Mailing List Archive: INVALID_PAYLOAD

INVALID_PAYLOAD_TYPE

May 17, 2004, 2:21 PM

Post #1 of 4 (2965 views)

Hi,

(resent using the correct subscribed mail address. I hope it doesn't come
through twice)

I'm trying to use vpnc to connect to our Cisco VPN server at work. It seems
to authenticate ok, but fails on phase2 with the following error

vpnc: quick mode response rejected: INVALID_PAYLOAD_TYPE
check pfs setting

Here's a full level 2 trace

defender:~# vpnc --debug 2 --no-detach
S1
S2
S3
using interface tun0
S4
S4.1
S4.2
S4.3
S4.4
IKE SA selected 3des-md5
S4.5
S4.6
S5
S5.1
S5.2
S5.3
S5.4
Enter Username and Password.
S5.5
S5.2
S5.3
S5.6
S5.7
S6
got pfs setting: 0
Remote Application Version: Cisco Systems, Inc./VPN 3000 Concentrator
Version 3.6.7.D built by vmurphy on Apr 03 2003 11:41:55
got address 172.16.56.52
S7
S7.1
S7.2
S7.3
S7.4
S7.5

---!!!!!!!!! entering phase2_fatal !!!!!!!!!---

vpnc: quick mode response rejected: INVALID_PAYLOAD_TYPE
check pfs setting
defender:~#

Any ideas?

--
Ian Cass

INVALID_PAYLOAD_TYPE [ In reply to ]

ian.cass at mblox

May 17, 2004, 5:26 PM

Post #2 of 4 (2853 views)

Permalink

Hi,

I'm trying to use vpnc to connect to our Cisco VPN server at work. It seems
to authenticate ok, but fails on phase2 with the following error

vpnc: quick mode response rejected: INVALID_PAYLOAD_TYPE
check pfs setting

Here's a full level 2 trace

defender:~# vpnc --debug 2 --no-detach
S1
S2
S3
using interface tun0
S4
S4.1
S4.2
S4.3
S4.4
IKE SA selected 3des-md5
S4.5
S4.6
S5
S5.1
S5.2
S5.3
S5.4
Enter Username and Password.
S5.5
S5.2
S5.3
S5.6
S5.7
S6
got pfs setting: 0
Remote Application Version: Cisco Systems, Inc./VPN 3000 Concentrator
Version 3.6.7.D built by vmurphy on Apr 03 2003 11:41:55
got address 172.16.56.52
S7
S7.1
S7.2
S7.3
S7.4
S7.5

---!!!!!!!!! entering phase2_fatal !!!!!!!!!---

vpnc: quick mode response rejected: INVALID_PAYLOAD_TYPE
check pfs setting
defender:~#

Any ideas?

--
Ian Cass

INVALID_PAYLOAD_TYPE [ In reply to ]

massar at unix-ag

May 17, 2004, 11:08 PM

Post #3 of 4 (2861 views)

Permalink

hi,

> I'm trying to use vpnc to connect to our Cisco VPN server at work. It seems
> to authenticate ok, but fails on phase2 with the following error
>
> vpnc: quick mode response rejected: INVALID_PAYLOAD_TYPE
> check pfs setting

can you too post a level 3 debug?
is there any nat-gateway between you and the concentrator?

cu
maurice

INVALID_PAYLOAD_TYPE [ In reply to ]

massar at unix-ag

May 17, 2004, 11:32 PM

Post #4 of 4 (2862 views)

Permalink

hi,

> > can you too post a level 3 debug?
>
> Attached. Hope you don't mind me mailing you direct rather than showing
> everyone my debug msgs.

no problem...

in short:
vpnc progresses without problems until it starts the IPsec SA negotiation,
at which point the concentrator sends a ISAKMP delete notice.
This means that the concentrator did not look at the SA proposal at all,
and was expecting vpnc to do "something else" first...

could you try running vpnc with:
--application-version "Cisco Systems VPN Client 3.7.3 (A):Linux"
or something like that.

if that fails could you please send me a debug from the cisco client?
See: http://www.unix-ag.uni-kl.de/~massar/vpnc/docs/cisco-log-procedure.txt

(In the output there is "Application Version:" somewhere, maybe that
string could help too)

> > is there any nat-gateway between you and the concentrator?
>
> I'm pretty sure there isn't. I'm running this on my Linux router which has a
> direct external interface, and the concentrator is internet addressable too.

fine... NAT-T-support is still on the todo list *g*

cu
maurice