[Openswan Users] IPSec VPN Fortigate Phase 2 stuck

Hajder Rabiee hajderr at gmail.com
Sat May 2 07:40:48 EDT 2015


Posting updated configuration, adding aggressive mode in accordance with the info
received. Suddenly I get an error about invalid hash information. Thought
the parameters were correctly set...

*ipsec auto --status*

000 "office":     myip=unset; hisip=unset;
000 "office":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "office":   policy:
PSK+AUTHENTICATE+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio:
32,24; interface: wlan0;
000 "office":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "office":   IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5); flags=-strict
000 "office":   IKE algorithms found:
 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)
000 "office":   AH algorithms wanted: SHA1(2)_000; pfsgroup=MODP1536(5);
flags=-strict
000 "office":   AH algorithms loaded: SHA1(2)_160
000
000 #3: "office":500 STATE_AGGR_I1 (sent AI1, expecting AR1); none in -1s;
lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #3: pending Phase 2 for "office" replacing #0

*Trying to up the connection*

➜  /etc  sudo ipsec auto --up office
112 "office" #1: STATE_AGGR_I1: initiate
003 "office" #1: received Vendor ID payload [Dead Peer Detection]
003 "office" #1: received Vendor ID payload [XAUTH]
003 "office" #1: ignoring unknown Vendor ID payload
[8299031757a36082c6a621de00050282]
003 "office" #1: received Hash Payload does not match computed value
223 "office" #1: STATE_AGGR_I1: INVALID_HASH_INFORMATION

*Updated config*

conn office
    aggrmode=yes
    left=%defaultroute
    right=<vpn gateway>
    phase2=ah
    phase2alg=sha1;modp1536
    type=transport
    ike=3des-sha1;modp1536
    authby=secret
    pfs=no
    compress=no
    keyingtries=%forever

On Fri, May 1, 2015 at 3:04 PM, Hajder Rabiee <hajderr at gmail.com> wrote:

> Hi
>
> In my secrets conf I already had
> %any <vpn ip> : PSK "key"
>
> but after adding, it still didn't work
>
> @mykey: PSK "key"
>
> ➜  ~  sudo ipsec auto --add office
> ➜  ~  sudo ipsec auto --up office
> 104 "office" #1: STATE_MAIN_I1: initiate
> 003 "office" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "office" #1: ignoring unknown Vendor ID payload
> [8299031757a36082c6a621de00050282]
> 106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
> 010 "office" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
> 003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
> 010 "office" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
> 031 "office" #1: max number of retransmissions (2) reached STATE_MAIN_I3.
> Possible authentication failure: no acceptable response to our first
> encrypted message
> 000 "office" #1: starting keying attempt 2 of an unlimited number, but
> releasing whack
>
> On Fri, May 1, 2015 at 12:17 PM, Hajder Rabiee <hajderr at gmail.com> wrote:
>
>> Hi
>>
>> In my secrets conf I already had
>> %any <vpn ip> : PSK "key"
>>
>> but after adding, it still didn't work
>>
>> @mykey: PSK "key"
>>
>> ➜  ~  sudo ipsec auto --add office
>> ➜  ~  sudo ipsec auto --up office
>> 104 "office" #1: STATE_MAIN_I1: initiate
>> 003 "office" #1: received Vendor ID payload [Dead Peer Detection]
>> 003 "office" #1: ignoring unknown Vendor ID payload
>> [8299031757a36082c6a621de00050282]
>> 106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>> 108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> 003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
>> 010 "office" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
>> 003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
>> 010 "office" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
>> 031 "office" #1: max number of retransmissions (2) reached
>> STATE_MAIN_I3.  Possible authentication failure: no acceptable response to
>> our first encrypted message
>> 000 "office" #1: starting keying attempt 2 of an unlimited number, but
>> releasing whack
>>
>>
>>
>> On Fri, May 1, 2015 at 10:47 AM, Paul Young <paul at arkig.com> wrote:
>>
>>> I think - not entirely sure!
>>>
>>> you need a leftid to tie in your secret key.
>>>
>>> So in the conn:
>>>
>>> *leftid=@something*
>>>
>>> and then in the secret file:
>>>
>>> *@something: PSK "<blah>"*
>>>
>>> Cheers,
>>> Paul Young
>>>
>>>
>>>
>>> On 1 May 2015 at 17:17, Hajder Rabiee <hajderr at gmail.com> wrote:
>>>
>>>> Hi
>>>>
>>>> Trying to set up a VPN connection to the office Fortigate but I can't pass
>>>> phase 2.
>>>>
>>>> Received info from sysadmins:
>>>>
>>>>
>>>>    - PSK
>>>>    - IKE v1
>>>>    - Aggressive mode
>>>>
>>>>    - Phase1 3DES-SHA1
>>>>    - DH group 5
>>>>    - Key lifetime 28800
>>>>
>>>>    - XAUTH PAP Server (not sure if this is necessary to know)
>>>>
>>>>    - Phase2 3DES-SHA1
>>>>    - PFS no
>>>>
>>>>
>>>>
>>>> *This is one of many configuration attempts, I've tried adding/removing
>>>> different parameters.*
>>>>
>>>> config setup
>>>> interfaces=%defaultroute
>>>> plutodebug="control parsing"
>>>> #klipsdebug=all
>>>> plutoopts="--interface=wlan0"
>>>> dumpdir=/var/run/pluto/
>>>> nat_traversal=no
>>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>>> oe=off
>>>> protostack=netkey
>>>>
>>>> conn office
>>>>     left=%defaultroute
>>>>     right=<my gateway ip>
>>>>
>>>>     phase2=ah
>>>>     phase2alg=sha1;modp1536
>>>>     type=transport
>>>>     authby=secret
>>>>     pfs=no
>>>>     compress=no
>>>>     keyingtries=%forever
>>>>
>>>> *This is the output*
>>>> ➜  /etc  sudo service ipsec restart
>>>> ➜  /etc  sudo ipsec auto --add office && sudo ipsec auto --up office
>>>> 104 "office" #1: STATE_MAIN_I1: initiate
>>>> 003 "office" #1: received Vendor ID payload [Dead Peer Detection]
>>>> 003 "office" #1: ignoring unknown Vendor ID payload
>>>> [8299031757a36082c6a621de00050282]
>>>> 106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>>>> 108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>>>> 003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
>>>> 010 "office" #1: STATE_MAIN_I3: retransmission; will wait 20s for
>>>> response
>>>> 003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
>>>> 010 "office" #1: STATE_MAIN_I3: retransmission; will wait 40s for
>>>> response
>>>> 031 "office" #1: max number of retransmissions (2) reached
>>>> STATE_MAIN_I3.  Possible authentication failure: no acceptable response to
>>>> our first encrypted message
>>>> 000 "office" #1: starting keying attempt 2 of an unlimited number, but
>>>> releasing whack
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Best Regards
>>>> Hajder
>>>>
>>>> _______________________________________________
>>>> Users at lists.openswan.org
>>>> https://lists.openswan.org/mailman/listinfo/users
>>>>
>>>>
>>>
>>
>>
>> --
>> Best Regards
>> Hajder
>>
>
>
>
> --
> Best Regards
> Hajder
>



-- 
Best Regards
Hajder
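A small lint over the posted conn block, added here as an illustration (not code from the thread or from Openswan): it compares the conn against the parameters the Fortigate admins listed (PSK, aggressive mode, 3DES-SHA1 with DH group 5, no PFS) and flags the gaps visible in the thread, namely phase2=ah where an encrypting Phase 2 (ESP) was requested, the missing leftid that Paul suggested, and the absence of any XAUTH setting while the gateway advertises it. The gateway address 203.0.113.1 is a constructed placeholder.

```python
# Constructed sample: the updated "conn office" block from the thread, with a
# documentation address in place of the "<vpn gateway>" placeholder.
SAMPLE_CONN = """
conn office
    aggrmode=yes
    left=%defaultroute
    right=203.0.113.1
    phase2=ah
    phase2alg=sha1;modp1536
    type=transport
    ike=3des-sha1;modp1536
    authby=secret
    pfs=no
    compress=no
    keyingtries=%forever
"""

# Phase 1 parameters the Fortigate admins listed, expressed as ipsec.conf settings.
REQUIRED = {"aggrmode": "yes", "authby": "secret", "pfs": "no",
            "ike": "3des-sha1;modp1536"}

def parse_conn(text):
    """Return {key: value} for the key=value lines of the first conn block."""
    conf, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            in_conn, conf["_name"] = True, line.split(None, 1)[1]
        elif in_conn and "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            conf[key.strip()] = val.strip()
    return conf

def lint_conn(conf):
    """List mismatches between a parsed conn and the peer's stated parameters."""
    findings = []
    for key, want in REQUIRED.items():
        if conf.get(key) != want:
            findings.append(f"{key}: expected {want!r}, found {conf.get(key)!r}")
    # "Phase2 3DES-SHA1" needs ESP: AH authenticates only and carries no cipher.
    if conf.get("phase2", "esp") == "ah":
        findings.append("phase2=ah cannot carry 3DES; peer expects ESP 3des-sha1")
    elif "3des" not in conf.get("phase2alg", ""):
        findings.append("phase2alg lacks 3des for the stated Phase 2 proposal")
    # Aggressive mode with PSK selects the secret by identity, hence leftid.
    if conf.get("aggrmode") == "yes" and "leftid" not in conf:
        findings.append("leftid missing; set leftid=@id and a matching @id PSK line")
    # The gateway advertises XAUTH (PAP server); the conn says nothing about it.
    if not any("xauth" in k for k in conf):
        findings.append("no xauth setting although the gateway runs XAUTH PAP")
    return findings
```

Running lint_conn(parse_conn(SAMPLE_CONN)) on the posted block reports the three findings above; a conn with phase2=esp, phase2alg=3des-sha1, a leftid and an xauth setting reports none.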