Hello Jürgen, I assume that you want to do certificate-based authentication but you seem to have a lot of things misconfigured. Could you send your ipsec.conf file?
Regards
Andreas

On 12/18/2010 12:33 PM, Jürgen Hoffmann wrote:
> Hi All,
>
> I am trying to connect my strongswan 4.2.5 Ubuntu Installation to a new Juniper SSG5 from a contractor. But I keep getting the following in the logs. What am I doing wrong?
>
> Dec 18 12:18:04 gate2 pluto[6960]: Starting Pluto (strongSwan Version 4.2.5 THREADS VENDORID)
> Dec 18 12:18:04 gate2 pluto[6960]: including NAT-Traversal patch (Version 0.6c) [disabled]
> Dec 18 12:18:04 gate2 pluto[6960]: | xauth module: using default get_secret() function
> Dec 18 12:18:04 gate2 pluto[6960]: | xauth module: using default verify_secret() function
> Dec 18 12:18:04 gate2 pluto[6960]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_AES_CBC encryption: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_BLOWFISH_CBC encryption: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_SERPENT_CBC encryption: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_SHA2_256 hash: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_SHA2_384 hash: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_SHA2_512 hash: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_TWOFISH_CBC encryption: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: ike_alg: Activating OAKLEY_TWOFISH_CBC_SSH encryption: Ok
> Dec 18 12:18:04 gate2 pluto[6960]: Testing registered IKE encryption algorithms:
> Dec 18 12:18:04 gate2 pluto[6960]: OAKLEY_BLOWFISH_CBC self-test not available
> Dec 18 12:18:04 gate2 pluto[6960]: OAKLEY_3DES_CBC self-test not available
> Dec 18 12:18:04 gate2 pluto[6960]: OAKLEY_AES_CBC self-test not available
> Dec 18 12:18:04 gate2 pluto[6960]: OAKLEY_SERPENT_CBC self-test not available
> Dec 18 12:18:04 gate2 pluto[6960]: OAKLEY_TWOFISH_CBC self-test not available
> Dec 18 12:18:04 gate2 pluto[6960]: OAKLEY_TWOFISH_CBC_SSH self-test not available
> Dec 18 12:18:04 gate2 pluto[6960]: Testing registered IKE hash algorithms:
> Dec 18 12:18:04 gate2 pluto[6960]: OAKLEY_MD5 hash self-test passed
> Dec 18 12:18:04 gate2 pluto[6960]: OAKLEY_MD5 hmac self-test passed
> Dec 18 12:18:04 gate2 pluto[6960]: OAKLEY_SHA hash self-test passed
> Dec 18 12:18:04 gate2 pluto[6960]: OAKLEY_SHA hmac self-test passed
> Dec 18 12:18:04 gate2 pluto[6960]: OAKLEY_SHA2_256 hash self-test passed
> Dec 18 12:18:05 gate2 pluto[6960]: OAKLEY_SHA2_256 hmac self-test passed
> Dec 18 12:18:05 gate2 pluto[6960]: OAKLEY_SHA2_384 hash self-test passed
> Dec 18 12:18:05 gate2 pluto[6960]: OAKLEY_SHA2_384 hmac self-test passed
> Dec 18 12:18:05 gate2 pluto[6960]: OAKLEY_SHA2_512 hash self-test passed
> Dec 18 12:18:05 gate2 pluto[6960]: OAKLEY_SHA2_512 hmac self-test passed
> Dec 18 12:18:05 gate2 pluto[6960]: All crypto self-tests passed
> Dec 18 12:18:05 gate2 pluto[6960]: Using Linux 2.6 IPsec interface code
> Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/cacerts'
> Dec 18 12:18:06 gate2 pluto[6960]: loaded CA cert file 'strongswanKey.pem' (1743 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]: no passphrase available
> Dec 18 12:18:06 gate2 pluto[6960]: loaded CA cert file 'strongswanCert.pem' (1919 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]: | authcert inserted
