Sean,
I have tried using the passphrase of “hello” with no luck, same error.

I also do not see the option for simple DES on the Endian GUI. Only 3DES and AES.

--Daniel
From: efw-user-bounces@lists.sourceforge.net [mailto:efw-user-bounces@lists.sourceforge.net] On Behalf Of Sean Waite
Sent: Monday, March 26, 2007 10:00 AM
To: efw-user@lists.sourceforge.net
Subject: Re: [Efw-user] Endian to Pix Site to Site VPN.
I have a site to site VPN between a Pix and an Endian at the moment. I have read that if you use certain non-standard characters in the PFS you will get the Payload_Malformed error. If it is not already, change the key to a simple alphanumeric one. If it is already, try dumbing the encryption down to simple DES to see what you get. I cannot remember the exact error, but I did once have an issue where the current config would not work with 3DES-AES; I had to do DES and build up from there. This was a few years ago and my memory is not too good, but anyway I currently do have AES-256 enabled.

A PIX will site-to-site with an Endian. With that said, in my past experience I found that either FreeBSD or FreeBSD-based firewalls (Monowall/PFSense) worked much better than Endian. I never tried IPCOP, but have used several other Linux-based firewalls. My main problem with Endian is that the VPN is not stable, meaning the connection dies out too randomly. DPD does give an incorrect error message, "R_U_THERE_ACK has invalid icookie", that can be ignored. Supposedly this is Cisco not adhering to standards in regards to DPD; whatever the case, the Openswan list told me long ago that this is a non-issue.

What I have found is that editing the ipsec.conf to try and change the logging level to all made no difference. The best advice I was able to get was to ensure there was a minimal constant flow of traffic through the tunnel. So I added some machines on the Endian side to be monitored via SNMP at different intervals, along with having these machines use the NTP service from behind the PIX side. This had no effect.

Below is the config for one of the VPNs, which may or may not be of assistance.

version 2

config setup
    interfaces=%defaultroute
    klipsdebug=all
    plutodebug=all
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/255.255.255.0,%v4:!/,%v4:!/,%v4:!192.168.1.0/255.255.255.0

conn %default
    keyingtries=0
    disablearrivalcheck=no

conn EFW
    right=6x.xx.xxx.xxx
    rightsubnet=192.168.2.0/255.255.255.0
    rightnexthop=%defaultroute
    left=6x.xxx.xxx.xx
    leftsubnet=192.168.1.0/255.255.255.0
    leftnexthop=%defaultroute
    ike=aes256-md5-modp1024
    esp=aes256-md5
    ikelifetime=1h
    keylife=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold
    authby=secret
    auto=start

conn EFWRemote
    left=6x.xx.xxx.xxx
    leftnexthop=%defaultroute
    leftsubnet=192.168.2.0/255.255.255.0
    right=%any
    rightsubnet=vhost:%no,%priv
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=secret
    auto=add

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
Sean Waite
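The posted ipsec.conf can be sanity-checked mechanically before the PSK gets the blame. The following is an added example, not code from the thread or from Endian/Openswan: it parses the conn sections in the layout shown above and flags legacy proposal tokens and inconsistent DPD timers. The sample config is constructed, with documentation-range addresses in place of the poster's redacted ones.

```python
import re

# Constructed sample in the posted ipsec.conf layout (documentation-range address).
SAMPLE = """
version 2
config setup
    nat_traversal=yes
conn EFW
    right=203.0.113.10
    ike=aes256-md5-modp1024
    esp=aes256-md5
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold
    authby=secret
"""
WEAK_TOKENS = {"des", "md5", "modp768", "modp1024"}  # legacy choices to flag

def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for 'config' and 'conn' sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented: section header or 'version'
            parts = line.split()
            is_section = parts[0] in ("config", "conn") and len(parts) == 2
            current = sections.setdefault(parts[1], {}) if is_section else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def weak_algorithms(conn):
    """List legacy tokens in the ike=/esp= proposals, e.g. 'ike:md5'."""
    found = []
    for key in ("ike", "esp"):
        for proposal in conn.get(key, "").split(","):
            for token in re.split(r"[-;]", proposal):
                if token.lower() in WEAK_TOKENS:
                    found.append(f"{key}:{token}")
    return found

def dpd_consistent(conn):
    """True only if 0 < dpddelay < dpdtimeout and a dpdaction is configured."""
    delay, timeout = int(conn.get("dpddelay", 0)), int(conn.get("dpdtimeout", 0))
    return 0 < delay < timeout and "dpdaction" in conn
```

Run against a real file with `parse_ipsec_conf(open("/etc/ipsec.conf").read())` and compare the `ike=`/`esp=` tokens of each conn with what the PIX side proposes; a mismatch there shows up as a negotiation failure, not as a key problem.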

-----Original Message-----
From: Daniel Barnett <erathtech@co.erath.tx.us>
To: "'efw-user@lists.sourceforge.net'" <efw-user@lists.sourceforge.net>
Date: Sun, 25 Mar 2007 11:55:00 -0500
Subject: [Efw-user] Endian to Pix Site to Site VPN.

Has anyone site to site VPN’d a pix and the Endian firewall?
I keep getting PAYLOAD_MALFORMED errors on my pix.

I also get a few with “invalid payloads” errors.
The pix seems to say the pre shared keys don’t match but they are EXACTLY the same on both units.
--Daniel