Hello Claude,

the relevant error message is:

    "cisco-vpn"[2] 192.168.3.53:53276 #1:
    cannot respond to IPsec SA request because no connection is known
    for 0.0.0.0/0===192.168.1.13
    [C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA,
     OU=IT, CN=vpn6-pub.restena.lu, [email protected]]
    ...192.168.3.53:53276
    [C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT,
    CN=Group_xyz, [email protected]]===192.168.120.129/32

The client by default wants to tunnel all Internet traffic (no
split tunneling), therefore the gateway must define

    leftsubnet=0.0.0.0/0

Regards

Andreas

On 21.05.2010 10:14, Claude Tompers wrote:
> Hello,
>
> After my recently solved problem with the Cisco VPN client, I hit another 
> one. Everything seems to work fine, but the connection won't establish.
> In logs pasted below the text, you can see that the certificate 
> authentication as well as the xauth user authentication work fine. For some 
> reason however, the SA seems to be deleted, and I can't explain why.
> If anyone has an idea, I'd be grateful.
>
> kind regards
> Claude
>
> /etc/ipsec.conf:
>
> ca vpnca
>          cacert=VPNCA-cacert.pem
>          crluri=VPNCA-crl.pem
>          auto=add
>
> config setup
>          plutostart=yes
>          #plutodebug=control
>          charonstart=no
>          charondebug="net 0"
>          nat_traversal=yes
>          crlcheckinterval=10m
>          strictcrlpolicy=yes
>
> # Add connections here.
>
> conn %default
>          ike=aes256-sha1-modp1536!
>          esp=aes256-sha1!
>          dpdaction=clear
>          dpddelay=300s
>          rekeymargin=3m
>          keyingtries=1
>          left=%defaultroute
>          leftcert=vpncert.pem
>          leftid="C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, 
> OU=IT, CN=vpn6-pub.restena.lu, [email protected]"
>          right=%any
>          rightsourceip=192.168.120.128/25
>          auto=add
>
> conn cisco-vpn
>          ikelifetime=60m
>          keylife=20m
>          rekeymargin=3m
>          keyingtries=1
>          type=tunnel
>          pfs=no
>          authby=xauthrsasig
>          xauth=server
>
>
> /etc/ipsec.secrets
>
> : RSA vpncert-key.pem
>
> : XAUTH ctompers        "verysecretpassword"
>
>
> /var/log/ipsec:
>
> May 21 09:52:40 vpn6-test pluto[31904]: adding interface lo/lo ::1:500
> May 21 09:52:40 vpn6-test pluto[31904]: loading secrets from 
> "/usr/local/etc/ipsec.secrets"
> May 21 09:52:40 vpn6-test pluto[31904]:   loaded private key from 
> 'vpncert-key.pem'
> May 21 09:52:40 vpn6-test pluto[31904]:   loaded xauth credentials of user 
> 'ctompers'
> May 21 09:52:40 vpn6-test pluto[31904]:   loaded CA certificate from 
> '/usr/local/etc/ipsec.d/cacerts/VPNCA-cacert.pem'
> May 21 09:52:40 vpn6-test pluto[31904]: added ca description "vpnca"
> May 21 09:52:40 vpn6-test pluto[31904]:   loaded host certificate from 
> '/usr/local/etc/ipsec.d/certs/vpncert.pem'
> May 21 09:52:40 vpn6-test pluto[31904]: added connection description 
> "cisco-vpn"
> May 21 09:52:40 vpn6-test pluto[31904]:   loaded host certificate from 
> '/usr/local/etc/ipsec.d/certs/vpncert.pem'
> May 21 09:52:40 vpn6-test pluto[31904]: added connection description "ikev2"
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: size 
> (1160) differs from size specified in ISAKMP HDR (1144)
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: Cisco 
> VPN client appends 16 surplus NULL bytes
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: 
> received Vendor ID payload [XAUTH]
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: 
> received Vendor ID payload [Dead Peer Detection]
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: 
> ignoring Vendor ID payload [FRAGMENTATION 80000000]
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: 
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: 
> ignoring Vendor ID payload [Cisco-Unity]
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: 
> responding to Main Mode from unknown peer 192.168.3.53:53276
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: 
> peer requested 2147483 seconds which exceeds our limit 86400 seconds
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: 
> lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME 
> notification)
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: size 
> (352) differs from size specified in ISAKMP HDR (336)
> May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: Cisco 
> VPN client appends 16 surplus NULL bytes
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: 
> ignoring Vendor ID payload [276f4f549eef9da547a168470992f47f]
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: 
> ignoring Vendor ID payload [Cisco-Unity]
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: 
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: 
> ignoring informational payload, type IPSEC_INITIAL_CONTACT
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[1] 192.168.3.53:53276 #1: 
> Peer ID is ID_DER_ASN1_DN: 'C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation 
> RESTENA, OU=IT, CN=Group_xyz, [email protected]'
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> deleting connection "cisco-vpn" instance with peer 192.168.3.53 
> {isakmp=#0/ipsec=#0}
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> we have a cert and are sending it upon request
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> sent MR3, ISAKMP SA established
> May 21 09:52:49 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> sending XAUTH request
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> parsing XAUTH reply
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> extended authentication was successful
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> sending XAUTH status:
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> parsing XAUTH ack
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> received XAUTH ack, established
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> unsupported ModeCfg attribute 28683?? received.
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> unsupported ModeCfg attribute 28684?? received.
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> peer requested virtual IP %any
> May 21 09:53:09 vpn6-test pluto[31904]: assigning new lease to 'C=LU, 
> ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, 
> [email protected]'
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> assigning virtual IP 192.168.120.129 to peer
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> sending ModeCfg reply
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> sent ModeCfg reply, established
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> cannot respond to IPsec SA request because no connection is known for 
> 0.0.0.0/0===192.168.1.13[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation 
> RESTENA, OU=IT, CN=vpn6-pub.restena.lu, 
> [email protected]]...192.168.3.53:53276[C=LU, ST=Luxembourg, 
> L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, 
> [email protected]]===192.168.120.129/32
> May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> sending encrypted notification INVALID_ID_INFORMATION to 192.168.3.53:53276
> May 21 09:53:14 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> Quick Mode I1 message is unacceptable because it uses a previously used 
> Message ID 0x5913d71e (perhaps this is a duplicated packet)
> May 21 09:53:14 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
> May 21 09:53:19 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> Quick Mode I1 message is unacceptable because it uses a previously used 
> Message ID 0x5913d71e (perhaps this is a duplicated packet)
> May 21 09:53:19 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
> May 21 09:53:24 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> Quick Mode I1 message is unacceptable because it uses a previously used 
> Message ID 0x5913d71e (perhaps this is a duplicated packet)
> May 21 09:53:24 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
> May 21 09:53:29 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x818764bf) not found (maybe 
> expired)
> May 21 09:53:59 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: 
> received Delete SA payload: deleting ISAKMP State #1
> May 21 09:53:59 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276: 
> deleting connection "cisco-vpn" instance with peer 192.168.3.53 
> {isakmp=#0/ipsec=#0}
> May 21 09:53:59 vpn6-test pluto[31904]: lease 192.168.120.129 by 'C=LU, 
> ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, 
> [email protected]' went offline
>
>
>
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users


-- 
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
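Andreas's diagnosis rests on the traffic selectors embedded in pluto's "no connection is known for" message: the Cisco client proposes 0.0.0.0/0 behind the gateway, and no conn on the gateway offers a leftsubnet that covers it. As an added example (not part of this thread and not strongSwan's own tooling), the following Python script parses that log line, extracts the selectors the peer asked for, and checks them against a configured leftsubnet and rightsourceip pool, so the mismatch can be spotted from the log alone. The sample line is reconstructed from the log above with the DNs shortened; the function names and the IPv4-only host:port handling are my own assumptions.

```python
import ipaddress
import re

# Shape of pluto's refusal (strongSwan 4.x IKEv1 daemon), as it appears in
# /var/log/ipsec after "no connection is known for":
#   <leftsubnet>===<lefthost>[<leftid>]...<righthost>[<rightid>]===<rightsubnet>
# The "<subnet>===" / "===<subnet>" parts only appear when the selector is wider
# than the host itself, so both are optional here.  The DNs contain commas and
# '=' signs, so they are captured lazily up to the closing ']'.
_SELECTOR_RE = re.compile(
    r"^(?:(?P<left_subnet>\S+?)===)?(?P<left_host>[^\[\s]+)\[(?P<left_id>.*?)\]"
    r"\.\.\.(?P<right_host>[^\[\s]+)\[(?P<right_id>.*?)\]"
    r"(?:===(?P<right_subnet>\S+))?$"
)
_MARKER = "no connection is known for "

# Constructed sample: the refusal from the thread above, re-joined onto one line
# with the DNs shortened (the real DNs also carry ST=, L=, OU= and an e-mail).
SAMPLE_LINE = (
    'May 21 09:53:09 vpn6-test pluto[31904]: "cisco-vpn"[2] 192.168.3.53:53276 #1: '
    "cannot respond to IPsec SA request because no connection is known for "
    "0.0.0.0/0===192.168.1.13[C=LU, O=Fondation RESTENA, CN=vpn6-pub.restena.lu]"
    "...192.168.3.53:53276[C=LU, O=Fondation RESTENA, CN=Group_xyz]"
    "===192.168.120.129/32"
)


def parse_sa_request(line):
    """Return the selectors the peer asked for, or None for any other log line."""
    idx = line.find(_MARKER)
    if idx < 0:
        return None
    m = _SELECTOR_RE.match(line[idx + len(_MARKER):].strip())
    if not m:
        return None
    d = m.groupdict()
    # Fall back to the bare host when pluto printed no explicit subnet.
    d["left_subnet"] = d["left_subnet"] or d["left_host"]
    d["right_subnet"] = d["right_subnet"] or d["right_host"]
    return d


def _as_network(text):
    """ip_network() for an IPv4 address, an IPv4 'addr:port' or a CIDR string."""
    if "/" not in text and text.count(":") == 1:  # IPv4 host with ISAKMP port
        text = text.split(":")[0]
    return ipaddress.ip_network(text, strict=False)  # bare host becomes /32


def check_selectors(parsed, leftsubnet, rightsourceip):
    """Compare the requested selectors with what the gateway's conn offers.

    leftsubnet / rightsourceip are the ipsec.conf values (with no leftsubnet
    set, pluto only knows the gateway address itself).  Returns a list of
    findings; an empty list means the Quick Mode proposal would have matched."""
    findings = []
    want_left, have_left = _as_network(parsed["left_subnet"]), _as_network(leftsubnet)
    if not want_left.subnet_of(have_left):
        findings.append(
            f"peer wants {want_left} behind the gateway but the conn only offers "
            f"{have_left}: set leftsubnet={want_left} (client does not split-tunnel)"
        )
    want_right, pool = _as_network(parsed["right_subnet"]), _as_network(rightsourceip)
    if not want_right.subnet_of(pool):
        findings.append(f"peer selector {want_right} lies outside the rightsourceip pool {pool}")
    return findings


if __name__ == "__main__":
    sel = parse_sa_request(SAMPLE_LINE)
    # Before the fix: no leftsubnet, so the conn only offers the gateway host.
    for finding in check_selectors(sel, "192.168.1.13", "192.168.120.128/25"):
        print("FINDING:", finding)
    # After the fix from the thread: leftsubnet=0.0.0.0/0
    print("after fix:", check_selectors(sel, "0.0.0.0/0", "192.168.120.128/25") or "no findings")
```

Run it against the raw log after re-joining pluto's wrapped lines (syslog breaks the message at the width shown above), or feed each line through `parse_sa_request` and ignore the `None` results; the second check confirms that the virtual IP handed out by ModeCfg actually falls inside the rightsourceip pool, which is the other selector that has to match before pluto will answer Quick Mode.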