> Dec 18 12:18:06 gate2 pluto[6960]: loaded CA cert file 'serial.old' (17 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]: file coded in unknown format, discarded
> Dec 18 12:18:06 gate2 pluto[6960]: loaded CA cert file 'serial' (17 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]: file coded in unknown format, discarded
> Dec 18 12:18:06 gate2 pluto[6960]: loaded CA cert file 'index.txt.old' (191 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]: file coded in unknown format, discarded
> Dec 18 12:18:06 gate2 pluto[6960]: loaded CA cert file 'index.txt.attr.old' (21 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]: file coded in unknown format, discarded
> Dec 18 12:18:06 gate2 pluto[6960]: loaded CA cert file 'index.txt.attr' (21 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]: file coded in unknown format, discarded
> Dec 18 12:18:06 gate2 pluto[6960]: loaded CA cert file 'index.txt' (359 bytes)
> Dec 18 12:18:06 gate2 pluto[6960]: file coded in unknown format, discarded
> Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/aacerts'
> Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/ocspcerts'
> Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/crls'
> Dec 18 12:18:06 gate2 pluto[6960]: Changing to directory '/usr/local/strongswan/etc/ipsec.d/acerts'
> Dec 18 12:18:06 gate2 pluto[6960]: | inserting event EVENT_LOG_DAILY, timeout in 42114 seconds
> Dec 18 12:18:06 gate2 pluto[6960]: | next event EVENT_REINIT_SECRET in 3598 seconds
> Dec 18 12:18:06 gate2 pluto[6960]: |
> Dec 18 12:18:06 gate2 pluto[6960]: | *received whack message
> Dec 18 12:18:06 gate2 pluto[6960]: listening for IKE messages
> Dec 18 12:18:06 gate2 pluto[6960]: | found lo with address 127.0.0.1
> Dec 18 12:18:06 gate2 pluto[6960]: | found eth1 with address 30.83.252.204
> Dec 18 12:18:06 gate2 pluto[6960]: | found eth1:1 with address 30.83.252.231
> Dec 18 12:18:06 gate2 pluto[6960]: | found eth1:2 with address 30.83.252.232
> Dec 18 12:18:07 gate2 pluto[6960]: | found eth1:3 with address 30.83.252.206
> Dec 18 12:18:07 gate2 pluto[6960]: | found eth1:4 with address 30.83.252.207
> Dec 18 12:18:07 gate2 pluto[6960]: | found eth3 with address 172.20.50.1
> Dec 18 12:18:07 gate2 pluto[6960]: | found vlan2 with address 172.20.40.254
> Dec 18 12:18:07 gate2 pluto[6960]: | found vlan3 with address 172.20.20.254
> Dec 18 12:18:07 gate2 pluto[6960]: | found vlan4 with address 172.20.10.254
> Dec 18 12:18:07 gate2 pluto[6960]: | found vlan5 with address 172.20.30.254
> Dec 18 12:18:07 gate2 pluto[6960]: | found vlan6 with address 192.168.2.254
> Dec 18 12:18:07 gate2 pluto[6960]: | found ppp0 with address 10.0.2.1
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface ppp0/ppp0 10.0.2.1:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan6/vlan6 192.168.2.254:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan5/vlan5 172.20.30.254:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan4/vlan4 172.20.10.254:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan3/vlan3 172.20.20.254:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface vlan2/vlan2 172.20.40.254:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth3/eth3 172.20.50.1:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1:4/eth1:4 30.83.252.207:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1:3/eth1:3 30.83.252.206:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1:2/eth1:2 30.83.252.232:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1:1/eth1:1 30.83.252.231:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface eth1/eth1 30.83.252.204:500
