Hi all,

I used strongSwan as the GW and the Cisco VPN client (not AnyConnect) on Windows 7 to test interoperability using RSA authentication. After entering the username/password at the client's XAuth prompt, I get the error "Unable to validate the responder ID, ID=10.3.1.0/255.255.255.0 Protocol=0 port=0, the peer sent" from the Cisco client.
The config of the GW:

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=5
    mobike=no
    keyexchange=ike
    #dpdaction=clear
    #dpddelay=2s

include /etc/ipsec.cert.conf

# cat ipsec.cert.conf
conn cert
    type=tunnel
    auto=add
    esp=aes128-sha1!
    ike=aes128-sha1-modp1024!
    left=192.168.11.55
    right=%any
    leftauth=pubkey
    rightauth=pubkey
    rightauth2=xauth
    leftsubnet=10.3.1.0/24
    rightid=%any
    rightsourceip=10.3.0.0/28
    leftcert=cert.pem

# cisco vpn client log:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600

374 18:08:23.093 07/15/15 Sev=Info/6 CERT/0x63600026 Attempting to find a Certificate using Serial Hash.
375 18:08:23.123 07/15/15 Sev=Info/4 CM/0x63100002 Begin connection process
376 18:08:23.093 07/15/15 Sev=Info/6 CERT/0x63600027 Found a Certificate using Serial Hash.
377 18:08:23.139 07/15/15 Sev=Info/4 CM/0x63100004 Establish secure connection
378 18:08:23.096 07/15/15 Sev=Info/6 CERT/0x63600026 Attempting to find a Certificate using Serial Hash.
379 18:08:23.139 07/15/15 Sev=Info/4 CM/0x63100024 Attempt connection with server "192.168.11.55"
380 18:08:23.097 07/15/15 Sev=Info/6 CERT/0x63600027 Found a Certificate using Serial Hash.
381 18:08:23.143 07/15/15 Sev=Info/6 IKE/0x6300003B Attempting to establish a connection with 192.168.11.55.
382 18:08:23.101 07/15/15 Sev=Info/6 CERT/0x63600026 Attempting to find a Certificate using Serial Hash.
383 18:08:23.154 07/15/15 Sev=Info/6 CERT/0x63600026 Attempting to find a Certificate using Serial Hash.
384 18:08:23.101 07/15/15 Sev=Info/6 CERT/0x63600027 Found a Certificate using Serial Hash.
385 18:08:23.155 07/15/15 Sev=Info/6 CERT/0x63600027 Found a Certificate using Serial Hash.
386 18:08:23.120 07/15/15 Sev=Info/4 CERT/0x63600015 Cert (cn=vpn3,ou=Dev,o=IBM,st=CA,c=US) verification succeeded.
387 18:08:23.167 07/15/15 Sev=Info/4 IKE/0x63000001 Starting IKE Phase 1 Negotiation
388 18:08:23.167 07/15/15 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.168.11.55
389 18:08:23.169 07/15/15 Sev=Info/4 IPSEC/0x63700008 IPSec driver successfully started
390 18:08:23.170 07/15/15 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
391 18:08:23.170 07/15/15 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.168.11.55
392 18:08:23.170 07/15/15 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Unity), VID(Nat-T)) from 192.168.11.55
393 18:08:23.178 07/15/15 Sev=Info/5 IKE/0x63000001 Peer supports XAUTH
394 18:08:23.178 07/15/15 Sev=Info/5 IKE/0x63000001 Peer supports DPD
395 18:08:23.178 07/15/15 Sev=Info/5 IKE/0x63000001 Peer is a Cisco-Unity compliant peer
396 18:08:23.178 07/15/15 Sev=Info/5 IKE/0x63000001 Peer supports NAT-T
397 18:08:23.178 07/15/15 Sev=Info/6 IKE/0x63000001 IOS Vendor ID Contruction successful
398 18:08:23.178 07/15/15 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID(?), VID(Unity)) to 192.168.11.55
399 18:08:23.183 07/15/15 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.168.11.55
400 18:08:23.183 07/15/15 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, NAT-D, NAT-D) from 192.168.11.55
401 18:08:23.239 07/15/15 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 192.168.11.55
402 18:08:23.243 07/15/15 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.168.11.55
403 18:08:23.243 07/15/15 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from 192.168.11.55
404 18:08:23.249 07/15/15 Sev=Info/4 CERT/0x63600015 Cert (cn=vpn4,ou=Dev,o=IBM,st=CA,c=US) verification succeeded.
405 18:08:23.250 07/15/15 Sev=Info/4 IKE/0x63000083 IKE Port in use - Local Port = 0xE900, Remote Port = 0x01F4
406 18:08:23.250 07/15/15 Sev=Info/5 IKE/0x63000072 Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
407 18:08:23.250 07/15/15 Sev=Info/4 CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
408 18:08:23.250 07/15/15 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.168.11.55
409 18:08:23.250 07/15/15 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.11.55
410 18:08:23.250 07/15/15 Sev=Info/4 CM/0x63100015 Launch xAuth application
411 18:08:25.250 07/15/15 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.168.11.55
412 18:08:25.251 07/15/15 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 192.168.11.55
413 18:08:27.257 07/15/15 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.168.11.55
414 18:08:27.257 07/15/15 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 192.168.11.55
415 18:08:29.258 07/15/15 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.168.11.55
416 18:08:29.258 07/15/15 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 192.168.11.55
417 18:08:30.056 07/15/15 Sev=Info/4 CM/0x63100017 xAuth application returned
418 18:08:30.056 07/15/15 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.11.55
419 18:08:30.094 07/15/15 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.168.11.55
420 18:08:30.094 07/15/15 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.11.55
421 18:08:30.094 07/15/15 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.11.55
422 18:08:30.094 07/15/15 Sev=Info/4 CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
423 18:08:30.097 07/15/15 Sev=Info/5 IKE/0x6300005E Client sending a firewall request to concentrator
424 18:08:30.097 07/15/15 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.11.55
425 18:08:30.098 07/15/15 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.168.11.55
426 18:08:30.098 07/15/15 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.11.55
427 18:08:30.098 07/15/15 Sev=Info/5 IKE/0x63000010 MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.3.0.1
428 18:08:30.099 07/15/15 Sev=Info/4 CM/0x63100019 Mode Config data received
429 18:08:30.125 07/15/15 Sev=Info/4 IKE/0x63000056 Received a key request from Driver: Local IP = 10.3.0.1, GW IP = 192.168.11.55, Remote IP = 0.0.0.0
430 18:08:30.126 07/15/15 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.168.11.55
431 18:08:30.128 07/15/15 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.168.11.55
432 18:08:30.128 07/15/15 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID) from 192.168.11.55
433 18:08:30.128 07/15/15 Sev=Warning/3 IKE/0xE3000060 Unable to validate the responder ID, ID=10.3.1.0/255.255.255.0 Protocol=0 port=0, the peer sent
434 18:08:30.128 07/15/15 Sev=Warning/2 IKE/0xE300009B Failed to process ID payload (MsgHandler:681)
435 18:08:30.128 07/15/15 Sev=Warning/2 IKE/0xE300009B Failed to process QM Msg 2 (NavigatorQM:455)
436 18:08:30.128 07/15/15 Sev=Warning/2 IKE/0xE30000A7 Unexpected SW error occurred while processing Quick Mode negotiator:(Navigator:2263)
437 18:08:30.128 07/15/15 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.168.11.55
438 18:08:30.128 07/15/15 Sev=Info/4 IKE/0x63000049 Discarding IPsec SA negotiation, MsgID=A8BAAF56
439 18:08:30.233 07/15/15 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
440 18:08:40.373 07/15/15 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 192.168.11.55
441 18:08:40.374 07/15/15 Sev=Info/6 IKE/0x6300003D Sending DPD request to 192.168.11.55, our seq# = 234858457
442 18:08:40.375 07/15/15 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.168.11.55
443 18:08:40.375 07/15/15 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 192.168.11.55
444 18:08:40.375 07/15/15 Sev=Info/5 IKE/0x63000040 Received DPD ACK from 192.168.11.55, seq# received = 234858457, seq# expected = 234858457
445 18:08:50.513 07/15/15 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 192.168.11.55
446 18:08:50.514 07/15/15 Sev=Info/6 IKE/0x6300003D Sending DPD request to 192.168.11.55, our seq# = 234858458
447 18:08:50.515 07/15/15 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.168.11.55
448 18:08:50.515 07/15/15 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 192.168.11.55
449 18:08:50.515 07/15/15 Sev=Info/5 IKE/0x63000040 Received DPD ACK from 192.168.11.55, seq# received = 234858458, seq# expected = 234858458
450 18:09:00.160 07/15/15 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=9E9978E0D95B4917 R_Cookie=613A22AF838F7C54) reason = DEL_REASON_PEER_NOT_RESPONDING
451 18:09:00.160 07/15/15 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.168.11.55
452 18:09:01.168 07/15/15 Sev=Info/4 IKE/0x6300004B Discarding IKE SA negotiation (I_Cookie=9E9978E0D95B4917 R_Cookie=613A22AF838F7C54) reason = DEL_REASON_PEER_NOT_RESPONDING
453 18:09:01.168 07/15/15 Sev=Info/4 CM/0x63100012 Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_PEER_NOT_RESPONDING". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
454 18:09:01.168 07/15/15 Sev=Info/5 CM/0x63100025 Initializing CVPNDrv
455 18:09:01.172 07/15/15 Sev=Info/6 CM/0x63100046 Set tunnel established flag in registry to 0.
456 18:09:01.172 07/15/15 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection
457 18:09:01.177 07/15/15 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
458 18:09:01.177 07/15/15 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
459 18:09:01.178 07/15/15 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
460 18:09:01.178 07/15/15 Sev=Info/4 IPSEC/0x6370000A IPSec driver successfully stopped

The strongSwan log:
# cat /var/log/charon.log
18:24:19 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-220.17.1.142.bos_dove_72.x86_64.VPN-APP-S5_SN_DOVE, x86_64)
18:24:19 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
18:24:19 00[CFG] loaded ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1" from '/etc/ipsec.d/cacerts/ca.pem'
18:24:19 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
18:24:19 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such file or directory
18:24:19 00[CFG] reading directory failed
18:24:19 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
18:24:19 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No such file or directory
18:24:19 00[CFG] reading directory failed
18:24:19 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
18:24:19 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such file or directory
18:24:19 00[CFG] reading directory failed
18:24:19 00[CFG] loading crls from '/etc/ipsec.d/crls'
18:24:19 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such file or directory
18:24:19 00[CFG] reading directory failed
18:24:19 00[CFG] loading secrets from '/etc/ipsec.secrets'
18:24:19 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/key.pem'
18:24:19 00[CFG] loaded 1 RADIUS server configuration
18:24:19 00[LIB] loaded plugins: charon aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce xauth-pam x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-identity eap-radius updown
18:24:19 00[LIB] unable to load 12 plugin features (12 due to unmet dependencies)
18:24:19 00[JOB] spawning 16 worker threads
18:24:19 06[CFG] received stroke: add connection 'cert'
18:24:19 06[CFG] adding virtual IP address pool 10.3.0.0/28
18:24:19 06[CFG] loaded certificate "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn4" from 'cert.pem'
18:24:19 06[CFG] added configuration 'cert'
18:24:34 08[NET] received packet: from 192.168.11.4[59640] to 192.168.11.55[500] (1160 bytes)
18:24:34 08[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
18:24:34 08[IKE] received XAuth vendor ID
18:24:34 08[IKE] received DPD vendor ID
18:24:34 08[IKE] received FRAGMENTATION vendor ID
18:24:34 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
18:24:34 08[IKE] received Cisco Unity vendor ID
18:24:34 08[IKE] 192.168.11.4 is initiating a Main Mode IKE_SA
18:24:34 08[ENC] generating ID_PROT response 0 [ SA V V V V ]
18:24:34 08[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59640] (160 bytes)
18:24:34 09[NET] received packet: from 192.168.11.4[59640] to 192.168.11.55[500] (288 bytes)
18:24:34 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D V V ]
18:24:34 09[ENC] received unknown vendor ID: 20:7f:78:d5:92:7b:32:88:21:6d:a6:10:54:6b:75:e5
18:24:34 09[IKE] received Cisco Unity vendor ID
18:24:34 09[IKE] sending cert request for "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1"
18:24:34 09[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
18:24:34 09[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59640] (333 bytes)
18:24:35 10[NET] received packet: from 192.168.11.4[59640] to 192.168.11.55[500] (1692 bytes)
18:24:35 10[ENC] parsed ID_PROT request 0 [ ID CERT CERTREQ SIG N(INITIAL_CONTACT) ]
18:24:35 10[IKE] received cert request for 'C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1'
18:24:35 10[IKE] received end entity cert "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
18:24:35 10[CFG] looking for XAuthInitRSA peer configs matching 192.168.11.55...192.168.11.4 [C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
18:24:35 10[CFG] selected peer config "cert"
18:24:35 10[CFG] using certificate "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
18:24:35 10[CFG] using trusted ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1"
18:24:35 10[CFG] checking certificate status of "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
18:24:35 10[CFG] certificate status is not available
18:24:35 10[CFG] reached self-signed root ca with a path length of 0
18:24:35 10[IKE] authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3' with RSA successful
18:24:35 10[IKE] authentication of '192.168.11.55' (myself) successful
18:24:35 10[IKE] sending end entity cert "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn4"
18:24:35 10[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
18:24:35 10[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59640] (1516 bytes)
18:24:35 10[ENC] generating TRANSACTION request 1437880664 [ HASH CPRQ(X_USER X_PWD) ]
18:24:35 10[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59640] (76 bytes)
18:24:37 11[IKE] sending retransmit 1 of request message ID 1437880664, seq 1
18:24:37 11[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59640] (76 bytes)
18:24:39 12[IKE] sending retransmit 2 of request message ID 1437880664, seq 1
18:24:39 12[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59640] (76 bytes)
18:24:41 13[IKE] sending retransmit 3 of request message ID 1437880664, seq 1
18:24:41 13[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59640] (76 bytes)
18:24:43 14[IKE] sending retransmit 4 of request message ID 1437880664, seq 1
18:24:43 14[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59640] (76 bytes)
18:24:45 15[IKE] sending retransmit 5 of request message ID 1437880664, seq 1
18:24:45 15[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59640] (76 bytes)
18:24:47 16[IKE] giving up after 5 retransmits
----- failed retry -----
18:24:47 16[IKE] peer not responding, trying again (2/5)
18:24:47 16[IKE] initiating Main Mode IKE_SA cert[1] to %any
18:24:47 16[ENC] generating ID_PROT request 0 [ SA V V V V V ]
18:24:47 16[NET] sending packet: from 192.168.11.55[500] to 0.0.0.0[500] (176 bytes)
18:24:47 05[NET] received packet: from 192.168.11.55[500] to 192.168.11.55[500] (176 bytes)
18:24:47 05[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
18:24:47 05[IKE] received XAuth vendor ID
18:24:47 05[IKE] received DPD vendor ID
18:24:47 05[IKE] received Cisco Unity vendor ID
18:24:47 05[IKE] received NAT-T (RFC 3947) vendor ID
18:24:47 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
18:24:47 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
18:24:47 05[NET] sending packet: from 192.168.11.55[500] to 192.168.11.55[500] (244 bytes)
18:24:47 07[NET] received packet: from 192.168.11.55[500] to 192.168.11.55[500] (244 bytes)
18:24:47 07[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
18:24:47 07[IKE] sending cert request for "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1"
18:24:47 07[IKE] authentication of '192.168.11.55' (myself) successful
18:24:47 07[IKE] sending end entity cert "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn4"
18:24:47 07[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ ]
18:24:47 07[NET] sending packet: from 192.168.11.55[500] to 192.168.11.55[500] (1612 bytes)
18:24:47 06[NET] received packet: from 192.168.11.55[500] to 192.168.11.55[500] (1612 bytes)
18:24:47 06[ENC] invalid ID_V1 payload length, decryption failed?
18:24:47 06[ENC] could not decrypt payloads
18:24:47 06[IKE] message parsing failed
18:24:47 06[ENC] generating INFORMATIONAL_V1 request 1677057335 [ HASH N(PLD_MAL) ]
18:24:47 06[NET] sending packet: from 192.168.11.55[500] to 192.168.11.55[500] (76 bytes)
18:24:47 06[IKE] ID_PROT response with message ID 0 processing failed
18:24:47 08[NET] received packet: from 192.168.11.55[500] to 192.168.11.55[500] (76 bytes)
18:24:47 08[ENC] parsed INFORMATIONAL_V1 request 1677057335 [ HASH N(PLD_MAL) ]
18:24:47 08[IKE] received PAYLOAD_MALFORMED error notify
18:27:42 15[NET] received packet: from 192.168.11.4[59648] to 192.168.11.55[500] (1160 bytes)
18:27:42 15[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
18:27:42 15[IKE] received XAuth vendor ID
18:27:42 15[IKE] received DPD vendor ID
18:27:42 15[IKE] received FRAGMENTATION vendor ID
18:27:42 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
18:27:42 15[IKE] received Cisco Unity vendor ID
18:27:42 15[IKE] 192.168.11.4 is initiating a Main Mode IKE_SA
18:27:42 15[ENC] generating ID_PROT response 0 [ SA V V V V ]
18:27:42 15[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59648] (160 bytes)
18:27:42 16[NET] received packet: from 192.168.11.4[59648] to 192.168.11.55[500] (288 bytes)
18:27:42 16[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D V V ]
18:27:42 16[ENC] received unknown vendor ID: 6b:5e:df:fd:d9:5a:49:17:3b:24:e1:32:64:cc:c0:e7
18:27:42 16[IKE] received Cisco Unity vendor ID
18:27:42 16[IKE] sending cert request for "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1"
18:27:42 16[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
18:27:42 16[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59648] (333 bytes)
18:27:42 05[NET] received packet: from 192.168.11.4[59648] to 192.168.11.55[500] (1692 bytes)
18:27:42 05[ENC] parsed ID_PROT request 0 [ ID CERT CERTREQ SIG N(INITIAL_CONTACT) ]
18:27:42 05[IKE] received cert request for 'C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1'
18:27:42 05[IKE] received end entity cert "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
18:27:42 05[CFG] looking for XAuthInitRSA peer configs matching 192.168.11.55...192.168.11.4 [C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
18:27:42 05[CFG] selected peer config "cert"
18:27:42 05[CFG] using certificate "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
18:27:42 05[CFG] using trusted ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1"
18:27:42 05[CFG] checking certificate status of "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
18:27:42 05[CFG] certificate status is not available
18:27:42 05[CFG] reached self-signed root ca with a path length of 0
18:27:42 05[IKE] authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3' with RSA successful
18:27:42 05[IKE] authentication of '192.168.11.55' (myself) successful
18:27:42 05[IKE] sending end entity cert "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn4"
18:27:42 05[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
18:27:42 05[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59648] (1516 bytes)
18:27:42 05[ENC] generating TRANSACTION request 1729591383 [ HASH CPRQ(X_USER X_PWD) ]
18:27:42 05[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59648] (76 bytes)
18:27:44 07[IKE] sending retransmit 1 of request message ID 1729591383, seq 1
18:27:44 07[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59648] (76 bytes)
18:27:46 06[IKE] sending retransmit 2 of request message ID 1729591383, seq 1
18:27:46 06[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59648] (76 bytes)
18:27:48 08[IKE] sending retransmit 3 of request message ID 1729591383, seq 1
18:27:48 08[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59648] (76 bytes)
------- get username/password -----
18:27:49 09[NET] received packet: from 192.168.11.4[59648] to 192.168.11.55[500] (92 bytes)
18:27:49 09[ENC] parsed TRANSACTION response 1729591383 [ HASH CPRP(X_USER X_PWD) ]
18:27:49 09[IKE] PAM authentication of 'admin' successful
18:27:49 09[IKE] XAuth authentication of 'admin' successful
18:27:49 09[ENC] generating TRANSACTION request 2041229808 [ HASH CPS(X_STATUS) ]
18:27:49 09[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59648] (76 bytes)
18:27:49 10[NET] received packet: from 192.168.11.4[59648] to 192.168.11.55[500] (60 bytes)
18:27:49 10[ENC] parsed TRANSACTION response 2041229808 [ HASH CP ]
18:27:49 10[IKE] IKE_SA cert[2] established between 192.168.11.55[192.168.11.55]...192.168.11.4[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
18:27:49 10[IKE] scheduling reauthentication in 3407s
18:27:49 10[IKE] maximum IKE_SA lifetime 3587s
18:27:49 12[NET] received packet: from 192.168.11.4[59648] to 192.168.11.55[500] (204 bytes)
18:27:49 12[ENC] unknown attribute type (28683)
18:27:49 12[ENC] unknown attribute type (28684)
18:27:49 12[ENC] parsed TRANSACTION request 3997764575 [ HASH CPRQ(ADDR MASK DNS NBNS EXP U_BANNER U_SAVEPWD U_DEFDOM U_SPLITINC U_SPLITDNS U_PFS (28683) U_BKPSRV (28684) VER U_FWTYPE U_DDNSHOST U_NATTPORT U_LOCALLAN) ]
18:27:49 12[IKE] peer requested virtual IP %any
18:27:49 12[CFG] assigning new lease to 'admin'
18:27:49 12[IKE] assigning virtual IP 10.3.0.1 to peer 'admin'
18:27:49 12[ENC] generating TRANSACTION response 3997764575 [ HASH CPRP(ADDR) ]
18:27:49 12[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59648] (76 bytes)
18:27:49 13[NET] received packet: from 192.168.11.4[59648] to 192.168.11.55[500] (1036 bytes)
18:27:49 13[ENC] parsed QUICK_MODE request 2830806870 [ HASH SA No ID ID ]
18:27:49 13[IKE] received 2147483s lifetime, configured 1200s
18:27:49 13[ENC] generating QUICK_MODE response 2830806870 [ HASH SA No ID ID ]
---- enter QM, then the client got invalid ID payload ------
18:27:49 13[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59648] (188 bytes)
18:27:49 14[NET] received packet: from 192.168.11.4[59648] to 192.168.11.55[500] (76 bytes)
18:27:49 14[ENC] parsed INFORMATIONAL_V1 request 1748929456 [ HASH D ]
18:27:49 14[IKE] received DELETE for ESP CHILD_SA with SPI 99de1a47
18:27:49 14[IKE] CHILD_SA not found, ignored
18:27:59 07[NET] received packet: from 192.168.11.4[59648] to 192.168.11.55[500] (92 bytes)
18:27:59 07[ENC] parsed INFORMATIONAL_V1 request 2690483197 [ HASH N(DPD) ]
18:27:59 07[ENC] generating INFORMATIONAL_V1 request 846596827 [ HASH N(DPD_ACK) ]
18:27:59 07[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59648] (92 bytes)
18:28:09 06[NET] received packet: from 192.168.11.4[59648] to 192.168.11.55[500] (92 bytes)
18:28:09 06[ENC] parsed INFORMATIONAL_V1 request 741866151 [ HASH N(DPD) ]
18:28:09 06[ENC] generating INFORMATIONAL_V1 request 2693244661 [ HASH N(DPD_ACK) ]
18:28:09 06[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[59648] (92 bytes)
18:28:19 09[NET] received packet: from 192.168.11.4[59648] to 192.168.11.55[500] (92 bytes)
18:28:19 09[ENC] parsed INFORMATIONAL_V1 request 2657653456 [ HASH D ]
18:28:19 09[IKE] received DELETE for IKE_SA cert[2]
18:28:19 09[IKE] deleting IKE_SA cert[2] between 192.168.11.55[192.168.11.55]...192.168.11.4[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
18:28:19 09[CFG] lease 10.3.0.1 by 'admin' went offline
20:16:21 07[NET] received packet: from 192.168.11.4[62110] to 192.168.11.55[500] (1160 bytes)
20:16:21 07[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
20:16:21 07[IKE] received XAuth vendor ID
20:16:21 07[IKE] received DPD vendor ID
20:16:21 07[IKE] received FRAGMENTATION vendor ID
20:16:21 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
20:16:21 07[IKE] received Cisco Unity vendor ID
20:16:21 07[IKE] 192.168.11.4 is initiating a Main Mode IKE_SA
20:16:21 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
20:16:21 07[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[62110] (160 bytes)
20:16:21 06[NET] received packet: from 192.168.11.4[62110] to 192.168.11.55[500] (288 bytes)
20:16:21 06[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D V V ]
20:16:21 06[ENC] received unknown vendor ID: 1b:46:5c:a1:26:50:a7:e7:d8:ff:60:b4:de:86:0f:f7
20:16:21 06[IKE] received Cisco Unity vendor ID
20:16:21 06[IKE] sending cert request for "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1"
20:16:21 06[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
20:16:21 06[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[62110] (333 bytes)
20:16:21 08[NET] received packet: from 192.168.11.4[62110] to 192.168.11.55[500] (1692 bytes)
20:16:21 08[ENC] parsed ID_PROT request 0 [ ID CERT CERTREQ SIG N(INITIAL_CONTACT) ]
20:16:21 08[IKE] received cert request for 'C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1'
20:16:21 08[IKE] received end entity cert "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
20:16:21 08[CFG] looking for XAuthInitRSA peer configs matching 192.168.11.55...192.168.11.4 [C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
20:16:21 08[CFG] selected peer config "cert"
20:16:21 08[CFG] using certificate "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
20:16:21 08[CFG] using trusted ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1"
20:16:21 08[CFG] checking certificate status of "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
20:16:21 08[CFG] certificate status is not available
20:16:21 08[CFG] reached self-signed root ca with a path length of 0
20:16:21 08[IKE] authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3' with RSA successful
20:16:21 08[IKE] authentication of '192.168.11.55' (myself) successful
20:16:21 08[IKE] sending end entity cert "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn4"
20:16:21 08[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
20:16:21 08[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[62110] (1516 bytes)
20:16:21 08[ENC] generating TRANSACTION request 2850616008 [ HASH CPRQ(X_USER X_PWD) ]
20:16:21 08[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[62110] (76 bytes)
20:16:23 09[IKE] sending retransmit 1 of request message ID 2850616008, seq 1
20:16:23 09[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[62110] (76 bytes)
20:16:25 10[IKE] sending retransmit 2 of request message ID 2850616008, seq 1
20:16:25 10[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[62110] (76 bytes)
20:16:26 11[NET] received packet: from 192.168.11.4[62110] to 192.168.11.55[500] (92 bytes)
20:16:26 11[ENC] parsed TRANSACTION response 2850616008 [ HASH CPRP(X_USER X_PWD) ]
20:16:26 11[IKE] PAM authentication of 'admin' successful
20:16:26 11[IKE] XAuth authentication of 'admin' successful
20:16:26 11[ENC] generating TRANSACTION request 588066412 [ HASH CPS(X_STATUS) ]
20:16:26 11[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[62110] (76 bytes)
20:16:26 12[NET] received packet: from 192.168.11.4[62110] to 192.168.11.55[500] (60 bytes)
20:16:26 12[ENC] parsed TRANSACTION response 588066412 [ HASH CP ]
20:16:26 12[IKE] IKE_SA cert[3] established between 192.168.11.55[192.168.11.55]...192.168.11.4[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
20:16:26 12[IKE] scheduling reauthentication in 3273s
20:16:26 12[IKE] maximum IKE_SA lifetime 3453s
20:16:26 14[NET] received packet: from 192.168.11.4[62110] to 192.168.11.55[500] (204 bytes)
20:16:26 14[ENC] unknown attribute type (28683)
20:16:26 14[ENC] unknown attribute type (28684)
20:16:26 14[ENC] parsed TRANSACTION request 2406481829 [ HASH CPRQ(ADDR MASK DNS NBNS EXP U_BANNER U_SAVEPWD U_DEFDOM U_SPLITINC U_SPLITDNS U_PFS (28683) U_BKPSRV (28684) VER U_FWTYPE U_DDNSHOST U_NATTPORT U_LOCALLAN) ]
20:16:26 14[IKE] peer requested virtual IP %any
20:16:26 14[CFG] reassigning offline lease to 'admin'
20:16:26 14[IKE] assigning virtual IP 10.3.0.1 to peer 'admin'
20:16:26 14[ENC] generating TRANSACTION response 2406481829 [ HASH CPRP(ADDR) ]
20:16:26 14[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[62110] (76 bytes)
20:16:26 15[NET] received packet: from 192.168.11.4[62110] to 192.168.11.55[500] (1036 bytes)
20:16:26 15[ENC] parsed QUICK_MODE request 4244192973 [ HASH SA No ID ID ]
20:16:26 15[IKE] received 2147483s lifetime, configured 1200s
20:16:26 15[ENC] generating QUICK_MODE response 4244192973 [ HASH SA No ID ID ]
20:16:26 15[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[62110] (188 bytes)
20:16:26 16[NET] received packet: from 192.168.11.4[62110] to 192.168.11.55[500] (76 bytes)
20:16:26 16[ENC] parsed INFORMATIONAL_V1 request 2557155737 [ HASH D ]
20:16:26 16[IKE] received DELETE for ESP CHILD_SA with SPI f3a12707
20:16:26 16[IKE] CHILD_SA not found, ignored
20:16:36 09[NET] received packet: from 192.168.11.4[62110] to 192.168.11.55[500] (92 bytes)
20:16:36 09[ENC] parsed INFORMATIONAL_V1 request 2004113721 [ HASH N(DPD) ]
20:16:36 09[ENC] generating INFORMATIONAL_V1 request 3836705764 [ HASH N(DPD_ACK) ]
20:16:36 09[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[62110] (92 bytes)
20:16:46 10[NET] received packet: from 192.168.11.4[62110] to 192.168.11.55[500] (92 bytes)
20:16:46 10[ENC] parsed INFORMATIONAL_V1 request 3010810231 [ HASH N(DPD) ]
20:16:46 10[ENC] generating INFORMATIONAL_V1 request 2810321439 [ HASH N(DPD_ACK) ]
20:16:46 10[NET] sending packet: from 192.168.11.55[500] to 192.168.11.4[62110] (92 bytes)

# The question: what does the client expect? What is wrong with the GW config? I did use a subjectAltName with 10.3.1.1 and 192.168.11.55.

Any input is very much appreciated.

Tom
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
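As an added triage script (not from the post, and not strongSwan's or Cisco's code), this parses both log formats shown above, folds the Cisco client's wrapped continuation lines back into their entries, and correlates how far the gateway got (RSA auth, XAuth, mode config, Quick Mode reply) with the responder ID the client refused. The sample lines are short excerpts of the post's two logs; the milestone marker strings and the output field names are assumptions of this script.

```python
import re
from typing import Dict, List, Optional

# Cisco VPN Client 5.x entry: "<seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<Level>/<n> <COMP>/0x<code> <message>"
CISCO_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<level>[A-Za-z]+)/\d\s+(?P<comp>[A-Z]+)/0x(?P<code>[0-9A-Fa-f]+)\s+(?P<msg>.*)$"
)
# strongSwan charon entry: "<hh:mm:ss> <thread>[<group>] <message>"
CHARON_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$")
# The Quick Mode warning the client raised in the post
RESP_ID_RE = re.compile(r"Unable to validate the responder ID, ID=(?P<addr>[\d.]+)/(?P<mask>[\d.]+)")

def parse_log(text: str, pattern: "re.Pattern[str]") -> List[Dict[str, str]]:
    """Split a log into entries; a line that does not start a new entry is a
    continuation of the previous one (the Cisco client wraps some messages)."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        m = pattern.match(line)
        if m:
            entries.append(m.groupdict())
        elif line and entries:
            entries[-1]["msg"] += " " + line
    return entries

def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24; rejects non-contiguous or malformed masks."""
    bits = "".join(f"{int(octet):08b}" for octet in mask.split("."))
    if len(bits) != 32 or "01" in bits:
        raise ValueError(f"invalid netmask: {mask}")
    return bits.count("1")

def find_responder_id_rejection(entries: List[Dict[str, str]]) -> Optional[Dict[str, object]]:
    """The responder ID (traffic selector) the client refused in Quick Mode, or None."""
    for e in entries:
        if e.get("level") != "Warning":
            continue
        m = RESP_ID_RE.search(e["msg"])
        if m:
            return {"seq": e["seq"], "addr": m.group("addr"), "mask": m.group("mask"),
                    "prefix": mask_to_prefix(m.group("mask"))}
    return None

# Milestones as charon logs them for an XAuthInitRSA client, in negotiation order (assumed markers)
PHASE_MARKERS = [
    ("main_mode_rsa_auth", " with RSA successful"),
    ("xauth", "XAuth authentication of"),
    ("ike_sa_established", "] established between "),
    ("virtual_ip_assigned", "assigning virtual IP"),
    ("quick_mode_request", "parsed QUICK_MODE request"),
    ("quick_mode_response", "generating QUICK_MODE response"),
    ("child_sa_deleted_by_peer", "received DELETE for ESP CHILD_SA"),
]

def charon_phases(entries: List[Dict[str, str]]) -> List[str]:
    """Milestones present in a charon log, in the order they first appear."""
    seen: List[str] = []
    for e in entries:
        for name, marker in PHASE_MARKERS:
            if marker in e["msg"] and name not in seen:
                seen.append(name)
    return seen

def diagnose(cisco_text: str, charon_text: str) -> Dict[str, object]:
    """Correlate both sides: how far the gateway got, and which ID the client rejected."""
    rejection = find_responder_id_rejection(parse_log(cisco_text, CISCO_RE))
    phases = charon_phases(parse_log(charon_text, CHARON_RE))
    return {
        "gateway_phases": phases,
        "rejected_responder_id": f"{rejection['addr']}/{rejection['prefix']}" if rejection else None,
        # RSA auth, XAuth and mode config all succeeded and the gateway answered
        # Quick Mode, so the failure is the client refusing the gateway's ID payload.
        "failed_in_quick_mode": rejection is not None and "quick_mode_response" in phases,
    }

# Excerpts of the two logs from the post (constructed subset, original order kept)
CISCO_SAMPLE = """\
407 18:08:23.250 07/15/15 Sev=Info/4 CM/0x6310000E Established Phase 1 SA.
1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
432 18:08:30.128 07/15/15 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID) from 192.168.11.55
433 18:08:30.128 07/15/15 Sev=Warning/3 IKE/0xE3000060 Unable to validate the responder ID, ID=10.3.1.0/255.255.255.0 Protocol=0 port=0, the peer sent
434 18:08:30.128 07/15/15 Sev=Warning/2 IKE/0xE300009B Failed to process ID payload (MsgHandler:681)
"""
CHARON_SAMPLE = """\
18:27:42 05[IKE] authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3' with RSA successful
18:27:49 09[IKE] XAuth authentication of 'admin' successful
18:27:49 10[IKE] IKE_SA cert[2] established between 192.168.11.55[192.168.11.55]...192.168.11.4[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
18:27:49 12[IKE] assigning virtual IP 10.3.0.1 to peer 'admin'
18:27:49 13[ENC] parsed QUICK_MODE request 2830806870 [ HASH SA No ID ID ]
18:27:49 13[ENC] generating QUICK_MODE response 2830806870 [ HASH SA No ID ID ]
18:27:49 14[IKE] received DELETE for ESP CHILD_SA with SPI 99de1a47
"""
```

Running `diagnose(CISCO_SAMPLE, CHARON_SAMPLE)` reports the gateway reaching the Quick Mode reply and the client rejecting the responder ID 10.3.1.0/24, which is the leftsubnet from the config above.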
