This is fixed in 3.7-stable and above.

HJ.

On Thu, Sep 22, 2005 at 12:37:16PM +0200, Toni Mueller wrote:
> Hello,
>
> I have three machines: one 3.7, one 3.6, and one Windows 2000 laptop.
> The client software on the laptop is this:
>
> ftp://ftp.funkwerk-ec.com/pub/ipsec_client/bintec_secure_client_v11.zip
>
> aka "NCP Secure Entry" which usually runs very nicely.
>
> The two OpenBSD machines are configured identically, except for IP
> numbers and server certificates. Everything is set up to run with X.509
> certificates off of my private CA.
>
> Connecting from the Windows machine to the 3.6 machine works fine as
> long as I only use the primary IP number (it has two from different
> networks), but connecting to the 3.7 machine, which has only one IP
> number, yields "INVALID PAYLOAD TYPE", and nothing works. This is what
> I get with tcpdump (IP numbers fudged):
>
>
> # /usr/sbin/tcpdump -n -vvv -e -s 1500 -i bge0 \(esp or port 500 or port 4500
> \) and host 1.2.3.4
> tcpdump: listening on bge0, link-type EN10MB
> 12:15:35.791290 0:0:c:3e:48:dc 0:e0:81:63:16:d2 0800 294: 1.2.3.4.500 >
> 5.6.7.8.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
> cookie: 0c052e9abace2953->0000000000000000 msgid: 00000000 len: 252
> payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0
> xforms: 1
> payload: TRANSFORM len: 40
> transform: 1 ID: ISAKMP
> attribute ENCRYPTION_ALGORITHM = AES_CBC
> attribute HASH_ALGORITHM = SHA
> attribute AUTHENTICATION_METHOD = RSA_SIG
> attribute GROUP_DESCRIPTION = MODP_1536
> attribute LIFE_TYPE = SECONDS
> attribute LIFE_DURATION = 00007080
> attribute KEY_LENGTH = 256
> payload: VENDOR len: 12
> payload: VENDOR len: 12
> payload: VENDOR len: 20 (supports v3 NAT-T,
> draft-ietf-ipsec-nat-t-ike-03)
> payload: VENDOR len: 20 (supports v2 NAT-T,
> draft-ietf-ipsec-nat-t-ike-02)
> payload: VENDOR len: 20 (supports v1 NAT-T,
> draft-ietf-ipsec-nat-t-ike-00)
> payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
> payload: VENDOR len: 20 (supports DPD v1.0)
> payload: VENDOR len: 20
> payload: VENDOR len: 20 (ttl 126, id 1731, len 280)
> 12:15:35.797183 0:e0:81:63:16:d2 0:0:c:3e:48:dc 0800 210: 5.6.7.8.500 >
> 1.2.3.4.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
> cookie: 0c052e9abace2953->6297719b10aab610 msgid: 00000000 len: 168
> payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0
> xforms: 1
> payload: TRANSFORM len: 40
> transform: 1 ID: ISAKMP
> attribute ENCRYPTION_ALGORITHM = AES_CBC
> attribute HASH_ALGORITHM = SHA
> attribute AUTHENTICATION_METHOD = RSA_SIG
> attribute GROUP_DESCRIPTION = MODP_1536
> attribute LIFE_TYPE = SECONDS
> attribute LIFE_DURATION = 00007080
> attribute KEY_LENGTH = 256
> payload: VENDOR len: 20 (supports v2 NAT-T,
> draft-ietf-ipsec-nat-t-ike-02)
> payload: VENDOR len: 20 (supports v3 NAT-T,
> draft-ietf-ipsec-nat-t-ike-03)
> payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
> payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 13783, len
> 196)
> 12:15:36.113303 0:0:c:3e:48:dc 0:e0:81:63:16:d2 0800 358: 1.2.3.4.500 >
> 5.6.7.8.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
> cookie: 0c052e9abace2953->6297719b10aab610 msgid: 00000000 len: 316
> payload: KEY_EXCH len: 196
> payload: NONCE len: 44
> payload: <unknown> len: 24
> payload: <unknown> len: 24 (ttl 126, id 1732, len 344)
> 12:15:36.115954 0:e0:81:63:16:d2 0:0:c:3e:48:dc 0800 82: 5.6.7.8.500 >
> 1.2.3.4.500: [udp sum ok] isakmp v1.0 exchange INFO
> cookie: d6da19765da85f25->0000000000000000 msgid: 00000000 len: 40
> payload: NOTIFICATION len: 12
> notification: INVALID PAYLOAD TYPE (ttl 64, id 29429, len 68)
> 12:16:05.215393 0:0:c:3e:48:dc 0:e0:81:63:16:d2 0800 358: 1.2.3.4.500 >
> 5.6.7.8.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
> cookie: 0c052e9abace2953->6297719b10aab610 msgid: 00000000 len: 316
> payload: KEY_EXCH len: 196
> payload: NONCE len: 44
> payload: <unknown> len: 24
> payload: <unknown> len: 24 (ttl 126, id 1733, len 344)
> 12:16:05.217956 0:e0:81:63:16:d2 0:0:c:3e:48:dc 0800 82: 5.6.7.8.500 >
> 1.2.3.4.500: [udp sum ok] isakmp v1.0 exchange INFO
> cookie: 6af35ef1d456e460->0000000000000000 msgid: 00000000 len: 40
> payload: NOTIFICATION len: 12
> notification: INVALID PAYLOAD TYPE (ttl 64, id 15575, len 68)
> 12:16:09.220412 0:0:c:3e:48:dc 0:e0:81:63:16:d2 0800 358: 1.2.3.4.500 >
> 5.6.7.8.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
> cookie: 0c052e9abace2953->6297719b10aab610 msgid: 00000000 len: 316
> payload: KEY_EXCH len: 196
> payload: NONCE len: 44
> payload: <unknown> len: 24
> payload: <unknown> len: 24 (ttl 126, id 1734, len 344)
> 12:16:09.222948 0:e0:81:63:16:d2 0:0:c:3e:48:dc 0800 82: 5.6.7.8.500 >
> 1.2.3.4.500: [udp sum ok] isakmp v1.0 exchange INFO
> cookie: 8e945543b69f3d8e->0000000000000000 msgid: 00000000 len: 40
> payload: NOTIFICATION len: 12
> notification: INVALID PAYLOAD TYPE (ttl 64, id 25815, len 68)
> 12:16:14.226697 0:0:c:3e:48:dc 0:e0:81:63:16:d2 0800 358: 1.2.3.4.500 >
> 5.6.7.8.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
> cookie: 0c052e9abace2953->6297719b10aab610 msgid: 00000000 len: 316
> payload: KEY_EXCH len: 196
> payload: NONCE len: 44
> payload: <unknown> len: 24
> payload: <unknown> len: 24 (ttl 126, id 1735, len 344)
> 12:16:14.229247 0:e0:81:63:16:d2 0:0:c:3e:48:dc 0800 82: 5.6.7.8.500 >
> 1.2.3.4.500: [udp sum ok] isakmp v1.0 exchange INFO
> cookie: d7059971fb358e93->0000000000000000 msgid: 00000000 len: 40
> payload: NOTIFICATION len: 12
> notification: INVALID PAYLOAD TYPE (ttl 64, id 15834, len 68)
>
>
> Btw, on the 3.6 box, when I configure the client to talk on the
> aliased address, it doesn't work either, but with a very different
> error message. I'm willing to ignore this problem if I can get
> the 3.7 (3.8?) problem solved.
>
>
> Any help is very much appreciated!
>
>
>
> Best,
> --Toni++
>
>
--
Dipl.-Inf. Hans-Joerg Hoexer          room: 07.137   phone: +49 9131 852 7915
Dept. of Computer Science 3           University of Erlangen-Nuremberg
Martensstr. 3, 91058 Erlangen, Germany
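The payload walk that ends in the INVALID PAYLOAD TYPE notification in the trace above, as an added example that is not part of the thread or of isakmpd: it builds a stand-in for the third packet (KEY_EXCH 196, NONCE 44, two 24-byte payloads, total length 316) and walks the ISAKMP v1 payload chain the way a responder does, once knowing the RFC 3947 payload numbers and once knowing only the draft numbers. Treating the two unknown payloads as NAT-D (type 20 in RFC 3947, 130 in the draft-ietf-ipsec-nat-t-ike drafts) is an assumption; the trace only shows them as <unknown>, and every byte below is constructed.

```python
import struct

# ISAKMP v1 payload types (RFC 2408) plus the NAT-D/NAT-OA numbers from RFC 3947 (20/21)
# and from the draft-ietf-ipsec-nat-t-ike-0x drafts (130/131) whose VENDOR IDs appear in the trace.
PAYLOAD_NAMES = {1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KEY_EXCH", 5: "ID", 6: "CERT",
                 7: "CERT_REQ", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "NOTIFICATION",
                 12: "DELETE", 13: "VENDOR", 20: "NAT-D", 21: "NAT-OA",
                 130: "NAT-D(draft)", 131: "NAT-OA(draft)"}
DRAFT_ONLY = frozenset(t for t in PAYLOAD_NAMES if t not in (20, 21))  # responder predating RFC 3947
EXCHANGES = {2: "ID_PROT", 5: "INFO"}
HDR = struct.Struct("!8s8sBBBBII")  # icookie, rcookie, next payload, version, exchange, flags, msgid, length
GEN = struct.Struct("!BBH")         # generic payload header: next payload, reserved, payload length

def build_message(icookie, rcookie, exch, payloads):
    """Chain (type, body) pairs into an ISAKMP v1.0 message; each header's 'next' names the following payload."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GEN.pack(nxt, 0, GEN.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return HDR.pack(icookie, rcookie, first, 0x10, exch, 0, 0, HDR.size + len(body)) + body

def parse_message(pkt, known=frozenset(PAYLOAD_NAMES)):
    """Walk the payload chain as a responder does. Returns (exchange, [(name, length), ...], bad_type);
    bad_type is the first payload number not in `known`, i.e. where a responder stops and answers
    with an INFO exchange carrying an INVALID PAYLOAD TYPE notification (RFC 2408 notify type 1)."""
    _icookie, _rcookie, nxt, ver, exch, _flags, _msgid, length = HDR.unpack_from(pkt)
    if ver != 0x10 or length != len(pkt):
        raise ValueError("not a well-formed ISAKMP v1.0 message")
    off, chain = HDR.size, []
    while nxt != 0:
        if nxt not in known:
            return EXCHANGES.get(exch, exch), chain, nxt
        nxt2, _, plen = GEN.unpack_from(pkt, off)
        if plen < GEN.size or off + plen > len(pkt):
            raise ValueError("payload length runs past the message")
        chain.append((PAYLOAD_NAMES.get(nxt, nxt), plen))
        nxt, off = nxt2, off + plen
    return EXCHANGES.get(exch, exch), chain, None

def message3():
    """Constructed stand-in for the trace's third packet (len 316): KE 196, NONCE 44, two 24-byte payloads.
    Assumes the two unknowns are RFC 3947 NAT-D payloads (type 20, 20-byte hash). Filler bytes, not real data."""
    return build_message(bytes.fromhex("0c052e9abace2953"), bytes.fromhex("6297719b10aab610"), 2,
                         [(4, b"\x11" * 192), (10, b"\x22" * 40), (20, b"\x33" * 20), (20, b"\x44" * 20)])

if __name__ == "__main__":
    for label, known in (("RFC 3947-aware", frozenset(PAYLOAD_NAMES)), ("draft-only", DRAFT_ONLY)):
        print(label, parse_message(message3(), known))
```

A responder that only knows the draft numbering walks KEY_EXCH and NONCE, hits payload number 20, and returns it as the offending type, which is the point at which the trace shows the INFO/INVALID PAYLOAD TYPE reply.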