Is it possible to see what EST-P1 proposals have been sent to XG?

I'm trying to connect a Mac to XG using L2TP VPN. It does not work: XG complains about non-matching policies. I can make the Cisco IPSec VPN client work, but I wonder if it is possible to debug the proposals received.

It should be possible somehow...

If not I will have to return to debugging VPN on Linux... ehh...

  • Slawski,

    do you see something interesting inside ipsec.log from /var/tslog?

    Thanks

  • One line:

    Dec 07 23:59:47 "MyConnection"[6] {RW_WAN_IP} #98: cannot respond to IPsec SA request because no connection is known for {FW_WAN_IP}:17/1701...{RW_WAN_IP}[{RW_LAN_IP}]:17/%any==={RW_LAN_IP}/32


    It looks like it cannot find a suitable address selector but I don't know why. It is a "road warrior" scenario - no IDs should be required.

  • Oh, setting Local ID to DNS name helped to go one step further...

    now...

    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: responding to Main Mode from unknown peer {RW_WAN_IP}
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP2048] refused due to strict flag
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP2048] refused due to strict flag
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: OAKLEY_SHA2_512 is not supported. Attribute OAKLEY_HASH_ALGORITHM
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1536] refused due to strict flag
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA1, OAKLEY_GROUP_MODP1536] refused due to strict flag
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1536] refused due to strict flag
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP1024] refused due to strict flag
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: STATE_MAIN_R1: sent MR1, expecting MI2
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: STATE_MAIN_R2: sent MR2, expecting MI3
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: Main mode peer ID is ID_IPV4_ADDR: '{RW_LAN_IP}'
    Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: switched from "MyConnection" to "MyConnection"
    Dec 08 00:33:42 "MyConnection"[2] {RW_WAN_IP} #102: deleting connection "MyConnection" instance with peer {RW_WAN_IP} {isakmp=#0/ipsec=#0}
    Dec 08 00:33:42 "MyConnection"[2] {RW_WAN_IP} #102: I did not send a certificate because I do not have one.
    Dec 08 00:33:42 "MyConnection"[2] {RW_WAN_IP} #102: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
    Dec 08 00:33:42 "MyConnection"[2] {RW_WAN_IP} #102: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
    Dec 08 00:33:42 "MyConnection"[2] {RW_WAN_IP} #102: Dead Peer Detection (RFC 3706): enabled
    Dec 08 00:33:45 "MyConnection"[2] {RW_WAN_IP} #102: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Dec 08 00:33:49 "MyConnection"[2] {RW_WAN_IP} #102: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Dec 08 00:33:52 "MyConnection"[2] {RW_WAN_IP} #102: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
    Dec 08 00:34:04 "MyConnection"[2] {RW_WAN_IP} #102: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3


    Looks like the client is incompatible... really strange.
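The question that opened the thread was how to see which Phase 1 proposals the client actually sent. The ipsec.log excerpt above already lists them, one "Oakley Transform [...] refused due to strict flag" line per proposal, followed by the parameters of the SA that was finally accepted. The Python below is an added example, not code from the thread or from Sophos: it parses log lines of that shape, collects the refused proposals, the "is not supported" attributes, the established ISAKMP SA parameters and any "no connection is known for" selector (the error from the earlier post), and then flags the weak algorithm choices a reviewer would want to notice. The sample log is constructed from the line shapes quoted in the thread, with the {RW_WAN_IP}-style placeholders kept literally; the exact wording of real pluto log lines is assumed to match these patterns.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in the shape of the ipsec.log lines quoted in the thread.
SAMPLE_LOG = """\
Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: responding to Main Mode from unknown peer {RW_WAN_IP}
Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA2_256, OAKLEY_GROUP_MODP2048] refused due to strict flag
Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: OAKLEY_SHA2_512 is not supported. Attribute OAKLEY_HASH_ALGORITHM
Dec 08 00:33:42 "MyConnection"[1] {RW_WAN_IP} #102: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Dec 08 00:33:42 "MyConnection"[2] {RW_WAN_IP} #102: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
Dec 07 23:59:47 "MyConnection"[6] {RW_WAN_IP} #98: cannot respond to IPsec SA request because no connection is known for {FW_WAN_IP}:17/1701...{RW_WAN_IP}[{RW_LAN_IP}]:17/%any==={RW_LAN_IP}/32
"""

# One refused Phase 1 proposal: [encryption, hash, DH group].
TRANSFORM_RE = re.compile(
    r"Oakley Transform \[(?P<enc>[^,\]]+), (?P<hash>[^,\]]+), (?P<group>[^\]]+)\] "
    r"refused due to strict flag")
# An attribute value the responder does not implement at all.
UNSUPPORTED_RE = re.compile(
    r"(?P<value>OAKLEY_\w+) is not supported\. Attribute (?P<attr>OAKLEY_\w+)")
# The parameters of the accepted ISAKMP SA, as key=value pairs in braces.
ESTABLISHED_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]+)\}")
# The traffic selector pluto could not match to any configured connection.
NO_CONN_RE = re.compile(
    r"cannot respond to IPsec SA request because no connection is known for (?P<sel>\S+)")

# Algorithms a reviewer would not want to see accepted for a new tunnel.
WEAK_HASHES = {"md5", "sha1"}
WEAK_GROUPS = {"modp768", "modp1024"}


@dataclass
class IkeReport:
    refused: List[Tuple[str, str, str]] = field(default_factory=list)
    unsupported: List[Tuple[str, str]] = field(default_factory=list)
    established: Dict[str, str] = field(default_factory=dict)
    no_connection: List[str] = field(default_factory=list)


def parse_ike_log(text: str) -> IkeReport:
    """Collect proposals and outcomes from pluto-style ipsec.log text."""
    rep = IkeReport()
    for line in text.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            rep.refused.append((m["enc"], m["hash"], m["group"]))
            continue
        m = UNSUPPORTED_RE.search(line)
        if m:
            rep.unsupported.append((m["value"], m["attr"]))
            continue
        m = ESTABLISHED_RE.search(line)
        if m:
            for kv in m["params"].split():
                key, _, value = kv.partition("=")
                rep.established[key] = value
            continue
        m = NO_CONN_RE.search(line)
        if m:
            rep.no_connection.append(m["sel"])
    return rep


def _norm(token: str) -> str:
    """'OAKLEY_GROUP_MODP1024' -> 'modp1024', 'oakley_md5' -> 'md5'."""
    t = token.lower()
    for prefix in ("oakley_group_", "oakley_"):
        if t.startswith(prefix):
            return t[len(prefix):]
    return t


def established_warnings(rep: IkeReport) -> List[str]:
    """Flag a weak accepted SA, and note when stronger proposals were refused."""
    warnings: List[str] = []
    prf = _norm(rep.established.get("prf", ""))
    group = _norm(rep.established.get("group", ""))
    if prf in WEAK_HASHES:
        warnings.append(f"established SA uses weak PRF/hash {prf}")
    if group in WEAK_GROUPS:
        warnings.append(f"established SA uses weak DH group {group}")
    stronger = [p for p in rep.refused
                if _norm(p[1]) not in WEAK_HASHES and _norm(p[2]) not in WEAK_GROUPS]
    if warnings and stronger:
        warnings.append(f"{len(stronger)} stronger proposal(s) were offered but "
                        "refused by the strict policy")
    return warnings


if __name__ == "__main__":
    report = parse_ike_log(SAMPLE_LOG)
    for enc, h, g in report.refused:
        print(f"refused: {enc} / {h} / {g}")
    for value, attr in report.unsupported:
        print(f"unsupported: {value} for {attr}")
    print("established:", report.established)
    print("no connection for:", report.no_connection)
    for w in established_warnings(report):
        print("warning:", w)
```

Run it against a copy of /var/tslog/ipsec.log instead of SAMPLE_LOG to get the full list of proposals a client offered. On the excerpt quoted above it reports that AES-256/SHA2-256/MODP2048 was refused while the accepted SA ended up at aes_128/md5/modp1024, which is worth tightening on the policy side even once the connection works.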

  • ... and Windows 10 also fails to connect. I'm stuck.

  • Hi Slawek,

    If you are trying to connect using L2TP as an Administrator user on Mac, then try the same as a normal user. Any help with that?

    We have a known issue with the L2TP daemon, which is associated with JIRA NC-13017. No ETA on the fix.

    Thanks

  • Ok, I understand. I will skip L2TP then.

    Any roadmap for IKEv2?

  • Hi,

    We have an open request on IKEv2 and support is pushing it. I really wish to see that included in v17. I will check with the developers, and if I get an ETA I will update you through a DM.

    Thanks