IPsec doesn't work in or out of office



  • Hi.

    We tried to establish a VPN connection for "Road Warriors", as the tutorial calls it. We had several problems receiving an answer from the VPN server.

    I tried several clients (iOS, Windows, Linux, Mac) … nothing worked, and the problem is the same everywhere.

    I use the same settings as in the tutorial.

    Here is my ipsec config:

    
    config setup
    	uniqueids = yes
    
    conn bypasslan
    	leftsubnet = 192.168.1.0/24
    	rightsubnet = 192.168.1.0/24
    	authby = never
    	type = passthrough
    	auto = route
    
    conn con1
    	fragmentation = yes
    	keyexchange = ike
    	reauth = yes
    	forceencaps = yes
    	mobike = no
    	rekey = yes
    	installpolicy = yes
    	type = tunnel
    	dpdaction = clear
    	dpddelay = 10s
    	dpdtimeout = 60s
    	auto = add
    	left = 80.150.xx.xx
    	right = %any
    	leftid = 80.150.xx.xx
    	ikelifetime = 86400s
    	lifetime = 28800s
    	rightsourceip = 192.168.123.0/24
    	ike = aes128-sha1-modp1024!
    	esp = aes128-sha1!
    	leftauth = psk
    	rightauth = psk
    	rightauth2 = xauth-generic
    	leftsubnet = 0.0.0.0/0
    
    

    And the error log:

    Jan 18 11:20:42 	charon: 15[MGR] <15> checkin and destroy IKE_SA (unnamed)[15]
    Jan 18 11:20:42 	charon: 15[IKE] <15> IKE_SA (unnamed)[15] state change: CONNECTING => DESTROYING
    Jan 18 11:20:42 	charon: 15[MGR] check-in and destroy of IKE_SA successful
    Jan 18 11:20:46 	charon: 15[MGR] checkout IKE_SA by message
    Jan 18 11:20:46 	charon: 15[MGR] created IKE_SA (unnamed)[16]
    Jan 18 11:20:46 	charon: 15[NET] <16> received packet: from 192.168.5.154[500] to 80.150.xx.xx[500] (762 bytes)
    Jan 18 11:20:46 	charon: 15[ENC] <16> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Jan 18 11:20:46 	charon: 15[CFG] <16> looking for an ike config for 80.150.xx.xx...192.168.5.154
    Jan 18 11:20:46 	charon: 15[CFG] <16> candidate: %any...%any, prio 24
    Jan 18 11:20:46 	charon: 15[CFG] <16> candidate: 80.150.xx.xx...%any, prio 1048
    Jan 18 11:20:46 	charon: 15[CFG] <16> found matching ike config: 80.150.xx.xx...%any with prio 1048
    Jan 18 11:20:46 	charon: 15[IKE] <16> received FRAGMENTATION vendor ID
    Jan 18 11:20:46 	charon: 15[IKE] <16> received NAT-T (RFC 3947) vendor ID
    Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike vendor ID
    Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Jan 18 11:20:46 	charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jan 18 11:20:46 	charon: 15[IKE] <16> received XAuth vendor ID
    Jan 18 11:20:46 	charon: 15[IKE] <16> received Cisco Unity vendor ID
    Jan 18 11:20:46 	charon: 15[IKE] <16> received DPD vendor ID
    Jan 18 11:20:46 	charon: 15[IKE] <16> 192.168.5.154 is initiating a Aggressive Mode IKE_SA
    Jan 18 11:20:46 	charon: 15[IKE] <16> IKE_SA (unnamed)[16] state change: CREATED => CONNECTING
    Jan 18 11:20:46 	charon: 15[CFG] <16> selecting proposal:
    Jan 18 11:20:46 	charon: 15[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
    Jan 18 11:20:46 	charon: 15[CFG] <16> selecting proposal:
    Jan 18 11:20:46 	charon: 15[CFG] <16> proposal matches
    Jan 18 11:20:46 	charon: 15[CFG] <16> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Jan 18 11:20:46 	charon: 15[CFG] <16> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jan 18 11:20:46 	charon: 15[CFG] <16> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jan 18 11:20:46 	charon: 15[CFG] <16> looking for XAuthInitPSK peer configs matching 80.150.xx.xx...192.168.5.154[admins]
    Jan 18 11:20:46 	charon: 15[CFG] <16> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Jan 18 11:20:46 	charon: 15[CFG] <16> candidate "con1", match: 1/1/1048 (me/other/ike)
    Jan 18 11:20:46 	charon: 15[IKE] <16> found 2 matching configs, but none allows XAuthInitPSK authentication using Aggressive Mode
    Jan 18 11:20:46 	charon: 15[IKE] <16> queueing INFORMATIONAL task
    Jan 18 11:20:46 	charon: 15[IKE] <16> activating new tasks
    Jan 18 11:20:46 	charon: 15[IKE] <16> activating INFORMATIONAL task
    Jan 18 11:20:46 	charon: 15[ENC] <16> generating INFORMATIONAL_V1 request 3626808054 [ N(AUTH_FAILED) ]
    Jan 18 11:20:46 	charon: 15[NET] <16> sending packet: from 80.150.xx.xx[500] to 192.168.5.154[500] (56 bytes)
    Jan 18 11:20:46 	charon: 15[MGR] <16> checkin and destroy IKE_SA (unnamed)[16]
    Jan 18 11:20:46 	charon: 15[IKE] <16> IKE_SA (unnamed)[16] state change: CONNECTING => DESTROYING
    Jan 18 11:20:46 	charon: 15[MGR] check-in and destroy of IKE_SA successful
    Jan 18 11:21:06 	charon: 15[MGR] checkout IKE_SA
    Jan 18 11:21:09 	charon: 15[MGR] checkout IKE_SA
    Jan 18 11:21:12 	charon: 15[MGR] checkout IKE_SA
    Jan 18 11:21:16 	charon: 15[MGR] checkout IKE_SA
    

    Any idea where it gets stuck?
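The following is an added example, not part of the post above and not strongSwan or pfSense code: a small Python triage script that parses charon log lines of the kind quoted in the post and reduces each IKE_SA to what was negotiated and where it failed. The sample input is a subset of the post's own log lines (single-spaced, with the poster's `80.150.xx.xx` redaction kept); the regexes, the `IkeSaSummary` fields and the `verdict` labels are this example's own choices, not charon's.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a subset of the charon log lines from the post above,
# single-spaced; "80.150.xx.xx" is the poster's own redaction, kept as-is.
SAMPLE_LOG = """\
Jan 18 11:20:46 charon: 15[MGR] checkout IKE_SA by message
Jan 18 11:20:46 charon: 15[NET] <16> received packet: from 192.168.5.154[500] to 80.150.xx.xx[500] (762 bytes)
Jan 18 11:20:46 charon: 15[CFG] <16> found matching ike config: 80.150.xx.xx...%any with prio 1048
Jan 18 11:20:46 charon: 15[IKE] <16> 192.168.5.154 is initiating a Aggressive Mode IKE_SA
Jan 18 11:20:46 charon: 15[IKE] <16> IKE_SA (unnamed)[16] state change: CREATED => CONNECTING
Jan 18 11:20:46 charon: 15[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Jan 18 11:20:46 charon: 15[CFG] <16> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 18 11:20:46 charon: 15[CFG] <16> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 18 11:20:46 charon: 15[CFG] <16> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 18 11:20:46 charon: 15[CFG] <16> looking for XAuthInitPSK peer configs matching 80.150.xx.xx...192.168.5.154[admins]
Jan 18 11:20:46 charon: 15[CFG] <16> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jan 18 11:20:46 charon: 15[CFG] <16> candidate "con1", match: 1/1/1048 (me/other/ike)
Jan 18 11:20:46 charon: 15[IKE] <16> found 2 matching configs, but none allows XAuthInitPSK authentication using Aggressive Mode
Jan 18 11:20:46 charon: 15[ENC] <16> generating INFORMATIONAL_V1 request 3626808054 [ N(AUTH_FAILED) ]
Jan 18 11:20:46 charon: 15[IKE] <16> IKE_SA (unnamed)[16] state change: CONNECTING => DESTROYING
"""

# One charon line: timestamp, thread id, log group, optional <IKE_SA id>, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\s+charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\](?: <(?P<sa>\d+)>)? (?P<msg>.*)$"
)

@dataclass
class IkeSaSummary:
    """What one IKE_SA negotiated (or failed to), keyed by charon's <id>."""
    sa_id: str
    peer: Optional[str] = None
    mode: Optional[str] = None
    ike_config: Optional[str] = None
    state: Optional[str] = None
    auth_method: Optional[str] = None
    peer_identity: Optional[str] = None
    received_proposals: List[str] = field(default_factory=list)
    configured_proposals: List[str] = field(default_factory=list)
    selected_proposal: Optional[str] = None
    proposal_rejections: List[str] = field(default_factory=list)
    candidates: Dict[str, str] = field(default_factory=dict)  # conn name -> me/other/ike match
    failure: Optional[str] = None
    notify: Optional[str] = None

def parse_charon_log(text: str) -> Dict[str, IkeSaSummary]:
    sas: Dict[str, IkeSaSummary] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["sa"] is None:
            continue  # MGR checkout/checkin lines carry no <sa> id; skip them
        s = sas.setdefault(m["sa"], IkeSaSummary(m["sa"]))
        msg = m["msg"]
        if x := re.match(r"received packet: from (\S+)\[\d+\]", msg):
            s.peer = x[1]
        elif x := re.search(r"is initiating an? (.+?) IKE_SA", msg):
            s.mode = x[1]
        elif x := re.match(r"found matching ike config: (.+) with prio", msg):
            s.ike_config = x[1]
        elif x := re.search(r"state change: \S+ => (\S+)", msg):
            s.state = x[1]
        elif x := re.match(r"no acceptable (\S+) found", msg):
            s.proposal_rejections.append(x[1])  # one proposal rejected; fatal only if none is selected
        elif x := re.match(r"(received|configured) proposals: (.*)", msg):
            getattr(s, f"{x[1]}_proposals").extend(x[2].split(", "))
        elif x := re.match(r"selected proposal: (.*)", msg):
            s.selected_proposal = x[1]
        elif x := re.match(r"looking for (\S+) peer configs matching .*\[([^\]]*)\]$", msg):
            s.auth_method, s.peer_identity = x[1], x[2]
        elif x := re.match(r'candidate "([^"]+)", match: (\S+)', msg):
            s.candidates[x[1]] = x[2]
        elif re.match(r"found \d+ matching configs, but none allows|no matching peer config", msg):
            s.failure = msg
        elif x := re.search(r"\[ N\((\w+)\) \]", msg):
            s.notify = x[1]
    return sas

def verdict(s: IkeSaSummary) -> str:
    """Name the first fatal step; proposal rejections followed by a match are noise."""
    if s.selected_proposal is None and s.proposal_rejections:
        return "proposal: nothing matched (" + ", ".join(s.proposal_rejections) + ")"
    if s.failure:
        return f"peer-config: {s.failure}"
    if s.notify:
        return f"notify: {s.notify}"
    return "no failure recorded"

def triage(text: str) -> Dict[str, str]:
    return {sa_id: verdict(s) for sa_id, s in parse_charon_log(text).items()}

if __name__ == "__main__":
    for sa_id, s in parse_charon_log(SAMPLE_LOG).items():
        print(f"IKE_SA {sa_id}: peer={s.peer} mode={s.mode} auth={s.auth_method} id={s.peer_identity}")
        print(f"  conn candidates {s.candidates} -> {verdict(s)}")
```

Run on the log above, the script separates the two things that look like errors: the `no acceptable ENCRYPTION_ALGORITHM found` line is only the rejection of the client's first proposal (AES-256) and is followed by a `selected proposal`, so it is not the cause; the fatal step is the peer-config lookup, where both `bypasslan` and `con1` match by address but neither allows XAuthInitPSK with Aggressive Mode, after which charon sends `N(AUTH_FAILED)` and destroys the IKE_SA. In strongSwan's ipsec.conf the per-conn `aggressive` option governs whether a conn accepts IKEv1 Aggressive Mode; because Aggressive Mode with a PSK exposes a hash of that PSK to anyone who sends the first message, it is worth knowing which clients actually require it before enabling it.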
