[strongSwan] WG: problem connecting to juniper ssg5

Jürgen Hoffmann hoffmann at ellumination.de
Sun Dec 19 23:13:43 CET 2010


Hi all,

this is my ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        plutodebug=control
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=no
        #plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        mobike=no
        ike=aes128-sha-modp1024
        esp=aes128-sha

conn net-net
        left=30.83.252.204
        leftsubnet=172.20.0.0/16
        leftid=@lw.ziv.de
        leftfirewall=yes
        lefthostaccess=yes
        right=2.195.78.10
        rightsubnet=192.168.0.0/16,2.195.74.7/32
        rightid=@hq.xxx.de
        auto=add
        pfs=yes

From: users-bounces+hoffmann=ellumination.de at lists.strongswan.org
[mailto:users-bounces+hoffmann=ellumination.de at lists.strongswan.org] On Behalf Of Jürgen Hoffmann
Sent: Saturday, 18 December 2010 12:33
To: users at lists.strongswan.org
Subject: [strongSwan] problem connecting to juniper ssg5

Hi all,

I am trying to connect my strongSwan 4.2.5 Ubuntu installation to a new Juniper SSG5 from a contractor, but I keep getting the following in the logs. What am I doing wrong?

Dec 18 12:18:04 gate2 pluto[6960]: Starting Pluto (strongSwan Version 4.2.5 THREADS VENDORID)
Dec 18 12:18:04 gate2 pluto[6960]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Dec 18 12:18:04 gate2 pluto[6960]: | xauth module: using default get_secret() function
Dec 18 12:18:04 gate2 pluto[6960]: | xauth module: using default verify_secret() function
Dec 18 12:18:04 gate2 pluto[6960]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_AES_CBC encryption: Ok
Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_BLOWFISH_CBC encryption: Ok
Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_SERPENT_CBC encryption: Ok
Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_SHA2_256 hash: Ok
Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_SHA2_384 hash: Ok
Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_SHA2_512 hash: Ok
Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_TWOFISH_CBC encryption: Ok
Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_TWOFISH_CBC_SSH encryption: Ok
Dec 18 12:18:04 gate2 pluto[6960]: Testing registered IKE encryption algorithms:
Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_BLOWFISH_CBC self-test not available
Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_3DES_CBC self-test not available
Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_AES_CBC self-test not available
Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_SERPENT_CBC self-test not available
Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_TWOFISH_CBC self-test not available
Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_TWOFISH_CBC_SSH self-test not available
Dec 18 12:18:04 gate2 pluto[6960]: Testing registered IKE hash algorithms:
Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_MD5 hash self-test passed
Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_MD5 hmac self-test passed
Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_SHA hash self-test passed
Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_SHA hmac self-test passed
Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_SHA2_256 hash self-test passed
Dec 18 12:18:05 gate2 pluto[6960]:   OAKLEY_SHA2_256 hmac self-test passed
Dec 18 12:18:05 gate2 pluto[6960]:   OAKLEY_SHA2_384 hash self-test passed
Dec 18 12:18:05 gate2 pluto[6960]:   OAKLEY_SHA2_384 hmac self-test passed
Dec 18 12:18:05 gate2 pluto[6960]:   OAKLEY_SHA2_512 hash self-test passed
Dec 18 12:18:05 gate2 pluto[6960]:   OAKLEY_SHA2_512 hmac self-test passed
Dec 18 12:18:05 gate2 pluto[6960]: All crypto self-tests passed
Dec 18 12:18:05 gate2 pluto[6960]: Using Linux 2.6 IPsec interface code
Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/cacerts'
Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'strongswanKey.pem' (1743 bytes)
Dec 18 12:18:06 gate2 pluto[6960]:   no passphrase available
Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'strongswanCert.pem' (1919 bytes)
Dec 18 12:18:06 gate2 pluto[6960]: |   authcert inserted
Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'serial.old' (17 bytes)
Dec 18 12:18:06 gate2 pluto[6960]:   file coded in unknown format, discarded
Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'serial' (17 bytes)
Dec 18 12:18:06 gate2 pluto[6960]:   file coded in unknown format, discarded
Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'index.txt.old' (191 bytes)
Dec 18 12:18:06 gate2 pluto[6960]:   file coded in unknown format, discarded
Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'index.txt.attr.old' (21 bytes)
Dec 18 12:18:06 gate2 pluto[6960]:   file coded in unknown format, discarded
Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'index.txt.attr' (21 bytes)
Dec 18 12:18:06 gate2 pluto[6960]:   file coded in unknown format, discarded
Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'index.txt' (359 bytes)
Dec 18 12:18:06 gate2 pluto[6960]:   file coded in unknown format, discarded
Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/aacerts'
Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/ocspcerts'
Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/crls'
Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/acerts'
Dec 18 12:18:06 gate2 pluto[6960]: | inserting event EVENT_LOG_DAILY, timeout in 42114 seconds
Dec 18 12:18:06 gate2 pluto[6960]: | next event EVENT_REINIT_SECRET in 3598 seconds
Dec 18 12:18:06 gate2 pluto[6960]: |
Dec 18 12:18:06 gate2 pluto[6960]: | *received whack message
Dec 18 12:18:06 gate2 pluto[6960]: listening for IKE messages
Dec 18 12:18:06 gate2 pluto[6960]: | found lo with address 127.0.0.1
Dec 18 12:18:06 gate2 pluto[6960]: | found eth1 with address 30.83.252.204
Dec 18 12:18:06 gate2 pluto[6960]: | found eth1:1 with address 30.83.252.231
Dec 18 12:18:06 gate2 pluto[6960]: | found eth1:2 with address 30.83.252.232
Dec 18 12:18:07 gate2 pluto[6960]: | found eth1:3 with address 30.83.252.206
Dec 18 12:18:07 gate2 pluto[6960]: | found eth1:4 with address 30.83.252.207
Dec 18 12:18:07 gate2 pluto[6960]: | found eth3 with address 172.20.50.1
Dec 18 12:18:07 gate2 pluto[6960]: | found vlan2 with address 172.20.40.254
Dec 18 12:18:07 gate2 pluto[6960]: | found vlan3 with address 172.20.20.254
Dec 18 12:18:07 gate2 pluto[6960]: | found vlan4 with address 172.20.10.254
Dec 18 12:18:07 gate2 pluto[6960]: | found vlan5 with address 172.20.30.254
Dec 18 12:18:07 gate2 pluto[6960]: | found vlan6 with address 192.168.2.254
Dec 18 12:18:07 gate2 pluto[6960]: | found ppp0 with address 10.0.2.1
Dec 18 12:18:07 gate2 pluto[6960]: adding interface ppp0/ppp0 10.0.2.1:500
Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan6/vlan6 192.168.2.254:500
Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan5/vlan5 172.20.30.254:500
Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan4/vlan4 172.20.10.254:500
Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan3/vlan3 172.20.20.254:500
Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan2/vlan2 172.20.40.254:500
Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth3/eth3 172.20.50.1:500
Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1:4/eth1:4 30.83.252.207:500
Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1:3/eth1:3 30.83.252.206:500
Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1:2/eth1:2 30.83.252.232:500
Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1:1/eth1:1 30.83.252.231:500
Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1/eth1 30.83.252.204:500
Dec 18 12:18:07 gate2 pluto[6960]: adding interface lo/lo 127.0.0.1:500
Dec 18 12:18:07 gate2 pluto[6960]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
Dec 18 12:18:07 gate2 pluto[6960]: adding interface lo/lo ::1:500
Dec 18 12:18:07 gate2 pluto[6960]: loading secrets from "/usr/local/strongswan/etc/ipsec.secrets"
Dec 18 12:18:07 gate2 pluto[6960]:   loaded shared key for @lw.xxx.de @hq.xxx.de
Dec 18 12:18:07 gate2 pluto[6960]:   loaded shared key for @hq.xxx.de @lw.xxx.de
Dec 18 12:18:07 gate2 pluto[6960]: | next event EVENT_REINIT_SECRET in 3597 seconds
Dec 18 12:18:07 gate2 pluto[6960]: |
Dec 18 12:18:07 gate2 pluto[6960]: | *received whack message
Dec 18 12:18:08 gate2 pluto[6960]: | from whack: got --esp=aes128-sha
Dec 18 12:18:08 gate2 pluto[6960]: | esp string values: 12_128-2,
Dec 18 12:18:08 gate2 pluto[6960]: | from whack: got --ike=aes128-sha-modp1024
Dec 18 12:18:08 gate2 pluto[6960]: | ike string values: 7_128-2-2,
Dec 18 12:18:08 gate2 pluto[6960]: added connection description "net-net"
Dec 18 12:18:08 gate2 pluto[6960]: | 172.20.0.0/16===30.83.252.204[@lw.xxx.de]...2.195.78.10[@hq.xxx.de]===192.168.0.0/16
Dec 18 12:18:08 gate2 pluto[6960]: | ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+PFS
Dec 18 12:18:08 gate2 pluto[6960]: | next event EVENT_REINIT_SECRET in 3597 seconds
Dec 18 12:18:08 gate2 pluto[6960]: |
Dec 18 12:18:08 gate2 pluto[6960]: | *received 192 bytes from 2.195.78.10:500 on eth1
Dec 18 12:18:08 gate2 pluto[6960]: packet from 2.195.78.10:500: ignoring Vendor ID payload [651ececd748d24be685a79d5f463722820f672df0000001300000614]
Dec 18 12:18:08 gate2 pluto[6960]: packet from 2.195.78.10:500: received Vendor ID payload [Dead Peer Detection]
Dec 18 12:18:08 gate2 pluto[6960]: packet from 2.195.78.10:500: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Dec 18 12:18:08 gate2 pluto[6960]: | preparse_isakmp_policy: peer requests PSK authentication
Dec 18 12:18:08 gate2 pluto[6960]: | creating state object #1 at 0x8106fc0
Dec 18 12:18:08 gate2 pluto[6960]: | ICOOKIE:  b6 79 4d 82  4f 45 f4 93
Dec 18 12:18:08 gate2 pluto[6960]: | RCOOKIE:  40 0d af 34  06 a6 96 c8
Dec 18 12:18:08 gate2 pluto[6960]: | peer:  52 c3 4e 0a
Dec 18 12:18:08 gate2 pluto[6960]: | state hash entry 30
Dec 18 12:18:08 gate2 pluto[6960]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
Dec 18 12:18:08 gate2 pluto[6960]: "net-net" #1: responding to Main Mode
Dec 18 12:18:08 gate2 pluto[6960]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Dec 18 12:18:08 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Dec 18 12:18:08 gate2 pluto[6960]: |
Dec 18 12:18:08 gate2 pluto[6960]: | *received 196 bytes from 2.195.78.10:500 on eth1
Dec 18 12:18:08 gate2 pluto[6960]: | ICOOKIE:  b6 79 4d 82  4f 45 f4 93
Dec 18 12:18:08 gate2 pluto[6960]: | RCOOKIE:  40 0d af 34  06 a6 96 c8
Dec 18 12:18:08 gate2 pluto[6960]: | peer:  52 c3 4e 0a
Dec 18 12:18:08 gate2 pluto[6960]: | state hash entry 30
Dec 18 12:18:08 gate2 pluto[6960]: | state object #1 found, in STATE_MAIN_R1
Dec 18 12:18:09 gate2 pluto[6960]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Dec 18 12:18:09 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Dec 18 12:18:09 gate2 pluto[6960]: |
Dec 18 12:18:09 gate2 pluto[6960]: | *received 68 bytes from 2.195.78.10:500 on eth1
Dec 18 12:18:09 gate2 pluto[6960]: | ICOOKIE:  b6 79 4d 82  4f 45 f4 93
Dec 18 12:18:09 gate2 pluto[6960]: | RCOOKIE:  40 0d af 34  06 a6 96 c8
Dec 18 12:18:09 gate2 pluto[6960]: | peer:  52 c3 4e 0a
Dec 18 12:18:09 gate2 pluto[6960]: | state hash entry 30
Dec 18 12:18:09 gate2 pluto[6960]: | state object #1 found, in STATE_MAIN_R2
Dec 18 12:18:09 gate2 pluto[6960]: "net-net" #1: byte 2 of ISAKMP Identification Payload must be zero, but is not
Dec 18 12:18:09 gate2 pluto[6960]: "net-net" #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Dec 18 12:18:09 gate2 pluto[6960]: "net-net" #1: sending encrypted notification PAYLOAD_MALFORMED to 2.195.78.10:500
Dec 18 12:18:09 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 9 seconds for #1
Dec 18 12:18:12 gate2 pluto[6960]: |
Dec 18 12:18:12 gate2 pluto[6960]: | *received 68 bytes from 2.195.78.10:500 on eth1
Dec 18 12:18:12 gate2 pluto[6960]: | ICOOKIE:  b6 79 4d 82  4f 45 f4 93
Dec 18 12:18:12 gate2 pluto[6960]: | RCOOKIE:  40 0d af 34  06 a6 96 c8
Dec 18 12:18:13 gate2 pluto[6960]: | peer:  52 c3 4e 0a
Dec 18 12:18:13 gate2 pluto[6960]: | state hash entry 30
Dec 18 12:18:13 gate2 pluto[6960]: | state object #1 found, in STATE_MAIN_R2
Dec 18 12:18:13 gate2 pluto[6960]: "net-net" #1: byte 2 of ISAKMP Identification Payload must be zero, but is not
Dec 18 12:18:13 gate2 pluto[6960]: "net-net" #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Dec 18 12:18:13 gate2 pluto[6960]: "net-net" #1: sending encrypted notification PAYLOAD_MALFORMED to 2.195.78.10:500
Dec 18 12:18:13 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 6 seconds for #1
Dec 18 12:18:16 gate2 pluto[6960]: |
Dec 18 12:18:16 gate2 pluto[6960]: | *received 68 bytes from 2.195.78.10:500 on eth1
Dec 18 12:18:16 gate2 pluto[6960]: | ICOOKIE:  b6 79 4d 82  4f 45 f4 93
Dec 18 12:18:17 gate2 pluto[6960]: | RCOOKIE:  40 0d af 34  06 a6 96 c8
Dec 18 12:18:17 gate2 pluto[6960]: | peer:  52 c3 4e 0a
Dec 18 12:18:17 gate2 pluto[6960]: | state hash entry 30
Dec 18 12:18:17 gate2 pluto[6960]: | state object #1 found, in STATE_MAIN_R2
Dec 18 12:18:17 gate2 pluto[6960]: "net-net" #1: byte 2 of ISAKMP Identification Payload must be zero, but is not
Dec 18 12:18:17 gate2 pluto[6960]: "net-net" #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Dec 18 12:18:17 gate2 pluto[6960]: "net-net" #1: sending encrypted notification PAYLOAD_MALFORMED to 2.195.78.10:500
Dec 18 12:18:17 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 2 seconds for #1
Dec 18 12:18:18 gate2 pluto[6960]: |
Dec 18 12:18:18 gate2 pluto[6960]: | *time to handle event
Dec 18 12:18:18 gate2 pluto[6960]: | event after this is EVENT_REINIT_SECRET in 3586 seconds
Dec 18 12:18:19 gate2 pluto[6960]: | handling event EVENT_RETRANSMIT for 2.195.78.10 "net-net" #1
Dec 18 12:18:19 gate2 pluto[6960]: | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
Dec 18 12:18:19 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 20 seconds for #1

Any help is highly appreciated.

Kind regards

Juergen Hoffmann
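Two checks worth running on a report like this, as an added example that is not strongSwan's code or the poster's: the posted ipsec.conf sets leftid=@lw.ziv.de while the log shows the shared key being loaded for @lw.xxx.de, and the repeated "probable authentication failure (mismatch of preshared secrets?)" lines are the message pluto emits when the peer's encrypted Identification payload does not parse, which it attributes to a PSK mismatch. The script below cross-checks each conn's leftid/rightid pair against the PSK lines in ipsec.secrets and flags that log signature per connection; the config, secrets and log samples are constructed, and the secret value is a placeholder.

```python
import re

# Constructed sample inputs (not the poster's real files): the conn carries the
# posted leftid, the secrets line the identity pair the posted log loaded.
SAMPLE_CONF = """\
conn net-net
        leftid=@lw.ziv.de
        rightid=@hq.xxx.de
"""
SAMPLE_SECRETS = '@lw.xxx.de @hq.xxx.de : PSK "placeholder-secret"\n'
SAMPLE_LOG = """\
Dec 18 12:18:09 gate2 pluto[6960]: "net-net" #1: byte 2 of ISAKMP Identification Payload must be zero, but is not
Dec 18 12:18:09 gate2 pluto[6960]: "net-net" #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Dec 18 12:18:09 gate2 pluto[6960]: "net-net" #1: sending encrypted notification PAYLOAD_MALFORMED to 2.195.78.10:500
"""

def parse_conn_ids(conf_text):
    """Map each conn section to its (leftid, rightid) settings."""
    conns, current = {}, None
    for line in conf_text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        m = re.match(r"^\s+(leftid|rightid)\s*=\s*(\S+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return {c: (v.get("leftid"), v.get("rightid")) for c, v in conns.items()}

def parse_psk_pairs(secrets_text):
    """Unordered identity pairs that have a PSK line in ipsec.secrets."""
    pairs = set()
    for line in secrets_text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(\S+)\s*:\s*PSK\s", line)
        if m:
            pairs.add(frozenset(m.groups()))
    return pairs

def missing_psk_conns(conf_text, secrets_text):
    """Conns with explicit ids whose leftid/rightid pair has no PSK entry."""
    pairs = parse_psk_pairs(secrets_text)
    return [c for c, (l, r) in parse_conn_ids(conf_text).items()
            if l and r and frozenset((l, r)) not in pairs]

# pluto logs this when the decrypted ID payload is garbage, as a wrong PSK gives.
PSK_MISMATCH = re.compile(r'"(?P<conn>[^"]+)" #\d+: probable authentication '
                          r'failure \(mismatch of preshared secrets\?\)')
def psk_failures(log_text):
    """Conn names for which the PSK-mismatch signature appears in the log."""
    return [m.group("conn") for m in PSK_MISMATCH.finditer(log_text)]
```

Run against real files, an empty result from missing_psk_conns together with hits from psk_failures points at the peer's PSK or ID settings rather than the local secrets file.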
