[strongSwan] strongSwan with Cisco VPN client again

Claude Tompers claude.tompers at restena.lu
Tue May 25 08:31:56 CEST 2010


Hello Andreas,

It seems to work now. Thank you very much.

kind regards,
Claude


On Friday 21 May 2010 17:28:35 Andreas Steffen wrote:
> Hello Claude,
> 
> the relevant error message is:
>     "cisco-vpn"[2] 192.168.3.53:53276 #1:
>     cannot respond to IPsec SA request because no connection is known
>     for 0.0.0.0/0===192.168.1.13
>     [C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA,
>      OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu]
>     ...192.168.3.53:53276
>     [C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT,
>     CN=Group_xyz, E=admin at restena.lu]===192.168.120.129/32
> 
> The client by default wants to tunnel all Internet traffic (no
> split tunneling), therefore the gateway must define
> 
>     leftsubnet=0.0.0.0/0
> 
> Regards
> 
> Andreas
> 
> On 21.05.2010 10:14, Claude Tompers wrote:
> > Hello,
> >
> > After my recently solved problem with the Cisco VPN client, I hit another one. Everything seems to work fine, but the connection won't establish.
> > In logs pasted below the text, you can see that the certificate authentication as well as the xauth user authentication work fine. For some reason however, the SA seems to be deleted, and I can't explain why.
> > If anyone has an idea, I'd be grateful.
> >
> > kind regards
> > Claude
> >
> > /etc/ipsec.conf:
> >
> > ca vpnca
> >          cacert=VPNCA-cacert.pem
> >          crluri=VPNCA-crl.pem
> >          auto=add
> >
> > config setup
> >          plutostart=yes
> >          #plutodebug=control
> >          charonstart=no
> >          charondebug="net 0"
> >          nat_traversal=yes
> >          crlcheckinterval=10m
> >          strictcrlpolicy=yes
> >
> > # Add connections here.
> >
> > conn %default
> >          ike=aes256-sha1-modp1536!
> >          esp=aes256-sha1!
> >          dpdaction=clear
> >          dpddelay=300s
> >          rekeymargin=3m
> >          keyingtries=1
> >          left=%defaultroute
> >          leftcert=vpncert.pem
> >          leftid="C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu"
> >          right=%any
> >          rightsourceip=192.168.120.128/25
> >          auto=add
> >
> > conn cisco-vpn
> >          ikelifetime=60m
> >          keylife=20m
> >          rekeymargin=3m
> >          keyingtries=1
> >          type=tunnel
> >          pfs=no
> >          authby=xauthrsasig
> >          xauth=server
> >
> >
> > /etc/ipsec.secrets
> >
> > : RSA vpncert-key.pem
> >
> > : XAUTH ctompers        "verysecretpassword"
> >
> >
> > /var/log/ipsec:
> >
> > May 21 09:52:40 vpn6-test pluto[31904]: adding interface lo/lo ::1:500
> > May 21 09:52:40 vpn6-test pluto[31904]: loading secrets from "/usr/local/etc/ipsec.secrets"
> > May 21 09:52:40 vpn6-test pluto[31904]:   loaded private key from 'vpncert-key.pem'
> > May 21 09:52:40 vpn6-test pluto[31904]:   loaded xauth credentials of user 'ctompers'
> > May 21 09:52:40 vpn6-test pluto[31904]:   loaded CA certificate from '/usr/local/etc/ipsec.d/cacerts/VPNCA-cacert.pem'
> > May 21 09:52:40 vpn6-test pluto[31904]: added ca description "vpnca"
> > May 21 09:52:40 vpn6-test pluto[31904]:   loaded host certificate from '/usr/local/etc/ipsec.d/certs/vpncert.pem'
> > May 21 09:52:40 vpn6-test pluto[31904]: added connection description "cisco-vpn"
> > May 21 09:52:40 vpn6-test pluto[31904]:   loaded host certificate from '/usr/local/etc/ipsec.d/certs/vpncert.pem'
> > May 21 09:52:40 vpn6-test pluto[31904]: added connection description "ikev2"
> > May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: size (1160) differs from size specified in ISAKMP HDR (1144)
> > May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: Cisco VPN client appends 16 surplus NULL bytes
> > May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: received Vendor ID payload [XAUTH]
> > May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: received Vendor ID payload [Dead Peer Detection]
> > May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: ignoring Vendor ID payload [FRAGMENTATION 80000000]
> > May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> > May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: ignoring Vendor ID payload [Cisco-Unity]
> > May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: responding to Main Mode from unknown peer 192.168.3.53:53276
> > May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: peer requested 2147483 seconds which exceeds our limit 86400 seconds
> > May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
> > May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: size (352) differs from size specified in ISAKMP HDR (336)
> > May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: Cisco VPN client appends 16 surplus NULL bytes
> > May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: ignoring Vendor ID payload [276f4f549eef9da547a168470992f47f]
> > May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: ignoring Vendor ID payload [Cisco-Unity]
> > May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> > May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> > May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: Peer ID is ID_DER_ASN1_DN: 'C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, E=admin at restena.lu'
> > May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: deleting connection "cisco-vpn" instance with peer 192.168.3.53 {isakmp=#0/ipsec=#0}
> > May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: we have a cert and are sending it upon request
> > May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sent MR3, ISAKMP SA established
> > May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending XAUTH request
> > May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: parsing XAUTH reply
> > May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: extended authentication was successful
> > May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending XAUTH status:
> > May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: parsing XAUTH ack
> > May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: received XAUTH ack, established
> > May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: unsupported ModeCfg attribute 28683?? received.
> > May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: unsupported ModeCfg attribute 28684?? received.
> > May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: peer requested virtual IP %any
> > May 21 09:53:09 vpn6-test pluto[31904]: assigning new lease to 'C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, E=admin at restena.lu'
> > May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: assigning virtual IP 192.168.120.129 to peer
> > May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending ModeCfg reply
> > May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sent ModeCfg reply, established
> > May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.1.13[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu]...192.168.3.53:53276[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, E=admin at restena.lu]===192.168.120.129/32
> > May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.3.53:53276
> > May 21 09:53:14 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x5913d71e (perhaps this is a duplicated packet)
> > May 21 09:53:14 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
> > May 21 09:53:19 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x5913d71e (perhaps this is a duplicated packet)
> > May 21 09:53:19 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
> > May 21 09:53:24 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x5913d71e (perhaps this is a duplicated packet)
> > May 21 09:53:24 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
> > May 21 09:53:29 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x818764bf) not found (maybe expired)
> > May 21 09:53:59 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: received Delete SA payload: deleting ISAKMP State #1
> > May 21 09:53:59 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276: deleting connection "cisco-vpn" instance with peer 192.168.3.53 {isakmp=#0/ipsec=#0}
> > May 21 09:53:59 vpn6-test pluto[31904]: lease 192.168.120.129 by 'C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, E=admin at restena.lu' went offline
> >
> >
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
> 
> 
> 

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
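The leftsubnet mismatch Andreas diagnosed above, as an added example that is not part of the thread: a small Python check that reads pluto's "no connection is known for" line and a minimal ipsec.conf (both constructed from the quoted text, with the DNs shortened) and reports which of the client's proposed traffic selectors the conn cannot cover. parse_conf is a deliberately simplified reader that assumes only conn sections with %default inheritance.

```python
import ipaddress
import re

# Constructed from the log line and ipsec.conf quoted in the thread (DNs shortened).
LOG_LINE = ("cannot respond to IPsec SA request because no connection is known for "
            "0.0.0.0/0===192.168.1.13[C=LU, O=Fondation RESTENA, CN=vpn6-pub.restena.lu]"
            "...192.168.3.53:53276[C=LU, O=Fondation RESTENA, CN=Group_xyz]===192.168.120.129/32")
IPSEC_CONF = """conn %default
         left=%defaultroute
         rightsourceip=192.168.120.128/25
conn cisco-vpn
         authby=xauthrsasig
"""

def parse_selectors(line):
    """Pull the local===remote traffic selectors out of pluto's message."""
    m = re.search(r"known for (\S+?)===.*===(\S+)$", line)
    return (m.group(1), m.group(2)) if m else None

def parse_conf(text):
    """Minimal ipsec.conf reader: conn sections with %default folded in."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur is not None and "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip().strip('"')
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}

def covers(net, selector):
    return ipaddress.ip_network(selector, strict=False).subnet_of(
        ipaddress.ip_network(net, strict=False))

def check_conn(conn, left_ts, right_ts):
    """List the proposed selectors this conn cannot match (empty list = OK)."""
    problems = []
    # Without leftsubnet pluto offers only the gateway's own address, so a client
    # that tunnels everything (0.0.0.0/0) is refused exactly as in the thread.
    left = conn.get("leftsubnet")
    if left is None or not covers(left, left_ts):
        problems.append(f"leftsubnet={left} does not cover {left_ts}")
    pool = conn.get("rightsourceip")
    if pool is None or not covers(pool, right_ts):
        problems.append(f"rightsourceip={pool} does not cover {right_ts}")
    return problems
```

Running check_conn on the quoted conn returns the missing leftsubnet; adding leftsubnet=0.0.0.0/0 to the conn dict makes it return an empty list.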