LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 06-07-2016, 05:30 AM   #1
bluefool
LQ Newbie
 
Registered: Jun 2016
Posts: 19

Rep: Reputation: Disabled
IPSEC/L2TP VPN Not Connecting with vpnc or StrongSwan


Hi,

I've set up a dual boot with Debian and am trying to move completely off having to use Windows. Pretty much the last thing is to do is to set up my VPN connection to the office Cisco router.

I've tried vpnc and StrongSwan and in each case I can log on and get an IP address on the office LAN, but it then fails. The error on the Cisco router is "Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy"

I've been using the same VPN account set up via Windows DUN for years and it's still working. So I know the VPN account is set up correctly server side. I'm not dogmatic about which method I use, I just want it to work on Linux!

If anyone could help me identify where I'm going wrong I would be very grateful. I'm far from an expert on VPNs I'm afraid so I'm hoping it's something obvious I'm doing wrong.

Here are my config files and output for both programs (usernames and IPs redacted):

VPNC

default.conf

Code:
IPSec gateway (remote IP)
IPSec ID (group ID)
IPSec secret (secret)
Xauth username (user)
Xauth password (pass)
IKE Authmode psk
IKE DH Group dh2
NAT Traversal Mode cisco-udp
Local Port 10000
Output:

Code:
vpnc --enable-1des --debug 2
   
vpnc version 0.5.3r550-2

S1 init_sockaddr
 [2016-06-07 10:14:55]

S2 make_socket
 [2016-06-07 10:14:55]

S3 setup_tunnel
 [2016-06-07 10:14:55]
   using interface tun0

S4 do_phase1_am
 [2016-06-07 10:14:55]

S4.1 create_nonce
 [2016-06-07 10:14:55]

S4.2 dh setup
 [2016-06-07 10:14:55]

S4.3 AM packet_1
 [2016-06-07 10:14:55]

S4.4 AM_packet2
 [2016-06-07 10:14:55]
   (Cisco Unity)
   (Xauth)
   (unknown)
   (unknown)
   got ike lifetime attributes: 2147483 seconds
   IKE SA selected psk+xauth-des-sha1
   peer is XAUTH capable (draft-ietf-ipsec-isakmp-xauth-06)
   NAT status: no NAT-T VID seen

S4.5 AM_packet3
 [2016-06-07 10:14:55]

S4.6 cleanup
 [2016-06-07 10:14:55]

S5 do_phase2_xauth
 [2016-06-07 10:14:55]

S5.1 xauth_request
 [2016-06-07 10:14:55]

S5.2 notice_check
 [2016-06-07 10:14:55]

S5.3 type-is-xauth check
 [2016-06-07 10:14:55]

S5.4 xauth type check
 [2016-06-07 10:14:55]

S5.5 do xauth reply
 [2016-06-07 10:14:55]

S5.2 notice_check
 [2016-06-07 10:14:55]

S5.3 type-is-xauth check
 [2016-06-07 10:14:55]

S5.6 process xauth set
 [2016-06-07 10:14:55]

S5.7 send xauth ack
 [2016-06-07 10:14:55]

S5.8 xauth done
 [2016-06-07 10:14:55]

S6 do_phase2_config
 [2016-06-07 10:14:55]

S6.1 phase2_config send modecfg
 [2016-06-07 10:14:55]

S6.2 phase2_config receive modecfg
 [2016-06-07 10:14:56]
   got save password setting: 0
   got pfs setting: 0
   Remote Application Version:    Cisco Systems, Inc ASA5505 Version 7.2(4) built by builders on Sun 06-Apr-08 13:39   
   got address 172.28.80.13

S7 setup_link (phase 2 + main_loop)
 [2016-06-07 10:14:56]

S7.0 run interface setup script
 [2016-06-07 10:14:56]

S7.1 QM_packet1
 [2016-06-07 10:14:56]

S7.2 QM_packet2 send_receive
 [2016-06-07 10:14:56]

S7.3 QM_packet2 validate type
 [2016-06-07 10:14:56]
   got ike lifetime attributes: 86400 seconds
   got delete for old connection, ignoring..
vpnc: no response from target
StrongSwan

ipsec.conf:

Code:
version 2
config setup
        strictcrlpolicy=no

conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=xauthpsk
	type=tunnel

conn "ADSL"
        keyexchange=ikev1
        ikelifetime=1440m
        keylife=60m
        aggressive=yes
        ike=des-sha1-modp1024 
        esp=des-sha1-modp1024
        xauth=client              #Xauth client mode 
        left=(local IP)          #local IP used to connect to IOS
	leftsubnet=(local subnet/24)
        leftid=(group)
        leftsourceip=%config      #apply received IP    
        leftauth=psk
        rightauth=psk
        leftauth2=xauth           #use PSK for group RA and Xauth for user 
        right=(remote IP)        #gateway IP 
        rightsubnet=172.28.0.0/16
        xauth_identity=(user)       #identity for Xauth, password in ipsec.secrets
        auto=add
Output:

