[strongSwan] Strongswan Ikev1 to Cisco SoHo Router - ISAKMP Hash Payload has an unknown value

Gruber Tobias (ST/ETI) Tobias.Gruber at de.bosch.com
Fri Oct 25 14:23:43 CEST 2013


I am using strongSwan version 4.5.2 running on Ubuntu (Amazon Cloud).
I want to connect a SoHo Cisco VPN router to it.

In auth.log I see that STATE_MAIN_R3 is failing with the following error:
ISAKMP Hash Payload has an unknown value

Here is the strongSwan ipsec.conf:

config setup
        plutodebug=control
        nat_traversal=yes
        charonstart=no

conn %default
        ike=3des-md5-modp1024!
        esp=3des-md5-modp1024!
        pfs=no
        compress=no
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn ikev1
        left=172.31.1.112
        leftsubnet=172.31.1.0/24
        leftfirewall=yes
        right=%any
        rightsubnet=192.168.1.0/24
        rightid=client@test.com
        auto=add



ipsec.secrets:
===============
172.31.1.112 %any : PSK "0000000000"


The auth.log File:
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: packet from 84.152.147.120:56421: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: packet from 84.152.147.120:56421: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | preparse_isakmp_policy: peer requests PSK authentication
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | instantiated "ikev1" for 80.111.147.120
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | creating state object #1 at 0x7faf12c52760
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | ICOOKIE:  37 03 6d c8  6e 59 15 77
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | RCOOKIE:  27 47 66 07  15 b4 3e 53
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | peer:  54 98 93 78
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | state hash entry 20
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: "ikev1"[1] 80.111.147.120:56421 #1: responding to Main Mode from unknown peer 80.111.147.120:56421
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: |
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | *received 220 bytes from 80.111.147.120:56421 on eth0
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | ICOOKIE:  37 03 6d c8  6e 59 15 77
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | RCOOKIE:  27 47 66 07  15 b4 3e 53
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | peer:  54 98 93 78
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | state hash entry 20
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | state object #1 found, in STATE_MAIN_R1
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: "ikev1"[1] 80.111.147.120:56421 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: |
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | *received 76 bytes from 80.111.147.120:56422 on eth0
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | ICOOKIE:  37 03 6d c8  6e 59 15 77
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | RCOOKIE:  27 47 66 07  15 b4 3e 53
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | peer:  54 98 93 78
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | state hash entry 20
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | state object #1 found, in STATE_MAIN_R2
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: "ikev1"[1] 80.111.147.120:56421 #1: Peer ID is ID_FQDN: 'client@test.com'
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | peer CA:      %none
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | current connection is a full match -- no need to look further
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | offered CA:   %none
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | NAT-T: new mapping 80.111.147.120:56421/56422)
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | inserting event EVENT_SA_REPLACE, timeout in 3510 seconds for #1
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: "ikev1"[1] 80.111.147.120:56422 #1: sent MR3, ISAKMP SA established
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: |
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | *received 60 bytes from 80.111.147.120:56422 on eth0
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | ICOOKIE:  37 03 6d c8  6e 59 15 77
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | RCOOKIE:  27 47 66 07  15 b4 3e 53
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | peer:  54 98 93 78
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | state hash entry 20
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | state object #1 found, in STATE_MAIN_R3
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: "ikev1"[1] 80.111.147.120:56422 #1: next payload type of ISAKMP Hash Payload has an unknown value: 128
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: "ikev1"[1] 80.111.147.120:56422 #1: malformed payload in packet
Oct 25 11:49:10 ip-172-31-1-112 pluto[26918]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds


The configuration of the Cisco router can be seen here:
http://www.image-share.com/ijpg-2316-278.html

Unfortunately there is no log of the Cisco router available.

Thanks for helping!


Best regards

Tobias Gruber

Tel. +49(89)6290-1690
PC-Fax +49(711)811-5121690

BeQIK


