[CentOS] Openswan <-> VyOS

Wed Feb 17 15:37:47 UTC 2016
Eero Volotinen <eero.volotinen at iki.fi>

Maybe the other end is not supporting needed ciphers? Try other selections?

Eero

2016-02-17 16:38 GMT+02:00 John Cenile <jcenile1983 at gmail.com>:

> Hello,
>
>
> I'm having a bit of trouble connecting our current CentOS Openswan server
> with a VyOS server via IPSec.
>
> I've posted this on the VyOS forums, but haven't had many helpful
> responses, so I thought I would ask here.
>
> http://forum.vyos.net/showthread.php?tid=26504&pid=29703#pid29703
>
> Basically our Openswan configuration is as follows:
>
> conn VYOS
>         keyingtries=0
>         keylife=20m
>         ikelifetime=2h
>         left=<VYOS IP>
>         right=<OPENSWAN IP>
>         leftsubnets={10.1.1.0/24,10.1.2.0/24,10.1.3.0/24,10.1.4.0/24,10.1.5.0/24}
>         rightsubnets={10.2.1.0/24,10.2.2.0/24,10.2.3.0/24,10.2.4.0/24}
>         auto=start
>         authby=secret
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=hold
>         phase2alg=aes256-sha1;modp1536
>         phase2=esp
>         ike=aes256-sha1;modp1536
>
> Our VyOS configuration is posted in the above forum post, except now I have
> followed their advice and created 20 tunnels (each subnet to each subnet,
> if that makes sense).
>
> However, when I enabled this, I got the following errors on the Openswan
> server:
>
>
> Feb 18 01:24:27 OPENSWAN pluto[8010]: "VYOS/3x3" #70: next payload type of ISAKMP Hash Payload has an unknown value: 243
> Feb 18 01:24:27 OPENSWAN pluto[8010]: "VYOS/3x3" #70: malformed payload in packet
> Feb 18 01:24:27 OPENSWAN pluto[8010]: "VYOS/3x3" #70: sending notification PAYLOAD_MALFORMED to <VYOS IP>:500
> Feb 18 01:24:27 OPENSWAN pluto[8010]: "VYOS/4x4" #69: next payload type of ISAKMP Hash Payload has an unknown value: 170
> Feb 18 01:24:27 OPENSWAN pluto[8010]: "VYOS/4x4" #69: malformed payload in packet
> Feb 18 01:24:27 OPENSWAN pluto[8010]: "VYOS/5x4" #68: next payload type of ISAKMP Hash Payload has an unknown value: 63
> Feb 18 01:24:27 OPENSWAN pluto[8010]: "VYOS/5x4" #68: malformed payload in packet
>
>
> And on our VyOS server we got the following errors:
>
> Feb 18 01:17:19 VYOS pluto[20807]: "peer-<OPENSWAN IP>-tunnel-20" #381: sending encrypted notification INVALID_ID_INFORMATION to <OPENSWAN IP>:500
> Feb 18 01:17:19 VYOS pluto[20807]: "peer-<OPENSWAN IP>-tunnel-20" #381: cannot respond to IPsec SA request because no connection is known for 10.1.1.0/24===<VYOS IP>[<VYOS IP>]...<OPENSWAN IP>[<OPENSWAN IP>]===10.2.3.0/24
> Feb 18 01:17:19 VYOS pluto[20807]: "peer-<OPENSWAN IP>-tunnel-20" #381: sending encrypted notification INVALID_ID_INFORMATION to <OPENSWAN IP>:500
> Feb 18 01:17:23 VYOS pluto[20807]: "peer-<OPENSWAN IP>-tunnel-11" #422: cannot install eroute -- it is in use for "peer-<OPENSWAN IP>-tunnel-3" #403
> Feb 18 01:17:23 VYOS pluto[20807]: "peer-<OPENSWAN IP>-tunnel-16" #421: cannot install eroute -- it is in use for "peer-<OPENSWAN IP>-tunnel-4" #395
> Feb 18 01:17:23 VYOS pluto[20807]: "peer-<OPENSWAN IP>-tunnel-20" #420: cannot install eroute -- it is in use for "peer-<OPENSWAN IP>-tunnel-5" #417
> Feb 18 01:17:23 VYOS pluto[20807]: "peer-<OPENSWAN IP>-tunnel-20" #381: Informational Exchange message must be encrypted
> Feb 18 01:17:24 VYOS pluto[20807]: "peer-<OPENSWAN IP>-tunnel-20" #381: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x14702d90 (perhaps this is a duplicated packet)
> Feb 18 01:17:24 VYOS pluto[20807]: "peer-<OPENSWAN IP>-tunnel-20" #381: sending encrypted notification INVALID_MESSAGE_ID to <OPENSWAN IP>:500
>
> Does anyone have any idea what I might be doing wrong? I've tried doing
> only 5 tunnels, however then some subnets couldn't reach certain subnets
> (as I said in the VyOS forum thread), and now I've tried each subnet to
> each subnet.
>
> I can't find much (any) information on it, but does Openswan support VTI
> interfaces? Would that solve my problem?
>
> Thanks in advance.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>
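The two kinds of VyOS log line quoted above have distinct causes: "no connection is known for L===...===R" means Openswan proposed a subnet pair that no VyOS tunnel covers, while "cannot install eroute -- it is in use" means two VyOS tunnels claim the same pair. Added example, not code from either poster: a small Python check that expands the quoted leftsubnets/rightsubnets into the 20 pairs Openswan will negotiate, maps an instance name such as "VYOS/3x3" back to its pair, and audits a VyOS tunnel table for missing and duplicated pairs. The tunnel table, the IP addresses and the sample log line are constructed.

```python
"""Cross-check an Openswan leftsubnets/rightsubnets conn against a VyOS
per-pair tunnel table.  Openswan expands N left x M right subnets into N*M
child SAs named "VYOS/<i>x<j>" (1-based; "VYOS/5x4" fits 5 x 4 subnets).
VyOS needs exactly one tunnel per pair: a missing pair gives "no connection
is known for L===...===R", a duplicate gives "cannot install eroute -- it is
in use".  All sample data below is constructed for this example."""
import re
from collections import Counter

LEFTSUBNETS = "{10.1.1.0/24,10.1.2.0/24,10.1.3.0/24,10.1.4.0/24,10.1.5.0/24}"
RIGHTSUBNETS = "{10.2.1.0/24,10.2.2.0/24,10.2.3.0/24,10.2.4.0/24}"

def parse_subnets(value):
    """'{a,b,c}' as written in ipsec.conf -> ['a', 'b', 'c']."""
    return [s.strip() for s in value.strip("{} ").split(",") if s.strip()]

LEFT, RIGHT = parse_subnets(LEFTSUBNETS), parse_subnets(RIGHTSUBNETS)

def expected_pairs(left=LEFT, right=RIGHT):
    """Every (left, right) child SA Openswan will try to negotiate."""
    return {(l, r) for l in left for r in right}

def instance_pair(name, left=LEFT, right=RIGHT):
    """'VYOS/3x3' -> the (left, right) subnets that instance carries."""
    i, j = (int(n) for n in name.rsplit("/", 1)[1].split("x"))
    return left[i - 1], right[j - 1]

def audit(vyos_tunnels, left=LEFT, right=RIGHT):
    """Pairs VyOS lacks (-> INVALID_ID_INFORMATION) and pairs defined twice."""
    counts = Counter(vyos_tunnels)
    expected = expected_pairs(left, right)
    return {"missing": sorted(expected - set(counts)),
            "duplicate": sorted(p for p, n in counts.items() if n > 1)}

NO_CONN = re.compile(r"no connection is known for ([\d./]+)===\S+\.\.\.\S+===([\d./]+)")

def pair_from_log(line):
    """(left, right) from a VyOS 'no connection is known' pluto line, else None."""
    m = NO_CONN.search(line)
    return (m.group(1), m.group(2)) if m else None

# Constructed VyOS tunnel table: the full 5x4 grid minus one pair, plus one
# pair entered twice, reproducing both failure modes seen in the thread.
VYOS_TUNNELS = [p for p in sorted(expected_pairs()) if p != ("10.1.1.0/24", "10.2.3.0/24")]
VYOS_TUNNELS.append(("10.1.3.0/24", "10.2.1.0/24"))

# Constructed log line in the shape of the VyOS message (documentation IPs).
SAMPLE_LOG = ('Feb 18 01:17:19 VYOS pluto[20807]: "peer-198.51.100.1-tunnel-20" #381: '
              "cannot respond to IPsec SA request because no connection is known for "
              "10.1.1.0/24===192.0.2.1[192.0.2.1]...198.51.100.1[198.51.100.1]===10.2.3.0/24")
```

Running `audit(VYOS_TUNNELS)` reports the single missing pair and the single duplicate, and `pair_from_log(SAMPLE_LOG)` lands in the missing list, which is the check to run against the real VyOS tunnel table before adding more tunnels.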