[strongSwan] Zyxel zywall and strongswan roadwarrior ipsec/l2tp problem
Pasi Oja-Nisula
pon at iki.fi
Thu Mar 31 09:18:33 CEST 2016
Replying to myself here. I got some more logs from the server side. I
can't really make much sense of this, except that "No pre shared
key found" seems interesting. That obviously leads to authentication
failed. But why is the key not found?

Algorithm negotiation doesn't seem quite right either. I see aes and
group14 and they are not defined on either side of this connection.

Pasi

Router# DEBUG[03/30 12:12:18]: LOG: isakmp_udp.c:1635:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - da2bac39 a62137e2
[-1] / 0x00000000 } IP; New SA
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:1680:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Decode SA: doi = 1, sit = 0x1
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:2218:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Decode SA: Proposal[0] = 0 .protocol[0] = 1, #
transforms = 3, spi[0]
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:1575:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Decode SA: trans[0] = 1, id = 1, # sa = #6
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:1575:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Decode SA: trans[1] = 2, id = 1, # sa = #7
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:1575:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Decode SA: trans[2] = 3, id = 1, # sa = #4
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:2647:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Decode VID: data[8] = 0x09002689 dfd6b712
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:2647:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Decode VID: data[16] = 0xafcad713 68a1f1c9
6b8696fc 77570100
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:2647:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Decode VID: data[16] = 0x4a131c81 07035845
5c5728f2 0e95452f
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:2647:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Decode VID: data[16] = 0x90cb8091 3ebb696e
086381b5 ec427b1f
DEBUG[03/30 12:12:18]: LOG: isakmp_state.c:1323:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 0401 SA
VID
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:439:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Encryption alg = 5 (3des-cbc)
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:470:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Hash alg = 2 (sha1)
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:561:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Group = 2, 111e131c
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:529:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Auth method = 1
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:609:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Life duration 86400 secs
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:439:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Encryption alg = 7 (aes-cbc)
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:675:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Key length = 128
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:470:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Hash alg = 1 (md5)
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:561:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Group = 14, 111d0434
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:529:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Auth method = 1
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:609:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Life duration 86400 secs
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:561:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Group = 14, 111d0434
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:529:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Auth method = 1
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:609:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Life duration 86400 secs
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:710:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Unsupported prf algorithm : 0 ((null))
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:439:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Encryption alg = 5 (3des-cbc)
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:470:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Hash alg = 2 (sha1)
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:561:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Group = 2, 111e131c
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:529:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Auth method = 1
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:609:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Life duration 86400 secs
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:439:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Encryption alg = 5 (3des-cbc)
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:470:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Hash alg = 2 (sha1)
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:561:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Group = 2, 111e131c
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:529:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Auth method = 1
DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:609:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Life duration 86400 secs
DEBUG[03/30 12:12:18]: LOG: isakmp_udp.c:818:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Restart packet
DEBUG[03/30 12:12:18]: LOG: isakmp_state.c:1323:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 0401 SA
VID
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:708:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Encode packet, version = 1.0, flags =
0x00000000
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:750:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Encode SA: doi = 1, sit = 0x1
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:891:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Encode SA: Proposal[0] = 0 .protocol[0] = 1, #
transforms = 1, spi[0]
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:941:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Encode SA: trans[0] = 1, id = 1, # sa = 6
DEBUG[03/30 12:12:18]: LOG: isakmp_udp.c:1807:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Packet to old negotiation
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:2262:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Decode KE: ke[128] = 0x74998e98 8ab1c0b6
f368bbf4 2161da6c 7f354d80 fa748497 e3eac6f6 98b05ebe 68704c7f
48923b46...
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:2447:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Decode NONCE: nonce[32] = 0xce6076c7 21fbab71
bcdf6615 2d98b23b e8ac1d45 c7734f91 dc2ce28e 800b26f6
DEBUG[03/30 12:12:18]: LOG: isakmp_state.c:1323:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 0012 KE
NONCE
DEBUG[03/30 12:12:18]: LOG: isakmp_output.c:958:s.s.s.s:500
(Responder) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[-1] / 0x00000000 } IP; Nonce data[16] = 0xd3a0f94c 52accabd 56676530
fea48eef
DEBUG[03/30 12:12:18]: LOG: isakmp_reply.c:523:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; No pre shared key found
DEBUG[03/30 12:12:18]: LOG: isakmp_udp.c:2324:s.s.s.s:500 (Responder)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] /
0x00000000 } IP; Error = Authentication failed (24)
DEBUG[03/30 12:12:18]: LOG: isakmp_udp.c:2570:s.s.s.s:500 (Initiator)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [0] /
0x999ef8a7 } Info; Sending negotiation back, error = 24
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:708:s.s.s.s:500
(Initiator) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[0] / 0x999ef8a7 } Info; Encode packet, version = 1.0, flags =
0x00000000
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:1079:s.s.s.s:500
(Initiator) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[0] / 0x999ef8a7 } Info; Encode N: doi = 1, proto = 1, type = 24,
spi[16] = 0xcacb0b60 6cf82cf7 2814219e 0bfe5de1
DEBUG[03/30 12:12:18]: LOG: isakmp_packet.c:1082:s.s.s.s:500
(Initiator) <-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1
[0] / 0x999ef8a7 } Info; Encode N: data[35] = 0x800c0001 00060017
4e6f2070 72652073 68617265 64206b65 7920666f 756e6480 080000
DEBUG[03/30 12:12:18]: LOG: isakmp_init.c:2160:s.s.s.s:500 (Initiator)
<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [0] /
0x999ef8a7 } Info; Deleting negotiation
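
The log above is hard-wrapped at 72 columns, which makes the algorithm sets and the failure hard to pick out. The following is an added example, not part of the original post and not Zyxel or strongSwan code: it rejoins wrapped entries, groups the algorithm attributes and collects the failure lines. It assumes a `Life duration` line closes one attribute set; the sample input is constructed from message texts in the log.

```python
import re
import textwrap

# Constructed sample: message texts taken from the log above, given one common
# prefix and re-wrapped at 72 columns the way the mail wrapped the original.
PREFIX = ("DEBUG[03/30 12:12:18]: LOG: isakmp_attrs.c:439:s.s.s.s:500 (Responder) "
          "<-> c.c.c.c:481 { cacb0b60 6cf82cf7 - 2814219e 0bfe5de1 [-1] / 0x00000000 } IP; ")
MESSAGES = ["Encryption alg = 5 (3des-cbc)", "Hash alg = 2 (sha1)", "Group = 2, 111e131c",
            "Auth method = 1", "Life duration 86400 secs", "Encryption alg = 7 (aes-cbc)",
            "Key length = 128", "Hash alg = 1 (md5)", "Group = 14, 111d0434", "Auth method = 1",
            "Life duration 86400 secs", "No pre shared key found",
            "Error = Authentication failed (24)"]
SAMPLE = "\n".join(textwrap.fill(PREFIX + m, 72, break_on_hyphens=False,
                                 break_long_words=False) for m in MESSAGES)

ATTR = re.compile(r"^(Encryption alg|Key length|Hash alg|Group|Auth method) = (\d+)(?: \(([^)]+)\))?")

def unwrap(text):
    """Rejoin wrapped lines; an entry starts at 'DEBUG[' (optionally after 'Router# ')."""
    entries = []
    for line in text.splitlines():
        if re.match(r"(?:Router# )?DEBUG\[", line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def messages(entries):
    """Return the text that follows the '} IP;' or '} Info;' marker of each entry."""
    found = (re.search(r"\}\s+(?:IP|Info);\s+(.*)$", e) for e in entries)
    return [m.group(1) for m in found if m]

def summarize(text):
    """Group attribute lines into sets and collect the authentication failure lines."""
    sets, current, failures = [], {}, []
    for msg in messages(unwrap(text)):
        m = ATTR.match(msg)
        if m:  # keep the printed name if the log gave one, else the number
            current[m.group(1)] = m.group(3) or int(m.group(2))
        elif msg.startswith("Life duration"):  # assumption: closes one set
            sets.append(current)
            current = {}
        elif msg.startswith("Error =") or "pre shared key" in msg:
            failures.append(msg)
    return sets, failures

if __name__ == "__main__":
    for n, attrs in enumerate(summarize(SAMPLE)[0]):
        print(n, attrs)
    print(summarize(SAMPLE)[1])
```

In IKEv1, `Auth method = 1` is pre-shared key, and groups 2 and 14 are the 1024-bit and 2048-bit MODP groups.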