[
https://issues.apache.org/jira/browse/CLOUDSTACK-9712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
DeepthiMachiraju updated CLOUDSTACK-9712:
-----------------------------------------
Labels: PVR (was: )
> Establishing Remote access VPN is failing due to mismatch of preshared
> secrets post Disable/Enable VPN.
> --------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-9712
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9712
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Virtual Router
> Affects Versions: 4.9.0
> Reporter: DeepthiMachiraju
> Priority: Critical
> Labels: PVR
> Attachments: management-server.rar
>
>
> - On an Isolated Network enable VPN, and configure a few VPN users.
> - Deploy a Windows 2012R2 VM in the shared network. Create a new VPN
> connection by providing the NAT IP, select L2TP in the configuration and
> provide the PSK provided by CloudStack.
> - Try logging in with the VPN users created above.
> Observations :
> - User fails to login with the following error message at client : " Error
> 789 : The L2TP connection attempt failed because the security layer
> encountered a processing error during initial negotiations with the remote
> computer ".
> - Each time VPN is Disabled/Enabled, a new key is stored in ipsec.any.secrets.
> root@r-5-VM:~# cat /etc/ipsec.d/ipsec.any.secrets
> : PSK "O3rEXqxgMXRvNkPRXaqtkg43"
> : PSK "ZwEcGeHKnE9z2zpPht9eh77T"
> : PSK "7CUjMgwO8sbMJXjyHhRg2NDp"
> Note: when the older PSKs are deleted and only the current key is retained in
> the file, remote VPN is established successfully.
> =============================================auth.log==============================================
> Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring
> Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
> Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: received
> Vendor ID payload [RFC 3947] method set to=109
> Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already
> using method 109
> Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring
> Vendor ID payload [FRAGMENTATION]
> Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring
> Vendor ID payload [MS-Negotiation Discovery Capable]
> Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring
> Vendor ID payload [Vid-Initial-Contact]
> Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring
> Vendor ID payload [IKE CGA version 1]
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18:
> responding to Main Mode from unknown peer 10.147.52.62
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18:
> OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18:
> OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple
> ipsec.secrets entries with distinct secrets match endpoints: first secret used
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple
> ipsec.secrets entries with distinct secrets match endpoints: first secret used
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18:
> NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple
> ipsec.secrets entries with distinct secrets match endpoints: first secret used
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple
> ipsec.secrets entries with distinct secrets match endpoints: first secret used
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18:
> STATE_MAIN_R2: sent MR2, expecting MI3
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next
> payload type of ISAKMP Identification Payload has an unknown value: 255
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable
> authentication failure (mismatch of preshared secrets?): malformed payload in
> packet
> Dec 28 10:49:30 r-5-VM pluto[2828]: | payload malformed after IV
> Dec 28 10:49:30 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c
> 4f 0d 4c 9e
> Dec 28 10:49:30 r-5-VM pluto[2828]: | 3e 71 6f 48
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending
> notification PAYLOAD_MALFORMED to 10.147.52.62:500
> Dec 28 10:49:31 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next
> payload type of ISAKMP Identification Payload has an unknown value: 255
> Dec 28 10:49:31 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable
> authentication failure (mismatch of preshared secrets?): malformed payload in
> packet
> Dec 28 10:49:31 r-5-VM pluto[2828]: | payload malformed after IV
> Dec 28 10:49:31 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c
> 4f 0d 4c 9e
> Dec 28 10:49:31 r-5-VM pluto[2828]: | 3e 71 6f 48
> Dec 28 10:49:31 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending
> notification PAYLOAD_MALFORMED to 10.147.52.62:500
> Dec 28 10:49:32 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next
> payload type of ISAKMP Identification Payload has an unknown value: 255
> Dec 28 10:49:32 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable
> authentication failure (mismatch of preshared secrets?): malformed payload in
> packet
> Dec 28 10:49:32 r-5-VM pluto[2828]: | payload malformed after IV
> Dec 28 10:49:32 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c
> 4f 0d 4c 9e
> Dec 28 10:49:32 r-5-VM pluto[2828]: | 3e 71 6f 48
> Dec 28 10:49:32 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending
> notification PAYLOAD_MALFORMED to 10.147.52.62:500
> Dec 28 10:49:35 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next
> payload type of ISAKMP Identification Payload has an unknown value: 255
> Dec 28 10:49:35 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable
> authentication failure (mismatch of preshared secrets?): malformed payload in
> packet
> Dec 28 10:49:35 r-5-VM pluto[2828]: | payload malformed after IV
> Dec 28 10:49:35 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c
> 4f 0d 4c 9e
> Dec 28 10:49:35 r-5-VM pluto[2828]: | 3e 71 6f 48
> Dec 28 10:49:35 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending
> notification PAYLOAD_MALFORMED to 10.147.52.62:500
> Dec 28 10:49:42 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next
> payload type of ISAKMP Identification Payload has an unknown value: 255
> Dec 28 10:49:42 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable
> authentication failure (mismatch of preshared secrets?): malformed payload in
> packet
> Dec 28 10:49:42 r-5-VM pluto[2828]: | payload malformed after IV
> Dec 28 10:49:42 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c
> 4f 0d 4c 9e
> Dec 28 10:49:42 r-5-VM pluto[2828]: | 3e 71 6f 48
> Dec 28 10:49:42 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending
> notification PAYLOAD_MALFORMED to 10.147.52.62:500
> =================================================================================================
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
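The symptom reported above is that stale `: PSK "..."` lines accumulate in `/etc/ipsec.d/ipsec.any.secrets` and pluto then uses the first one. The following is an added example, not CloudStack's own code, of a small health check for the virtual router: it parses the secrets file, flags selectors that carry more than one distinct PSK (the condition behind pluto's "first secret used" warning), rewrites the file keeping only the last-appended key per selector (assumed here to be the key CloudStack currently displays), and counts the warning in an auth.log excerpt. The sample file contents are constructed.

```python
import re
from typing import Dict, List, Tuple

# One pluto secrets entry, e.g.   : PSK "O3rEXqxgMXRvNkPRXaqtkg43"
# An empty selector list before ':' means "matches any endpoint".
_PSK_LINE = re.compile(r'^\s*(?P<sel>[^:#]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')
_PLUTO_WARN = "multiple ipsec.secrets entries with distinct secrets match endpoints"

def parse_psk_entries(text: str) -> List[Tuple[str, str]]:
    """(selectors, psk) pairs in file order; comments and blank lines are skipped."""
    found = [_PSK_LINE.match(line) for line in text.splitlines()]
    return [(m.group("sel").strip(), m.group("psk")) for m in found if m]

def conflicting_selectors(text: str) -> List[str]:
    """Selectors that carry more than one distinct PSK. Pluto picks the FIRST,
    so the key CloudStack currently shows the user (the newest) never matches."""
    by_sel: Dict[str, set] = {}
    for sel, psk in parse_psk_entries(text):
        by_sel.setdefault(sel, set()).add(psk)
    return sorted(sel for sel, keys in by_sel.items() if len(keys) > 1)

def keep_current_psk(text: str) -> str:
    """Rewrite the file keeping, per selector, only the last-appended PSK (assumed
    to be the key CloudStack displays). Comments and non-PSK lines are preserved."""
    current = dict(parse_psk_entries(text))  # later entries overwrite earlier ones
    out, done = [], set()
    for line in text.splitlines():
        m = _PSK_LINE.match(line)
        if not m:
            out.append(line)
            continue
        sel = m.group("sel").strip()
        if m.group("psk") == current[sel] and sel not in done:
            out.append(line)
            done.add(sel)
    return "\n".join(out) + "\n"

def count_first_secret_warnings(auth_log: str) -> int:
    """How often pluto fell back to 'first secret used' in an auth.log excerpt."""
    return sum(_PLUTO_WARN in line for line in auth_log.splitlines())

# Constructed sample data (not the reporter's real keys or log).
SAMPLE_SECRETS = (
    '# constructed ipsec.any.secrets after three Disable/Enable cycles\n'
    ': PSK "psk-from-first-enable"\n'
    ': PSK "psk-from-second-enable"\n'
    ': PSK "psk-currently-shown-by-cloudstack"\n'
)
```

Running `conflicting_selectors` on the router's secrets file after each Enable VPN is a cheap regression check for this bug; an empty result means pluto has exactly one candidate key per endpoint.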