[strongSwan] Please, help me with the configuration
Loyc Cossou
loycossou at gmail.com
Sat Sep 29 09:24:33 CEST 2018
Hi,
Sorry for not respecting the rules.
PFA the ipsec.conf, statusall, logs and vpn form.
Regards
------
loyc Cossou
Le ven. 28 sept. 2018 à 17:53, Noel Kuntze
<noel.kuntze+strongswan-users-ml at thermi.consulting> a écrit :
> Hello Loyc,
>
> The critical information is missing and you do not provide any logs, so we
> can not help you.
> Please follow the advice on the HelpRequests page of the wiki[1].
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>
> Am 22.09.18 um 04:24 schrieb Loyc Cossou:
> > Hi,
> >
> > i am new to strongswan but need you help, please.
> > I have to etablish a VPN with a client having a Cisco ASA 5585x with HA.
> >
> > Bellow are the details.
> >
> > I have set u^the folowwing code but am unable to put the tunnel up. an
> you please ztell me how you would write the ipsec.conf? Here is mine:
> >
> > conn %default
> > ikelifetime=24h
> > keylife=8h
> > rekeymargin=3m
> > keyingtries=1
> > keyexchange=ikev2
> >
> > conn Infobip_vpnI
> > leftfirewall=yes
> > authby=secret
> > type=tunnel
> > left=HIDDEN
> > leftid = HIDDEN
> > leftsubnet=HIDDEN
> > leftauth=psk
> > right=HIDDEN
> > rightid=HIDDEN
> > rightsubnet=qi tunet
> > rightauth=psk
> > ikelifetime=24h
> > ike=aes256-sha1!
> > esp=aes256-sha1!
> > lifetime=8h
> >
> > Phase I (IKE Phase):https://mail.google.com/mail/u/0/#inbox?compose=D
> >
> > Encryption algorithm
> >
> >
> >
> > AES256
> >
> > Hash algorithm (Authentication)
> >
> >
> >
> > SHA-1
> >
> > Diffie-Hellman group
> >
> >
> >
> > Group 2 (1024 bits)
> >
> > Key lifetime in seconds
> >
> >
> >
> > 86400
> >
> > Key lifetime in bytes
> >
> >
> >
> > 0
> >
> >
> >
> > Phase II (IPSEC Phase):
> >
> > Encryption algorithm
> >
> >
> >
> > AES256
> >
> > Authentication algorithm
> >
> >
> >
> > SHA-1
> >
> > Perfect Forward Secrecy (PFS)
> >
> >
> >
> > No
> >
> > SA duration in seconds (lifetime)
> >
> >
> >
> > 28800
> >
> > SA duration in KBytes
> >
> >
> >
> > 4608000
> >
> >
> >
> > Please correct me la bas.
> >
> > ------
> > loyc Cossou
> >
> >
> >
> > Mailtrack <
> https://mailtrack.io?utm_source=gmail&utm_medium=signature&utm_campaign=signaturevirality6&>
> Sender notified by
> > Mailtrack <
> https://mailtrack.io?utm_source=gmail&utm_medium=signature&utm_campaign=signaturevirality6&>
> 22/09/18 à 03:20:25
> > /×/REMOVE <#>
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180929/6a93f9a3/attachment-0001.html>
-------------- next part --------------
config setup
# strictcrlpolicy=no
# uniqueids = no
# charondebug="ike 4, knl 4, cfg 2"
conn %default
mobike=no
conn my-client
keyexchange=ikev1
leftfirewall=yes
ikelifetime=86400s
keylife=28800s
lifetime=28800s
rekeymargin=3m
keyingtries=2
#authby=secret
type=tunnel
left=my-private-local-ip
leftid = my-public-peer-ip
leftsubnet=my-subnet-cidr-block
authby=xauthpsk
leftauth=psk
leftauth2=xauth
xauth_identity=cisco
xauth=client
right=remote-public-peer-ip
rightid=remote-public-peer-ip
rightsubnet=remote-subnet-cidr-block
rightauth=psk
ike=aes256-sha1-modp1024
esp=aes256-sha1-modp1024!
