[strongSwan] WG: problem connecting to juniper ssg5

Andreas Steffen andreas.steffen at strongswan.org
Mon Dec 20 05:40:31 CET 2010


Hello Jürgen,

it seems that the PSK is not the same on the Juniper
and strongSwan side. Therefore the first encrypted packet
cannot be decrypted correctly.

: "net-net" #1: byte 2 of ISAKMP Identification Payload must be zero,
                but is not
: "net-net" #1: probable authentication failure (mismatch of preshared
                secrets?): malformed payload in packet

Why do you define two PSKs for the same connection?

:   loaded shared key for @lw.xxx.de @hq.xxx.de
:   loaded shared key for @hq.xxx.de @lw.xxx.de

Regards

Andreas

On 12/19/2010 11:13 PM, Jürgen Hoffmann wrote:
> Hi all,
> 
> this is my ipsec.conf
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
>         plutodebug=control
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         # nat_traversal=yes
>         charonstart=no
>         #plutostart=no
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         mobike=no
>         ike=aes128-sha-modp1024
>         esp=aes128-sha
> 
> conn net-net
>         left=30.83.252.204
>         leftsubnet=172.20.0.0/16
>         leftid=@lw.ziv.de
>         leftfirewall=yes
>         lefthostaccess=yes
>         right=2.195.78.10
>         rightsubnet=192.168.0.0/16,2.195.74.7/32
>         rightid=@hq.xxx.de
>         auto=add
>         pfs=yes
> 
> *From:* users-bounces+hoffmann=ellumination.de at lists.strongswan.org
> [mailto:users-bounces+hoffmann=ellumination.de at lists.strongswan.org] *On
> behalf of* Jürgen Hoffmann
> *Sent:* Saturday, 18 December 2010 12:33
> *To:* users at lists.strongswan.org
> *Subject:* [strongSwan] problem connecting to juniper ssg5
> 
> Hi All,
> 
> I am trying to connect my strongSwan 4.2.5 Ubuntu installation to a new
> Juniper SSG5 from a contractor, but I keep getting the following in the
> logs. What am I doing wrong?
> 
> Dec 18 12:18:04 gate2 pluto[6960]: Starting Pluto (strongSwan Version 4.2.5 THREADS VENDORID)
> Dec 18 12:18:04 gate2 pluto[6960]:   including NAT-Traversal patch (Version 0.6c) [disabled]
> Dec 18 12:18:04 gate2 pluto[6960]: | xauth module: using default get_secret() function
> Dec 18 12:18:04 gate2 pluto[6960]: | xauth module: using default verify_secret() function
> Dec 18 12:18:04 gate2 pluto[6960]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_AES_CBC encryption: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_BLOWFISH_CBC encryption: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_SERPENT_CBC encryption: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_SHA2_256 hash: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_SHA2_384 hash: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_SHA2_512 hash: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_TWOFISH_CBC encryption: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_TWOFISH_CBC_SSH encryption: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: Testing registered IKE encryption algorithms:
> Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_BLOWFISH_CBC self-test not available
> Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_3DES_CBC self-test not available
> Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_AES_CBC self-test not available
> Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_SERPENT_CBC self-test not available
> Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_TWOFISH_CBC self-test not available
> Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_TWOFISH_CBC_SSH self-test not available
> Dec 18 12:18:04 gate2 pluto[6960]: Testing registered IKE hash algorithms:
> Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_MD5 hash self-test passed
> Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_MD5 hmac self-test passed
> Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_SHA hash self-test passed
> Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_SHA hmac self-test passed
> Dec 18 12:18:04 gate2 pluto[6960]:   OAKLEY_SHA2_256 hash self-test passed
> Dec 18 12:18:05 gate2 pluto[6960]:   OAKLEY_SHA2_256 hmac self-test passed
> Dec 18 12:18:05 gate2 pluto[6960]:   OAKLEY_SHA2_384 hash self-test passed
> Dec 18 12:18:05 gate2 pluto[6960]:   OAKLEY_SHA2_384 hmac self-test passed
> Dec 18 12:18:05 gate2 pluto[6960]:   OAKLEY_SHA2_512 hash self-test passed
> Dec 18 12:18:05 gate2 pluto[6960]:   OAKLEY_SHA2_512 hmac self-test passed
> Dec 18 12:18:05 gate2 pluto[6960]: All crypto self-tests passed
> Dec 18 12:18:05 gate2 pluto[6960]: Using Linux 2.6 IPsec interface code
> Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/cacerts'
> Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'strongswanKey.pem' (1743 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]:   no passphrase available
> Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'strongswanCert.pem' (1919 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]: |   authcert inserted
> Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'serial.old' (17 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]:   file coded in unknown format, discarded
> Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'serial' (17 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]:   file coded in unknown format, discarded
> Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'index.txt.old' (191 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]:   file coded in unknown format, discarded
> Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'index.txt.attr.old' (21 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]:   file coded in unknown format, discarded
> Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'index.txt.attr' (21 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]:   file coded in unknown format, discarded
> Dec 18 12:18:06 gate2 pluto[6960]:   loaded CA cert file 'index.txt' (359 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]:   file coded in unknown format, discarded
> Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/aacerts'
> Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/ocspcerts'
> Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/crls'
> Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/acerts'
> Dec 18 12:18:06 gate2 pluto[6960]: | inserting event EVENT_LOG_DAILY, timeout in 42114 seconds
> Dec 18 12:18:06 gate2 pluto[6960]: | next event EVENT_REINIT_SECRET in 3598 seconds
> Dec 18 12:18:06 gate2 pluto[6960]: |
> Dec 18 12:18:06 gate2 pluto[6960]: | *received whack message
> Dec 18 12:18:06 gate2 pluto[6960]: listening for IKE messages
> Dec 18 12:18:06 gate2 pluto[6960]: | found lo with address 127.0.0.1
> Dec 18 12:18:06 gate2 pluto[6960]: | found eth1 with address 30.83.252.204
> Dec 18 12:18:06 gate2 pluto[6960]: | found eth1:1 with address 30.83.252.231
> Dec 18 12:18:06 gate2 pluto[6960]: | found eth1:2 with address 30.83.252.232
> Dec 18 12:18:07 gate2 pluto[6960]: | found eth1:3 with address 30.83.252.206
> Dec 18 12:18:07 gate2 pluto[6960]: | found eth1:4 with address 30.83.252.207
> Dec 18 12:18:07 gate2 pluto[6960]: | found eth3 with address 172.20.50.1
> Dec 18 12:18:07 gate2 pluto[6960]: | found vlan2 with address 172.20.40.254
> Dec 18 12:18:07 gate2 pluto[6960]: | found vlan3 with address 172.20.20.254
> Dec 18 12:18:07 gate2 pluto[6960]: | found vlan4 with address 172.20.10.254
> Dec 18 12:18:07 gate2 pluto[6960]: | found vlan5 with address 172.20.30.254
> Dec 18 12:18:07 gate2 pluto[6960]: | found vlan6 with address 192.168.2.254
> Dec 18 12:18:07 gate2 pluto[6960]: | found ppp0 with address 10.0.2.1
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface ppp0/ppp0 10.0.2.1:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan6/vlan6 192.168.2.254:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan5/vlan5 172.20.30.254:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan4/vlan4 172.20.10.254:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan3/vlan3 172.20.20.254:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan2/vlan2 172.20.40.254:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth3/eth3 172.20.50.1:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1:4/eth1:4 30.83.252.207:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1:3/eth1:3 30.83.252.206:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1:2/eth1:2 30.83.252.232:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1:1/eth1:1 30.83.252.231:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1/eth1 30.83.252.204:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface lo/lo 127.0.0.1:500
> Dec 18 12:18:07 gate2 pluto[6960]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface lo/lo ::1:500
> Dec 18 12:18:07 gate2 pluto[6960]: loading secrets from "/usr/local/strongswan/etc/ipsec.secrets"
> Dec 18 12:18:07 gate2 pluto[6960]:   loaded shared key for @lw.xxx.de @hq.xxx.de
> Dec 18 12:18:07 gate2 pluto[6960]:   loaded shared key for @hq.xxx.de @lw.xxx.de
> Dec 18 12:18:07 gate2 pluto[6960]: | next event EVENT_REINIT_SECRET in 3597 seconds
> Dec 18 12:18:07 gate2 pluto[6960]: |
> Dec 18 12:18:07 gate2 pluto[6960]: | *received whack message
> Dec 18 12:18:08 gate2 pluto[6960]: | from whack: got --esp=aes128-sha
> Dec 18 12:18:08 gate2 pluto[6960]: | esp string values: 12_128-2,
> Dec 18 12:18:08 gate2 pluto[6960]: | from whack: got --ike=aes128-sha-modp1024
> Dec 18 12:18:08 gate2 pluto[6960]: | ike string values: 7_128-2-2,
> Dec 18 12:18:08 gate2 pluto[6960]: added connection description "net-net"
> Dec 18 12:18:08 gate2 pluto[6960]: | 172.20.0.0/16===30.83.252.204[@lw.xxx.de]...2.195.78.10[@hq.xxx.de]===192.168.0.0/16
> Dec 18 12:18:08 gate2 pluto[6960]: | ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+PFS
> Dec 18 12:18:08 gate2 pluto[6960]: | next event EVENT_REINIT_SECRET in 3597 seconds
> Dec 18 12:18:08 gate2 pluto[6960]: |
> Dec 18 12:18:08 gate2 pluto[6960]: | *received 192 bytes from 2.195.78.10:500 on eth1
> Dec 18 12:18:08 gate2 pluto[6960]: packet from 2.195.78.10:500: ignoring Vendor ID payload [651ececd748d24be685a79d5f463722820f672df0000001300000614]
> Dec 18 12:18:08 gate2 pluto[6960]: packet from 2.195.78.10:500: received Vendor ID payload [Dead Peer Detection]
> Dec 18 12:18:08 gate2 pluto[6960]: packet from 2.195.78.10:500: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
> Dec 18 12:18:08 gate2 pluto[6960]: | preparse_isakmp_policy: peer requests PSK authentication
> Dec 18 12:18:08 gate2 pluto[6960]: | creating state object #1 at 0x8106fc0
> Dec 18 12:18:08 gate2 pluto[6960]: | ICOOKIE:  b6 79 4d 82  4f 45 f4 93
> Dec 18 12:18:08 gate2 pluto[6960]: | RCOOKIE:  40 0d af 34  06 a6 96 c8
> Dec 18 12:18:08 gate2 pluto[6960]: | peer:  52 c3 4e 0a
> Dec 18 12:18:08 gate2 pluto[6960]: | state hash entry 30
> Dec 18 12:18:08 gate2 pluto[6960]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
> Dec 18 12:18:08 gate2 pluto[6960]: "net-net" #1: responding to Main Mode
> Dec 18 12:18:08 gate2 pluto[6960]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> Dec 18 12:18:08 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> Dec 18 12:18:08 gate2 pluto[6960]: |
> Dec 18 12:18:08 gate2 pluto[6960]: | *received 196 bytes from 2.195.78.10:500 on eth1
> Dec 18 12:18:08 gate2 pluto[6960]: | ICOOKIE:  b6 79 4d 82  4f 45 f4 93
> Dec 18 12:18:08 gate2 pluto[6960]: | RCOOKIE:  40 0d af 34  06 a6 96 c8
> Dec 18 12:18:08 gate2 pluto[6960]: | peer:  52 c3 4e 0a
> Dec 18 12:18:08 gate2 pluto[6960]: | state hash entry 30
> Dec 18 12:18:08 gate2 pluto[6960]: | state object #1 found, in STATE_MAIN_R1
> Dec 18 12:18:09 gate2 pluto[6960]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> Dec 18 12:18:09 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> Dec 18 12:18:09 gate2 pluto[6960]: |
> Dec 18 12:18:09 gate2 pluto[6960]: | *received 68 bytes from 2.195.78.10:500 on eth1
> Dec 18 12:18:09 gate2 pluto[6960]: | ICOOKIE:  b6 79 4d 82  4f 45 f4 93
> Dec 18 12:18:09 gate2 pluto[6960]: | RCOOKIE:  40 0d af 34  06 a6 96 c8
> Dec 18 12:18:09 gate2 pluto[6960]: | peer:  52 c3 4e 0a
> Dec 18 12:18:09 gate2 pluto[6960]: | state hash entry 30
> Dec 18 12:18:09 gate2 pluto[6960]: | state object #1 found, in STATE_MAIN_R2
> Dec 18 12:18:09 gate2 pluto[6960]: "net-net" #1: byte 2 of ISAKMP Identification Payload must be zero, but is not
> Dec 18 12:18:09 gate2 pluto[6960]: "net-net" #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> Dec 18 12:18:09 gate2 pluto[6960]: "net-net" #1: sending encrypted notification PAYLOAD_MALFORMED to 2.195.78.10:500
> Dec 18 12:18:09 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 9 seconds for #1
> Dec 18 12:18:12 gate2 pluto[6960]: |
> Dec 18 12:18:12 gate2 pluto[6960]: | *received 68 bytes from 2.195.78.10:500 on eth1
> Dec 18 12:18:12 gate2 pluto[6960]: | ICOOKIE:  b6 79 4d 82  4f 45 f4 93
> Dec 18 12:18:12 gate2 pluto[6960]: | RCOOKIE:  40 0d af 34  06 a6 96 c8
> Dec 18 12:18:13 gate2 pluto[6960]: | peer:  52 c3 4e 0a
> Dec 18 12:18:13 gate2 pluto[6960]: | state hash entry 30
> Dec 18 12:18:13 gate2 pluto[6960]: | state object #1 found, in STATE_MAIN_R2
> Dec 18 12:18:13 gate2 pluto[6960]: "net-net" #1: byte 2 of ISAKMP Identification Payload must be zero, but is not
> Dec 18 12:18:13 gate2 pluto[6960]: "net-net" #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> Dec 18 12:18:13 gate2 pluto[6960]: "net-net" #1: sending encrypted notification PAYLOAD_MALFORMED to 2.195.78.10:500
> Dec 18 12:18:13 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 6 seconds for #1
> Dec 18 12:18:16 gate2 pluto[6960]: |
> Dec 18 12:18:16 gate2 pluto[6960]: | *received 68 bytes from 2.195.78.10:500 on eth1
> Dec 18 12:18:16 gate2 pluto[6960]: | ICOOKIE:  b6 79 4d 82  4f 45 f4 93
> Dec 18 12:18:17 gate2 pluto[6960]: | RCOOKIE:  40 0d af 34  06 a6 96 c8
> Dec 18 12:18:17 gate2 pluto[6960]: | peer:  52 c3 4e 0a
> Dec 18 12:18:17 gate2 pluto[6960]: | state hash entry 30
> Dec 18 12:18:17 gate2 pluto[6960]: | state object #1 found, in STATE_MAIN_R2
> Dec 18 12:18:17 gate2 pluto[6960]: "net-net" #1: byte 2 of ISAKMP Identification Payload must be zero, but is not
> Dec 18 12:18:17 gate2 pluto[6960]: "net-net" #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> Dec 18 12:18:17 gate2 pluto[6960]: "net-net" #1: sending encrypted notification PAYLOAD_MALFORMED to 2.195.78.10:500
> Dec 18 12:18:17 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 2 seconds for #1
> Dec 18 12:18:18 gate2 pluto[6960]: |
> Dec 18 12:18:18 gate2 pluto[6960]: | *time to handle event
> Dec 18 12:18:18 gate2 pluto[6960]: | event after this is EVENT_REINIT_SECRET in 3586 seconds
> Dec 18 12:18:19 gate2 pluto[6960]: | handling event EVENT_RETRANSMIT for 2.195.78.10 "net-net" #1
> Dec 18 12:18:19 gate2 pluto[6960]: | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
> Dec 18 12:18:19 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 20 seconds for #1
> 
> Any help is highly appreciated
> 
> Kind regards
> 
> Juergen Hoffmann
>
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
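Andreas's diagnosis above, modelled in code: this is an added example, not part of the original thread and not strongSwan's own code. It derives the IKEv1 Phase 1 keys from a pre-shared key as RFC 2409 specifies for ike=aes128-sha (SKEYID = prf(PSK, Ni | Nr), then SKEYID_e and the AES-128 key), builds the first encrypted Main Mode message (IDii plus HASH_I, the 68-byte packets in the log), and lets a responder decrypt it with the key derived from its own PSK. When the two PSKs agree the Identification payload parses and HASH_I verifies; when they differ the decrypted bytes are noise, and the RESERVED byte of the generic payload header (the second byte, which pluto reports as "byte 2") is almost never zero, so the packet is rejected as malformed before any authentication check is reached. Everything besides the two cookies copied from the log is constructed: the nonces, the Diffie-Hellman values (fixed byte strings, no real DH is performed), the SA body, the PSK strings and the identity hq.xxx.de; the error strings mirror pluto's wording, and the function names are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// prf is the PRF negotiated by ike=aes128-sha: HMAC-SHA1 (RFC 2409 section 4).
func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha1.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// derive is the PSK variant of the IKEv1 key derivation (RFC 2409 section 5): every
// input but the PSK is public, and the AES-128 key is the leftmost 16 bytes of SKEYID_e.
func derive(psk, ni, nr, gxy, ckyI, ckyR []byte) (skeyid, encKey []byte) {
	skeyid = prf(psk, ni, nr)
	d := prf(skeyid, gxy, ckyI, ckyR, []byte{0})
	a := prf(skeyid, d, gxy, ckyI, ckyR, []byte{1})
	e := prf(skeyid, a, gxy, ckyI, ckyR, []byte{2})
	return skeyid, e[:16]
}

// payload adds the ISAKMP generic header (RFC 2408 section 3.2): Next Payload, RESERVED, Length.
func payload(next byte, body []byte) []byte {
	hdr := []byte{next, 0, 0, 0} // RESERVED (hdr[1]) must be zero on the wire
	binary.BigEndian.PutUint16(hdr[2:], uint16(4+len(body)))
	return append(hdr, body...)
}

const nextHash, idFQDN = 8, 2 // ISAKMP_NEXT_HASH; ID_FQDN, the type @hq.xxx.de becomes
// Exchange bundles the public Phase 1 values both peers have seen before MM5 (constructed here).
type Exchange struct{ Ni, Nr, Gxi, Gxr, Gxy, CkyI, CkyR, SAi []byte }

// iv of the first encrypted message: hash of the DH public values, trimmed to the block size.
func (x Exchange) iv() []byte {
	h := sha1.Sum(append(append([]byte{}, x.Gxi...), x.Gxr...))
	return h[:aes.BlockSize]
}

// buildMM5 is the initiator: derive keys from its PSK, build IDii and HASH_I, zero-pad, encrypt.
func buildMM5(psk []byte, x Exchange, fqdn string) []byte {
	skeyid, key := derive(psk, x.Ni, x.Nr, x.Gxy, x.CkyI, x.CkyR)
	idBody := append([]byte{idFQDN, 0, 0, 0}, fqdn...) // ID type, protocol, port, data
	hashI := prf(skeyid, x.Gxi, x.Gxr, x.CkyI, x.CkyR, x.SAi, idBody)
	plain := append(payload(nextHash, idBody), payload(0, hashI)...)
	plain = append(plain, make([]byte, (aes.BlockSize-len(plain)%aes.BlockSize)%aes.BlockSize)...)
	blk, _ := aes.NewCipher(key)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(blk, x.iv()).CryptBlocks(ct, plain)
	return ct
}

// parseMM5 is the responder: decrypt with the key derived from *its* PSK and apply pluto's
// checks. With a different PSK the plaintext is noise, so the RESERVED byte or length of the
// supposed ID payload is almost always wrong and the packet is rejected as malformed before
// any authentication check; only if the noise looks like a valid header does HASH_I catch it.
func parseMM5(psk []byte, x Exchange, ct []byte) (string, error) {
	skeyid, key := derive(psk, x.Ni, x.Nr, x.Gxy, x.CkyI, x.CkyR)
	blk, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, x.iv()).CryptBlocks(pt, ct)
	if len(pt) < 8 || pt[1] != 0 {
		return "", errors.New("byte 2 of ISAKMP Identification Payload must be zero, but is not")
	}
	idLen := int(binary.BigEndian.Uint16(pt[2:4]))
	if pt[0] != nextHash || idLen < 8 || idLen+4+sha1.Size > len(pt) {
		return "", fmt.Errorf("malformed payload in packet (ID length %d)", idLen)
	}
	idBody, hashPl := pt[4:idLen], pt[idLen:idLen+4+sha1.Size]
	expected := prf(skeyid, x.Gxi, x.Gxr, x.CkyI, x.CkyR, x.SAi, idBody)
	if hashPl[1] != 0 || !hmac.Equal(expected, hashPl[4:]) || idBody[0] != idFQDN {
		return "", errors.New("HASH_I mismatch: wrong pre-shared secret")
	}
	return string(idBody[4:]), nil
}

// sample returns constructed values (not captured traffic); only the cookies come from the log.
func sample() Exchange {
	return Exchange{
		Ni: bytes.Repeat([]byte{0x11}, 16), Nr: bytes.Repeat([]byte{0x22}, 16),
		Gxi: bytes.Repeat([]byte{0x33}, 128), Gxr: bytes.Repeat([]byte{0x44}, 128),
		Gxy: bytes.Repeat([]byte{0x55}, 128), SAi: []byte{0, 0, 0, 1},
		CkyI: []byte{0xb6, 0x79, 0x4d, 0x82, 0x4f, 0x45, 0xf4, 0x93},
		CkyR: []byte{0x40, 0x0d, 0xaf, 0x34, 0x06, 0xa6, 0x96, 0xc8},
	}
}

func main() {
	x := sample()
	ct := buildMM5([]byte("correct-horse"), x, "hq.xxx.de")
	fmt.Println(parseMM5([]byte("correct-horse"), x, ct)) // hq.xxx.de <nil>
	fmt.Println(parseMM5([]byte("Correct-horse"), x, ct)) // empty identity and an error
}
```

The point for the operator is that a PSK mismatch never shows up as an authentication error in IKEv1 Main Mode: the responder cannot even parse the packet, which is why pluto prints "malformed payload" and only guesses at the cause in parentheses. pluto selects the secret from ipsec.secrets by the pair of IDs, which is why Andreas asks about the two entries loaded for @lw.xxx.de and @hq.xxx.de; the first thing to verify is that exactly one secret exists for that ID pair and that it is byte-for-byte the one configured on the SSG5.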