Code:
initiating Aggressive Mode IKE_SA ADSL[1] to (remote IP)
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from (local IP)[500] to (remote IP)[500] (434 bytes)
received packet: from (remote IP)[500] to (local IP)[500] (420 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (108 bytes)
received packet: from (remote IP)[4500] to (local IP)[4500] (76 bytes)
parsed TRANSACTION request 2798627525 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 2798627525 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (84 bytes)
received packet: from (remote IP)[4500] to (local IP)[4500] (68 bytes)
parsed TRANSACTION request 3033165335 [ HASH CPS(X_STATUS) ]
XAuth authentication of '(user)' (myself) successful
IKE_SA ADSL[1] established between (local IP)[(group)]...(remote IP)[(remote IP)]
scheduling reauthentication in 86082s
maximum IKE_SA lifetime 86262s
generating TRANSACTION response 3033165335 [ HASH CPA(X_STATUS) ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (68 bytes)
generating TRANSACTION request 2611185267 [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (84 bytes)
received packet: from (remote IP)[4500] to (local IP)[4500] (68 bytes)
parsed TRANSACTION response 2611185267 [ HASH CPRP(ADDR) ]
installing new virtual IP 172.28.80.12
generating QUICK_MODE request 1009442552 [ HASH SA No KE ID ID ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (308 bytes)
received packet: from (remote IP)[4500] to (local IP)[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 3691512445 [ HASH D ]
received DELETE for IKE_SA ADSL[1]
deleting IKE_SA ADSL[1] between (local IP)[(group)]...(remote IP)[(remote IP)]
installing new virtual IP 172.28.80.12
initiating Aggressive Mode IKE_SA ADSL[2] to (remote IP)
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from (local IP)[500] to (remote IP)[500] (434 bytes)
establishing connection 'ADSL' failed
Thanks in advance for any assistance!
 
Old 06-08-2016, 01:50 PM   #2
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
According to Cisco it's probably your tunnel group or group name.
If you know your tunnel group/group name is correct and you copied your configuration information from a windows configuration, retype the same line directly below it and then delete the original line. Windows encodes endline differently than Linux so even cutting and pasting from one platform to the other can cause problems.
 
Old 06-08-2016, 06:15 PM   #3
bluefool
LQ Newbie
 
Registered: Jun 2016
Posts: 19

Original Poster
Rep: Reputation: Disabled
Thanks for your reply dijetlo.

I typed the group name manually I'm afraid. I don't know how to find the group name from a Windows configuration. It didn't seem to be in the ".pbk" file.

That group name is the one assigned to my user in the router's configuration. It's capitalised correctly and everything. It must be correct as I tried using the only other group name configured on the router and it failed almost straight away.

Is there any other logging I could check or something?
 
Old 06-08-2016, 06:27 PM   #4
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
grep charon /var/log/* and pull /var/log/authlog and /var/log/deamonlog (if it's there).
If you don't find anything there, you can turn up the logging in the configuration (or the command line if it's running in daemon mode)
 
Old 08-12-2016, 06:43 AM   #5
bluefool
LQ Newbie
 
Registered: Jun 2016
Posts: 19

Original Poster
Rep: Reputation: Disabled
I couldn't find anything further in the logs than was reported at the command line. I've set my user profile to specify the VPN Group Policy and VPN Group Lock (rather than having them as "Inherit") on the VPN server and have got a little further. Now the vpnc command shows the following:

Code:
.....
S7 setup_link (phase 2 + main_loop)
 [2016-08-12 11:20:20]

S7.0 run interface setup script
 [2016-08-12 11:20:20]

S7.1 QM_packet1
 [2016-08-12 11:20:20]

S7.2 QM_packet2 send_receive
 [2016-08-12 11:20:20]

S7.3 QM_packet2 validate type
 [2016-08-12 11:20:20]
   got ike lifetime attributes: 86400 seconds
received notice of type  (ISAKMP_N_NO_PROPOSAL_CHOSEN)(14), giving up

S7.5 QM_packet2 check reject offer
 [2016-08-12 11:20:20]
   

---!!!!!!!!! entering phase2_fatal !!!!!!!!!---



S7.11 send isakmp termination message
 [2016-08-12 11:20:20]
vpnc: quick mode response rejected:  (ISAKMP_N_INVALID_MESSAGE_ID)(9)
this means the concentrator did not like what we had to offer.
Possible reasons are:
  * concentrator configured to require a firewall
     this locks out even Cisco clients on any platform except windows
     which is an obvious security improvement. There is no workaround (yet).
  * concentrator configured to require IP compression
     this is not yet supported by vpnc.
     Note: the Cisco Concentrator Documentation recommends against using
     compression, except on low-bandwith (read: ISDN) links, because it
     uses much CPU-resources on the concentrator
The server logging indicates (read from bottom up):

Code:
4	Sep 20 2008	01:58:54	113019			 Group = (redacted), Username = (redacted), IP = (redacted), Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3	Sep 20 2008	01:58:54	713902			 Group = (redacted), Username = (redacted), IP = (redacted), Removing peer from correlator table failed, no match!
3	Sep 20 2008	01:58:54	713902			 Group = (redacted), Username = (redacted), IP = (redacted), QM FSM error (P2 struct &0xd11b5a8, mess id 0x25b8cb0d)!
5	Sep 20 2008	01:58:54	713904			 Group = (redacted), Username = (redacted), IP = (redacted), All IPSec SA proposals found unacceptable!
3	Sep 20 2008	01:58:54	713119			 Group = (redacted), Username = (redacted), IP = (redacted), PHASE 1 COMPLETED
Does anyone know what might be causing this? Thanks in advance.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
L2TP over IPSec VPN on Ubuntu 16.04 marle1337 Linux - General 4 06-02-2016 08:42 AM
VPN with l2tp over ipsec rafspiny Linux - Networking 2 11-15-2015 06:27 AM
Strongswan-to-Strongswan IPsec VPN - slow with pure ESP, fast w/UDP encapsulation? psycroptic Linux - Networking 0 11-20-2014 08:44 AM
StrongSWAN L2TP IPSec VPN with PSK and DynDNS configuration chridazi Linux - Server 3 10-17-2012 06:41 AM
Problem with setting L2TP VPN in kubuntu using strongswan AmirGooran Linux - Networking 0 05-11-2012 04:27 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:40 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration