Issue #3515

Not able to connect Strongswan client with same network.

Added by Mahesh Dudhani 2 months ago. Updated 2 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.8.4
Resolution:

Description

Hi Team,

strongSwan IPSec PSK XAuth VPN client cannot connect from LAN to data center. Works fine outside our LAN. Check ports 500 and 4500.

Regards
Mahesh Dudhani

History

#1 Updated by Mahesh Dudhani 2 months ago

Please find the below logs.

Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.4, Linux 3.6.5, armv7l)
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 00[LIB] openssl FIPS mode(0) - disabled
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 00[CFG]   loaded IKE secret for %any
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 00[CFG]   loaded EAP secret for @jreddy
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 00[CFG] read 0 triplets from /etc/ipsec.d/triplets.dat
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac drbg curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-sim eap-sim-file eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic led unity counters
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 00[JOB] spawning 7 worker threads
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 05[CFG] received stroke: add connection 'myvpn'
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 05[CFG] added configuration 'myvpn'
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 06[CFG] received stroke: initiate 'myvpn'
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 06[IKE] initiating Main Mode IKE_SA myvpn[1] to xx.xx.xx.xx
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 06[ENC] generating ID_PROT request 0 [ SA V V V V V V V ]
Jul 15 11:20:31 2020 slc0844 SLC-SLB/charon: 06[NET] sending packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500] (216 bytes)
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 05[NET] received packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (124 bytes)
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 05[ENC] parsed ID_PROT response 0 [ SA V V ]
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 05[IKE] received FRAGMENTATION vendor ID
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 05[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 05[NET] sending packet: from yy.yy.yy.yy[500] to xx.xx.xx.xx[500] (244 bytes)
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 07[NET] received packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (304 bytes)
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 07[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 07[IKE] received Cisco Unity vendor ID
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 07[IKE] received XAuth vendor ID
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 07[ENC] received unknown vendor ID: b9:ef:f9:04:07:cf:6a:bf:47:ae:a2:ca:a3:08:d3:b3
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 07[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 07[IKE] local host is behind NAT, sending keep alives
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 07[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 07[NET] sending packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (100 bytes)
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 06[NET] received packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (40 bytes)
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 06[ENC] parsed INFORMATIONAL_V1 request 0 [ N(PLD_MAL) ]
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 06[ENC] ignoring unprotected INFORMATIONAL from xx.xx.xx.xx
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 06[IKE] message verification failed
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 06[IKE] ignore malformed INFORMATIONAL request
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 06[IKE] INFORMATIONAL_V1 request with message ID 0 processing failed
Jul 15 11:20:36 2020 slc0844 SLC-SLB/charon: 07[IKE] sending retransmit 1 of request message ID 0, seq 3
Jul 15 11:20:36 2020 slc0844 SLC-SLB/charon: 07[NET] sending packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (100 bytes)
Jul 15 11:20:36 2020 slc0844 SLC-SLB/charon: 05[NET] received packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (304 bytes)
Jul 15 11:20:36 2020 slc0844 SLC-SLB/charon: 05[IKE] received retransmit of response with ID 0, but next request already sent
Jul 15 11:20:43 2020 slc0844 SLC-SLB/charon: 06[IKE] sending retransmit 2 of request message ID 0, seq 3
Jul 15 11:20:43 2020 slc0844 SLC-SLB/charon: 06[NET] sending packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (100 bytes)
Jul 15 11:20:43 2020 slc0844 SLC-SLB/charon: 07[NET] received packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (304 bytes)
Jul 15 11:20:43 2020 slc0844 SLC-SLB/charon: 07[IKE] received retransmit of response with ID 0, but next request already sent
Jul 15 11:20:51 2020 slc0844 SLC-SLB/charon: 06[NET] received packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (304 bytes)
Jul 15 11:20:51 2020 slc0844 SLC-SLB/charon: 06[IKE] received retransmit of response with ID 0, but next request already sent
Jul 15 11:20:56 2020 slc0844 SLC-SLB/charon: 06[IKE] sending retransmit 3 of request message ID 0, seq 3
Jul 15 11:20:56 2020 slc0844 SLC-SLB/charon: 06[NET] sending packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (100 bytes)
Jul 15 11:20:56 2020 slc0844 SLC-SLB/charon: 06[NET] received packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (84 bytes)
Jul 15 11:20:56 2020 slc0844 SLC-SLB/charon: 06[ENC] invalid HASH_V1 payload length, decryption failed?
Jul 15 11:20:56 2020 slc0844 SLC-SLB/charon: 06[ENC] could not decrypt payloads
Jul 15 11:20:56 2020 slc0844 SLC-SLB/charon: 06[IKE] message parsing failed
Jul 15 11:20:56 2020 slc0844 SLC-SLB/charon: 06[IKE] ignore malformed INFORMATIONAL request
Jul 15 11:20:56 2020 slc0844 SLC-SLB/charon: 06[IKE] INFORMATIONAL_V1 request with message ID 3185332658 processing failed
Jul 15 11:21:16 2020 slc0844 SLC-SLB/charon: 06[IKE] sending keep alive to xx.xx.xx.xx[4500]
Jul 15 11:21:19 2020 slc0844 SLC-SLB/charon: 07[IKE] sending retransmit 4 of request message ID 0, seq 3
Jul 15 11:21:19 2020 slc0844 SLC-SLB/charon: 07[NET] sending packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (100 bytes)
Jul 15 11:21:39 2020 slc0844 SLC-SLB/charon: 05[IKE] sending keep alive to xx.xx.xx.xx[4500]
Jul 15 11:21:59 2020 slc0844 SLC-SLB/charon: 07[IKE] sending keep alive to xx.xx.xx.xx[4500]
Jul 15 11:22:01 2020 slc0844 SLC-SLB/charon: 05[IKE] sending retransmit 5 of request message ID 0, seq 3
Jul 15 11:22:01 2020 slc0844 SLC-SLB/charon: 05[NET] sending packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (100 bytes)
Jul 15 11:22:21 2020 slc0844 SLC-SLB/charon: 06[IKE] sending keep alive to xx.xx.xx.xx[4500]
Jul 15 11:22:41 2020 slc0844 SLC-SLB/charon: 07[IKE] sending keep alive to xx.xx.xx.xx[4500]
Jul 15 11:23:01 2020 slc0844 SLC-SLB/charon: 05[IKE] sending keep alive to xx.xx.xx.xx[4500]
Jul 15 11:23:17 2020 slc0844 SLC-SLB/charon: 06[IKE] giving up after 5 retransmits
Jul 15 11:23:17 2020 slc0844 SLC-SLB/charon: 06[IKE] peer not responding, trying again (2/3)

#2 Updated by Tobias Brunner 2 months ago

  • Status changed from New to Feedback
  • Priority changed from Urgent to Normal

Make sure the PSK is correct (and if the server has multiple available that it selects the correct one).
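Added example, not part of this issue or of strongSwan's code: a small Python triage over constructed log lines in the same charon format as the report above. It picks out the symptoms Tobias' reply points at (the switch to UDP/4500 after NAT detection, the unprotected PLD_MAL notify, the failed decryption and the retransmit count) and also flags the weak IKE proposal (3DES, MODP_1024) the log shows; the verdict rule at the end is a heuristic assumption, not a strongSwan diagnostic.

```python
import re

# Constructed sample in the charon log format of the report (a subset, not the full log).
SAMPLE_LOG = """\
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 05[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 07[IKE] local host is behind NAT, sending keep alives
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 07[NET] sending packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (100 bytes)
Jul 15 11:20:32 2020 slc0844 SLC-SLB/charon: 06[ENC] parsed INFORMATIONAL_V1 request 0 [ N(PLD_MAL) ]
Jul 15 11:20:56 2020 slc0844 SLC-SLB/charon: 06[ENC] could not decrypt payloads
Jul 15 11:21:19 2020 slc0844 SLC-SLB/charon: 07[IKE] sending retransmit 4 of request message ID 0, seq 3
Jul 15 11:23:17 2020 slc0844 SLC-SLB/charon: 06[IKE] giving up after 5 retransmits
"""

# One charon line: timestamp, host, "<prefix>charon:", thread id, [SUBSYSTEM], message.
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \d{4} \S+ \S*charon: (\d+)\[(\w+)\] (.*)$")
PROPOSAL_RE = re.compile(r"selected proposal: IKE:(\S+)")
RETRANSMIT_RE = re.compile(r"sending retransmit (\d+) of request")
WEAK_ALGS = ("3DES", "MD5", "MODP_768", "MODP_1024")  # legacy IKE algorithms worth flagging

def parse(log):
    """Return (subsystem, message) tuples for lines in charon format; other lines are skipped."""
    return [(m.group(2), m.group(3)) for m in map(LINE_RE.match, log.splitlines()) if m]

def triage(log):
    """Summarise the IKEv1 main-mode symptoms visible in a client-side charon log."""
    msgs = [msg for _, msg in parse(log)]
    proposal, retransmits = None, 0
    for msg in msgs:
        if m := PROPOSAL_RE.search(msg):
            proposal = m.group(1)
        if m := RETRANSMIT_RE.search(msg):
            retransmits = max(retransmits, int(m.group(1)))
    f = {
        "proposal": proposal,
        "weak_proposal": proposal is not None and any(a in proposal for a in WEAK_ALGS),
        "behind_nat": any("behind NAT" in m for m in msgs),
        "switched_to_4500": any(m.startswith("sending packet") and "[4500]" in m for m in msgs),
        "unprotected_pld_mal": any("N(PLD_MAL)" in m for m in msgs),
        "decrypt_failed": any("could not decrypt payloads" in m for m in msgs),
        "retransmits": retransmits,
        "gave_up": any("giving up after" in m for m in msgs),
    }
    # Heuristic (assumption): the responder answering the first encrypted main-mode message
    # with an unprotected PLD_MAL, followed by payloads that fail to decrypt, is what a
    # mismatched PSK looks like from the initiator; a blocked UDP/4500 path only retransmits.
    if f["decrypt_failed"] or f["unprotected_pld_mal"]:
        f["verdict"] = "verify PSK (and that the responder selects the right one)"
    elif f["gave_up"]:
        f["verdict"] = "no usable response; check UDP 500/4500 reachability"
    else:
        f["verdict"] = "no failure pattern found"
    return f
```

Run `triage(open("/var/log/charon.log").read())` against a real client log to get the same summary dictionary.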
