    Netgate Discussion Forum
    IPsec doesnt work in or out of office

    IPsec
    ganjawizard last edited by

      Hi.

      We tried to establish a VPN connection for "Road Warriors", as the tutorial calls it. We had several problems receiving an answer from the VPN server.

      I tried several clients (iOS, Windows, Linux, Mac) … nothing worked, and it is the same problem everywhere.

      I use the same settings as in the tutorial.

      Here is my ipsec config:

      
      config setup
      	uniqueids = yes
      
      conn bypasslan
      	leftsubnet = 192.168.1.0/24
      	rightsubnet = 192.168.1.0/24
      	authby = never
      	type = passthrough
      	auto = route
      
      conn con1
      	fragmentation = yes
      	keyexchange = ike
      	reauth = yes
      	forceencaps = yes
      	mobike = no
      	rekey = yes
      	installpolicy = yes
      	type = tunnel
      	dpdaction = clear
      	dpddelay = 10s
      	dpdtimeout = 60s
      	auto = add
      	left = 80.150.xx.xx
      	right = %any
      	leftid = 80.150.xx.xx
      	ikelifetime = 86400s
      	lifetime = 28800s
      	rightsourceip = 192.168.123.0/24
      	ike = aes128-sha1-modp1024!
      	esp = aes128-sha1!
      	leftauth = psk
      	rightauth = psk
      	rightauth2 = xauth-generic
      	leftsubnet = 0.0.0.0/0
      
      

      and the error log:

      Jan 18 11:20:42 	charon: 15[MGR] <15> checkin and destroy IKE_SA (unnamed)[15]
      Jan 18 11:20:42 	charon: 15[IKE] <15> IKE_SA (unnamed)[15] state change: CONNECTING => DESTROYING
      Jan 18 11:20:42 	charon: 15[MGR] check-in and destroy of IKE_SA successful
      Jan 18 11:20:46 	charon: 15[MGR] checkout IKE_SA by message
      Jan 18 11:20:46 	charon: 15[MGR] created IKE_SA (unnamed)[16]
      Jan 18 11:20:46 	charon: 15[NET] <16> received packet: from 192.168.5.154[500] to 80.150.xx.xx[500] (762 bytes)
      Jan 18 11:20:46 	charon: 15[ENC] <16> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      Jan 18 11:20:46 	charon: 15[CFG] <16> looking for an ike config for 80.150.xx.xx...192.168.5.154
      Jan 18 11:20:46 	charon: 15[CFG] <16> candidate: %any...%any, prio 24
      Jan 18 11:20:46 	charon: 15[CFG] <16> candidate: 80.150.xx.xx...%any, prio 1048
      Jan 18 11:20:46 	charon: 15[CFG] <16> found matching ike config: 80.150.xx.xx...%any with prio 1048
      Jan 18 11:20:46 	charon: 15[IKE] <16> received FRAGMENTATION vendor ID
      Jan 18 11:20:46 	charon: 15[IKE] <16> received NAT-T (RFC 3947) vendor ID
      Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike vendor ID
      Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Jan 18 11:20:46 	charon: 15[IKE] <16> received XAuth vendor ID
      Jan 18 11:20:46 	charon: 15[IKE] <16> received Cisco Unity vendor ID
      Jan 18 11:20:46 	charon: 15[IKE] <16> received DPD vendor ID
      Jan 18 11:20:46 	charon: 15[IKE] <16> 192.168.5.154 is initiating a Aggressive Mode IKE_SA
      Jan 18 11:20:46 	charon: 15[IKE] <16> IKE_SA (unnamed)[16] state change: CREATED => CONNECTING
      Jan 18 11:20:46 	charon: 15[CFG] <16> selecting proposal:
      Jan 18 11:20:46 	charon: 15[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
      Jan 18 11:20:46 	charon: 15[CFG] <16> selecting proposal:
      Jan 18 11:20:46 	charon: 15[CFG] <16> proposal matches
      Jan 18 11:20:46 	charon: 15[CFG] <16> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
      Jan 18 11:20:46 	charon: 15[CFG] <16> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Jan 18 11:20:46 	charon: 15[CFG] <16> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Jan 18 11:20:46 	charon: 15[CFG] <16> looking for XAuthInitPSK peer configs matching 80.150.xx.xx...192.168.5.154[admins]
      Jan 18 11:20:46 	charon: 15[CFG] <16> candidate "bypasslan", match: 1/1/24 (me/other/ike)
      Jan 18 11:20:46 	charon: 15[CFG] <16> candidate "con1", match: 1/1/1048 (me/other/ike)
      Jan 18 11:20:46 	charon: 15[IKE] <16> found 2 matching configs, but none allows XAuthInitPSK authentication using Aggressive Mode
      Jan 18 11:20:46 	charon: 15[IKE] <16> queueing INFORMATIONAL task
      Jan 18 11:20:46 	charon: 15[IKE] <16> activating new tasks
      Jan 18 11:20:46 	charon: 15[IKE] <16> activating INFORMATIONAL task
      Jan 18 11:20:46 	charon: 15[ENC] <16> generating INFORMATIONAL_V1 request 3626808054 [ N(AUTH_FAILED) ]
      Jan 18 11:20:46 	charon: 15[NET] <16> sending packet: from 80.150.xx.xx[500] to 192.168.5.154[500] (56 bytes)
      Jan 18 11:20:46 	charon: 15[MGR] <16> checkin and destroy IKE_SA (unnamed)[16]
      Jan 18 11:20:46 	charon: 15[IKE] <16> IKE_SA (unnamed)[16] state change: CONNECTING => DESTROYING
      Jan 18 11:20:46 	charon: 15[MGR] check-in and destroy of IKE_SA successful
      Jan 18 11:21:06 	charon: 15[MGR] checkout IKE_SA
      Jan 18 11:21:09 	charon: 15[MGR] checkout IKE_SA
      Jan 18 11:21:12 	charon: 15[MGR] checkout IKE_SA
      Jan 18 11:21:16 	charon: 15[MGR] checkout IKE_SA
      

      Any idea where it gets stuck?

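Added example (editor's, not from the post or from strongSwan/pfSense): a small Python script that parses charon log lines of the kind shown above, groups them per IKE_SA, and pulls out the facts a practitioner checks first when an IKEv1 mobile client is refused: the exchange mode the peer used, the authentication method it asked for, the candidate conn entries, the proposals received versus configured, the "found N matching configs, but none allows … authentication using … Mode" refusal, and the AUTH_FAILED notify. It also flags weak terms in the peer's proposals (DES, 3DES, MD5, MODP_1024). The sample log is a constructed, trimmed copy of the lines in the post; the regexes are written against strongSwan's charon log format as seen there, and the verdict text states two things the script assumes rather than reads from the log: that in strongSwan's ipsec.conf the conn keyword `aggressive = yes` is what permits Aggressive Mode (the pfSense GUI exposes it as the Phase 1 negotiation mode), and the standard caveat that Aggressive Mode with a PSK hands a PSK-derived hash to any initiator that knows the group ID.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the charon lines in the post above.
SAMPLE_LOG = """\
Jan 18 11:20:46 charon: 15[MGR] check-in and destroy of IKE_SA successful
Jan 18 11:20:46 charon: 15[NET] <16> received packet: from 192.168.5.154[500] to 80.150.xx.xx[500] (762 bytes)
Jan 18 11:20:46 charon: 15[ENC] <16> parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
Jan 18 11:20:46 charon: 15[IKE] <16> received XAuth vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> 192.168.5.154 is initiating a Aggressive Mode IKE_SA
Jan 18 11:20:46 charon: 15[CFG] <16> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Jan 18 11:20:46 charon: 15[CFG] <16> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 18 11:20:46 charon: 15[CFG] <16> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 18 11:20:46 charon: 15[CFG] <16> looking for XAuthInitPSK peer configs matching 80.150.xx.xx...192.168.5.154[admins]
Jan 18 11:20:46 charon: 15[CFG] <16> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jan 18 11:20:46 charon: 15[CFG] <16> candidate "con1", match: 1/1/1048 (me/other/ike)
Jan 18 11:20:46 charon: 15[IKE] <16> found 2 matching configs, but none allows XAuthInitPSK authentication using Aggressive Mode
Jan 18 11:20:46 charon: 15[ENC] <16> generating INFORMATIONAL_V1 request 3626808054 [ N(AUTH_FAILED) ]
"""

# "<ts> charon: <thread>[<group>] <sa> <message>"; the <sa> tag is optional in charon output.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+charon: "
    r"(?P<thread>\d+)\[(?P<group>\w+)\] (?:<(?P<sa>\d+)> )?(?P<msg>.*)$"
)
MODE_RE = re.compile(r"(\S+) is initiating an? (Aggressive|Main) Mode IKE_SA")
PROPOSAL_RE = re.compile(r"(received|configured|selected) proposals?: (.*)")
CANDIDATE_RE = re.compile(r'candidate "([^"]+)"')
NO_CONFIG_RE = re.compile(
    r"found (?P<n>\d+) matching configs?, but none allows "
    r"(?P<auth>\S+) authentication using (?P<mode>Aggressive|Main) Mode"
)
# Algorithm tokens a security reviewer would not want to see accepted (assumed policy).
WEAK_ALGS = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_768", "MODP_1024"}


def parse_lines(text):
    """Group parsed charon lines by IKE_SA number; lines without an <sa> tag are skipped."""
    by_sa = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m["sa"] is not None:
            by_sa[int(m["sa"])].append(m.groupdict())
    return by_sa


def weak_terms(proposal):
    """Tokens of one 'IKE:alg/alg/...' proposal that are on the weak list, in order."""
    tokens = proposal.split(":", 1)[-1].split("/")
    return [t for t in tokens if t in WEAK_ALGS]


def diagnose(text):
    """Return one diagnosis dict per IKE_SA seen in the log."""
    results = {}
    for sa, entries in parse_lines(text).items():
        d = {"peer": None, "mode": None, "auth": None, "candidates": [],
             "received": [], "configured": [], "selected": None,
             "no_config_allows": None, "auth_failed": False, "weak_in_received": {}}
        for e in entries:
            msg = e["msg"]
            if (m := MODE_RE.search(msg)):
                d["peer"], d["mode"] = m.group(1), m.group(2)
            elif (m := PROPOSAL_RE.match(msg)):
                kind, body = m.groups()
                if kind == "selected":
                    d["selected"] = body.strip()
                else:
                    d[kind] = [p.strip() for p in body.split(",") if p.strip()]
            elif (m := CANDIDATE_RE.match(msg)):
                d["candidates"].append(m.group(1))
            elif (m := NO_CONFIG_RE.search(msg)):
                d["auth"] = m["auth"]
                d["no_config_allows"] = f"{m['auth']} via {m['mode']} Mode ({m['n']} candidate configs)"
            elif "N(AUTH_FAILED)" in msg:
                d["auth_failed"] = True
        d["weak_in_received"] = {p: weak_terms(p) for p in d["received"] if weak_terms(p)}
        results[sa] = d
    return results


def verdict(d):
    """Human-readable reading of one diagnosis."""
    if d["no_config_allows"] and d["mode"] == "Aggressive":
        msg = (f"peer {d['peer']} proposed {d['auth']} over Aggressive Mode, but none of the "
               f"candidate configs {d['candidates']} permits it; in strongSwan ipsec.conf that is "
               "controlled by 'aggressive = yes' in the conn section (pfSense: Phase 1 negotiation "
               "mode). Caveat: Aggressive Mode with a PSK sends a PSK-derived hash to any initiator "
               "that knows the group ID, so the PSK must withstand offline guessing.")
    elif d["auth_failed"]:
        msg = "authentication failed for another reason; read the lines before N(AUTH_FAILED)"
    else:
        msg = "no authentication failure seen"
    if d["weak_in_received"]:
        msg += f" Weak terms in peer proposals: {d['weak_in_received']}"
    return msg


if __name__ == "__main__":
    for sa, d in diagnose(SAMPLE_LOG).items():
        print(f"IKE_SA {sa}: {verdict(d)}")
```

Run it against a copy of /var/log/ipsec.log (or the pfSense IPsec log export) instead of SAMPLE_LOG to get one line per refused IKE_SA; the weak-term listing is about what the client offered, and only the `selected proposal` line tells you what the responder would actually accept.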