ipsec tunnel with racoon / phase1 failure with invalid length of payload

alan yang alancyang at gmail.com
Wed Nov 26 08:26:34 PST 2008


hello,

I wonder whether anyone could shed some light on how to debug this further: when configuring
an IPsec tunnel with racoon, it seems to fail during the phase 1
negotiation, with the racoon log output listed below. I tried AES
as the encryption algorithm, but it failed the same way.

I am not sure what causes the "invalid length of payload" error. (Looking at the decrypted bytes: the ID payload starts 84 50 f1 34, i.e. a payload length field of 0xf134 inside a message whose header says it is only 0x44 bytes long, so the decrypted content itself appears to be garbage rather than a mis-sized but valid payload.)

2008-11-26 09:22:05: DEBUG: encryption(3des)
2008-11-26 09:22:05: DEBUG: with key:
2008-11-26 09:22:05: DEBUG:
1239dfa9 caa1798f 212cd994 7802292b 3ef473f3 3188868a
2008-11-26 09:22:05: DEBUG: decrypted payload by IV:
2008-11-26 09:22:05: DEBUG:
bbd836ac 319a1ebe
2008-11-26 09:22:05: DEBUG: decrypted payload, but not trimed.
2008-11-26 09:22:05: DEBUG:
8450f134 99116727 73c7f68c 3f0a65c2 68a9afe6 2c0a6ce1 41708fbb 3f0c7511
c5fdeaad 804a2277
2008-11-26 09:22:05: DEBUG: padding len=119
2008-11-26 09:22:05: DEBUG: skip to trim padding.
2008-11-26 09:22:05: DEBUG: decrypted.
2008-11-26 09:22:05: DEBUG:
d1d9962c 6004bf7b 0c317531 9c85bb06 05100201 00000000 00000044 8450f134
99116727 73c7f68c 3f0a65c2 68a9afe6 2c0a6ce1 41708fbb 3f0c7511 c5fdeaad
804a2277
2008-11-26 09:22:05: DEBUG: begin.
2008-11-26 09:22:05: DEBUG: seen nptype=5(id)
2008-11-26 09:22:05: DEBUG: invalid length of payload

racoon.conf

path include "/usr/local/etc/racoon";
# Pre-shared keys are looked up in this file by peer identity (for this
# configuration, the peer address 192.168.0.101).  Keep it readable only
# by the user racoon runs as (mode 0600) — it holds the phase 1 secret.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# "notify" is a quiet level; the DEBUG lines quoted above presumably came
# from running racoon with -d (or "log debug") rather than from this file.
log notify;

padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	# With strict_check off, racoon does not reject a padding length larger
	# than maximum_length: the log above shows "padding len=119" followed by
	# "skip to trim padding", so the oversized value was ignored and the
	# undecodable payload was parsed anyway.  Turning it on would probably
	# make this exchange fail earlier, on the padding check, but the
	# underlying problem (the decrypt producing garbage) is elsewhere.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

listen
{
	# No isakmp line is active, so racoon presumably binds ISAKMP (UDP 500)
	# on every address it finds — confirm with sockstat/netstat.  Once the
	# tunnel works, pin the tunnel endpoint address here so ISAKMP is not
	# answered on other interfaces.
	#isakmp ::1 [7000];
	#isakmp 202.249.11.124 [500];
	#admin [7002];		# administrative port for racoonctl.
	#strict_address; 	# requires that all addresses must be bound.
}

timer
{
	# These values can be overridden per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per send.

	# maximum time to wait for completing each phase.  Note that phase1
	# (30 sec) is shorter than counter * interval (5 * 20 sec), so the phase
	# timer, not the retransmit budget, is what ends a stuck negotiation.
	phase1 30 sec;
	phase2 15 sec;
}

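remote 192.168.0.101
{
	# Main mode only.  Aggressive mode with a pre-shared key sends the
	# identities in the clear and exposes a PSK-derived hash to offline
	# dictionary attack.  The failing exchange in the log above is already
	# main mode (ISAKMP header 05100201: exchange type 0x02), so allowing
	# aggressive as a fallback gains nothing here.
	exchange_mode main;
	nonce_size 16;
	initial_contact on;
	proposal_check strict;	# obey, strict, or claim

	# NOTE(review): the decrypted ID payload in the log starts 84 50 f1 34,
	# i.e. a payload length of 0xf134 inside a 0x44-byte message, which
	# looks like decryption with the wrong key rather than a malformed
	# packet.  With pre_shared_key authentication the phase 1 keys are
	# derived from the PSK, so the first thing to compare is the psk.txt
	# entry for 192.168.0.101 on both peers (identity and value, including
	# any trailing whitespace) — to confirm.
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		# dh_group 2 (1024-bit MODP) is weak by current standards; once the
		# tunnel negotiates, prefer group 14 if the peer supports it.
		dh_group 2;
	}
}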

sainfo anonymous
{
	# "anonymous" is matched for any phase 2 selector the peer proposes.
	# NOTE(review): fine while debugging phase 1, but once the tunnel works,
	# replace this with explicit address selectors so the peer cannot
	# negotiate SAs for arbitrary traffic.
	pfs_group 2;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

