From: "alan yang" <alancyang@gmail.com>
To: freebsd-questions@freebsd.org
Date: Wed, 26 Nov 2008 07:59:16 -0800
Message-ID: <290865fd0811260759s442d7332m3dce3f4900a45f60@mail.gmail.com>
Subject: ipsec tunnel with racoon / phase1 failure with invalid length of payload

hello,

I wonder if people could shed some light on how to debug further when
configuring an IPsec tunnel with racoon; it seems to fail on the phase 1
negotiation, with the racoon log info listed below. I tried AES as the
encryption algorithm, but it failed the same way. Not sure what the
"invalid length of payload" is caused by.

2008-11-26 09:22:05: DEBUG: encryption(3des)
2008-11-26 09:22:05: DEBUG: with key:
2008-11-26 09:22:05: DEBUG: 1239dfa9 caa1798f 212cd994 7802292b 3ef473f3 3188868a
2008-11-26 09:22:05: DEBUG: decrypted payload by IV:
2008-11-26 09:22:05: DEBUG: bbd836ac 319a1ebe
2008-11-26 09:22:05: DEBUG: decrypted payload, but not trimmed.
2008-11-26 09:22:05: DEBUG: 8450f134 99116727 73c7f68c 3f0a65c2 68a9afe6 2c0a6ce1 41708fbb 3f0c7511 c5fdeaad 804a2277
2008-11-26 09:22:05: DEBUG: padding len=119
2008-11-26 09:22:05: DEBUG: skip to trim padding.
2008-11-26 09:22:05: DEBUG: decrypted.
2008-11-26 09:22:05: DEBUG: d1d9962c 6004bf7b 0c317531 9c85bb06 05100201 00000000 00000044 8450f134 99116727 73c7f68c 3f0a65c2 68a9afe6 2c0a6ce1 41708fbb 3f0c7511 c5fdeaad 804a2277
2008-11-26 09:22:05: DEBUG: begin.
2008-11-26 09:22:05: DEBUG: seen nptype=5(id)
2008-11-26 09:22:05: DEBUG: invalid length of payload

racoon.conf:

path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

log notify;

padding {
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen {
    #isakmp ::1 [7000];
    #isakmp 202.249.11.124 [500];
    #admin [7002];          # administrative port for racoonctl.
    #strict_address;        # requires that all addresses must be bound.
}

timer {
    # These values can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per send.

    # maximum time to wait for completing each phase.
    phase1 30 sec;
    phase2 15 sec;
}

remote 192.168.0.101 {
    exchange_mode main,aggressive;
    nonce_size 16;
    initial_contact on;
    proposal_check strict;  # obey, strict, or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
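The "decrypted." line in the log above is a complete ISAKMP message, so the "invalid length of payload" check racoon performs can be reproduced offline. The following is an added example (not part of the post and not racoon's own code): it parses the 28-byte ISAKMP header and then walks the generic payload headers (RFC 2408 layout: next payload, RESERVED, 16-bit length) with the same consistency checks a strict IKE parser applies. Run on the bytes from the log, the header itself is sane (main mode, encrypted flag set, length 0x44 = 68 bytes, first payload type 5 = ID), but the first payload header reads 84 50 f1 34: next payload 0x84, RESERVED 0x50 and a length of 61748 in a message with 40 bytes left, and the "padding len=119" racoon derived from the last octet likewise exceeds the block. Bytes that decrypt to that kind of nonsense usually mean the two peers are not using the same phase 1 key. In IKEv1 main mode with pre-shared keys both sides derive SKEYID, and from it the encryption key, from the PSK, so a PSK that differs between the peers (or a psk.txt entry keyed on an identity the peer does not send) is a common cause of exactly this symptom; a constructed well-formed message 5 is included for contrast. The hypothetical identity values in the constructed message are assumptions, not taken from the post.

```python
#!/usr/bin/env python3
"""Check the ISAKMP header and payload chain of a decrypted IKEv1 message.

Added example for the racoon log in the post above; it is not racoon code.
DECRYPTED_HEX is copied from the "decrypted." DEBUG line of that log.
"""
import struct

ISAKMP_HDR_FMT = "!8s8sBBBBII"                     # RFC 2408 section 3.1
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR_FMT)   # 28 bytes
GENERIC_HDR_FMT = "!BBH"                           # next payload, RESERVED, length
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}

# Decrypted main mode message 5 exactly as racoon printed it in the post.
DECRYPTED_HEX = (
    "d1d9962c 6004bf7b 0c317531 9c85bb06 05100201 00000000 00000044 "
    "8450f134 99116727 73c7f68c 3f0a65c2 68a9afe6 2c0a6ce1 41708fbb "
    "3f0c7511 c5fdeaad 804a2277"
)
DECRYPTED = bytes.fromhex(DECRYPTED_HEX)


def parse_isakmp_header(msg):
    """Return the fixed 28-byte ISAKMP header as a dict."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("message shorter than ISAKMP header")
    icookie, rcookie, np, ver, xchg, flags, msgid, length = struct.unpack(
        ISAKMP_HDR_FMT, msg[:ISAKMP_HDR_LEN])
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "next_payload": np,
        "major_version": ver >> 4,
        "minor_version": ver & 0x0F,
        "exchange_type": xchg,      # 2 = identity protection (main mode)
        "flags": flags,             # bit 0 = encrypted
        "message_id": msgid,
        "length": length,
    }


def check_payload_chain(msg):
    """Walk the generic payload headers the way a strict IKE parser does.

    Returns a list of problems; an empty list means every payload header is
    consistent with the message length.  Garbage produced by decrypting with
    the wrong key shows up as a payload length that overruns the message, a
    non-zero RESERVED byte or an unknown payload type.
    """
    problems = []
    hdr = parse_isakmp_header(msg)
    if hdr["length"] != len(msg):
        problems.append("header length %d != %d bytes present" % (hdr["length"], len(msg)))
    np, off = hdr["next_payload"], ISAKMP_HDR_LEN
    while np != 0:
        if off + 4 > len(msg):
            problems.append("payload %d truncated at offset %d" % (np, off))
            break
        next_np, reserved, plen = struct.unpack(GENERIC_HDR_FMT, msg[off:off + 4])
        name = PAYLOAD_NAMES.get(np, "unknown(%d)" % np)
        if np not in PAYLOAD_NAMES:
            problems.append("unknown payload type %d at offset %d" % (np, off))
        if reserved != 0:
            problems.append("%s payload: RESERVED byte is 0x%02x" % (name, reserved))
        if plen < 4 or off + plen > len(msg):
            problems.append("invalid length of payload: %s payload claims %d bytes, %d remain"
                            % (name, plen, len(msg) - off))
            break
        np, off = next_np, off + plen
    return problems


def build_valid_example():
    """Constructed (not captured) well-formed message 5: ID payload, then HASH.

    Cookies, identity address and HASH_I bytes are placeholder assumptions.
    """
    id_body = struct.pack("!BBH", 1, 17, 500) + bytes([192, 168, 0, 101])  # ID_IPV4_ADDR, UDP/500
    id_payload = struct.pack(GENERIC_HDR_FMT, 8, 0, 4 + len(id_body)) + id_body  # next = HASH
    hash_body = b"\x11" * 20                                                    # SHA1-sized HASH_I
    hash_payload = struct.pack(GENERIC_HDR_FMT, 0, 0, 4 + len(hash_body)) + hash_body
    body = id_payload + hash_payload
    hdr = struct.pack(ISAKMP_HDR_FMT, b"\x01" * 8, b"\x02" * 8, 5, 0x10, 2, 1, 0,
                      ISAKMP_HDR_LEN + len(body))
    return hdr + body


if __name__ == "__main__":
    for label, msg in (("from racoon log", DECRYPTED), ("constructed valid", build_valid_example())):
        print(label, parse_isakmp_header(msg))
        for line in check_payload_chain(msg) or ["payload chain consistent"]:
            print("   ", line)
```

If the chain check fails on the very first payload while the cleartext header is fine, compare the pre-shared key and the identity each side looks up in psk.txt before touching the proposal settings; changing the cipher, as the post reports, does not help when the key the cipher is fed is already wrong.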