IPsec doesn't work in or out of office
-
Hi.
We tried to establish a VPN connection for "Road Warriors", just as the tutorial calls it. We had several problems receiving an answer from the VPN server.
I tried some clients (iOS, Windows, Linux, Mac) … nothing worked, and the problem is the same everywhere.
I use the same settings as in the tutorial.
Here is my ipsec config:
config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = 192.168.1.0/24
    rightsubnet = 192.168.1.0/24
    authby = never
    type = passthrough
    auto = route

conn con1
    fragmentation = yes
    keyexchange = ike
    reauth = yes
    forceencaps = yes
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = 80.150.xx.xx
    right = %any
    leftid = 80.150.xx.xx
    ikelifetime = 86400s
    lifetime = 28800s
    rightsourceip = 192.168.123.0/24
    ike = aes128-sha1-modp1024!
    esp = aes128-sha1!
    leftauth = psk
    rightauth = psk
    rightauth2 = xauth-generic
    leftsubnet = 0.0.0.0/0
and the error log:
Jan 18 11:20:42 charon: 15[MGR] <15> checkin and destroy IKE_SA (unnamed)[15]
Jan 18 11:20:42 charon: 15[IKE] <15> IKE_SA (unnamed)[15] state change: CONNECTING => DESTROYING
Jan 18 11:20:42 charon: 15[MGR] check-in and destroy of IKE_SA successful
Jan 18 11:20:46 charon: 15[MGR] checkout IKE_SA by message
Jan 18 11:20:46 charon: 15[MGR] created IKE_SA (unnamed)[16]
Jan 18 11:20:46 charon: 15[NET] <16> received packet: from 192.168.5.154[500] to 80.150.xx.xx[500] (762 bytes)
Jan 18 11:20:46 charon: 15[ENC] <16> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Jan 18 11:20:46 charon: 15[CFG] <16> looking for an ike config for 80.150.xx.xx...192.168.5.154
Jan 18 11:20:46 charon: 15[CFG] <16> candidate: %any...%any, prio 24
Jan 18 11:20:46 charon: 15[CFG] <16> candidate: 80.150.xx.xx...%any, prio 1048
Jan 18 11:20:46 charon: 15[CFG] <16> found matching ike config: 80.150.xx.xx...%any with prio 1048
Jan 18 11:20:46 charon: 15[IKE] <16> received FRAGMENTATION vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> received NAT-T (RFC 3947) vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> received XAuth vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> received Cisco Unity vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> received DPD vendor ID
Jan 18 11:20:46 charon: 15[IKE] <16> 192.168.5.154 is initiating a Aggressive Mode IKE_SA
Jan 18 11:20:46 charon: 15[IKE] <16> IKE_SA (unnamed)[16] state change: CREATED => CONNECTING
Jan 18 11:20:46 charon: 15[CFG] <16> selecting proposal:
Jan 18 11:20:46 charon: 15[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Jan 18 11:20:46 charon: 15[CFG] <16> selecting proposal:
Jan 18 11:20:46 charon: 15[CFG] <16> proposal matches
Jan 18 11:20:46 charon: 15[CFG] <16> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Jan 18 11:20:46 charon: 15[CFG] <16> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 18 11:20:46 charon: 15[CFG] <16> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 18 11:20:46 charon: 15[CFG] <16> looking for XAuthInitPSK peer configs matching 80.150.xx.xx...192.168.5.154[admins]
Jan 18 11:20:46 charon: 15[CFG] <16> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jan 18 11:20:46 charon: 15[CFG] <16> candidate "con1", match: 1/1/1048 (me/other/ike)
Jan 18 11:20:46 charon: 15[IKE] <16> found 2 matching configs, but none allows XAuthInitPSK authentication using Aggressive Mode
Jan 18 11:20:46 charon: 15[IKE] <16> queueing INFORMATIONAL task
Jan 18 11:20:46 charon: 15[IKE] <16> activating new tasks
Jan 18 11:20:46 charon: 15[IKE] <16> activating INFORMATIONAL task
Jan 18 11:20:46 charon: 15[ENC] <16> generating INFORMATIONAL_V1 request 3626808054 [ N(AUTH_FAILED) ]
Jan 18 11:20:46 charon: 15[NET] <16> sending packet: from 80.150.xx.xx[500] to 192.168.5.154[500] (56 bytes)
Jan 18 11:20:46 charon: 15[MGR] <16> checkin and destroy IKE_SA (unnamed)[16]
Jan 18 11:20:46 charon: 15[IKE] <16> IKE_SA (unnamed)[16] state change: CONNECTING => DESTROYING
Jan 18 11:20:46 charon: 15[MGR] check-in and destroy of IKE_SA successful
Jan 18 11:21:06 charon: 15[MGR] checkout IKE_SA
Jan 18 11:21:09 charon: 15[MGR] checkout IKE_SA
Jan 18 11:21:12 charon: 15[MGR] checkout IKE_SA
Jan 18 11:21:16 charon: 15[MGR] checkout IKE_SA
Any idea where it gets stuck?
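To answer "where it gets stuck" from a charon log like the one above, the following log-triage script (an added example, not code from the post or from strongSwan) groups messages by IKE_SA number and records how far each negotiation got: the peer and exchange mode, the proposal that was selected, the authentication method the client asked for, the config-match reason charon logged, and the notify it sent back. The sample lines are an excerpt of the log quoted in the post, with the IP anonymised exactly as posted.

```python
import re

# Excerpt of the charon log quoted in the post above (constructed sample input).
SAMPLE_LOG = """\
Jan 18 11:20:46 charon: 15[MGR] checkout IKE_SA by message
Jan 18 11:20:46 charon: 15[NET] <16> received packet: from 192.168.5.154[500] to 80.150.xx.xx[500] (762 bytes)
Jan 18 11:20:46 charon: 15[IKE] <16> 192.168.5.154 is initiating a Aggressive Mode IKE_SA
Jan 18 11:20:46 charon: 15[CFG] <16> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 18 11:20:46 charon: 15[CFG] <16> looking for XAuthInitPSK peer configs matching 80.150.xx.xx...192.168.5.154[admins]
Jan 18 11:20:46 charon: 15[CFG] <16> candidate "con1", match: 1/1/1048 (me/other/ike)
Jan 18 11:20:46 charon: 15[IKE] <16> found 2 matching configs, but none allows XAuthInitPSK authentication using Aggressive Mode
Jan 18 11:20:46 charon: 15[ENC] <16> generating INFORMATIONAL_V1 request 3626808054 [ N(AUTH_FAILED) ]
"""

# charon line layout: timestamp, thread[subsystem], <IKE_SA number>, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) charon: \d+\[(?P<sub>\w+)\] <(?P<sa>\d+)> (?P<msg>.*)$")

def parse_charon(text):
    """Group (subsystem, message) pairs by IKE_SA number; lines without an <sa> tag are skipped."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sas.setdefault(int(m["sa"]), []).append((m["sub"], m["msg"]))
    return sas

def diagnose(msgs):
    """Walk one IKE_SA's messages in order and record the last phase it reached."""
    r = {"peer": None, "mode": None, "proposal": None, "auth": None, "reason": None, "notify": None}
    for _sub, msg in msgs:
        if m := re.match(r"(\S+) is initiating a (\w+ Mode) IKE_SA", msg):
            r["peer"], r["mode"] = m.group(1), m.group(2)
        elif m := re.match(r"selected proposal: (.*)", msg):
            r["proposal"] = m.group(1)      # IKE proposal negotiation succeeded
        elif m := re.match(r"looking for (\w+) peer configs", msg):
            r["auth"] = m.group(1)          # auth method the client is trying
        elif m := re.match(r"found \d+ matching configs, but none allows .*", msg):
            r["reason"] = m.group(0)        # a conn matched, but not for this auth/mode
        elif m := re.search(r"N\((\w+)\)", msg):
            r["notify"] = m.group(1)        # notify charon sent back to the client
    return r

def stuck_at(text):
    """Return (ike_sa, report) for each IKE_SA that ended with a notify instead of a tunnel."""
    out = []
    for sa, msgs in parse_charon(text).items():
        rep = diagnose(msgs)
        if rep["notify"]:
            out.append((sa, rep))
    return out
```

Run against the full log, the report for IKE_SA 16 shows the negotiation passed proposal selection and stopped at the peer-config lookup, which is the line to compare against the conn definitions.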