closeaction=restart
lifebytes = 4608000
auto=start
-------------- next part --------------
[root at sms-vpn-gtw1-172-28-5-12 ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.6.3, Linux 4.14.70-72.55.amzn2.x86_64, x86_64):
uptime: 31 seconds, since Sep 29 06:27:58 2018
malloc: sbrk 1888256, mmap 0, used 861280, free 1026976
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
172.28.5.12
172.28.5.11
Connections:
my-client: 172.28.5.12...remote-public-peer-ip IKEv1
my-client: local: [my-public-peer-ip] uses pre-shared key authentication
my-client: local: [my-public-peer-ip] uses XAuth authentication: any with XAuth identity 'cisco'
my-client: remote: [remote-public-peer-ip] uses pre-shared key authentication
my-client: child: 172.28.5.0/28 === remote-subnet-cidr-block TUNNEL
Security Associations (0 up, 1 connecting):
my-client[1]: CONNECTING, 172.28.5.12[3my-public-peer-ip]...remote-public-peer-ip[%any]
my-client[1]: IKEv1 SPIs: be16a8f19994c70a_i* 9d04b8fa33fdb623_r
my-client[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
my-client[1]: Tasks queued: QUICK_MODE
my-client[1]: Tasks active: ISAKMP_VENDOR MAIN_MODE
-------------- next part --------------
[root at sms-vpn-gtw1-172-28-5-12 ~]# tail -n 1 -f /var/log/messages | grep charon
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.70-72.55.amzn2.x86_64, x86_64)
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[CFG] PKCS11 module '<name>' lacks library path
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[LIB] openssl FIPS mode(2) - enabled
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[CFG] loaded IKE secret for my-public-peer-ip
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[CFG] loaded EAP secret for cisco
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[CFG] opening triplet file /etc/strongswan/ipsec.d/triplets.dat failed: No such file or directory
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[CFG] loaded 0 RADIUS server configurations
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[CFG] HA config misses local/remote address
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[CFG] no script for ext-auth script defined, disabled
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[LIB] loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 00[JOB] spawning 16 worker threads
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 05[CFG] received stroke: add connection 'my-client'
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 05[CFG] added configuration 'my-client'
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 06[CFG] received stroke: initiate 'my-client'
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 06[IKE] initiating Main Mode IKE_SA my-client[1] to my-public-peer-ip
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 06[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 06[NET] sending packet: from 172.28.5.12[500] to my-public-peer-ip[500] (252 bytes)
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 09[NET] received packet: from my-public-peer-ip[500] to 172.28.5.12[500] (132 bytes)
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 09[ENC] parsed ID_PROT response 0 [ SA V V ]
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 09[IKE] received NAT-T (RFC 3947) vendor ID
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 09[IKE] received FRAGMENTATION vendor ID
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 09[NET] sending packet: from 172.28.5.12[500] to my-public-peer-ip[500] (244 bytes)
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 10[NET] received packet: from my-public-peer-ip[500] to 172.28.5.12[500] (304 bytes)
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 10[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 10[IKE] received Cisco Unity vendor ID
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 10[IKE] received XAuth vendor ID
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 10[ENC] received unknown vendor ID: 68:c3:1f:e7:33:fc:b6:23:20:d9:93:18:52:63:3e:56
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 10[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 10[IKE] local host is behind NAT, sending keep alives
