Re: IPSec Error PAYLOAD_MALFORMED (OpenBSD-3.0 + Cisco 7200)
Thanks Hakan, I attach the log file separately with -DA=90. I don't know
how I missed that. By the way, I haven't seen any "/payload type/", and I've
double-checked the shared secret (several Windows clients are running already).
Everything looks good; it even seems like the first phase is finished, but
there's some problem negotiating the second phase :?
Thanks
Ivan Montoro
----- Original Message -----
From: "Hakan Olsson" <ho@crt.se>
To: "Iván Montoro Ten" <ivanm@knowgate.com>
Cc: <misc@openbsd.org>
Sent: Tuesday, March 19, 2002 12:00 AM
Subject: Re: IPSec Error PAYLOAD_MALFORMED (OpenBSD-3.0 + Cisco 7200)
First, my guess is a mistyped shared secret. (A typo will cause bad
decryption on the receiver side --> "malformed payload".)
...
At a glance, your isakmpd.conf, pf.conf, policy etc look ok. (Do you need
to run DES + MD5? Most systems today support stronger variants...)
> ########################################################################
> 5) ipsecadm flush (just in case...)
> ps axu -> no isakmpd daemon running
> netstat -nr -> nothing under "Encap"
> netstat -na -> nothing listening on port 500
> ########################################################################
> 6) Now execute isakmpd -c /etc/isakmpd.conf -d -DA=9 -D1=70 (snipped)
Why -DA=9 ? I assume you meant to type -DA=90, which gives more (lots...)
and more detailed debug output. Still, what I saw in the log file mostly
looks like a misspelled shared secret. As '9' is not a high enough log
level to show whether it actually was (most debug info starts at level '10'), I
can't be more specific than this.
If you turn on more debugging and see a message such as "unknown payload
type NN", with NN larger than 14, it's almost certainly a bad passphrase.
(Why 14? If you have the source, see the isakmp_num.cst file :)
For general IPsec troubleshooting, look at the OpenBSD FAQ, ch 13.
/H
--
Håkan Olsson <ho@crt.se>      (+46) 708 437 337    Carlstedt Research & Technology AB
Unix, Networking, Security    (+46) 31 701 4264
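The mechanism Hakan describes above (a wrong pre-shared key decrypts the phase-1 message to garbage, and the first garbage byte the receiver interprets is the next-payload field of the first encrypted payload, so it reports "unknown payload type NN" or a malformed payload) can be shown with a small constructed exchange. This is an added example, not isakmpd code and not something posted in the thread. Its assumptions: a hash-based stream cipher stands in for DES-CBC, hashing the PSK stands in for IKE's SKEYID derivation (RFC 2409), the ID and HASH payload contents are constructed, and payload type 14 is added to the RFC 2408 table only so that "known" matches the ">14" threshold in the reply.

```python
"""Why a mistyped IKE pre-shared key shows up as "unknown payload type NN".

Added example; not isakmpd code. The cipher and key derivation below are
simplified stand-ins (see comments); the payload contents are constructed.
"""
import hashlib
import os
import struct

# ISAKMP payload types, RFC 2408 section 3.1 (0-13). Type 14 is included so
# the "known" range matches the ">14" threshold given in the reply; assumed
# to be isakmpd's mode-config ATTRIBUTE payload.
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D",
    13: "VID", 14: "ATTRIBUTE",
}


def derive_key(psk):
    """Stand-in for SKEYID/SKEYID_e derivation (RFC 2409): just hash the PSK."""
    return hashlib.sha256(b"isakmp-demo|" + psk).digest()


def keystream_xor(key, data):
    """Toy stream cipher (XOR with SHA-256(key || counter) blocks), standing in
    for DES-CBC. The only property used: a wrong key yields garbage bytes."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def generic_header(next_payload, body):
    """ISAKMP generic payload header: next(1) reserved(1) length(2, incl. hdr)."""
    return struct.pack(">BBH", next_payload, 0, 4 + len(body)) + body


def build_phase1_identity_message(psk):
    """Main mode 5th message body: ID payload then HASH payload, encrypted.
    Returns (first payload type from the cleartext ISAKMP header, ciphertext)."""
    # ID payload body (constructed): ID type 1 = IPV4_ADDR, proto 0, port 0, 10.0.0.1
    id_i = generic_header(8, bytes([1, 0, 0, 0]) + bytes([10, 0, 0, 1]))
    hash_i = generic_header(0, hashlib.md5(b"constructed-hash-input").digest())
    return 5, keystream_xor(derive_key(psk), id_i + hash_i)


def parse_payload_chain(first_type, plaintext):
    """Walk the payload chain like a receiver. Returns (ok, types, message)."""
    if first_type not in PAYLOAD_TYPES:
        return False, [], "unknown payload type %d" % first_type
    types, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(plaintext):
            return False, types, "payload header runs past end of message"
        nxt, _reserved, length = struct.unpack(">BBH", plaintext[off:off + 4])
        # The next-payload byte is checked first: with a wrong key it is the
        # first garbage byte seen, producing the message described in the reply.
        if nxt not in PAYLOAD_TYPES:
            return False, types, "unknown payload type %d" % nxt
        if length < 4 or off + length > len(plaintext):
            return False, types, "bad payload length %d (PAYLOAD_MALFORMED)" % length
        types.append(PAYLOAD_TYPES[ptype])
        ptype, off = nxt, off + length
    if off != len(plaintext):
        return False, types, "trailing bytes after last payload"
    return True, types, "ok"


def receive(psk, first_type, ciphertext):
    """Decrypt with the receiver's PSK and parse the result."""
    return parse_payload_chain(first_type, keystream_xor(derive_key(psk), ciphertext))


def wrong_key_outcomes(trials=200):
    """Fraction of random wrong PSKs whose failure is 'unknown payload type'
    (the rest fail the length check). Expected around 241/256."""
    first, ct = build_phase1_identity_message(b"correct-secret")
    unknown = 0
    for _ in range(trials):
        ok, _types, msg = receive(os.urandom(8), first, ct)
        assert not ok
        if msg.startswith("unknown payload type"):
            unknown += 1
    return unknown / trials


if __name__ == "__main__":
    first, ct = build_phase1_identity_message(b"correct-secret")
    print(receive(b"correct-secret", first, ct))
    print(receive(b"correct-secrett", first, ct))
    print("fraction reported as unknown payload type:", wrong_key_outcomes())
```

The point of the walk-through: phase 1 appears to proceed because the early main-mode exchanges are sent in the clear, and only the identity exchange (and everything in phase 2) is encrypted under keys derived from the PSK, so a typo surfaces exactly where Ivan sees it, as parse errors on the first encrypted payload rather than as an explicit "wrong secret" error.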