This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2TP with PSK, great! L2TP with X509, no way!

Hey all,

Much to my delight I recently got L2TP working with my firewall and my laptops (posting with it right now).  The only problem is that it only works when using the Microsoft L2TP over IPSec and PSK authentication.   But when I try Roadwarrior / MS_DEFAULT / X509 certs it always fails with a malformed packet error.  Take a look.

2006:11:28-18:46:42 (none) pluto[24856]: packet from ***.***.***.***:56429: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
2006:11:28-18:46:42 (none) pluto[24856]: packet from ***.***.***.***:56429: ignoring Vendor ID payload [FRAGMENTATION]
2006:11:28-18:46:42 (none) pluto[24856]: packet from ***.***.***.***:56429: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
2006:11:28-18:46:42 (none) pluto[24856]: packet from ***.***.***.***:56429: ignoring Vendor ID payload [Vid-Initial-Contact]
2006:11:28-18:46:42 (none) pluto[24856]: "S_Astaro_1"[2] ***.***.***.*** #2: responding to Main Mode from unknown peer ***.***.***.***
2006:11:28-18:46:42 (none) pluto[24856]: "S_Astaro_1"[2] ***.***.***.*** #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2006:11:28-18:46:42 (none) pluto[24856]: "S_Astaro_1"[2] ***.***.***.*** #2: STATE_MAIN_R1: sent MR1, expecting MI2
2006:11:28-18:46:42 (none) pluto[24856]: "S_Astaro_1"[2] ***.***.***.*** #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
2006:11:28-18:46:42 (none) pluto[24856]: "S_Astaro_1"[2] ***.***.***.*** #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2006:11:28-18:46:42 (none) pluto[24856]: "S_Astaro_1"[2] ***.***.***.*** #2: STATE_MAIN_R2: sent MR2, expecting MI3
2006:11:28-18:47:46 (none) pluto[24856]: "S_Astaro_1"[2] ***.***.***.*** #2: next payload type of ISAKMP Hash Payload has an unknown value: 69
2006:11:28-18:47:46 (none) pluto[24856]: "S_Astaro_1"[2] ***.***.***.*** #2: malformed payload in packet
2006:11:28-18:47:46 (none) pluto[24856]: "S_Astaro_1"[2] ***.***.***.*** #2: sending notification PAYLOAD_malformED to ***.***.***.***:56429
2006:11:28-18:47:52 (none) pluto[24856]: "S_Astaro_1"[2] ***.***.***.*** #2: max number of retransmissions (2) reached STATE_MAIN_R2
2006:11:28-18:47:52 (none) pluto[24856]: "S_Astaro_1"[2] ***.***.***.***: deleting connection "S_Astaro_1" instance with peer ***.***.***.*** {isakmp=#0/ipsec=#0}
2006:11:28-18:48:20 (none) pluto[24856]: packet from ***.***.***.***:56429: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
2006:11:28-18:48:20 (none) pluto[24856]: packet from ***.***.***.***:56429: ignoring Vendor ID payload [FRAGMENTATION]
2006:11:28-18:48:20 (none) pluto[24856]: packet from ***.***.***.***:56429: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
2006:11:28-18:48:20 (none) pluto[24856]: packet from ***.***.***.***:56429: ignoring Vendor ID payload [Vid-Initial-Contact]

How do I fix this?  I created the certs according the guide in the KB using X500 DNs and I followed all of the instructions to the dot.

What am I doing wrong here?  What is going on?

Aodhan

EDIT: Do I need to have both the Signing Authority and Client cert imported?

This thread was automatically locked due to age.

0 NimmdirKeks over 18 years ago

On the Astaro you mean, yes you need the SA CA too. Otherwise the chain can't be checked.

He gets a fragmentation error. What keylength are you using?
Cancel
Vote Up 0 Vote Down

Cancel
0 InlineFive over 18 years ago in reply to NimmdirKeks

Okay, I installed the CA and the CSR on the laptop but I'm still not having any success. I've tried playing with the MTU but I still fragmentation errors, so I left it at 1420. And I've disabled NAT Traversal because it doesn't work with Roadwarrior certs with out an IP address, but I can't use an IP instead of X509 because Windows won't authentication.

I'm really flummuxed why PSK works just fine but I can't get Roadwarrior with certs to work at all. [:(]

The lastest log errors are in the attached text file if you don't mind looking through them.
- vpnerror.txt
- View
- Hide
Cancel
Vote Up 0 Vote Down

Cancel
0 InlineFive over 18 years ago in reply to InlineFive

Bump for visibility.
Cancel
Vote Up 0 Vote Down

Cancel
0 NimmdirKeks over 18 years ago in reply to InlineFive

From the logfile, it seems, that your link dose not support an large enough MTU for your X509 Cert. One reason could be, that your KEY-Size of the X509 Certs is too big. Had this sometimes, when keys larger then 1536 bits where used on a "low quality" line.

PSK works with much smaller MTU's then X509, because normaly, PSK dose not need to exchange very large key information.
Cancel
Vote Up 0 Vote Down

Cancel
0 InlineFive over 18 years ago in reply to NimmdirKeks

The only way I could make a key fit if it it was 1024 bytes, which doesn't seem very secure.

I'll try stepping down to 2048 byte certificates and see what happens.
Cancel
Vote Up 0 Vote Down

Cancel
0 InlineFive over 18 years ago in reply to NimmdirKeks

Okay, I did that and now it's making progress. But now it freezes on STATE_QUICK_R2: IPsec SA established {ESP=>0x48270809
- vpn.txt
- View
- Hide
Cancel
Vote Up 0 Vote Down

Cancel
0 NimmdirKeks over 18 years ago in reply to InlineFive

006:12:06-15:42:45 (none) pluto[16980]: ERROR: asynchronous network error report on eth1 (sport=500) for message to ***.***.***.*** port 17517, complainant ***.***.***.***: Message too long [errno 90, origin ICMP type 3 code 4 (not authenticated)]

Seems still to large, IPSEC dose not support fragmentation. What kind of line are you linked up too? Worst case i had was a max. MTU 500 available.
Cancel
Vote Up 0 Vote Down

Cancel
0 InlineFive over 18 years ago in reply to NimmdirKeks

I was using DSL lines as clients and a cable line as the host. I'll try dropping the MTU below 1400.
Cancel
Vote Up 0 Vote Down

Cancel