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 10[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 10[NET] sending packet: from 172.28.5.12[4500] to my-public-peer-ip[4500] (108 bytes)
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 11[NET] received packet: from my-public-peer-ip[500] to 172.28.5.12[500] (40 bytes)
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 11[ENC] parsed INFORMATIONAL_V1 request 0 [ N(PLD_MAL) ]
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 11[ENC] ignoring unprotected INFORMATIONAL from my-public-peer-ip
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 11[IKE] message verification failed
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 11[IKE] ignore malformed INFORMATIONAL request
Sep 29 06:27:58 sms-vpn-gtw1-172-28-5-12 charon: 11[IKE] INFORMATIONAL_V1 request with message ID 0 processing failed
Sep 29 06:28:02 sms-vpn-gtw1-172-28-5-12 charon: 14[IKE] sending retransmit 1 of request message ID 0, seq 3
Sep 29 06:28:02 sms-vpn-gtw1-172-28-5-12 charon: 14[NET] sending packet: from 172.28.5.12[4500] to my-public-peer-ip[4500] (108 bytes)
Sep 29 06:28:02 sms-vpn-gtw1-172-28-5-12 charon: 15[NET] received packet: from my-public-peer-ip[500] to 172.28.5.12[500] (304 bytes)
Sep 29 06:28:02 sms-vpn-gtw1-172-28-5-12 charon: 15[IKE] received retransmit of response with ID 0, but next request already sent
Sep 29 06:28:09 sms-vpn-gtw1-172-28-5-12 charon: 16[IKE] sending retransmit 2 of request message ID 0, seq 3
Sep 29 06:28:09 sms-vpn-gtw1-172-28-5-12 charon: 16[NET] sending packet: from 172.28.5.12[4500] to my-public-peer-ip[4500] (108 bytes)
Sep 29 06:28:09 sms-vpn-gtw1-172-28-5-12 charon: 05[NET] received packet: from my-public-peer-ip[500] to 172.28.5.12[500] (304 bytes)
Sep 29 06:28:09 sms-vpn-gtw1-172-28-5-12 charon: 05[IKE] received retransmit of response with ID 0, but next request already sent
Sep 29 06:28:17 sms-vpn-gtw1-172-28-5-12 charon: 06[NET] received packet: from my-public-peer-ip[500] to 172.28.5.12[500] (304 bytes)
Sep 29 06:28:17 sms-vpn-gtw1-172-28-5-12 charon: 06[IKE] received retransmit of response with ID 0, but next request already sent
Sep 29 06:28:22 sms-vpn-gtw1-172-28-5-12 charon: 10[IKE] sending retransmit 3 of request message ID 0, seq 3
Sep 29 06:28:22 sms-vpn-gtw1-172-28-5-12 charon: 10[NET] sending packet: from 172.28.5.12[4500] to my-public-peer-ip[4500] (108 bytes)
Sep 29 06:28:22 sms-vpn-gtw1-172-28-5-12 charon: 11[NET] received packet: from my-public-peer-ip[500] to 172.28.5.12[500] (92 bytes)
Sep 29 06:28:22 sms-vpn-gtw1-172-28-5-12 charon: 11[ENC] invalid HASH_V1 payload length, decryption failed?
Sep 29 06:28:22 sms-vpn-gtw1-172-28-5-12 charon: 11[ENC] could not decrypt payloads
Sep 29 06:28:22 sms-vpn-gtw1-172-28-5-12 charon: 11[IKE] message parsing failed
Sep 29 06:28:22 sms-vpn-gtw1-172-28-5-12 charon: 11[IKE] ignore malformed INFORMATIONAL request
Sep 29 06:28:22 sms-vpn-gtw1-172-28-5-12 charon: 11[IKE] INFORMATIONAL_V1 request with message ID 2125879064 processing failed
Sep 29 06:28:42 sms-vpn-gtw1-172-28-5-12 charon: 15[IKE] sending keep alive to my-public-peer-ip[4500]
Sep 29 06:28:45 sms-vpn-gtw1-172-28-5-12 charon: 16[IKE] sending retransmit 4 of request message ID 0, seq 3
Sep 29 06:28:45 sms-vpn-gtw1-172-28-5-12 charon: 16[NET] sending packet: from 172.28.5.12[4500] to my-public-peer-ip[4500] (108 bytes)
Sep 29 06:29:05 sms-vpn-gtw1-172-28-5-12 charon: 07[IKE] sending keep alive to my-public-peer-ip[4500]
Sep 29 06:29:25 sms-vpn-gtw1-172-28-5-12 charon: 09[IKE] sending keep alive to my-public-peer-ip[4500]
Sep 29 06:29:27 sms-vpn-gtw1-172-28-5-12 charon: 10[IKE] sending retransmit 5 of request message ID 0, seq 3
Sep 29 06:29:27 sms-vpn-gtw1-172-28-5-12 charon: 10[NET] sending packet: from 172.28.5.12[4500] to my-public-peer-ip[4500] (108 bytes)
Sep 29 06:29:47 sms-vpn-gtw1-172-28-5-12 charon: 13[IKE] sending keep alive to my-public-peer-ip[4500]
Sep 29 06:30:07 sms-vpn-gtw1-172-28-5-12 charon: 12[IKE] sending keep alive to my-public-peer-ip[4500]
Sep 29 06:30:27 sms-vpn-gtw1-172-28-5-12 charon: 16[IKE] sending keep alive to my-public-peer-ip[4500]
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 05[IKE] giving up after 5 retransmits
