Netgate Discussion Forum

    Upgrade to 2.2.4 -> The VPN Shared Secret is incorrect

    Category: IPsec
      dgwilson

      Some additional information.

      /var/etc/ipsec: cat ipsec.secrets
      203.97.236.202 @dgw.kiwi : PSK 0<changed to protect me>=
      203.97.236.202 dgwilson : PSK 0<changed to protect me>=

      In the gui the Distinguished name is defined as "dgw.kiwi" - without the quotes.

      • David
        dgwilson

        I'm continuing to look and this and experiment by changing various settings… without success.

        Anyway...  I put the IKE SA debug mode to highest... below is the final part of the log file...  I trust this will be of assistance.

        ... this is a bug right? Do I need to log a bug for it?
        ... can I look at the code for this? Where do I look? not sure I want to go here...

        Aug 6 19:46:51 charon: 11[IKE] <con2|3> sending retransmit 1 of response message ID 0, seq 1
        Aug 6 19:46:51 charon: 11[IKE] <con2|3> sending retransmit 1 of response message ID 0, seq 1
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> INFORMATIONAL_V1 request with message ID 3698334349 processing failed
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> INFORMATIONAL_V1 request with message ID 3698334349 processing failed
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> ignore malformed INFORMATIONAL request
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> ignore malformed INFORMATIONAL request
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> message parsing failed
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> message parsing failed
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> 0: 79 A8 9B 58 75 8C 17 95 00 CF ED 66 9D 5C C8 9D y..Xu......f...
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> next IV for MID 3698334349 => 16 bytes @ 0x29c52cc0
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> 0: 79 A8 9B 58 75 8C 17 95 00 CF ED 66 9D 5C C8 9D y..Xu......f...
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> next IV for MID 3698334349 => 16 bytes @ 0x29c52cc0
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> 16: 21 CC 87 A1 !...
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> 0: 13 3F 59 46 CD E8 8D C4 90 C4 CF 45 F7 7B 18 6A .?YF.......E.{.j
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> natd_hash => 20 bytes @ 0x288f4220
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> 16: 21 CC 87 A1 !...
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> 0: 13 3F 59 46 CD E8 8D C4 90 C4 CF 45 F7 7B 18 6A .?YF.......E.{.j
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> natd_hash => 20 bytes @ 0x288f4220
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> 16: C0 A8 0A 8C 01 F4 ......
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> 0: 76 F5 2A 36 4A CF BE 56 48 89 D8 53 79 59 FD 05 v.*6J..VH..SyY..
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> natd_chunk => 22 bytes @ 0xbeff3d70
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> 16: C0 A8 0A 8C 01 F4 ......
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> 0: 76 F5 2A 36 4A CF BE 56 48 89 D8 53 79 59 FD 05 v.*6J..VH..SyY..
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> natd_chunk => 22 bytes @ 0xbeff3d70
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> 16: 32 67 7D 21 2g}!
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> 0: 37 EB 39 57 FF 4D DB A5 B8 49 21 10 F0 99 47 F9 7.9W.M...I!...G.
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> HASH_R => 20 bytes @ 0x288f4220
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> 16: 32 67 7D 21 2g}!
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> 0: 37 EB 39 57 FF 4D DB A5 B8 49 21 10 F0 99 47 F9 7.9W.M...I!...G.
        Aug 6 19:46:47 charon: 11[IKE] <con2|3> HASH_R => 20 bytes @ 0x288f4220

          dgwilson

          And more debug settings turned on…

          Invalid HASH_V1 payload length, decryption failed....
          could not decrypt payloads ...

          A problem with the IKEv1 decryption??????


          Aug 6 20:02:25 charon: 04[IKE] <con2|4> message parsing failed
          Aug 6 20:02:25 charon: 04[IKE] <con2|4> message parsing failed
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> could not decrypt payloads
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> could not decrypt payloads
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> invalid HASH_V1 payload length, decryption failed?
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> invalid HASH_V1 payload length, decryption failed?
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> 32: 9F 20 CA 1E 76 43 21 1C F9 55 32 CA 7A 41 B9 06 . ..vC!..U2.zA..
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> 16: B1 88 23 C1 87 78 7C 65 7D 48 18 28 B0 C5 F1 E3 ..#..x|e}H.(....
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> 0: CD B2 1F 0E DA FC 34 8A 7D EF AE A9 87 55 3E 7E ......4.}....U>~
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> plain => 48 bytes @ 0x2a093160
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> 32: 9F 20 CA 1E 76 43 21 1C F9 55 32 CA 7A 41 B9 06 . ..vC!..U2.zA..
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> 16: B1 88 23 C1 87 78 7C 65 7D 48 18 28 B0 C5 F1 E3 ..#..x|e}H.(....
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> 0: CD B2 1F 0E DA FC 34 8A 7D EF AE A9 87 55 3E 7E ......4.}....U>~
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> plain => 48 bytes @ 0x2a093160
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> 32: 7E 9F 84 3A CA 15 B9 B0 9C F2 59 42 8C 89 8F 4F ~..:......YB...O
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> 16: BB E9 E4 BC 7B EF F4 9E 5E 85 28 EC A0 56 21 E8 ....{...^.(..V!.
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> 0: F2 A5 D0 0C 60 E8 C7 2E FE 0F 52 33 53 D3 AC 1A .........R3S...
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> encrypted => 48 bytes @ 0x2a093160
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> 32: 7E 9F 84 3A CA 15 B9 B0 9C F2 59 42 8C 89 8F 4F ~..:......YB...O
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> 16: BB E9 E4 BC 7B EF F4 9E 5E 85 28 EC A0 56 21 E8 ....{...^.(..V!.
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> 0: F2 A5 D0 0C 60 E8 C7 2E FE 0F 52 33 53 D3 AC 1A .........R3S...
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> encrypted => 48 bytes @ 0x2a093160
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> decrypting payloads:
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> decrypting payloads:
          Aug 6 20:02:25 charon: 04[IKE] <con2|4> 0: C4 A3 00 AE 5C EE 73 4F D3 78 C4 62 79 3E 18 03 .....sO.x.by>..
          Aug 6 20:02:25 charon: 04[IKE] <con2|4> next IV for MID 3073414076 => 16 bytes @ 0x29c4e800
          Aug 6 20:02:25 charon: 04[IKE] <con2|4> 0: C4 A3 00 AE 5C EE 73 4F D3 78 C4 62 79 3E 18 03 .....sO.x.by>..
          Aug 6 20:02:25 charon: 04[IKE] <con2|4> next IV for MID 3073414076 => 16 bytes @ 0x29c4e800
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> found an encrypted payload
          Aug 6 20:02:25 charon: 04[ENC] <con2|4> found an encrypted payload

          ------------------------------------------------------------------------------------------------------------------

          And more debug settings...
          IKEv1
          Authentication: Mutual PSK + Xauth
          Negotiation: Aggressive

          --> invalid shared secret

          ... yes I'm trying to connect internally on the network to test. It's worked in the past.


          Aug 6 20:24:09 charon: 09[NET] <con2|1> sending packet: from 203.97.236.202[500] to 192.168.10.140[500] (432 bytes)
          Aug 6 20:24:09 charon: 09[IKE] <con2|1> sending retransmit 1 of response message ID 0, seq 1
          Aug 6 20:24:09 charon: 09[IKE] <con2|1> sending retransmit 1 of response message ID 0, seq 1
          Aug 6 20:24:05 charon: 09[IKE] <con2|1> INFORMATIONAL_V1 request with message ID 2747622485 processing failed
          Aug 6 20:24:05 charon: 09[IKE] <con2|1> INFORMATIONAL_V1 request with message ID 2747622485 processing failed
          Aug 6 20:24:05 charon: 09[IKE] <con2|1> ignore malformed INFORMATIONAL request
          Aug 6 20:24:05 charon: 09[IKE] <con2|1> ignore malformed INFORMATIONAL request
          Aug 6 20:24:05 charon: 09[IKE] <con2|1> message parsing failed
          Aug 6 20:24:05 charon: 09[IKE] <con2|1> message parsing failed
          Aug 6 20:24:05 charon: 09[ENC] <con2|1> could not decrypt payloads
          Aug 6 20:24:05 charon: 09[ENC] <con2|1> invalid HASH_V1 payload length, decryption failed?
          Aug 6 20:24:05 charon: 09[NET] <con2|1> received packet: from 192.168.10.140[4500] to 203.97.236.202[4500] (76 bytes)
          Aug 6 20:24:05 charon: 09[NET] <con2|1> sending packet: from 203.97.236.202[500] to 192.168.10.140[500] (432 bytes)
          Aug 6 20:24:05 charon: 09[ENC] <con2|1> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
          Aug 6 20:24:05 charon: 09[CFG] <1> selected peer config "con2"
          Aug 6 20:24:05 charon: 09[CFG] <1> looking for XAuthInitPSK peer configs matching 203.97.236.202...192.168.10.140[dgw.kiwi]
          Aug 6 20:24:05 charon: 09[IKE] <1> 192.168.10.140 is initiating a Aggressive Mode IKE_SA
          Aug 6 20:24:05 charon: 09[IKE] <1> 192.168.10.140 is initiating a Aggressive Mode IKE_SA
          Aug 6 20:24:05 charon: 09[IKE] <1> received DPD vendor ID
          Aug 6 20:24:05 charon: 09[IKE] <1> received DPD vendor ID
          Aug 6 20:24:05 charon: 09[IKE] <1> received Cisco Unity vendor ID
          Aug 6 20:24:05 charon: 09[IKE] <1> received Cisco Unity vendor ID
          Aug 6 20:24:05 charon: 09[IKE] <1> received XAuth vendor ID
          Aug 6 20:24:05 charon: 09[IKE] <1> received XAuth vendor ID

            cmb
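A small triage script for charon logs like the ones posted above, added here as an example; it is not part of the original post and not pfSense or strongSwan code. It groups lines by IKE_SA, pulls the identities out of the `looking for ... peer configs matching` line, and flags the pattern in this thread: an AGGRESSIVE response goes out and the next packet from the peer (here an INFORMATIONAL_V1) fails to decrypt with `invalid HASH_V1 payload length`. In IKEv1 the IKE keys are derived from the PSK, so that pattern is consistent with the two sides using different secrets; it does not say which side has the wrong one. The sample lines are a subset of the post above (with the `…` the forum substituted for `...` restored and one doubled line kept, to show the de-duplication); the `IKE_SA ... established` line for a second IKE_SA is constructed so the success verdict is exercised too.

```python
"""Triage charon (strongSwan) log lines for the IKEv1 failure seen in this thread.

Added example; not pfSense or strongSwan code. Lines are grouped by the IKE_SA
unique ID (the number in "<1>" / "<con2|1>") and the verdict is derived from a
few well-known charon messages. Input order does not matter, so the newest-first
order pfSense shows can be pasted as-is.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] <(?P<sa>[^>]*)>\s*(?P<msg>.*)$"
)
# e.g. "looking for XAuthInitPSK peer configs matching 203.97.236.202...192.168.10.140[dgw.kiwi]"
MATCHING_RE = re.compile(
    r"looking for (?P<auth>\S+) peer configs matching "
    r"(?P<local>\S+?)\.\.\.(?P<remote>[^\[\s]+)\[(?P<remote_id>[^\]]*)\]"
)


@dataclass
class SaTriage:
    sa: str
    config: Optional[str] = None
    auth: Optional[str] = None
    local: Optional[str] = None
    remote: Optional[str] = None
    remote_id: Optional[str] = None
    aggressive_responder: bool = False
    decrypt_failed: bool = False
    established: bool = False

    @property
    def verdict(self) -> str:
        if self.established:
            return "ok"
        if self.aggressive_responder and self.decrypt_failed:
            # We answered an aggressive-mode request, then could not decrypt what
            # the peer sent next. IKEv1 derives SKEYID (and so the encryption key)
            # from the PSK, so this is what different secrets on the two sides look like.
            return "psk-mismatch-suspected"
        if self.decrypt_failed:
            return "decrypt-failed"
        return "inconclusive"


def triage(log: str) -> Dict[str, SaTriage]:
    """Parse charon lines, skip consecutive exact duplicates, flag the tell-tale messages."""
    log = log.replace("\u2026", "...")          # forum software turns "..." into one character
    result: Dict[str, SaTriage] = {}
    prev = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == prev:
            continue
        prev = line
        m = LINE_RE.match(line)
        if not m:
            continue
        cfg, _, uid = m["sa"].rpartition("|")   # "<1>" before config selection, "<con2|1>" after
        t = result.setdefault(uid, SaTriage(sa=uid))
        if cfg:
            t.config = cfg
        msg = m["msg"]
        mm = MATCHING_RE.search(msg)
        if mm:
            t.auth, t.local = mm["auth"], mm["local"]
            t.remote, t.remote_id = mm["remote"], mm["remote_id"]
        elif msg.startswith("selected peer config") and '"' in msg:
            t.config = msg.split('"')[1]
        elif "generating AGGRESSIVE response" in msg:
            t.aggressive_responder = True
        elif "invalid HASH_V1 payload length" in msg or msg == "could not decrypt payloads":
            t.decrypt_failed = True
        elif msg.startswith("IKE_SA") and "established between" in msg:
            t.established = True
    return result


def verdicts(log: str) -> Dict[str, str]:
    """Convenience view: IKE_SA unique ID -> verdict."""
    return {uid: t.verdict for uid, t in triage(log).items()}


# Sample input: the first line is constructed (a successful second IKE_SA); the
# rest are lines from the forum post, newest first, with one doubled line kept.
SAMPLE_LOG = """\
Aug 7 17:40:02 charon: 16[IKE] <con2|2> IKE_SA con2[2] established between 203.97.236.202[203.97.236.202]...192.168.10.140[dgw.kiwi]
Aug 7 17:39:31 charon: 15[NET] <con2|1> sending packet: from 203.97.236.202[500] to 192.168.10.140[500] (432 bytes)
Aug 7 17:39:31 charon: 15[IKE] <con2|1> sending retransmit 1 of response message ID 0, seq 1
Aug 7 17:39:31 charon: 15[IKE] <con2|1> sending retransmit 1 of response message ID 0, seq 1
Aug 7 17:39:27 charon: 15[IKE] <con2|1> INFORMATIONAL_V1 request with message ID 3403150820 processing failed
Aug 7 17:39:27 charon: 15[IKE] <con2|1> ignore malformed INFORMATIONAL request
Aug 7 17:39:27 charon: 15[IKE] <con2|1> message parsing failed
Aug 7 17:39:27 charon: 15[ENC] <con2|1> could not decrypt payloads
Aug 7 17:39:27 charon: 15[ENC] <con2|1> invalid HASH_V1 payload length, decryption failed?
Aug 7 17:39:27 charon: 15[NET] <con2|1> received packet: from 192.168.10.140[4500] to 203.97.236.202[4500] (76 bytes)
Aug 7 17:39:27 charon: 15[ENC] <con2|1> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Aug 7 17:39:27 charon: 15[CFG] <1> selected peer config "con2"
Aug 7 17:39:27 charon: 15[CFG] <1> looking for XAuthInitPSK peer configs matching 203.97.236.202…192.168.10.140[dgw.kiwi]
Aug 7 17:39:27 charon: 15[IKE] <1> 192.168.10.140 is initiating a Aggressive Mode IKE_SA
"""

if __name__ == "__main__":
    for uid, t in triage(SAMPLE_LOG).items():
        print(f"IKE_SA {uid} ({t.config}, {t.auth}): {t.local} <- {t.remote}[{t.remote_id}] => {t.verdict}")
```

Run it against the pfSense IPsec log with the IKE SA and encoding debug levels raised, as the poster did; a `psk-mismatch-suspected` verdict is the cue to compare the selectors in `/var/etc/ipsec/ipsec.secrets` with the identities printed in the `matching` line.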

            You have the client connecting to an IP or hostname?

              dgwilson

              Client is connecting to an IP Address.

              Always has. Hmmm, recommended config change somewhere? Interesting.

              • David
                cmb

                Was curious if by FQDN, in case that made it not match ipsec.secrets for some reason.

                Try changing your IP in ipsec.secrets to:

                %any @dgw.kiwi : PSK ...
                

                Then run 'ipsec stop && ipsec start' and try to connect again. If you have other connections you don't want to drop, just a 'ipsec rereadall' will suffice, a stop/start just makes really sure everything previous is cleared out, and any SAs are deleted.

                If that doesn't work, try omitting the %any part in the above. If that doesn't work, take the leading part out entirely so you have something like:

                 : PSK ...
                

                And let us know the results.

                  dgwilson

                  I changed ipsec.secrets to:
                  %any @dgw.kiwi : PSK 0<deleted>=
                  203.97.236.202 dgwilson : PSK 0<deleted>=

                  Initiated the stop and start… from the command line.
                  Received the same error... Shared Secret is incorrect.

                  I confirm that the contents of ipsec.secrets was correct before and after the connection.
                  Stopping and starting the service via the GUI causes ipsec.secrets to be re-created. (I suspect you knew that. :-) )

                  Aug 7 17:39:31 charon: 15[NET] <con2|1> sending packet: from 203.97.236.202[500] to 192.168.10.140[500] (432 bytes)
                  Aug 7 17:39:31 charon: 15[IKE] <con2|1> sending retransmit 1 of response message ID 0, seq 1
                  Aug 7 17:39:31 charon: 15[IKE] <con2|1> sending retransmit 1 of response message ID 0, seq 1
                  Aug 7 17:39:27 charon: 15[IKE] <con2|1> INFORMATIONAL_V1 request with message ID 3403150820 processing failed
                  Aug 7 17:39:27 charon: 15[IKE] <con2|1> INFORMATIONAL_V1 request with message ID 3403150820 processing failed
                  Aug 7 17:39:27 charon: 15[IKE] <con2|1> ignore malformed INFORMATIONAL request
                  Aug 7 17:39:27 charon: 15[IKE] <con2|1> ignore malformed INFORMATIONAL request
                  Aug 7 17:39:27 charon: 15[IKE] <con2|1> message parsing failed
                  Aug 7 17:39:27 charon: 15[IKE] <con2|1> message parsing failed
                  Aug 7 17:39:27 charon: 15[ENC] <con2|1> could not decrypt payloads
                  Aug 7 17:39:27 charon: 15[ENC] <con2|1> invalid HASH_V1 payload length, decryption failed?
                  Aug 7 17:39:27 charon: 15[NET] <con2|1> received packet: from 192.168.10.140[4500] to 203.97.236.202[4500] (76 bytes)
                  Aug 7 17:39:27 charon: 15[NET] <con2|1> sending packet: from 203.97.236.202[500] to 192.168.10.140[500] (432 bytes)
                  Aug 7 17:39:27 charon: 15[ENC] <con2|1> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
                  Aug 7 17:39:27 charon: 15[CFG] <1> selected peer config "con2"
                  Aug 7 17:39:27 charon: 15[CFG] <1> looking for XAuthInitPSK peer configs matching 203.97.236.202...192.168.10.140[dgw.kiwi]
                  Aug 7 17:39:27 charon: 15[IKE] <1> 192.168.10.140 is initiating a Aggressive Mode IKE_SA
                  Aug 7 17:39:27 charon: 15[IKE] <1> 192.168.10.140 is initiating a Aggressive Mode IKE_SA
                  Aug 7 17:39:27 charon: 15[IKE] <1> received DPD vendor ID
                  Aug 7 17:39:27 charon: 15[IKE] <1> received DPD vendor ID
                  Aug 7 17:39:27 charon: 15[IKE] <1> received Cisco Unity vendor ID
                  Aug 7 17:39:27 charon: 15[IKE] <1> received Cisco Unity vendor ID
                  Aug 7 17:39:27 charon: 15[IKE] <1> received XAuth vendor ID
                  Aug 7 17:39:27 charon: 15[IKE] <1> received XAuth vendor ID
                  Aug 7 17:39:27 charon: 15[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                  Aug 7 17:39:27 charon: 15[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID

                    dgwilson

                    I have continued… removing the %any
                    ... that met with the same fate of Shared Secret is incorrect.

                    and continuing again to remove the dgw.kiwi so that I'm left with : PSK...

                    and... we have a connection! Success.

                    I'm happy to continue the playing and experimenting to assist with the fault diagnosis.
                    Let me know what you'd like me to do.

                    • David
                      juniper80
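The three ipsec.secrets layouts tried above (full selectors, `%any` plus the FQDN, no selector at all) differ only in which peer identities the line is allowed to match. The following model, added here as an example and not pfSense or strongSwan code, applies the selector rules from ipsec.secrets(5) to the identities charon logged in this thread (local 203.97.236.202, remote dgw.kiwi as an FQDN) and shows which line each layout picks. It parses only the selector forms that occur here (`%any`, `@fqdn`, `user@host`, an IPv4 address, a bare name taken as an FQDN). Two details are this author's reading of strongSwan's credential manager rather than anything the thread establishes: a line is a candidate when either identity matches one of its selectors, and candidates are ranked by remote-ID match first, then local-ID match. The thread does not say why the fully qualified line stopped matching after the upgrade, and the model does not claim to. PSK values are placeholders.

```python
"""Model of how a PSK is chosen from ipsec.secrets for one IKEv1 peer.

Added example for this thread; not pfSense or strongSwan code. Selector rules
follow ipsec.secrets(5): %any matches any ID, a typed selector matches only the
same ID type and value, and a line with no selectors matches any peer. The
candidate rule and ranking below are this author's reading of strongSwan's
credential manager (see the lead-in), not something the thread confirms.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Match qualities, ordered like strongSwan's ID_MATCH_NONE / ID_MATCH_ANY / ID_MATCH_PERFECT.
NONE, ANY, PERFECT = 0, 1, 20


@dataclass(frozen=True)
class Identity:
    kind: str   # "any", "ipv4", "fqdn" or "user_fqdn"
    value: str

    def match(self, selector: "Identity") -> int:
        """How well this peer ID matches one selector from ipsec.secrets."""
        if selector.kind == "any":
            return ANY
        if selector.kind == self.kind and selector.value == self.value:
            return PERFECT
        return NONE                           # different type or different value


def parse_id(text: str) -> Identity:
    """Selector parser for the forms used in this thread only."""
    if text in ("%any", "0.0.0.0", "*"):
        return Identity("any", "")
    if text.startswith("@"):
        return Identity("fqdn", text[1:])     # @name: FQDN, never resolved
    if "@" in text:
        return Identity("user_fqdn", text)    # user@host
    try:
        return Identity("ipv4", str(ipaddress.IPv4Address(text)))
    except ValueError:
        return Identity("fqdn", text)         # bare name (e.g. dgwilson): treated as FQDN


@dataclass(frozen=True)
class Secret:
    selectors: Tuple[Identity, ...]
    psk: str


# "sel sel ... : PSK value"; IPv6 selectors (which contain ':') are out of scope here.
LINE_RE = re.compile(r"^(?P<sel>[^:]*):\s*PSK\s+(?P<psk>\S+)$")


def parse_secrets(text: str) -> List[Secret]:
    """Parse PSK lines; blank lines and # comments are skipped."""
    secrets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ipsec.secrets line: {line!r}")
        selectors = tuple(parse_id(tok) for tok in m["sel"].split())
        secrets.append(Secret(selectors, m["psk"].strip('"')))
    return secrets


def score(secret: Secret, me: Identity, other: Identity) -> Tuple[int, int]:
    """(local match, remote match) for one line; no selectors means it matches anyone."""
    if not secret.selectors:
        return ANY, ANY
    return (max(me.match(s) for s in secret.selectors),
            max(other.match(s) for s in secret.selectors))


def lookup_psk(secrets: List[Secret], me: Identity, other: Identity) -> Optional[str]:
    """Best line for this identity pair, or None when no selector matches either ID."""
    best, best_me, best_other = None, NONE, NONE
    for s in secrets:
        m, o = score(s, me, other)
        if m == NONE and o == NONE:
            continue                           # neither side matched: not a candidate
        if o > best_other or (o == best_other and m > best_me):
            best, best_me, best_other = s.psk, m, o
    return best


# The three layouts tried in the thread, with placeholder PSKs (pfSense writes 0s<base64>).
ORIGINAL = """\
203.97.236.202 @dgw.kiwi : PSK 0sEXACT
203.97.236.202 dgwilson : PSK 0sUSER
"""
WILDCARD = """\
%any @dgw.kiwi : PSK 0sWILD
203.97.236.202 dgwilson : PSK 0sUSER
"""
CATCHALL = """\
: PSK 0sCATCHALL
203.97.236.202 dgwilson : PSK 0sUSER
"""

# Identities as charon logged them: local 203.97.236.202, remote dgw.kiwi (FQDN).
ME = Identity("ipv4", "203.97.236.202")
PEER = Identity("fqdn", "dgw.kiwi")


def demo() -> dict:
    stranger = Identity("fqdn", "someone.example")   # constructed: an unrelated peer ID
    return {
        "original": lookup_psk(parse_secrets(ORIGINAL), ME, PEER),
        "wildcard": lookup_psk(parse_secrets(WILDCARD), ME, PEER),
        "catchall": lookup_psk(parse_secrets(CATCHALL), ME, PEER),
        "catchall_stranger": lookup_psk(parse_secrets(CATCHALL), ME, stranger),
        "exact_beats_catchall": lookup_psk(parse_secrets(ORIGINAL + CATCHALL), ME, PEER),
    }


if __name__ == "__main__":
    for case, psk in demo().items():
        print(f"{case}: {psk}")
```

The `catchall_stranger` case is the trade-off in the fix that worked: a line with no selector matches any identity pair, so that PSK is offered to every PSK peer of the firewall that no more specific line outranks. With IKEv1 aggressive mode the responder's HASH_R goes out before anything is encrypted, so a PSK shared that widely should be long and random rather than a word a dictionary run would hit.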

                      @dgwilson:

                      and continuing again to remove the dgw.kiwi so that I'm left with : PSK…

                      and... we have a connection! Success.

                      I had the same issue (Update from 2.1 -> 2.2.4, IPsec Phase1 keeps failing)

                      I can confirm, this worked for me as well….

                      woohoo!

                        cmb

                        @dgwilson:

                        Stopping and starting the service via the GUI causes ipsec.secrets to be re-created. (I suspect you knew that. :-) )

                        Yeah, I meant to run those commands from the shell, which won't regenerate the conf files.

                        @dgwilson:

                        and… we have a connection! Success.

                        Ok good, thanks for that. I'll check into that further to see what the difference is.

                          cmb

                          @juniper80:

                          I had the same issue (Update from 2.1 -> 2.2.4, IPsec Phase1 keeps failing)

                          I can confirm, this worked for me as well….

                          With iOS and/or OS X mobile clients?

                            dgwilson

                            I have tested on iOS as well.

                            The connection failed until I repeated the edits required on ipsec.secrets by making it look like…

                            : PSK ...

                            • David
                              cvance

                              Issue and solution confirmed. Thanks for all the help.

                                juniper80

                                @cmb:

                                @juniper80:

                                I had the same issue (Update from 2.1 -> 2.2.4, IPsec Phase1 keeps failing)

                                I can confirm, this worked for me as well….

                                With iOS and/or OS X mobile clients?

                                For me this solved the issue on Windows with Shrewsoft VPN Client.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.