[strongSwan] strongSwan with Cisco VPN client again

Claude Tompers claude.tompers at restena.lu
Fri May 21 10:14:25 CEST 2010


Hello,

After my recently solved problem with the Cisco VPN client, I hit another one. Everything seems to work fine, but the connection won't establish.
In the logs pasted below, you can see that the certificate authentication as well as the XAUTH user authentication work fine. For some reason, however, the SA seems to be deleted, and I can't explain why.
If anyone has an idea, I'd be grateful.

Kind regards
Claude

/etc/ipsec.conf:

ca vpnca
        cacert=VPNCA-cacert.pem
        crluri=VPNCA-crl.pem
        auto=add

config setup
        plutostart=yes
        #plutodebug=control
        charonstart=no
        charondebug="net 0"
        nat_traversal=yes
        crlcheckinterval=10m
        strictcrlpolicy=yes

# Add connections here.

conn %default
        ike=aes256-sha1-modp1536!
        esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekeymargin=3m
        keyingtries=1
        left=%defaultroute
        leftcert=vpncert.pem
        leftid="C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu"
        right=%any
        rightsourceip=192.168.120.128/25
        auto=add

conn cisco-vpn
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        type=tunnel
        pfs=no
        authby=xauthrsasig
        xauth=server


/etc/ipsec.secrets

: RSA vpncert-key.pem

: XAUTH ctompers        "verysecretpassword"


/var/log/ipsec:

May 21 09:52:40 vpn6-test pluto[31904]: adding interface lo/lo ::1:500
May 21 09:52:40 vpn6-test pluto[31904]: loading secrets from "/usr/local/etc/ipsec.secrets"
May 21 09:52:40 vpn6-test pluto[31904]:   loaded private key from 'vpncert-key.pem'
May 21 09:52:40 vpn6-test pluto[31904]:   loaded xauth credentials of user 'ctompers'
May 21 09:52:40 vpn6-test pluto[31904]:   loaded CA certificate from '/usr/local/etc/ipsec.d/cacerts/VPNCA-cacert.pem'
May 21 09:52:40 vpn6-test pluto[31904]: added ca description "vpnca"
May 21 09:52:40 vpn6-test pluto[31904]:   loaded host certificate from '/usr/local/etc/ipsec.d/certs/vpncert.pem'
May 21 09:52:40 vpn6-test pluto[31904]: added connection description "cisco-vpn"
May 21 09:52:40 vpn6-test pluto[31904]:   loaded host certificate from '/usr/local/etc/ipsec.d/certs/vpncert.pem'
May 21 09:52:40 vpn6-test pluto[31904]: added connection description "ikev2"
May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: size (1160) differs from size specified in ISAKMP HDR (1144)
May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: Cisco VPN client appends 16 surplus NULL bytes
May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: received Vendor ID payload [XAUTH]
May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: received Vendor ID payload [Dead Peer Detection]
May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: ignoring Vendor ID payload [FRAGMENTATION 80000000]
May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: ignoring Vendor ID payload [Cisco-Unity]
May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: responding to Main Mode from unknown peer 192.168.3.53:53276
May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: peer requested 2147483 seconds which exceeds our limit 86400 seconds
May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: size (352) differs from size specified in ISAKMP HDR (336)
May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: Cisco VPN client appends 16 surplus NULL bytes
May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: ignoring Vendor ID payload [276f4f549eef9da547a168470992f47f]
May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: ignoring Vendor ID payload [Cisco-Unity]
May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: Peer ID is ID_DER_ASN1_DN: 'C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, E=admin at restena.lu'
May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: deleting connection "cisco-vpn" instance with peer 192.168.3.53 {isakmp=#0/ipsec=#0}
May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: we have a cert and are sending it upon request
May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sent MR3, ISAKMP SA established
May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending XAUTH request
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: parsing XAUTH reply
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: extended authentication was successful
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending XAUTH status:
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: parsing XAUTH ack
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: received XAUTH ack, established
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: unsupported ModeCfg attribute 28683?? received.
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: unsupported ModeCfg attribute 28684?? received.
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: peer requested virtual IP %any
May 21 09:53:09 vpn6-test pluto[31904]: assigning new lease to 'C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, E=admin at restena.lu'
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: assigning virtual IP 192.168.120.129 to peer
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending ModeCfg reply
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sent ModeCfg reply, established
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.1.13[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu]...192.168.3.53:53276[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, E=admin at restena.lu]===192.168.120.129/32
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.3.53:53276
May 21 09:53:14 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x5913d71e (perhaps this is a duplicated packet)
May 21 09:53:14 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
May 21 09:53:19 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x5913d71e (perhaps this is a duplicated packet)
May 21 09:53:19 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
May 21 09:53:24 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x5913d71e (perhaps this is a duplicated packet)
May 21 09:53:24 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
May 21 09:53:29 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x818764bf) not found (maybe expired)
May 21 09:53:59 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: received Delete SA payload: deleting ISAKMP State #1
May 21 09:53:59 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276: deleting connection "cisco-vpn" instance with peer 192.168.3.53 {isakmp=#0/ipsec=#0}
May 21 09:53:59 vpn6-test pluto[31904]: lease 192.168.120.129 by 'C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, E=admin at restena.lu' went offline

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
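The decisive line in the log above is "cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.1.13[...]...192.168.3.53:53276[...]===192.168.120.129/32": the Cisco client's Quick Mode proposal asks for 0.0.0.0/0 on the gateway side and its assigned virtual IP on the client side, and pluto finds no conn whose traffic selectors cover that. The conn "cisco-vpn" sets no leftsubnet, and in pluto an unset leftsubnet means the host address alone (192.168.1.13/32 here), which does not cover 0.0.0.0/0. The following script, an added example that is not part of the original post or of strongSwan, parses a pluto log excerpt and an ipsec.conf fragment (both constructed inline from the text of the post, with leftsubnet left out as in the original) and reports, per side, the requested selector, the effective configured selector, and whether the former lies inside the latter. It goes one step beyond the post by applying the same check to any conn and to any such log line; the pluto defaults it assumes (unset leftsubnet = host /32, rightsourceip pool used as the right-hand selector when rightsubnet is unset) are what pluto does, but the script itself is illustrative, not a strongSwan tool. The usual remedy when the left side is flagged is to add leftsubnet=0.0.0.0/0 to the conn, which the post does not state but which the failing selector implies.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment: the conn from the post, with leftsubnet
# deliberately absent, exactly as in the original.
IPSEC_CONF = """\
conn %default
        left=%defaultroute
        leftcert=vpncert.pem
        right=%any
        rightsourceip=192.168.120.128/25
        auto=add

conn cisco-vpn
        type=tunnel
        pfs=no
        authby=xauthrsasig
        xauth=server
"""

# Constructed pluto log excerpt, shaped like the lines in the post; only the
# "cannot respond" line carries the selectors we care about.
PLUTO_LOG = """\
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sent ModeCfg reply, established
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.1.13[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu]...192.168.3.53:53276[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, E=admin at restena.lu]===192.168.120.129/32
May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.3.53:53276
"""

# Pluto's failing-selector line: <left subnet>===<left host>[<left id>]...<right host>[<right id>]===<right subnet>
SELECTOR_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] .*?cannot respond to IPsec SA request because '
    r'no connection is known for (?P<lsub>\S+?)===(?P<lhost>[^\[]+)\[[^\]]*\]'
    r'\.\.\.(?P<rhost>[^\[]+)\[[^\]]*\]===(?P<rsub>\S+)'
)


def parse_ipsec_conf(text):
    """Minimal ipsec.conf parser: section headers at column 0 ("conn NAME",
    "config setup", "ca NAME"), indented key=value lines below them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(' ')
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip().strip('"')
    return sections


def effective_conn(sections, name):
    """A conn inherits every setting from 'conn %default' that it does not override."""
    conn = dict(sections.get(('conn', '%default'), {}))
    conn.update(sections.get(('conn', name), {}))
    return conn


def selector_covered(requested, configured):
    """True if the requested network lies inside one of the configured networks
    (configured may be a comma-separated list). IPv4 and IPv6 handled alike."""
    req = ipaddress.ip_network(requested, strict=False)
    return any(req.subnet_of(ipaddress.ip_network(c.strip(), strict=False))
               for c in configured.split(','))


def check_quick_mode(log_text, conf_text):
    """For every failing Quick Mode line, compare the peer's requested selectors
    with the conn's effective ones. Returns one finding per matching line:
    {'conn': name, 'left': (requested, configured, ok), 'right': (...)}."""
    sections = parse_ipsec_conf(conf_text)
    findings = []
    for line in log_text.splitlines():
        m = SELECTOR_RE.search(line)
        if not m:
            continue
        conn = effective_conn(sections, m['conn'])
        # pluto: no leftsubnet means the gateway's own address only.
        left_cfg = conn.get('leftsubnet') or m['lhost'].strip() + '/32'
        rhost = m['rhost'].strip().rsplit(':', 1)[0]  # drop the UDP port (IPv4 form)
        # pluto: a road warrior with a virtual IP is matched against the pool.
        right_cfg = conn.get('rightsubnet') or conn.get('rightsourceip') or rhost + '/32'
        findings.append({
            'conn': m['conn'],
            'left': (m['lsub'], left_cfg, selector_covered(m['lsub'], left_cfg)),
            'right': (m['rsub'], right_cfg, selector_covered(m['rsub'], right_cfg)),
        })
    return findings


if __name__ == '__main__':
    for f in check_quick_mode(PLUTO_LOG, IPSEC_CONF):
        for side in ('left', 'right'):
            requested, configured, ok = f[side]
            print(f"conn {f['conn']} {side}: peer wants {requested}, conn has {configured}: "
                  f"{'covered' if ok else 'NOT covered'}")
```

Run stand-alone it prints one "NOT covered" line for the left side (0.0.0.0/0 against 192.168.1.13/32) and one "covered" line for the right side (the client's lease 192.168.120.129/32 inside the 192.168.120.128/25 pool), which is exactly the asymmetry the log line above encodes. The INVALID_MESSAGE_ID and Delete SA lines that follow it in the post are the client retrying the same Quick Mode exchange and then tearing the ISAKMP SA down, so they are consequences rather than separate faults.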