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 05[IKE] peer not responding, trying again (2/2)
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 05[IKE] initiating Main Mode IKE_SA my-client[1] to my-public-peer-ip
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 05[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 05[NET] sending packet: from 172.28.5.12[500] to my-public-peer-ip[500] (252 bytes)
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 07[NET] received packet: from my-public-peer-ip[500] to 172.28.5.12[500] (132 bytes)
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 07[ENC] parsed ID_PROT response 0 [ SA V V ]
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 07[IKE] received FRAGMENTATION vendor ID
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 07[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 07[NET] sending packet: from 172.28.5.12[500] to my-public-peer-ip[500] (244 bytes)
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 08[NET] received packet: from my-public-peer-ip[500] to 172.28.5.12[500] (304 bytes)
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 08[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 08[IKE] received Cisco Unity vendor ID
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 08[IKE] received XAuth vendor ID
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 08[ENC] received unknown vendor ID: db:8a:bf:79:ee:3c:24:26:43:9e:c2:50:47:e8:1d:f3
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 08[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 08[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 08[NET] sending packet: from 172.28.5.12[4500] to my-public-peer-ip[4500] (108 bytes)
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 06[NET] received packet: from my-public-peer-ip[500] to 172.28.5.12[500] (40 bytes)
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 06[ENC] parsed INFORMATIONAL_V1 request 0 [ N(PLD_MAL) ]
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 06[ENC] ignoring unprotected INFORMATIONAL from my-public-peer-ip
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 06[IKE] message verification failed
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 06[IKE] ignore malformed INFORMATIONAL request
Sep 29 06:30:43 sms-vpn-gtw1-172-28-5-12 charon: 06[IKE] INFORMATIONAL_V1 request with message ID 0 processing failed
Sep 29 06:30:47 sms-vpn-gtw1-172-28-5-12 charon: 13[IKE] sending retransmit 1 of request message ID 0, seq 3
Sep 29 06:30:47 sms-vpn-gtw1-172-28-5-12 charon: 13[NET] sending packet: from 172.28.5.12[4500] to my-public-peer-ip[4500] (108 bytes)
Sep 29 06:30:47 sms-vpn-gtw1-172-28-5-12 charon: 12[NET] received packet: from my-public-peer-ip[500] to 172.28.5.12[500] (304 bytes)
Sep 29 06:30:47 sms-vpn-gtw1-172-28-5-12 charon: 12[IKE] received retransmit of response with ID 0, but next request already sent
Sep 29 06:30:54 sms-vpn-gtw1-172-28-5-12 charon: 14[IKE] sending retransmit 2 of request message ID 0, seq 3
Sep 29 06:30:54 sms-vpn-gtw1-172-28-5-12 charon: 14[NET] sending packet: from 172.28.5.12[4500] to my-public-peer-ip[4500] (108 bytes)
Sep 29 06:30:54 sms-vpn-gtw1-172-28-5-12 charon: 15[NET] received packet: from my-public-peer-ip[500] to 172.28.5.12[500] (304 bytes)
Sep 29 06:30:54 sms-vpn-gtw1-172-28-5-12 charon: 15[IKE] received retransmit of response with ID 0, but next request already sent
Sep 29 06:31:02 sms-vpn-gtw1-172-28-5-12 charon: 16[NET] received packet: from my-public-peer-ip[500] to 172.28.5.12[500] (304 bytes)
Sep 29 06:31:02 sms-vpn-gtw1-172-28-5-12 charon: 16[IKE] received retransmit of response with ID 0, but next request already sent
Sep 29 06:31:07 sms-vpn-gtw1-172-28-5-12 charon: 05[IKE] sending retransmit 3 of request message ID 0, seq 3
Sep 29 06:31:07 sms-vpn-gtw1-172-28-5-12 charon: 05[NET] sending packet: from 172.28.5.12[4500] to my-public-peer-ip[4500] (108 bytes)
Sep 29 06:31:07 sms-vpn-gtw1-172-28-5-12 charon: 07[NET] received packet: from my-public-peer-ip[500] to 172.28.5.12[500] (92 bytes)
Sep 29 06:31:07 sms-vpn-gtw1-172-28-5-12 charon: 07[ENC] invalid HASH_V1 payload length, decryption failed?