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface lo/lo 127.0.0.1:500
> Dec 18 12:18:07 gate2 pluto[6960]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
> Dec 18 12:18:07 gate2 pluto[6960]: adding interface lo/lo ::1:500
> Dec 18 12:18:07 gate2 pluto[6960]: loading secrets from "/usr/local/strongswan/etc/ipsec.secrets"
> Dec 18 12:18:07 gate2 pluto[6960]: loaded shared key for @lw.xxx.de @hq.xxx.de
> Dec 18 12:18:07 gate2 pluto[6960]: loaded shared key for @hq.xxx.de @lw.xxx.de
> Dec 18 12:18:07 gate2 pluto[6960]: | next event EVENT_REINIT_SECRET in 3597 seconds
> Dec 18 12:18:07 gate2 pluto[6960]: |
> Dec 18 12:18:07 gate2 pluto[6960]: | *received whack message
> Dec 18 12:18:08 gate2 pluto[6960]: | from whack: got --esp=aes128-sha
> Dec 18 12:18:08 gate2 pluto[6960]: | esp string values: 12_128-2,
> Dec 18 12:18:08 gate2 pluto[6960]: | from whack: got --ike=aes128-sha-modp1024
> Dec 18 12:18:08 gate2 pluto[6960]: | ike string values: 7_128-2-2,
> Dec 18 12:18:08 gate2 pluto[6960]: added connection description "net-net"
> Dec 18 12:18:08 gate2 pluto[6960]: | 172.20.0.0/[email protected]]...2.195.78.10[@hq.xxx.de]===192.168.0.0/16
> Dec 18 12:18:08 gate2 pluto[6960]: | ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+PFS
> Dec 18 12:18:08 gate2 pluto[6960]: | next event EVENT_REINIT_SECRET in 3597 seconds
> Dec 18 12:18:08 gate2 pluto[6960]: |
> Dec 18 12:18:08 gate2 pluto[6960]: | *received 192 bytes from 2.195.78.10:500 on eth1
> Dec 18 12:18:08 gate2 pluto[6960]: packet from 2.195.78.10:500: ignoring Vendor ID payload [651ececd748d24be685a79d5f463722820f672df0000001300000614]
> Dec 18 12:18:08 gate2 pluto[6960]: packet from 2.195.78.10:500: received Vendor ID payload [Dead Peer Detection]
> Dec 18 12:18:08 gate2 pluto[6960]: packet from 2.195.78.10:500: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
> Dec 18 12:18:08 gate2 pluto[6960]: | preparse_isakmp_policy: peer requests PSK authentication
> Dec 18 12:18:08 gate2 pluto[6960]: | creating state object #1 at 0x8106fc0
> Dec 18 12:18:08 gate2 pluto[6960]: | ICOOKIE: b6 79 4d 82 4f 45 f4 93
> Dec 18 12:18:08 gate2 pluto[6960]: | RCOOKIE: 40 0d af 34 06 a6 96 c8
> Dec 18 12:18:08 gate2 pluto[6960]: | peer: 52 c3 4e 0a
> Dec 18 12:18:08 gate2 pluto[6960]: | state hash entry 30
> Dec 18 12:18:08 gate2 pluto[6960]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
> Dec 18 12:18:08 gate2 pluto[6960]: "net-net" #1: responding to Main Mode
> Dec 18 12:18:08 gate2 pluto[6960]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> Dec 18 12:18:08 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> Dec 18 12:18:08 gate2 pluto[6960]: |
> Dec 18 12:18:08 gate2 pluto[6960]: | *received 196 bytes from 2.195.78.10:500 on eth1
> Dec 18 12:18:08 gate2 pluto[6960]: | ICOOKIE: b6 79 4d 82 4f 45 f4 93
> Dec 18 12:18:08 gate2 pluto[6960]: | RCOOKIE: 40 0d af 34 06 a6 96 c8
> Dec 18 12:18:08 gate2 pluto[6960]: | peer: 52 c3 4e 0a
> Dec 18 12:18:08 gate2 pluto[6960]: | state hash entry 30
> Dec 18 12:18:08 gate2 pluto[6960]: | state object #1 found, in STATE_MAIN_R1
