Nov 7 15:13:42 vpnserver pluto[20906]: packet from 200.143.118.22:500: next payload type of ISAKMP Message has an unknown value: 133
Nov 7 15:13:42 vpnserver pluto[20906]: | payload malformed after IV
Nov 7 15:13:42 vpnserver pluto[20906]: |
Nov 7 15:13:42 vpnserver pluto[20906]: packet from 200.143.118.22:500: sending notification PAYLOAD_MALFORMED to 200.143.118.22:500
and will get a connection timeout. That is because of a bug in ICS. Android ICS seems to mess up the payload, which causes this error: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not (see RFC 3947). There has been a bug report about this. It should have been fixed in Android 4.1.x. For 4.0.x (ICS) devices, fortunately, there is an OpenSWAN workaround available at:
http://people.redhat.com/pwouters/osw/openswan-2.6.38-android-ics-natoa.patch
To resolve your issue, download this patch and recompile your openswan. If you compile openswan from SRPMS, make sure to edit openswan.spec and add `-DSUPPORT_BROKEN_ANDROID_ICS' to the make option `USERCOMPILE', like this:
%{__make} \
USERCOMPILE="-g %{optflags} -fPIE -pie -DSUPPORT_BROKEN_ANDROID_ICS" \
......
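
The reserved-byte rule quoted above, as an added example (not code from Openswan or from the patch): a strict check of the NAT-OA payload layout in RFC 3947 section 5.2 next to a lenient mode. The function name, result codes, `tolerate_reserved` flag and sample bytes are assumptions made for illustration, and offsets are counted from zero.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Result codes and names below are this example's own, not Openswan's. */
enum { NATOA_OK = 0, NATOA_TRUNCATED = -1, NATOA_BAD_IDTYPE = -2,
       NATOA_BAD_LENGTH = -3, NATOA_RESERVED_NONZERO = -4 };
#define ID_IPV4_ADDR 1
#define ID_IPV6_ADDR 5

/* Validate one NAT-OA payload, laid out as in RFC 3947 section 5.2:
 *   0: next payload   1: RESERVED    2-3: payload length (big endian)
 *   4: ID type        5-7: RESERVED  8..: IPv4 or IPv6 address
 * On NATOA_RESERVED_NONZERO, *bad_off gets the zero-based offset of the
 * first offending byte. tolerate_reserved != 0 skips that check
 * (hypothetical lenient mode for peers that fill these bytes). */
int natoa_check(const uint8_t *p, size_t n, int tolerate_reserved, size_t *bad_off)
{
    static const size_t reserved[] = { 1, 5, 6, 7 };
    size_t len, addr_len, i;
    if (n < 8)
        return NATOA_TRUNCATED;
    len = ((size_t)p[2] << 8) | p[3];
    if (len > n)
        return NATOA_TRUNCATED;
    addr_len = p[4] == ID_IPV4_ADDR ? 4 : p[4] == ID_IPV6_ADDR ? 16 : 0;
    if (!addr_len)
        return NATOA_BAD_IDTYPE;
    if (len != 8 + addr_len)
        return NATOA_BAD_LENGTH;
    for (i = 0; !tolerate_reserved && i < sizeof reserved / sizeof reserved[0]; i++)
        if (p[reserved[i]] != 0) {
            if (bad_off)
                *bad_off = reserved[i];
            return NATOA_RESERVED_NONZERO;
        }
    return NATOA_OK;
}

/* Constructed samples carrying 192.0.2.10; the second has byte 7 set. */
static const uint8_t natoa_good[12] = { 0, 0, 0, 12, 1, 0, 0, 0, 192, 0, 2, 10 };
static const uint8_t natoa_bad7[12] = { 0, 0, 0, 12, 1, 0, 0, 0x11, 192, 0, 2, 10 };

int main(void)
{
    size_t off = 0;
    int rc = natoa_check(natoa_bad7, sizeof natoa_bad7, 0, &off);
    printf("strict rc=%d at offset %zu\n", rc, off);
    return 0;
}
```

The lenient mode still enforces the length and ID type checks; only the reserved-byte comparison is relaxed.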