[8.165][BUG][OPEN] IPsec conf error

Hi All

While configuring IPsec remote access I got the following error:


***2011:06:12-12:21:30 ***** confd[27432]: >=========================================================================
2011:06:12-12:21:30 ***** confd[27432]: E Use of uninitialized value in substitution iterator at /Info/ipsec.pm line 358.
2011:06:12-12:21:30 ***** confd[27432]: 
2011:06:12-12:21:30 ***** confd[27432]:  1. sys::_warn:47() /sys.pm
2011:06:12-12:21:30 ***** confd[27432]:  2. Info::ipsec::get_asc_ipsec_config:358() /Info/ipsec.pm
2011:06:12-12:21:30 ***** confd[27432]:  3. (eval):1() (eval 889)
2011:06:12-12:21:30 ***** confd[27432]:  4. sys::AUTOLOAD:323() /sys.pm
2011:06:12-12:21:30 ***** confd[27432]:  5. (eval):1() (eval 884)
2011:06:12-12:21:30 ***** confd[27432]:  6. Astaro::RPC::server_loop:173() /rpc.pm
2011:06:12-12:21:30 ***** confd[27432]:  7. rpc::launch:27() /rpc.pm
2011:06:12-12:21:30 ***** confd[27432]:  8. main::_rpc:1822() confd.pl
2011:06:12-12:21:30 ***** confd[27432]:  9. main::top-level:285() confd.pl

Since then the CPU is high

root 18029 82.3 0.7 39584 29080 ? R 14:49 0:00 \_ confd [worker[:P]rpc:system]

Thanks

Parents

0 wingman over 13 years ago

Detailed config
1)Under Remote Access ,all methods are disabled apart from IPSEC
2)IPSEC has the following config:
2.1)Connection to the external interface with predefined policy 128 AES and certificate based( There is no option for pre shared key as per manual )
2.2)Enable XAUTH with user "wingman"
2.3) automatic packet filter rules enabled#
2.4) Use Dead peer detection and NAT traversal enabled
2.5) Local certificate : clientAuth certificate for *******

when my iphone tries to connect i get the following message "Negotiation with the VPN server failed"

Relevant log from ASG


2011:06:16-14:11:54 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: no suitable connection for peer 'C=uk, L=******, O=******, CN=******.home.dyndns.org, E=******@******.gr'
2011:06:16-14:11:54 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: sending encrypted notification INVALID_ID_INFORMATION to 82.132.211.84:50200
2011:06:16-14:12:07 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2011:06:16-14:12:07 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: Peer ID is ID_DER_ASN1_DN: 'C=uk, L=******, O=******, CN=******.home.dyndns.org, E=******@******.gr'
2011:06:16-14:12:07 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: crl not found
2011:06:16-14:12:07 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: certificate status unknown
2011:06:16-14:12:07 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: no suitable connection for peer 'C=uk, L=******, O=******, CN=******.home.dyndns.org, E=******@******.gr'
2011:06:16-14:12:07 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: sending encrypted notification INVALID_ID_INFORMATION to 82.132.211.84:50200
2011:06:16-14:12:14 ****** pluto[11764]: ERROR: asynchronous network error report on ppp0 for message to 82.132.211.84 port 50200, complainant 82.132.211.84: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
2011:06:16-14:12:53 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: max number of retransmissions (2) reached STATE_MAIN_R2
2011:06:16-14:12:53 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200: deleting connection "D_******" instance with peer 82.132.211.84 {isakmp=#0/ipsec=#0}

If I user cisco VPN client instead, it works fine. What is the difference between Remote Access>IPSEC and Remote Access>Cisco VPN client

Reply

0 wingman over 13 years ago


2011:06:16-14:11:54 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: no suitable connection for peer 'C=uk, L=******, O=******, CN=******.home.dyndns.org, E=******@******.gr'
2011:06:16-14:11:54 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: sending encrypted notification INVALID_ID_INFORMATION to 82.132.211.84:50200
2011:06:16-14:12:07 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2011:06:16-14:12:07 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: Peer ID is ID_DER_ASN1_DN: 'C=uk, L=******, O=******, CN=******.home.dyndns.org, E=******@******.gr'
2011:06:16-14:12:07 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: crl not found
2011:06:16-14:12:07 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: certificate status unknown
2011:06:16-14:12:07 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: no suitable connection for peer 'C=uk, L=******, O=******, CN=******.home.dyndns.org, E=******@******.gr'
2011:06:16-14:12:07 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: sending encrypted notification INVALID_ID_INFORMATION to 82.132.211.84:50200
2011:06:16-14:12:14 ****** pluto[11764]: ERROR: asynchronous network error report on ppp0 for message to 82.132.211.84 port 50200, complainant 82.132.211.84: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
2011:06:16-14:12:53 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200 #1: max number of retransmissions (2) reached STATE_MAIN_R2
2011:06:16-14:12:53 ****** pluto[11764]: "D_******"[1] 82.132.211.84:50200: deleting connection "D_******" instance with peer 82.132.211.84 {isakmp=#0/ipsec=#0}

If I user cisco VPN client instead, it works fine. What is the difference between Remote Access>IPSEC and Remote Access>Cisco VPN client

Children

No Data