Sep 29 06:31:07 sms-vpn-gtw1-172-28-5-12 charon: 07[ENC] could not decrypt payloads
Sep 29 06:31:07 sms-vpn-gtw1-172-28-5-12 charon: 07[IKE] message parsing failed
Sep 29 06:31:07 sms-vpn-gtw1-172-28-5-12 charon: 07[IKE] ignore malformed INFORMATIONAL request
Sep 29 06:31:07 sms-vpn-gtw1-172-28-5-12 charon: 07[IKE] INFORMATIONAL_V1 request with message ID 3124322014 processing failed
Sep 29 06:31:30 sms-vpn-gtw1-172-28-5-12 charon: 11[IKE] sending retransmit 4 of request message ID 0, seq 3
Sep 29 06:31:30 sms-vpn-gtw1-172-28-5-12 charon: 11[NET] sending packet: from 172.28.5.12[4500] to my-public-peer-ip[4500] (108 bytes)
Sep 29 06:32:12 sms-vpn-gtw1-172-28-5-12 charon: 13[IKE] sending retransmit 5 of request message ID 0, seq 3
Sep 29 06:32:12 sms-vpn-gtw1-172-28-5-12 charon: 13[NET] sending packet: from 172.28.5.12[4500] to my-public-peer-ip[4500] (108 bytes)
Sep 29 06:33:28 sms-vpn-gtw1-172-28-5-12 charon: 05[IKE] giving up after 5 retransmits
Sep 29 06:33:28 sms-vpn-gtw1-172-28-5-12 charon: 05[IKE] establishing IKE_SA failed, peer not responding
-------------- next part --------------
== REOMTE PEER ==
Terminating Equipment and Operating System: Cisco ASA 5585x with HA
VPN – Peer IP Address remote-public-peer-ip
VPN Access Permission - Primary host: ip1, ip2, ip3
Phase I : (IKE Phase)
Encryption algorithm: AES256
Hash algorithm (Authentication): SHA-1
Diffie-Hellman group: Group 2 (1024 bits)
Key lifetime in seconds: 86400
Key lifetime in bytes: 0
Phase II : (IPSEC Phase)
Encryption algorithm: AES256
Authentication algorithm: SHA-1
Perfect Forward Secrecy (PFS): No
SA duration in seconds (lifetime): 28800
SA duration in KBytes: 4608000
== LOCAL PEER ==
VPN Gateway IP Address (Peer IP address): my-public-peer-ip
VPN Access Permission (Hosts): myIP1, myIP2
Encryption Scheme : IKE
IKE Phase 1 Group No. : Group 2 (1024 bits)
Key Exchange Encryption : AES256
Data Integrity Method : SHA-1
Authentication Method : Pre-shared
Support Aggressive Mode : NO
Use Compression Method : NO
Use Perfect Forward Secrecy : NO
More information about the Users
mailing list