encrypted Informational Exchange invalid...

Help
2005-11-08
2013-04-10
  • Alessio Cecchi
    2005-11-08

    I'm using TauVPN 0.37 to connect to an IPCop 1.4.8. The client is Windows XP with SP2 and the Support Tools from the Microsoft web site. I have imported the .p12 certificate. I have set:

    Server subnet: 192.168.15.0/255.255.255.0
    Server Ip Address: (ipcop red public interface)
    Server local IP: 192.168.15.3
    CA Subject: from the imported CA

    But in the IPCop log I see:

    23:12:28    pluto[11317]    packet from 195.xxx.xxx.xxx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 0 0000004]
    23:12:28    pluto[11317]    packet from 195.xxx.xxx.xxx:500: ignoring Vendor ID payload [FRAGMENTATION]
    23:12:28    pluto[11317]    packet from 195.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    23:12:28    pluto[11317]    packet from 195.xxx.xxx.xxx:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
    23:12:28    pluto[11317]    "myserverlan"[3] 195.xxx.xxx.xxx #6: responding to Main Mode from unknown peer 194.185.53.57
    23:12:28    pluto[11317]    "myserverlan"[3] 195.xxx.xxx.xxx #6: transition from state (null) to state STATE_MAIN_R1
    23:12:28    pluto[11317]    "myserverlan"[3] 195.xxx.xxx.xxx #6: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
    23:12:28    pluto[11317]    "myserverlan"[3] 195.xxx.xxx.xxx #6: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    23:12:28    pluto[11317]    "myserverlan"[3] 195.xxx.xxx.xxx #6: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA

    Can you help me?

    • Alessio Cecchi
      2005-11-08

      This is the log of TauVPN:

      11-08: 23:44:45:609:2dc Initialization OK
      11-08: 23:44:54:78:118 Acquire from driver: op=0000000C src=192.168.0.164.0 dst=192.168.15.3.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.0, Tunnel 1, TunnelEndpt=217.19.151.10 Inbound TunnelEndpt=192.168.0.164
      11-08: 23:44:54:78:274 Filter to match: Src 217.19.151.10 Dst 192.168.0.164
      11-08: 23:44:54:78:274 MM PolicyName: 1
      11-08: 23:44:54:78:274 MMPolicy dwFlags 2 SoftSAExpireTime 28800
      11-08: 23:44:54:78:274 MMOffer[0] LifetimeSec 28800 QMLimit 0 DHGroup 2
      11-08: 23:44:54:78:274 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
      11-08: 23:44:54:78:274 MMOffer[1] LifetimeSec 28800 QMLimit 0 DHGroup 2
      11-08: 23:44:54:78:274 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
      11-08: 23:44:54:78:274 MMOffer[2] LifetimeSec 28800 QMLimit 0 DHGroup 1
      11-08: 23:44:54:78:274 MMOffer[2] Encrypt: DES CBC Hash: SHA
      11-08: 23:44:54:78:274 MMOffer[3] LifetimeSec 28800 QMLimit 0 DHGroup 1
      11-08: 23:44:54:78:274 MMOffer[3] Encrypt: DES CBC Hash: MD5
      11-08: 23:44:54:78:274 Auth[0]:RSA Sig C=IT, S=Toscana, L=Prato, O=Prisma SRL, OU=Montemurlo, CN=Prisma SRL CA, E=info@prisma-s AuthFlags 0
      11-08: 23:44:54:78:274 QM PolicyName: Host-Guest-net filter action dwFlags 1
      11-08: 23:44:54:78:274 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3500
      11-08: 23:44:54:78:274 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
      11-08: 23:44:54:78:274  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
      11-08: 23:44:54:78:274 Starting Negotiation: src = 192.168.0.164.0500, dst = 217.19.151.10.0500, proto = 00, context = 0000000C, ProxySrc = 192.168.0.164.0000, ProxyDst = 192.168.15.0.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.0
      11-08: 23:44:54:78:274 constructing ISAKMP Header
      11-08: 23:44:54:78:274 constructing SA (ISAKMP)
      11-08: 23:44:54:78:274 Constructing Vendor MS NT5 ISAKMPOAKLEY
      11-08: 23:44:54:78:274 Constructing Vendor FRAGMENTATION
      11-08: 23:44:54:78:274 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
      11-08: 23:44:54:78:274 Constructing Vendor Vid-Initial-Contact
      11-08: 23:44:54:78:274
      11-08: 23:44:54:78:274 Sending: SA = 0x000E0D20 to 217.19.151.10:Type 2.500
      11-08: 23:44:54:78:274 ISAKMP Header: (V1.0), len = 276
      11-08: 23:44:54:78:274   I-COOKIE d63f59f355755e07
      11-08: 23:44:54:78:274   R-COOKIE 0000000000000000
      11-08: 23:44:54:78:274   exchange: Oakley Main Mode
      11-08: 23:44:54:78:274   flags: 0
      11-08: 23:44:54:78:274   next payload: SA
      11-08: 23:44:54:78:274   message ID: 00000000
      11-08: 23:44:54:78:274 Ports S:f401 D:f401
      11-08: 23:44:54:609:668 retransmit: sa = 000E0D20 centry 00000000 , count = 1
      11-08: 23:44:54:609:668
      11-08: 23:44:54:609:668 Sending: SA = 0x000E0D20 to 217.19.151.10:Type 2.500
      11-08: 23:44:54:609:668 ISAKMP Header: (V1.0), len = 276
      11-08: 23:44:54:609:668   I-COOKIE d63f59f355755e07
      11-08: 23:44:54:609:668   R-COOKIE 0000000000000000
      11-08: 23:44:54:609:668   exchange: Oakley Main Mode
      11-08: 23:44:54:609:668   flags: 0
      11-08: 23:44:54:609:668   next payload: SA
      11-08: 23:44:54:609:668   message ID: 00000000
      11-08: 23:44:54:609:668 Ports S:f401 D:f401
      11-08: 23:44:56:609:668 retransmit: sa = 000E0D20 centry 00000000 , count = 2
      11-08: 23:44:56:609:668
      11-08: 23:44:56:609:668 Sending: SA = 0x000E0D20 to 217.19.151.10:Type 2.500
      11-08: 23:44:56:609:668 ISAKMP Header: (V1.0), len = 276
      11-08: 23:44:56:609:668   I-COOKIE d63f59f355755e07
      11-08: 23:44:56:609:668   R-COOKIE 0000000000000000
      11-08: 23:44:56:609:668   exchange: Oakley Main Mode
      11-08: 23:44:56:609:668   flags: 0
      11-08: 23:44:56:609:668   next payload: SA
      11-08: 23:44:56:609:668   message ID: 00000000
      11-08: 23:44:56:609:668 Ports S:f401 D:f401
      11-08: 23:44:59:328:67c fill_isakmp: SA 000E0D20 not finished
      11-08: 23:45:00:343:298 fill_isakmp: SA 000E0D20 not finished
      11-08: 23:45:00:609:668 retransmit: sa = 000E0D20 centry 00000000 , count = 3
      11-08: 23:45:00:609:668
      11-08: 23:45:00:609:668 Sending: SA = 0x000E0D20 to 217.19.151.10:Type 2.500
      11-08: 23:45:00:609:668 ISAKMP Header: (V1.0), len = 276
      11-08: 23:45:00:609:668   I-COOKIE d63f59f355755e07
      11-08: 23:45:00:609:668   R-COOKIE 0000000000000000
      11-08: 23:45:00:609:668   exchange: Oakley Main Mode
      11-08: 23:45:00:609:668   flags: 0
      11-08: 23:45:00:609:668   next payload: SA
      11-08: 23:45:00:609:668   message ID: 00000000
      11-08: 23:45:00:609:668 Ports S:f401 D:f401
      11-08: 23:45:01:359:67c fill_isakmp: SA 000E0D20 not finished
      11-08: 23:45:02:375:67c fill_isakmp: SA 000E0D20 not finished
      11-08: 23:45:03:390:67c fill_isakmp: SA 000E0D20 not finished
      11-08: 23:45:04:406:298 fill_isakmp: SA 000E0D20 not finished
      11-08: 23:45:05:421:298 fill_isakmp: SA 000E0D20 not finished
      11-08: 23:45:06:437:298 fill_isakmp: SA 000E0D20 not finished
      11-08: 23:45:07:453:298 fill_isakmp: SA 000E0D20 not finished
      11-08: 23:45:08:484:298 fill_isakmp: SA 000E0D20 not finished
      11-08: 23:45:08:609:668 retransmit: sa = 000E0D20 centry 00000000 , count = 4
      11-08: 23:45:08:609:668
      11-08: 23:45:08:609:668 Sending: SA = 0x000E0D20 to 217.19.151.10:Type 2.500
      11-08: 23:45:08:609:668 ISAKMP Header: (V1.0), len = 276
      11-08: 23:45:08:609:668   I-COOKIE d63f59f355755e07
      11-08: 23:45:08:609:668   R-COOKIE 0000000000000000
      11-08: 23:45:08:609:668   exchange: Oakley Main Mode
      11-08: 23:45:08:609:668   flags: 0
      11-08: 23:45:08:609:668   next payload: SA
      11-08: 23:45:08:609:668   message ID: 00000000
      11-08: 23:45:08:609:668 Ports S:f401 D:f401
      11-08: 23:45:09:500:67c fill_isakmp: SA 000E0D20 not finished
      11-08: 23:45:10:531:2dc isadb_schedule_kill_oldPolicy_sas: 43164d62-4b9c-42de-aeabddc635ec1633 4
      11-08: 23:45:10:531:2dc isadb_schedule_kill_oldPolicy_sas: 9ba95ba9-82bb-40bc-b541fd9f53069666 4
      11-08: 23:45:10:531:2dc isadb_schedule_kill_oldPolicy_sas: f2b514c7-075d-4bf4-a47b77c6f0f3b798 3
      11-08: 23:45:10:531:2dc isadb_schedule_kill_oldPolicy_sas: b357de22-6b7c-4b4e-9b81452c786d29f8 3
      11-08: 23:45:10:531:2dc isadb_schedule_kill_oldPolicy_sas: d391e383-fd01-4f8d-a5269cc7ec8b7fb5 1
      11-08: 23:45:10:531:2dc isadb_schedule_kill_oldPolicy_sas: d2026c6e-7d9c-460e-a0c7b1b21cd64a4b 2
      11-08: 23:45:10:531:2dc isadb_schedule_kill_oldPolicy_sas: e39152eb-adfb-43d1-a12a0f8233a382fe 2
      11-08: 23:45:10:546:274 entered kill_old_policy_sas 4
      11-08: 23:45:10:546:274 entered kill_old_policy_sas 3
      11-08: 23:45:10:546:274 entered kill_old_policy_sas 3
      11-08: 23:45:10:546:274 SA Dead. sa:000E0D20 status:3619
      11-08: 23:45:10:546:274 isadb_set_status sa:000E0D20 centry:00000000 status 3619
      11-08: 23:45:10:546:274 Modalità Scambio chiave (modalità principale)
      11-08: 23:45:10:546:274 Indirizzo IP di origine 192.168.0.164  Mask indirizzo IP di origine 255.255.255.255  Indirizzo IP di destinazione 217.19.151.10  Mask indirizzo IP di destinazione 255.255.255.255  Protocollo 0  Porta di origine 0  Porta di destinazione 0  Idirizzo locale IKE 192.168.0.164  Indirizzo peer IKE 217.19.151.10
      11-08: 23:45:10:546:6f8 entered kill_old_policy_sas 4
      11-08: 23:45:10:546:274
      11-08: 23:45:10:546:274 Utente
      11-08: 23:45:10:546:274 Il nuovo criterio invalida SA formati con il vecchio criterio
      11-08: 23:45:10:546:294 entered kill_old_policy_sas 1
      11-08: 23:45:10:546:274 0x0 0x0
      11-08: 23:45:10:546:274 constructing ISAKMP Header
      11-08: 23:45:10:546:274 constructing DELETE. MM 000E0D20
      11-08: 23:45:10:546:274
      11-08: 23:45:10:546:274 Sending: SA = 0x000E0D20 to 217.19.151.10:Type 1.500
      11-08: 23:45:10:546:274 ISAKMP Header: (V1.0), len = 56
      11-08: 23:45:10:546:274   I-COOKIE d63f59f355755e07
      11-08: 23:45:10:546:274   R-COOKIE 0000000000000000
      11-08: 23:45:10:546:274   exchange: ISAKMP Informational Exchange
      11-08: 23:45:10:546:274   flags: 0
      11-08: 23:45:10:546:274   next payload: DELETE
      11-08: 23:45:10:546:274   message ID: e1b48195
      11-08: 23:45:10:546:274 Ports S:f401 D:f401
      11-08: 23:45:10:546:294 entered kill_old_policy_sas 2
      11-08: 23:45:10:546:294 entered kill_old_policy_sas 2
      11-08: 23:45:30:625:274 ClearFragList
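The responder-side check that produced the IPCop log line in the first post, as an added example (not TauVPN's or pluto's code): a minimal ISAKMP header parser and a Main Mode state tracker, fed constructed headers that reuse the initiator cookie, exchange types and message ID shown in the TauVPN log. The state names are modelled on pluto's STATE_MAIN_R1/R2/R3 and the tracker looks at headers only, not at payloads; both are simplifications assumed here.

```python
"""Added example (not from the original thread): parse the 28-byte ISAKMP header (RFC 2408
section 3.1) and reproduce the responder check behind pluto's "encrypted Informational
Exchange message is invalid because it is for incomplete ISAKMP SA", using the logs' values."""
import struct
from dataclasses import dataclass

XCHG_MAIN_MODE, XCHG_INFORMATIONAL = 2, 5       # RFC 2408 exchange types
NP_SA, NP_KE, NP_HASH, NP_DELETE = 1, 4, 8, 12  # next-payload type codes
FLAG_ENCRYPTION = 0x01                          # the 'E' bit of the flags octet
ESTABLISHED = "STATE_MAIN_R3"                   # pluto's name for a completed Phase 1

@dataclass
class IsakmpHeader:
    i_cookie: bytes
    r_cookie: bytes
    next_payload: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

def parse_header(data: bytes) -> IsakmpHeader:
    """Decode the fixed 28-byte header; the version octet (1.0) is dropped."""
    if len(data) < 28:
        raise ValueError("truncated ISAKMP header")
    ic, rc, npl, _ver, xchg, flags, mid, length = struct.unpack("!8s8sBBBBII", data[:28])
    return IsakmpHeader(ic, rc, npl, xchg, flags, mid, length)

def build_header(i_cookie, r_cookie, next_payload, xchg, flags, message_id, length) -> bytes:
    """Encode a header (version 1.0 = 0x10) for the constructed sample messages."""
    return struct.pack("!8s8sBBBBII", i_cookie, r_cookie, next_payload, 0x10, xchg, flags, message_id, length)

class Responder:
    """Tracks Main Mode progress per initiator cookie, as pluto does per ISAKMP SA."""
    NEXT = {None: "STATE_MAIN_R1", "STATE_MAIN_R1": "STATE_MAIN_R2", "STATE_MAIN_R2": ESTABLISHED}

    def __init__(self):
        self.state = {}  # i_cookie -> current STATE_MAIN_R* name

    def receive(self, data: bytes) -> str:
        h = parse_header(data)
        if h.exchange_type == XCHG_MAIN_MODE:
            self.state[h.i_cookie] = self.NEXT.get(self.state.get(h.i_cookie), ESTABLISHED)
            return f"transition to state {self.state[h.i_cookie]}"
        if h.exchange_type == XCHG_INFORMATIONAL:
            # Encrypted Informationals need the Phase 1 keys, so pluto rejects them while the SA is incomplete.
            if h.flags & FLAG_ENCRYPTION and self.state.get(h.i_cookie) != ESTABLISHED:
                return "encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA"
            return "Informational Exchange processed"
        return f"ignoring exchange type {h.exchange_type}"
```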

    • Try it first with a preshared key. Maybe there's something wrong with the certificate. You have used the '@' character in the CA subject. This could lead to problems - stay with alphanumeric characters.

      Good luck