout in 3510 seconds for #1
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: "ikev1"[1] 80.111.147.120:56422 #1: sent MR3, ISAKMP SA established
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: |
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | *received 60 bytes from 80.111.147.120:56422 on eth0
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | ICOOKIE: 37 03 6d c8 6e 59 15 77
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | RCOOKIE: 27 47 66 07 15 b4 3e 53
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | peer: 54 98 93 78
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | state hash entry 20
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | state object #1 found, in STATE_MAIN_R3
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: "ikev1"[1] 80.111.147.120:56422 #1: next payload type of ISAKMP Hash Payload has an unknown value: 128
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: "ikev1"[1] 80.111.147.120:56422 #1: malformed payload in packet
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
You can see the configuration of the Cisco router here:
http://www.image-share.com/ijpg-2316-278.html
Unfortunately there is no log of the Cisco router available.
Thx for helping!
Mit freundlichen Grüßen / Best regards
Tobias Gruber
Tel. +49(89)6290-1690
PC-Fax +49(711)811-5121690
BeQIK
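
Added example, not part of the original post and not strongSwan code: a minimal walker over the RFC 2408 generic payload headers, showing the kind of chain check that yields the "next payload type of ISAKMP Hash Payload has an unknown value: 128" line in the log above. It assumes an already decrypted message body; the two packets are constructed samples (only the cookies are copied from the log), and `walk_payloads` and `build` are hypothetical names.

```python
import struct

# Payload types from RFC 2408 section 3.1, plus NAT-D / NAT-OA from RFC 3947.
# RFC 2408 leaves 128-255 for private use, so 128 has no standard meaning.
PAYLOAD_NAMES = {
    1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "Hash", 9: "SIG", 10: "Nonce", 11: "Notification",
    12: "Delete", 13: "Vendor ID", 20: "NAT-D", 21: "NAT-OA",
}
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next, version, exchange, flags, msg id, length
GENERIC_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length


def walk_payloads(message: bytes):
    """Walk the payload chain; return (payload names accepted, error or None)."""
    if len(message) < ISAKMP_HDR.size:
        return [], "message shorter than ISAKMP header"
    _ic, _rc, next_type, _ver, _xchg, _flags, _mid, total = ISAKMP_HDR.unpack_from(message)
    if total != len(message):
        return [], "length field does not match datagram size"
    seen, offset, current = [], ISAKMP_HDR.size, "ISAKMP Header"
    while next_type != 0:  # 0 = no further payload
        if next_type not in PAYLOAD_NAMES:
            return seen, f"next payload type of {current} has an unknown value: {next_type}"
        name = PAYLOAD_NAMES[next_type]
        if offset + GENERIC_HDR.size > total:
            return seen, f"{name} payload header runs past end of message"
        following, _reserved, length = GENERIC_HDR.unpack_from(message, offset)
        if length < GENERIC_HDR.size or offset + length > total:
            return seen, f"{name} payload has bad length {length}"
        seen.append(name)
        current, offset, next_type = f"ISAKMP {name} Payload", offset + length, following
    return seen, None


def build(first_type, payloads):
    """Constructed test input: payloads is a list of (next_type, body) pairs."""
    body = b"".join(GENERIC_HDR.pack(nxt, 0, 4 + len(data)) + data for nxt, data in payloads)
    cookies = bytes.fromhex("37036dc86e591577"), bytes.fromhex("2747660715b43e53")
    return ISAKMP_HDR.pack(*cookies, first_type, 0x10, 5, 0, 1, 28 + len(body)) + body


GOOD = build(8, [(11, bytes(16)), (0, bytes(8))])   # Hash -> Notification -> end
BAD = build(8, [(128, bytes(16))])                  # Hash whose next-payload byte is 128

if __name__ == "__main__":
    for label, pkt in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, walk_payloads(pkt))
```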