Can't get IPSEC to connect, been trying for days.
-
Here are the logs. I've tried all sorts of ways to set it up, no luck...
Jan 24 16:06:19 charon 07[NET] <con1|7>received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (80 bytes)
Jan 24 16:06:19 charon 07[ENC] <con1|7>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 24 16:06:19 charon 07[IKE] <con1|7>received AUTHENTICATION_FAILED notify error
Jan 24 16:06:24 charon 07[NET] <8> received packet: from 110.142.113.249[500] to 192.168.15.2[500] (336 bytes)
Jan 24 16:06:24 charon 07[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 24 16:06:24 charon 07[IKE] <8> 110.142.113.249 is initiating an IKE_SA
Jan 24 16:06:24 charon 07[IKE] <8> local host is behind NAT, sending keep alives
Jan 24 16:06:24 charon 07[IKE] <8> remote host is behind NAT
Jan 24 16:06:24 charon 07[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 24 16:06:24 charon 07[NET] <8> sending packet: from 192.168.15.2[500] to 110.142.113.249[500] (338 bytes)
Jan 24 16:06:24 charon 07[NET] <8> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (256 bytes)
Jan 24 16:06:24 charon 07[ENC] <8> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jan 24 16:06:24 charon 07[CFG] <8> looking for peer configs matching 192.168.15.2[120.151.146.229]...110.142.113.249[192.168.1.2]
Jan 24 16:06:24 charon 07[CFG] <bypasslan|8>selected peer config 'bypasslan'
Jan 24 16:06:24 charon 07[IKE] <bypasslan|8>no shared key found for '120.151.146.229' - '192.168.1.2'
Jan 24 16:06:24 charon 07[IKE] <bypasslan|8>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 24 16:06:24 charon 07[ENC] <bypasslan|8>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 24 16:06:24 charon 07[NET] <bypasslan|8>sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (80 bytes)
Jan 24 16:06:26 charon 07[NET] <9> received packet: from 110.142.113.249[500] to 192.168.15.2[500] (336 bytes)
Jan 24 16:06:26 charon 07[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 24 16:06:26 charon 07[IKE] <9> 110.142.113.249 is initiating an IKE_SA
Jan 24 16:06:27 charon 07[IKE] <9> local host is behind NAT, sending keep alives
Jan 24 16:06:27 charon 07[IKE] <9> remote host is behind NAT
Jan 24 16:06:27 charon 07[ENC] <9> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 24 16:06:27 charon 07[NET] <9> sending packet: from 192.168.15.2[500] to 110.142.113.249[500] (338 bytes)
Jan 24 16:06:27 charon 07[NET] <9> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (256 bytes)
Jan 24 16:06:27 charon 07[ENC] <9> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jan 24 16:06:27 charon 07[CFG] <9> looking for peer configs matching 192.168.15.2[120.151.146.229]...110.142.113.249[192.168.1.2]
Jan 24 16:06:27 charon 07[CFG] <bypasslan|9>selected peer config 'bypasslan'
Jan 24 16:06:27 charon 07[IKE] <bypasslan|9>no shared key found for '120.151.146.229' - '192.168.1.2'
Jan 24 16:06:27 charon 07[IKE] <bypasslan|9>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 24 16:06:27 charon 07[ENC] <bypasslan|9>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 24 16:06:27 charon 07[NET] <bypasslan|9>sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (80 bytes)
Jan 24 16:07:11 charon 05[CFG] received stroke: terminate 'con1'
Jan 24 16:07:11 charon 05[CFG] no IKE_SA named 'con1' found
Jan 24 16:07:11 charon 06[CFG] received stroke: initiate 'con1'
Jan 24 16:07:11 charon 05[IKE] <con1|10>initiating IKE_SA con1[10] to 110.142.113.249
Jan 24 16:07:11 charon 05[ENC] <con1|10>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 24 16:07:11 charon 05[NET] <con1|10>sending packet: from 192.168.15.2[500] to 110.142.113.249[500] (338 bytes)
Jan 24 16:07:11 charon 05[NET] <con1|10>received packet: from 110.142.113.249[500] to 192.168.15.2[500] (336 bytes)
Jan 24 16:07:11 charon 05[ENC] <con1|10>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 24 16:07:11 charon 05[IKE] <con1|10>local host is behind NAT, sending keep alives
Jan 24 16:07:11 charon 05[IKE] <con1|10>remote host is behind NAT
Jan 24 16:07:11 charon 05[IKE] <con1|10>authentication of '192.168.15.2' (myself) with pre-shared key
Jan 24 16:07:11 charon 05[IKE] <con1|10>establishing CHILD_SA con1{6}
Jan 24 16:07:11 charon 05[ENC] <con1|10>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jan 24 16:07:11 charon 05[NET] <con1|10>sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (272 bytes)
Jan 24 16:07:11 charon 05[NET] <con1|10>received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (80 bytes)
Jan 24 16:07:11 charon 05[ENC] <con1|10>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 24 16:07:11 charon 05[IKE] <con1|10>received AUTHENTICATION_FAILED notify error
-
more logs
Jan 24 16:14:12 charon 13[NET] <11> sending packet: from 192.168.0.1[500] to 110.142.113.249[500] (338 bytes)
Jan 24 16:14:12 charon 13[NET] <11> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (256 bytes)
Jan 24 16:14:12 charon 13[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jan 24 16:14:12 charon 13[CFG] <11> looking for peer configs matching 192.168.15.2[120.151.146.229]...110.142.113.249[192.168.1.2]
Jan 24 16:14:12 charon 13[CFG] <bypasslan|11>selected peer config 'bypasslan'
Jan 24 16:14:12 charon 13[IKE] <bypasslan|11>no shared key found for '120.151.146.229' - '192.168.1.2'
Jan 24 16:14:12 charon 13[IKE] <bypasslan|11>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 24 16:14:12 charon 13[ENC] <bypasslan|11>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 24 16:14:13 charon 13[NET] <bypasslan|11>sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (80 bytes)
Jan 24 16:14:22 charon 11[CFG] rereading secrets
Jan 24 16:14:22 charon 11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Jan 24 16:14:22 charon 11[CFG] loaded IKE secret for %any 110.142.113.249
Jan 24 16:14:22 charon 11[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jan 24 16:14:22 charon 11[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jan 24 16:14:22 charon 11[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jan 24 16:14:22 charon 11[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jan 24 16:14:22 charon 11[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Jan 24 16:14:22 charon 13[CFG] received stroke: unroute 'bypasslan'
Jan 24 16:14:22 ipsec_starter 28108 shunt policy 'bypasslan' uninstalled
Jan 24 16:14:22 charon 10[CFG] received stroke: delete connection 'bypasslan'
Jan 24 16:14:22 charon 10[CFG] deleted connection 'bypasslan'
Jan 24 16:14:22 charon 11[CFG] received stroke: unroute 'con1'
Jan 24 16:14:22 ipsec_starter 28108 configuration 'con1' unrouted
Jan 24 16:14:22 charon 13[CFG] received stroke: delete connection 'con1'
Jan 24 16:14:22 charon 13[CFG] deleted connection 'con1'
Jan 24 16:14:22 charon 13[CFG] received stroke: add connection 'bypasslan'
Jan 24 16:14:22 charon 13[CFG] added configuration 'bypasslan'
Jan 24 16:14:22 charon 10[CFG] received stroke: route 'bypasslan'
Jan 24 16:14:22 ipsec_starter 28108 'bypasslan' shunt PASS policy installed
Jan 24 16:14:22 charon 08[CFG] received stroke: add connection 'con1'
Jan 24 16:14:22 charon 08[CFG] added configuration 'con1'
Jan 24 16:14:22 charon 08[CFG] received stroke: route 'con1'
Jan 24 16:14:22 ipsec_starter 28108 'con1' routed
Jan 24 16:14:26 charon 10[CFG] received stroke: terminate 'con1'
Jan 24 16:14:26 charon 10[CFG] no IKE_SA named 'con1' found
Jan 24 16:14:26 charon 16[CFG] received stroke: initiate 'con1'
Jan 24 16:14:26 charon 10[IKE] <con1|12>initiating IKE_SA con1[12] to 110.142.113.249
Jan 24 16:14:26 charon 10[ENC] <con1|12>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 24 16:14:26 charon 10[NET] <con1|12>sending packet: from 192.168.15.2[500] to 110.142.113.249[500] (338 bytes)
Jan 24 16:14:26 charon 10[NET] <con1|12>received packet: from 110.142.113.249[500] to 192.168.15.2[500] (336 bytes)
Jan 24 16:14:26 charon 10[ENC] <con1|12>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 24 16:14:26 charon 10[IKE] <con1|12>local host is behind NAT, sending keep alives
Jan 24 16:14:26 charon 10[IKE] <con1|12>remote host is behind NAT
Jan 24 16:14:26 charon 10[IKE] <con1|12>authentication of '192.168.15.2' (myself) with pre-shared key
Jan 24 16:14:26 charon 10[IKE] <con1|12>establishing CHILD_SA con1{8}
Jan 24 16:14:26 charon 10[ENC] <con1|12>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jan 24 16:14:26 charon 10[NET] <con1|12>sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (272 bytes)
Jan 24 16:14:27 charon 10[NET] <con1|12>received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (80 bytes)
Jan 24 16:14:27 charon 10[ENC] <con1|12>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 24 16:14:27 charon 10[IKE] <con1|12>received AUTHENTICATION_FAILED notify error
-
You are behind NAT. You probably need to explicitly set the public IP address as your identifier in the phase 1.
If your address is dynamic, you will probably need to set a distinguished name instead.
The other side is rejecting the authentication. You will need to be on the same page with them.
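As an added example (not part of any post in this thread), a small Python triage script that reads responder-side charon lines like the ones posted above, pulls the identities the peer presented out of the "looking for peer configs matching" line, compares them with the addresses actually in use, and spells out the mismatch the reply points at. The sample log is constructed in the shape of the posted lines, and the connection name `con1` is the one from the thread.

```python
import re

# Constructed sample: responder-side charon lines in the shape of those posted in the thread.
SAMPLE_LOG = """\
Jan 24 16:06:24 charon 07[IKE] <8> local host is behind NAT, sending keep alives
Jan 24 16:06:24 charon 07[CFG] <8> looking for peer configs matching 192.168.15.2[120.151.146.229]...110.142.113.249[192.168.1.2]
Jan 24 16:06:24 charon 07[CFG] <bypasslan|8>selected peer config 'bypasslan'
Jan 24 16:06:24 charon 07[IKE] <bypasslan|8>no shared key found for '120.151.146.229' - '192.168.1.2'
Jan 24 16:06:24 charon 07[ENC] <bypasslan|8>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Format: "looking for peer configs matching <my addr>[<IDr the peer sent>]...<peer addr>[<IDi the peer sent>]"
# The alternation also accepts the Unicode ellipsis that forum software substitutes for "...".
MATCH_RE = re.compile(r"looking for peer configs matching (\S+?)\[([^\]]+)\](?:\.\.\.|\u2026)(\S+?)\[([^\]]+)\]")
SELECTED_RE = re.compile(r"selected peer config '([^']+)'")
NOKEY_RE = re.compile(r"no shared key found for '([^']+)' - '([^']+)'")


def diagnose(log, expected_conn="con1"):
    """Explain a responder-side AUTH_FAILED by comparing our address with the identity the peer used for us."""
    r = {"behind_nat": False, "selected": None, "missing_psk": None, "local_addr": None,
         "local_id": None, "remote_addr": None, "remote_id": None, "findings": []}
    for line in log.splitlines():
        if "local host is behind NAT" in line:
            r["behind_nat"] = True
        if m := MATCH_RE.search(line):
            r["local_addr"], r["local_id"], r["remote_addr"], r["remote_id"] = m.groups()
        if m := SELECTED_RE.search(line):
            r["selected"] = m.group(1)
        if m := NOKEY_RE.search(line):
            r["missing_psk"] = m.groups()
    # A different config than the tunnel we wanted got selected: the presented IDs did not fit it.
    if r["selected"] and r["selected"] != expected_conn:
        r["findings"].append(f"config '{r['selected']}' matched instead of '{expected_conn}': "
                             f"the presented IDs do not fit '{expected_conn}'")
    # The peer addressed us by one identity while we answered from another (typical behind NAT).
    if r["local_id"] and r["local_addr"] and r["local_id"] != r["local_addr"]:
        nat = " (consistent with: local host is behind NAT)" if r["behind_nat"] else ""
        r["findings"].append(f"peer addressed us as '{r['local_id']}' but we answered from {r['local_addr']}{nat}; "
                             f"set the local IKE identifier to '{r['local_id']}' so '{expected_conn}' matches")
    # The PSK lookup is keyed on the IKE identities, so a wrong identity also means no secret is found.
    if r["missing_psk"]:
        r["findings"].append("no PSK for IDs %r: the secret lookup uses the IKE identities, not the tunnel addresses"
                             % (r["missing_psk"],))
    return r


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Run it against the responder's log rather than the initiator's: the initiator only ever sees the bare `N(AUTH_FAILED)` notify, while the responder's CFG/IKE lines carry the identities that explain it.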
-
Thanks mate, that fixed it. Legend.
-
Also fixed mine. Thanks for your insight again, Derelict.
-
And mine. Thanks!
-
Three-year-old post saved the few remaining hairs on my well-scratched head. Such a simple fix - thank you!
-
Laughs! A post from 4 years ago managed to get me out of a problem I was having. Thank you very much!