> Dec 18 12:18:09 gate2 pluto[6960]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> Dec 18 12:18:09 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> Dec 18 12:18:09 gate2 pluto[6960]: |
> Dec 18 12:18:09 gate2 pluto[6960]: | *received 68 bytes from 2.195.78.10:500 on eth1
> Dec 18 12:18:09 gate2 pluto[6960]: | ICOOKIE: b6 79 4d 82 4f 45 f4 93
> Dec 18 12:18:09 gate2 pluto[6960]: | RCOOKIE: 40 0d af 34 06 a6 96 c8
> Dec 18 12:18:09 gate2 pluto[6960]: | peer: 52 c3 4e 0a
> Dec 18 12:18:09 gate2 pluto[6960]: | state hash entry 30
> Dec 18 12:18:09 gate2 pluto[6960]: | state object #1 found, in STATE_MAIN_R2
> Dec 18 12:18:09 gate2 pluto[6960]: "net-net" #1: byte 2 of ISAKMP Identification Payload must be zero, but is not
> Dec 18 12:18:09 gate2 pluto[6960]: "net-net" #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> Dec 18 12:18:09 gate2 pluto[6960]: "net-net" #1: sending encrypted notification PAYLOAD_MALFORMED to 2.195.78.10:500
> Dec 18 12:18:09 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 9 seconds for #1
> Dec 18 12:18:12 gate2 pluto[6960]: |
> Dec 18 12:18:12 gate2 pluto[6960]: | *received 68 bytes from 2.195.78.10:500 on eth1
> Dec 18 12:18:12 gate2 pluto[6960]: | ICOOKIE: b6 79 4d 82 4f 45 f4 93
> Dec 18 12:18:12 gate2 pluto[6960]: | RCOOKIE: 40 0d af 34 06 a6 96 c8
> Dec 18 12:18:13 gate2 pluto[6960]: | peer: 52 c3 4e 0a
> Dec 18 12:18:13 gate2 pluto[6960]: | state hash entry 30
> Dec 18 12:18:13 gate2 pluto[6960]: | state object #1 found, in STATE_MAIN_R2
> Dec 18 12:18:13 gate2 pluto[6960]: "net-net" #1: byte 2 of ISAKMP Identification Payload must be zero, but is not
> Dec 18 12:18:13 gate2 pluto[6960]: "net-net" #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> Dec 18 12:18:13 gate2 pluto[6960]: "net-net" #1: sending encrypted notification PAYLOAD_MALFORMED to 2.195.78.10:500
> Dec 18 12:18:13 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 6 seconds for #1
> Dec 18 12:18:16 gate2 pluto[6960]: |
> Dec 18 12:18:16 gate2 pluto[6960]: | *received 68 bytes from 2.195.78.10:500 on eth1
> Dec 18 12:18:16 gate2 pluto[6960]: | ICOOKIE: b6 79 4d 82 4f 45 f4 93
> Dec 18 12:18:17 gate2 pluto[6960]: | RCOOKIE: 40 0d af 34 06 a6 96 c8
> Dec 18 12:18:17 gate2 pluto[6960]: | peer: 52 c3 4e 0a
> Dec 18 12:18:17 gate2 pluto[6960]: | state hash entry 30
> Dec 18 12:18:17 gate2 pluto[6960]: | state object #1 found, in STATE_MAIN_R2
> Dec 18 12:18:17 gate2 pluto[6960]: "net-net" #1: byte 2 of ISAKMP Identification Payload must be zero, but is not
> Dec 18 12:18:17 gate2 pluto[6960]: "net-net" #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> Dec 18 12:18:17 gate2 pluto[6960]: "net-net" #1: sending encrypted notification PAYLOAD_MALFORMED to 2.195.78.10:500
> Dec 18 12:18:17 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 2 seconds for #1
> Dec 18 12:18:18 gate2 pluto[6960]: |
> Dec 18 12:18:18 gate2 pluto[6960]: | *time to handle event
> Dec 18 12:18:18 gate2 pluto[6960]: | event after this is EVENT_REINIT_SECRET in 3586 seconds
> Dec 18 12:18:19 gate2 pluto[6960]: | handling event EVENT_RETRANSMIT for 2.195.78.10 "net-net" #1
> Dec 18 12:18:19 gate2 pluto[6960]: | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
> Dec 18 12:18:19 gate2 pluto[6960]: | next event EVENT_RETRANSMIT in 20 seconds for #1
>
> Any help is highly appreciated
>
> Kind regards
>
> Juergen Hoffmann

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
