[strongSwan] strongSwan with Cisco VPN client again
Andreas Steffen
andreas.steffen at strongswan.org
Fri May 21 17:28:35 CEST 2010
Hello Claude,
the relevant error message is:

"cisco-vpn"[2] 192.168.3.53:53276 #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.1.13[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu]...192.168.3.53:53276[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, E=admin at restena.lu]===192.168.120.129/32
The client by default wants to tunnel all Internet traffic (no
split tunneling), therefore the gateway must define
leftsubnet=0.0.0.0/0
Regards
Andreas
On 21.05.2010 10:14, Claude Tompers wrote:
> Hello,
>
> After my recently solved problem with the Cisco VPN client, I hit another one. Everything seems to work fine, but the connection won't establish.
> In logs pasted below the text, you can see that the certificate authentication as well as the xauth user authentication work fine. For some reason however, the SA seems to be deleted, and I can't explain why.
> If anyone has an idea, I'd be grateful.
>
> kind regards
> Claude
>
> /etc/ipsec.conf:
>
> ca vpnca
> cacert=VPNCA-cacert.pem
> crluri=VPNCA-crl.pem
> auto=add
>
> config setup
> plutostart=yes
> #plutodebug=control
> charonstart=no
> charondebug="net 0"
> nat_traversal=yes
> crlcheckinterval=10m
> strictcrlpolicy=yes
>
> # Add connections here.
>
> conn %default
> ike=aes256-sha1-modp1536!
> esp=aes256-sha1!
> dpdaction=clear
> dpddelay=300s
> rekeymargin=3m
> keyingtries=1
> left=%defaultroute
> leftcert=vpncert.pem
> leftid="C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu"
> right=%any
> rightsourceip=192.168.120.128/25
> auto=add
>
> conn cisco-vpn
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> type=tunnel
> pfs=no
> authby=xauthrsasig
> xauth=server
>
>
> /etc/ipsec.secrets
>
> : RSA vpncert-key.pem
>
> : XAUTH ctompers "verysecretpassword"
>
>
> /var/log/ipsec:
>
> May 21 09:52:40 vpn6-test pluto[31904]: adding interface lo/lo ::1:500
> May 21 09:52:40 vpn6-test pluto[31904]: loading secrets from "/usr/local/etc/ipsec.secrets"
> May 21 09:52:40 vpn6-test pluto[31904]: loaded private key from 'vpncert-key.pem'
> May 21 09:52:40 vpn6-test pluto[31904]: loaded xauth credentials of user 'ctompers'
> May 21 09:52:40 vpn6-test pluto[31904]: loaded CA certificate from '/usr/local/etc/ipsec.d/cacerts/VPNCA-cacert.pem'
> May 21 09:52:40 vpn6-test pluto[31904]: added ca description "vpnca"
> May 21 09:52:40 vpn6-test pluto[31904]: loaded host certificate from '/usr/local/etc/ipsec.d/certs/vpncert.pem'
> May 21 09:52:40 vpn6-test pluto[31904]: added connection description "cisco-vpn"
> May 21 09:52:40 vpn6-test pluto[31904]: loaded host certificate from '/usr/local/etc/ipsec.d/certs/vpncert.pem'
> May 21 09:52:40 vpn6-test pluto[31904]: added connection description "ikev2"
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: size (1160) differs from size specified in ISAKMP HDR (1144)
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: Cisco VPN client appends 16 surplus NULL bytes
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: received Vendor ID payload [XAUTH]
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: received Vendor ID payload [Dead Peer Detection]
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: ignoring Vendor ID payload [FRAGMENTATION 80000000]
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: ignoring Vendor ID payload [Cisco-Unity]
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: responding to Main Mode from unknown peer 192.168.3.53:53276
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: peer requested 2147483 seconds which exceeds our limit 86400 seconds
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: size (352) differs from size specified in ISAKMP HDR (336)
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: Cisco VPN client appends 16 surplus NULL bytes
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: ignoring Vendor ID payload [276f4f549eef9da547a168470992f47f]
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: ignoring Vendor ID payload [Cisco-Unity]
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: Peer ID is ID_DER_ASN1_DN: 'C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, E=admin at restena.lu'
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: deleting connection "cisco-vpn" instance with peer 192.168.3.53 {isakmp=#0/ipsec=#0}
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: we have a cert and are sending it upon request
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sent MR3, ISAKMP SA established
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending XAUTH request
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: parsing XAUTH reply
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: extended authentication was successful
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending XAUTH status:
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: parsing XAUTH ack
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: received XAUTH ack, established
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: unsupported ModeCfg attribute 28683?? received.
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: unsupported ModeCfg attribute 28684?? received.
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: peer requested virtual IP %any
> May 21 09:53:09 vpn6-test pluto[31904]: assigning new lease to 'C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, E=admin at restena.lu'
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: assigning virtual IP 192.168.120.129 to peer
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending ModeCfg reply
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sent ModeCfg reply, established
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.1.13[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu]...192.168.3.53:53276[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, E=admin at restena.lu]===192.168.120.129/32
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.3.53:53276
> May 21 09:53:14 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x5913d71e (perhaps this is a duplicated packet)
> May 21 09:53:14 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
> May 21 09:53:19 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x5913d71e (perhaps this is a duplicated packet)
> May 21 09:53:19 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
> May 21 09:53:24 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x5913d71e (perhaps this is a duplicated packet)
> May 21 09:53:24 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
> May 21 09:53:29 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x818764bf) not found (maybe expired)
> May 21 09:53:59 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: received Delete SA payload: deleting ISAKMP State #1
> May 21 09:53:59 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276: deleting connection "cisco-vpn" instance with peer 192.168.3.53 {isakmp=#0/ipsec=#0}
> May 21 09:53:59 vpn6-test pluto[31904]: lease 192.168.120.129 by 'C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, E=admin at restena.lu' went offline
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
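The diagnosis above rests on reading the traffic selectors out of pluto's "cannot respond to IPsec SA request" line and comparing them with what ipsec.conf defines. The following script is an added example, not part of strongSwan and not code from this thread: it parses that pluto line into its left subnet, gateway address, peer address and right subnet, reads a minimal ipsec.conf (only "conn" sections with indented key=value lines and %default inheritance; "ca" and "config setup" are skipped), and reports whether the configured leftsubnet matches what the client proposed and whether the requested virtual IP falls inside rightsourceip. SAMPLE_LOG_LINE is the error line from this thread; SAMPLE_IPSEC_CONF is a constructed, trimmed-down version of the posted configuration; the function names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed input: the pluto error line from this thread, verbatim.
SAMPLE_LOG_LINE = (
    'May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: '
    'cannot respond to IPsec SA request because no connection is known for '
    '0.0.0.0/0===192.168.1.13[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, '
    'OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu]'
    '...192.168.3.53:53276[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, '
    'OU=IT, CN=Group_xyz, E=admin at restena.lu]===192.168.120.129/32'
)

# Constructed input: the posted ipsec.conf reduced to the keys this check needs,
# in the indented form ipsec.conf actually requires. No leftsubnet is set.
SAMPLE_IPSEC_CONF = """\
conn %default
    left=%defaultroute
    rightsourceip=192.168.120.128/25

conn cisco-vpn
    authby=xauthrsasig
    xauth=server
"""

# left_subnet===gateway[ID]...peer[ID]===right_subnet, IDs optional.
_SELECTOR_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\].*?no connection is known for '
    r'(?P<lsub>\S+?)===(?P<lhost>.+?)(?:\[(?P<lid>[^\]]*)\])?'
    r'\.\.\.(?P<rhost>.+?)(?:\[(?P<rid>[^\]]*)\])?===(?P<rsub>\S+)'
)


@dataclass
class SaRequest:
    conn: str
    left_subnet: str
    left_host: str
    left_id: Optional[str]
    right_host: str
    right_id: Optional[str]
    right_subnet: str


def parse_pluto_sa_request(line: str) -> Optional[SaRequest]:
    """Extract the selectors the peer proposed from a pluto 'no connection is known' line."""
    m = _SELECTOR_RE.search(line)
    if not m:
        return None
    return SaRequest(m["conn"], m["lsub"], m["lhost"], m["lid"],
                     m["rhost"], m["rid"], m["rsub"])


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: unindented 'conn NAME' opens a section,
    indented key=value lines belong to it; other section kinds are skipped."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is not None and "=" in raw:
                key, _, value = raw.strip().partition("=")
                current[key.strip()] = value.strip().strip('"')
            continue
        kind, _, name = raw.strip().partition(" ")
        current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
    return conns


def effective(conns: Dict[str, Dict[str, str]], conn: str, key: str) -> Optional[str]:
    """Look a key up in the conn, then fall back to conn %default."""
    return conns.get(conn, {}).get(key) or conns.get("%default", {}).get(key)


def _same_net(configured: Optional[str], requested: str) -> bool:
    if not configured:
        return False
    try:
        return (ipaddress.ip_network(configured, strict=False)
                == ipaddress.ip_network(requested, strict=False))
    except ValueError:
        return configured == requested


def diagnose(log_line: str, conf_text: str) -> Optional[dict]:
    """Compare the proposed selectors with the conn's leftsubnet and rightsourceip."""
    req = parse_pluto_sa_request(log_line)
    if req is None:
        return None
    conns = parse_ipsec_conf(conf_text)
    configured_left = effective(conns, req.conn, "leftsubnet")
    pool = effective(conns, req.conn, "rightsourceip")
    right_in_pool = False
    if pool and "/" in pool:
        right_in_pool = ipaddress.ip_network(req.right_subnet, strict=False).subnet_of(
            ipaddress.ip_network(pool, strict=False))
    # An unset leftsubnet means "the gateway address only", so anything other
    # than an exact match with the proposed left selector is a mismatch.
    suggestion = None if _same_net(configured_left, req.left_subnet) \
        else f"leftsubnet={req.left_subnet}"
    return {"conn": req.conn, "requested_leftsubnet": req.left_subnet,
            "configured_leftsubnet": configured_left, "requested_rightsubnet": req.right_subnet,
            "right_in_pool": right_in_pool, "suggestion": suggestion}


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(SAMPLE_LOG_LINE, SAMPLE_IPSEC_CONF), indent=2))
```

Run against the thread's line and the sample configuration, the report shows the right side satisfied (192.168.120.129/32 lies in the rightsourceip pool) and the left side missing, with the suggested fix being exactly the leftsubnet=0.0.0.0/0 line from the reply above.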