[Users] what is causing protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0

From: Joop Marijne (joop_at_marijne.nl)
Date: Tue Jan 14 2003 - 11:03:04 CET


I am trying to connect a Cisco 828 router to a FreeS/WAN box. The key exchange works, but Phase II is failing. Here is the syslog dump:

Jan 14 09:54:51 penguin-systems pluto[25237]: | ***parse ISAKMP Identification Payload:
Jan 14 09:54:51 penguin-systems pluto[25237]: | next payload type: ISAKMP_NEXT_HASH
Jan 14 09:54:51 penguin-systems pluto[25237]: | length: 12
Jan 14 09:54:51 penguin-systems pluto[25237]: | ID type: 1
Jan 14 09:54:51 penguin-systems pluto[25237]: | DOI specific A: 17
Jan 14 09:54:51 penguin-systems pluto[25237]: | DOI specific B: 0
Jan 14 09:54:51 penguin-systems pluto[25237]: | ***parse ISAKMP Hash Payload:
Jan 14 09:54:51 penguin-systems pluto[25237]: | next payload type: ISAKMP_NEXT_N
Jan 14 09:54:51 penguin-systems pluto[25237]: | length: 20
Jan 14 09:54:51 penguin-systems pluto[25237]: | ***parse ISAKMP Notification Payload:
Jan 14 09:54:51 penguin-systems pluto[25237]: | next payload type: ISAKMP_NEXT_NONE
Jan 14 09:54:51 penguin-systems pluto[25237]: | length: 28
Jan 14 09:54:51 penguin-systems pluto[25237]: | DOI: ISAKMP_DOI_IPSEC
Jan 14 09:54:51 penguin-systems pluto[25237]: | protocol ID: 1
Jan 14 09:54:51 penguin-systems pluto[25237]: | SPI size: 16
Jan 14 09:54:51 penguin-systems pluto[25237]: | Notify Message Type: IPSEC_INITIAL_CONTACT
Jan 14 09:54:51 penguin-systems pluto[25237]: | removing 4 bytes of padding
Jan 14 09:54:51 penguin-systems pluto[25237]: "hoofddorp" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jan 14 09:54:51 penguin-systems pluto[25237]: | info: 4d 70 38 35 58 8c fa 0e 4d 69 fb 98 cd b6 7f de
Jan 14 09:54:51 penguin-systems pluto[25237]: "hoofddorp" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Jan 14 09:54:51 penguin-systems pluto[25237]: | state transition function for STATE_MAIN_R2 failed: INVALID_ID_INFORMATION

freeswan config

conn hoofddorp
        # Left security gateway, subnet behind it, next hop toward right.
        type=tunnel
        left=10.0.0.100
        leftsubnet=192.168.254.0/24

        # Right security gateway, subnet behind it, next hop toward left.
        right=10.0.0.101
        rightsubnet=192.168.253.0/24

        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=add
        authby=secret
        keylife=24h

cisco config

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname "hoofddorp"
!
enable secret 0 cisco
!
ip subnet-zero
no ip domain lookup
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key TEST address 10.0.0.100
!
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac

!
crypto map test 1 ipsec-isakmp
 set peer 10.0.0.100
 set transform-set 3DES-MD5
 set pfs group2
 match address 102
!
!
!
!
interface Ethernet0
 ip address 10.0.0.101 255.255.255.0
 no ip proxy-arp
 hold-queue 100 out
 crypto map test
!
interface ATM0
 ip address 192.168.253.5 255.255.255.0
 pvc 0 0/35
 encapsulation aal5mux ip
 !
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex B
 dsl linerate AUTO
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.100
no ip http server
!
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 192.168.253.0 0.0.0.255 192.168.254.0 0.0.0.255
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 password 7 096D161B4A5C4E391355
 login
!
scheduler max-task-time 5000
end

kind regards,

Joop Marijne

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
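As an added illustration (not from the original post and not FreeS/WAN's own pluto source), a small Python parser for the ISAKMP Identification payload that applies the same 0/0-or-17/500 check pluto reports in the dump above. The sample bytes are constructed to match the logged fields (next payload HASH, length 12, ID type 1, protocol 17, port 0) and the router's 10.0.0.101 address; the second sample is the same payload with port 500, the form pluto accepts.

```python
import struct
from ipaddress import IPv4Address

# Values from RFC 2408 / RFC 2407 and the pluto log above
ISAKMP_NEXT_HASH = 8      # next payload type in the dump
ID_IPV4_ADDR = 1          # ID type 1 in the dump
IPPROTO_UDP = 17
ISAKMP_PORT = 500
# Phase 1 ID protocol/port pairs pluto accepts, as reported in the log line
ACCEPTED_PHASE1 = {(0, 0), (IPPROTO_UDP, ISAKMP_PORT)}


def parse_id_payload(data: bytes) -> dict:
    """Parse one ISAKMP Identification payload: 4-byte generic header
    (next payload, reserved, length) then ID type, protocol, port, data."""
    if len(data) < 8:
        raise ValueError("ID payload shorter than its 8-byte fixed part")
    next_payload, _reserved, length = struct.unpack("!BBH", data[:4])
    if length < 8 or length > len(data):
        raise ValueError(f"bad payload length {length}")
    id_type, protocol, port = struct.unpack("!BBH", data[4:8])
    ident = data[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(ident) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 bytes of data")
        ident = str(IPv4Address(ident))   # packed 4-byte address -> dotted quad
    return {"next_payload": next_payload, "length": length, "id_type": id_type,
            "protocol": protocol, "port": port, "identity": ident}


def check_phase1_id(data: bytes) -> str:
    """Apply pluto's Phase 1 rule and return a verdict worded like its log line."""
    p = parse_id_payload(data)
    if (p["protocol"], p["port"]) in ACCEPTED_PHASE1:
        return f"accepted ID {p['identity']} ({p['protocol']}/{p['port']})"
    return ("protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 "
            f"but are {p['protocol']}/{p['port']}")


# Constructed sample matching the dump: next=HASH(8), length 12, ID type 1,
# protocol 17, port 0, identity 10.0.0.101 (the router's Ethernet0 address)
CISCO_ID_AS_SENT = bytes([8, 0, 0, 12, 1, 17, 0, 0, 10, 0, 0, 101])
# Constructed variant with port 500 (0x01F4), the form pluto accepts
CISCO_ID_PORT_500 = bytes([8, 0, 0, 12, 1, 17, 0x01, 0xF4, 10, 0, 0, 101])

if __name__ == "__main__":
    print(check_phase1_id(CISCO_ID_AS_SENT))
    print(check_phase1_id(CISCO_ID_PORT_500))
```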



This archive was generated by hypermail 2.1.5 : Wed Jan 15 2003 - 20:11:39 CET