IPsec doesnt work in or out of office

ganjawizard

Hi.

We tried to establish a VPN Connection for "Road Warriors" just like the Tutorial will be called. We had serveral problems receiving an answer from the VPN-Server.

I tried some Clients (ios, win, linux, mac) … nothing worked and everywhere is the same problem.

I use the same settings as in the tutorial

here is my ipsec config:


config setup
	uniqueids = yes

conn bypasslan
	leftsubnet = 192.168.1.0/24
	rightsubnet = 192.168.1.0/24
	authby = never
	type = passthrough
	auto = route

conn con1
	fragmentation = yes
	keyexchange = ike
	reauth = yes
	forceencaps = yes
	mobike = no
	rekey = yes
	installpolicy = yes
	type = tunnel
	dpdaction = clear
	dpddelay = 10s
	dpdtimeout = 60s
	auto = add
	left = 80.150.xx.xx
	right = %any
	leftid = 80.150.xx.xx
	ikelifetime = 86400s
	lifetime = 28800s
	rightsourceip = 192.168.123.0/24
	ike = aes128-sha1-modp1024!
	esp = aes128-sha1!
	leftauth = psk
	rightauth = psk
	rightauth2 = xauth-generic
	leftsubnet = 0.0.0.0/0

and the error log:

Jan 18 11:20:42 	charon: 15[MGR] <15> checkin and destroy IKE_SA (unnamed)[15]
Jan 18 11:20:42 	charon: 15[IKE] <15> IKE_SA (unnamed)[15] state change: CONNECTING => DESTROYING
Jan 18 11:20:42 	charon: 15[MGR] check-in and destroy of IKE_SA successful
Jan 18 11:20:46 	charon: 15[MGR] checkout IKE_SA by message
Jan 18 11:20:46 	charon: 15[MGR] created IKE_SA (unnamed)[16]
Jan 18 11:20:46 	charon: 15[NET] <16> received packet: from 192.168.5.154[500] to 80.150.xx.xx[500] (762 bytes)
Jan 18 11:20:46 	charon: 15[ENC] <16> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Jan 18 11:20:46 	charon: 15[CFG] <16> looking for an ike config for 80.150.xx.xx...192.168.5.154
Jan 18 11:20:46 	charon: 15[CFG] <16> candidate: %any...%any, prio 24
Jan 18 11:20:46 	charon: 15[CFG] <16> candidate: 80.150.xx.xx...%any, prio 1048
Jan 18 11:20:46 	charon: 15[CFG] <16> found matching ike config: 80.150.xx.xx...%any with prio 1048
Jan 18 11:20:46 	charon: 15[IKE] <16> received FRAGMENTATION vendor ID
Jan 18 11:20:46 	charon: 15[IKE] <16> received NAT-T (RFC 3947) vendor ID
Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike vendor ID
Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 18 11:20:46 	charon: 15[IKE] <16> received XAuth vendor ID
Jan 18 11:20:46 	charon: 15[IKE] <16> received Cisco Unity vendor ID
Jan 18 11:20:46 	charon: 15[IKE] <16> received DPD vendor ID
Jan 18 11:20:46 	charon: 15[IKE] <16> 192.168.5.154 is initiating a Aggressive Mode IKE_SA
Jan 18 11:20:46 	charon: 15[IKE] <16> IKE_SA (unnamed)[16] state change: CREATED => CONNECTING
Jan 18 11:20:46 	charon: 15[CFG] <16> selecting proposal:
Jan 18 11:20:46 	charon: 15[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Jan 18 11:20:46 	charon: 15[CFG] <16> selecting proposal:
Jan 18 11:20:46 	charon: 15[CFG] <16> proposal matches
Jan 18 11:20:46 	charon: 15[CFG] <16> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Jan 18 11:20:46 	charon: 15[CFG] <16> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 18 11:20:46 	charon: 15[CFG] <16> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 18 11:20:46 	charon: 15[CFG] <16> looking for XAuthInitPSK peer configs matching 80.150.xx.xx...192.168.5.154[admins]
Jan 18 11:20:46 	charon: 15[CFG] <16> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jan 18 11:20:46 	charon: 15[CFG] <16> candidate "con1", match: 1/1/1048 (me/other/ike)
Jan 18 11:20:46 	charon: 15[IKE] <16> found 2 matching configs, but none allows XAuthInitPSK authentication using Aggressive Mode
Jan 18 11:20:46 	charon: 15[IKE] <16> queueing INFORMATIONAL task
Jan 18 11:20:46 	charon: 15[IKE] <16> activating new tasks
Jan 18 11:20:46 	charon: 15[IKE] <16> activating INFORMATIONAL task
Jan 18 11:20:46 	charon: 15[ENC] <16> generating INFORMATIONAL_V1 request 3626808054 [ N(AUTH_FAILED) ]
Jan 18 11:20:46 	charon: 15[NET] <16> sending packet: from 80.150.xx.xx[500] to 192.168.5.154[500] (56 bytes)
Jan 18 11:20:46 	charon: 15[MGR] <16> checkin and destroy IKE_SA (unnamed)[16]
Jan 18 11:20:46 	charon: 15[IKE] <16> IKE_SA (unnamed)[16] state change: CONNECTING => DESTROYING
Jan 18 11:20:46 	charon: 15[MGR] check-in and destroy of IKE_SA successful
Jan 18 11:21:06 	charon: 15[MGR] checkout IKE_SA
Jan 18 11:21:09 	charon: 15[MGR] checkout IKE_SA
Jan 18 11:21:12 	charon: 15[MGR] checkout IKE_SA
Jan 18 11:21:16 	charon: 15[MGR] checkout IKE_SA

any idea on where it stucks?