[vpnc-devel] ISAKMP_N_INVALID_PAYLOAD_TYPE problem

Johan Dahlin johan at gnome.org
Thu Jun 26 20:50:36 CEST 2008


Hi, I'm having a problem connecting to a VPN server using vpnc.

Using it normally shows the following:

./vpnc: quick mode response rejected:  (ISAKMP_N_INVALID_PAYLOAD_TYPE)(1)
this means the concentrator did not like what we had to offer.
Possible reasons are:
   * concentrator configured to require a firewall
      this locks out even Cisco clients on any platform expect windows
      which is an obvious security improvment. There is no workaround (yet).
   * concentrator configured to require IP compression
      this is not yet supported by vpnc.
      Note: the Cisco Concentrator Documentation recommends against using
      compression, expect on low-bandwith (read: ISDN) links, because it
      uses much CPU-resources on the concentrator

I used 0.5.1 in ubuntu to start with, but I retried with the latest svn 
revision (r332) as well, with the same problem.

I used the following vpnc configuration:
-----------
IPSec gateway XXX.XXX.XXX.XXX
IPSec ID uipsec
IPSec secret XXXXXX (taken from the .pcf and decoded using cisco-decrypt)
IKE Authmode psk
Xauth username xxxxxxx
Xauth password xxxxxxx
-----------

It works fine with the Cisco VPN Client, running on the same machine.
This is the output from vpnclient:

-----------
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-19-generic #1 SMP Wed Jun 4 16:35:01 UTC 2008 i686
Config file directory: /etc/opt/cisco-vpnclient

Initializing the VPN connection.
Initiating TCP to XXX.XXX.XXX.XXX, port 10000
Contacting the gateway at XXX.XXX.XXX.XXX
Authenticating user.
Negotiating security policies.
Securing communication channel.

Your VPN connection is secure.

VPN tunnel information.
Client address: 172.30.124.10
Server address: XXX.XXX.XXX.XXX
Encryption: 256-bit AES
Authentication: HMAC-SHA
IP Compression: None
NAT passthrough is active on port TCP 10000
Local LAN Access is disabled
-----------

I tried to change the version string; the patch I tried is attached as 
version-string.diff, and it does not work with it applied.
The version string was fetched by using strace -s128 on vpnclient.

A log of vpnc --debug 3 is attached as vpnc.log
A log of vpnclient with everything set to 3 is attached as vpnclient.log
(I only replaced the ip in vpnclient.log with XXX.XXX.XXX.XXX)

Is there anything else I can do to help get this feature added or this bug 
fixed? Wireshark, strace, or machine access can be arranged if necessary.

Johan
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: vpnc.log
Url: http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/attachments/20080626/2738b2c0/attachment.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: vpnc-version.diff
Url: http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/attachments/20080626/2738b2c0/attachment-0001.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: vpnclient.log
Url: http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/attachments/20080626/2738b2c0/attachment-0002.txt 
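For anyone chasing a rejection like the one above from a packet capture rather than from vpnc's summary line, here is an added example (not vpnc's or Cisco's code) that decodes an ISAKMP Notification payload as laid out in RFC 2408 and names the notify type; the sample bytes are constructed.

```python
# Added example, not code from vpnc or Cisco: decode an ISAKMP Notification
# payload (RFC 2408, section 3.14) so the notify type behind a message such as
# "quick mode response rejected: (ISAKMP_N_INVALID_PAYLOAD_TYPE)(1)" can be
# read directly from a capture of the quick mode exchange.
import struct

# Notify message types from RFC 2408, section 3.14.1.
NOTIFY_TYPES = {
    1: "INVALID-PAYLOAD-TYPE", 2: "DOI-NOT-SUPPORTED", 3: "SITUATION-NOT-SUPPORTED",
    4: "INVALID-COOKIE", 5: "INVALID-MAJOR-VERSION", 6: "INVALID-MINOR-VERSION",
    7: "INVALID-EXCHANGE-TYPE", 8: "INVALID-FLAGS", 9: "INVALID-MESSAGE-ID",
    10: "INVALID-PROTOCOL-ID", 11: "INVALID-SPI", 12: "INVALID-TRANSFORM-ID",
    13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN",
    15: "BAD-PROPOSAL-SYNTAX", 16: "PAYLOAD-MALFORMED",
    17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
    19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE",
    21: "CERT-TYPE-UNSUPPORTED", 22: "INVALID-CERT-AUTHORITY",
    23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED",
    25: "INVALID-SIGNATURE", 26: "ADDRESS-NOTIFICATION",
    27: "NOTIFY-SA-LIFETIME", 28: "CERTIFICATE-UNAVAILABLE",
    29: "UNSUPPORTED-EXCHANGE-TYPE", 30: "UNEQUAL-PAYLOAD-LENGTHS",
    16384: "CONNECTED",
}
FIXED_LEN = 12  # generic header (4) + DOI (4) + proto (1) + SPI size (1) + type (2)


def parse_notification_payload(data: bytes) -> dict:
    """Parse one Notification payload, generic payload header included.

    Layout: next payload (1), reserved (1), payload length (2), DOI (4),
    protocol-ID (1), SPI size (1), notify type (2), SPI, notification data.
    Both length fields are checked against the buffer before slicing.
    """
    if len(data) < FIXED_LEN:
        raise ValueError("payload shorter than the 12-byte fixed part")
    next_payload, _res, length, doi, proto, spi_size, ntype = struct.unpack(
        "!BBHIBBH", data[:FIXED_LEN])
    if length < FIXED_LEN or length > len(data):
        raise ValueError(f"payload length {length} does not fit {len(data)} bytes")
    if FIXED_LEN + spi_size > length:
        raise ValueError("SPI size exceeds payload length")
    spi = data[FIXED_LEN:FIXED_LEN + spi_size]
    return {
        "next_payload": next_payload, "doi": doi, "protocol_id": proto,
        "notify_type": ntype,
        "notify_name": NOTIFY_TYPES.get(ntype, f"UNKNOWN({ntype})"),
        "spi": spi, "data": data[FIXED_LEN + spi_size:length],
    }


# Constructed sample: IPsec DOI (1), protocol ISAKMP (1), no SPI, type 1,
# i.e. the INVALID-PAYLOAD-TYPE notify that vpnc reports above.
SAMPLE = bytes.fromhex("00 00 000c 00000001 01 00 0001")
```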