Hello, I have three machines: one 3.7, one 3.6, and one Windows 2000 laptop. The client software on the laptop is this:
ftp://ftp.funkwerk-ec.com/pub/ipsec_client/bintec_secure_client_v11.zip aka "NCP Secure Entry", which usually runs very nicely. The two OpenBSD machines are configured identically, except for IP numbers and server certificates. Everything is set up to run with X.509 certificates off of my private CA. Connecting from the Windows machine to the 3.6 machine works fine as long as I only use the primary IP number (it has two from different networks), but connecting to the 3.7 machine, which has only one IP number, yields "INVALID PAYLOAD TYPE", and nothing works.

This is what I get with tcpdump (IP numbers fudged):

# /usr/sbin/tcpdump -n -vvv -e -s 1500 -i bge0 \(esp or port 500 or port 4500 \) and host 1.2.3.4
tcpdump: listening on bge0, link-type EN10MB
12:15:35.791290 0:0:c:3e:48:dc 0:e0:81:63:16:d2 0800 294: 1.2.3.4.500 > 5.6.7.8.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 0c052e9abace2953->0000000000000000 msgid: 00000000 len: 252 payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1 payload: TRANSFORM len: 40 transform: 1 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = AES_CBC attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = RSA_SIG attribute GROUP_DESCRIPTION = MODP_1536 attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00007080 attribute KEY_LENGTH = 256 payload: VENDOR len: 12 payload: VENDOR len: 12 payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03) payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) payload: VENDOR len: 20 (supports v1 NAT-T, draft-ietf-ipsec-nat-t-ike-00) payload: VENDOR len: 20 (supports NAT-T, RFC 3947) payload: VENDOR len: 20 (supports DPD v1.0) payload: VENDOR len: 20 payload: VENDOR len: 20 (ttl 126, id 1731, len 280)
12:15:35.797183 0:e0:81:63:16:d2 0:0:c:3e:48:dc 0800 210: 5.6.7.8.500 > 1.2.3.4.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 0c052e9abace2953->6297719b10aab610 msgid: 00000000 len: 168 payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1 payload: TRANSFORM len: 40 transform: 1 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = AES_CBC attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = RSA_SIG attribute GROUP_DESCRIPTION = MODP_1536 attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00007080 attribute KEY_LENGTH = 256 payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03) payload: VENDOR len: 20 (supports NAT-T, RFC 3947) payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 13783, len 196)
12:15:36.113303 0:0:c:3e:48:dc 0:e0:81:63:16:d2 0800 358: 1.2.3.4.500 > 5.6.7.8.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 0c052e9abace2953->6297719b10aab610 msgid: 00000000 len: 316 payload: KEY_EXCH len: 196 payload: NONCE len: 44 payload: <unknown> len: 24 payload: <unknown> len: 24 (ttl 126, id 1732, len 344)
12:15:36.115954 0:e0:81:63:16:d2 0:0:c:3e:48:dc 0800 82: 5.6.7.8.500 > 1.2.3.4.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: d6da19765da85f25->0000000000000000 msgid: 00000000 len: 40 payload: NOTIFICATION len: 12 notification: INVALID PAYLOAD TYPE (ttl 64, id 29429, len 68)
12:16:05.215393 0:0:c:3e:48:dc 0:e0:81:63:16:d2 0800 358: 1.2.3.4.500 > 5.6.7.8.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 0c052e9abace2953->6297719b10aab610 msgid: 00000000 len: 316 payload: KEY_EXCH len: 196 payload: NONCE len: 44 payload: <unknown> len: 24 payload: <unknown> len: 24 (ttl 126, id 1733, len 344)
12:16:05.217956 0:e0:81:63:16:d2 0:0:c:3e:48:dc 0800 82: 5.6.7.8.500 > 1.2.3.4.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: 6af35ef1d456e460->0000000000000000 msgid: 00000000 len: 40 payload: NOTIFICATION len: 12 notification: INVALID PAYLOAD TYPE (ttl 64, id 15575, len 68)
12:16:09.220412 0:0:c:3e:48:dc 0:e0:81:63:16:d2 0800 358: 1.2.3.4.500 > 5.6.7.8.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 0c052e9abace2953->6297719b10aab610 msgid: 00000000 len: 316 payload: KEY_EXCH len: 196 payload: NONCE len: 44 payload: <unknown> len: 24 payload: <unknown> len: 24 (ttl 126, id 1734, len 344)
12:16:09.222948 0:e0:81:63:16:d2 0:0:c:3e:48:dc 0800 82: 5.6.7.8.500 > 1.2.3.4.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: 8e945543b69f3d8e->0000000000000000 msgid: 00000000 len: 40 payload: NOTIFICATION len: 12 notification: INVALID PAYLOAD TYPE (ttl 64, id 25815, len 68)
12:16:14.226697 0:0:c:3e:48:dc 0:e0:81:63:16:d2 0800 358: 1.2.3.4.500 > 5.6.7.8.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 0c052e9abace2953->6297719b10aab610 msgid: 00000000 len: 316 payload: KEY_EXCH len: 196 payload: NONCE len: 44 payload: <unknown> len: 24 payload: <unknown> len: 24 (ttl 126, id 1735, len 344)
12:16:14.229247 0:e0:81:63:16:d2 0:0:c:3e:48:dc 0800 82: 5.6.7.8.500 > 1.2.3.4.500: [udp sum ok] isakmp v1.0 exchange INFO cookie: d7059971fb358e93->0000000000000000 msgid: 00000000 len: 40 payload: NOTIFICATION len: 12 notification: INVALID PAYLOAD TYPE (ttl 64, id 15834, len 68)

Btw, on the 3.6 box, when I configure the client to talk on the aliased address, it doesn't work either, but with a very different error message. I'm willing to ignore this problem if I can get the 3.7 (3.8?) problem solved.

Any help is very much appreciated!

Best,
--Toni++
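Added example (not from the post above, nor from the NCP client or OpenBSD isakmpd): a small Python walker for the ISAKMP header and payload chain that names every payload type number, so that a packet which tcpdump prints as "<unknown> len: 24" can be identified offline, plus the check a responder performs when it meets a type it does not implement. The constructed sample mirrors the 316-byte third packet of the trace; its cookies are taken from the trace, the KE, nonce and hash bytes are filler, and giving the two 24-byte payloads the draft-era NAT-D number 130 is an assumption made only to illustrate the check.

```python
import struct

# ISAKMP payload types (RFC 2408) plus NAT-T: RFC 3947 uses 20/21, the drafts used 130/131.
PAYLOAD_NAMES = {1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KEY_EXCH", 5: "ID", 6: "CERT",
                 7: "CERT_REQ", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "NOTIFICATION",
                 12: "DELETE", 13: "VENDOR", 20: "NAT-D", 21: "NAT-OA",
                 130: "NAT-D(draft)", 131: "NAT-OA(draft)"}
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # icookie rcookie np version xchg flags msgid len
GENERIC_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length

def parse_isakmp(pkt):  # -> (header tuple, [(type, name, length), ...]), strict on lengths
    hdr = ISAKMP_HDR.unpack_from(pkt)
    np, length = hdr[2], hdr[7]
    if length != len(pkt):
        raise ValueError(f"header length {length} != packet length {len(pkt)}")
    payloads, off = [], ISAKMP_HDR.size
    while np != 0:  # each generic header carries the type of the *next* payload
        if off + GENERIC_HDR.size > len(pkt):
            raise ValueError(f"payload type {np} header runs past end of packet")
        next_np, _, plen = GENERIC_HDR.unpack_from(pkt, off)
        if plen < GENERIC_HDR.size or off + plen > len(pkt):
            raise ValueError(f"payload type {np} has bad length {plen}")
        payloads.append((np, PAYLOAD_NAMES.get(np, f"<unknown {np}>"), plen))
        off, np = off + plen, next_np
    if off != len(pkt):
        raise ValueError(f"{len(pkt) - off} trailing bytes after last payload")
    return hdr, payloads

def describe(pkt):  # tcpdump-style lines such as "KEY_EXCH len: 196"
    return [f"{name} len: {plen}" for _, name, plen in parse_isakmp(pkt)[1]]

def first_unsupported(pkt, supported):  # the type a peer knowing only `supported` rejects
    return next((t for t, _, _ in parse_isakmp(pkt)[1] if t not in supported), None)

def build_message(icookie, rcookie, xchg, payloads):  # ISAKMP v1.0 from [(type, body), ...]
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        next_np = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GENERIC_HDR.pack(next_np, 0, GENERIC_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return ISAKMP_HDR.pack(icookie, rcookie, first, 0x10, xchg, 0, 0,
                           ISAKMP_HDR.size + len(body)) + body

# Constructed stand-in for the 316-byte third packet of the trace (exchange 2 = ID_PROT): cookies
# from the trace, a 192-byte MODP_1536 KE value, a 40-byte nonce and two 20-byte NAT-D hashes.
# Giving them type 130 is an assumption; tcpdump printed only "<unknown> len: 24".
SAMPLE = build_message(bytes.fromhex("0c052e9abace2953"), bytes.fromhex("6297719b10aab610"), 2,
                       [(4, b"\x11" * 192), (10, b"\x22" * 40), (130, b"\x33" * 20), (130, b"\x44" * 20)])
RFC3947_ONLY = set(range(1, 14)) | {20, 21}  # a peer that knows only the RFC-assigned numbers
```

Feeding the raw UDP payload of a captured packet (for example from `tcpdump -w` via a pcap reader) to `describe` shows the numeric type behind each "<unknown>", and `first_unsupported` shows which number a peer limited to a given set would answer with INVALID PAYLOAD TYPE.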