This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

with new ALS6 no VPN with ASC possible

Hi List,

As soon as a ASC tried with the ASL to connect i get myself the following error message.

ipsec.log

2005:07:18-11:26:08 (none) pluto[23248]: packet from 192.168.1.68:500: ignoring unknown Vendor ID payload [da8e937880010000]
2005:07:18-11:26:08 (none) pluto[23248]: packet from 192.168.1.68:500: received Vendor ID payload [XAUTH]
2005:07:18-11:26:08 (none) pluto[23248]: packet from 192.168.1.68:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
2005:07:18-11:26:08 (none) pluto[23248]: packet from 192.168.1.68:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108
2005:07:18-11:26:08 (none) pluto[23248]: packet from 192.168.1.68:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2005:07:18-11:26:08 (none) pluto[23248]: packet from 192.168.1.68:500: received Vendor ID payload [RFC 3947] method set to=109
2005:07:18-11:26:08 (none) pluto[23248]: packet from 192.168.1.68:500: received Vendor ID payload [Dead Peer Detection]
2005:07:18-11:26:08 (none) pluto[23248]: packet from 192.168.1.68:500: ignoring unknown Vendor ID payload [101fb0b35c5a4f4c08b919f1ce0d3e4a]
2005:07:18-11:26:08 (none) pluto[23248]: packet from 192.168.1.68:500: received Vendor ID payload [Cisco-Unity]
2005:07:18-11:26:08 (none) pluto[23248]: "S_NCP-TEST_0"[9] 192.168.1.68 #45: responding to Main Mode from unknown peer 192.168.1.68
2005:07:18-11:26:08 (none) pluto[23248]: "S_NCP-TEST_0"[9] 192.168.1.68 #45: policy does not allow OAKLEY_RSA_SIG authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
2005:07:18-11:26:08 (none) pluto[23248]: "S_NCP-TEST_0"[9] 192.168.1.68 #45: no acceptable Oakley Transform
2005:07:18-11:26:08 (none) pluto[23248]: "S_NCP-TEST_0"[9] 192.168.1.68 #45: sending notification NO_PROPOSAL_CHOSEN to 192.168.1.68:500
2005:07:18-11:26:08 (none) pluto[23248]: "S_NCP-TEST_0"[9] 192.168.1.68 #45: failed to build notification for spisize=0
2005:07:18-11:26:08 (none) pluto[23248]: "S_NCP-TEST_0"[9] 192.168.1.68: deleting connection "S_NCP-TEST_0" instance with peer 192.168.1.68 {isakmp=#0/ipsec=#0}

With the version ASL5 there were no problems.

Basis for the ASL6 installation was the backup file of the ASL5.
An import on the ASC from the ASL6 generated User Config file, are not successful also.

What is the problem?

Stefan

This thread was automatically locked due to age.

Parents

0 Ari Maniatis over 20 years ago

We were only able to get ASC to work with Astaro when PFS (perfect forwarding secrecy) was switched on. Maybe that helps...
Cancel
Vote Up 0 Vote Down

Cancel
0 omega over 20 years ago in reply to Ari Maniatis

With v6.001 and ASC8.2 I only get a connection after forcing the ASL
to reload its ipsec-configuration by selecting anouter policy (3des instead of AES) for the roadwarrior.

ASC can connect then. After disconnection the asc the next connect does not work.

The configuration was imported. I never tried with v5.

(5 mins later.....)
After some tries WITHOUT CHANGING the configuration,it now seems to work. Maybe a reboot of the firewall will restore the problems......
Cancel
Vote Up 0 Vote Down

Cancel
0 StefanS_01 over 20 years ago in reply to omega

Hi all,

I tested the following.

Test 1)

Restart Firewall or Ipsec. Result, no connection possible between ASC and ASL.

Test 2)
After the restart of Firewall or Ipsec the following did still additionally.
additionally restart of all Roadwarrior

Result, ASL and ASC connection successfully.

Regards one ipsec.log sees one the following in such a way.

If the connection ASL to ASC does not come, one sees the following in ipsec.log.

Info, it exist several Roadwarrior.

The ASL tried alone only with the first Roadwarrior a connection generate, which finds you in the ASL definition.

Only after that the Roadwarrior to be restarted again, works these correctly.

Stefan
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 StefanS_01 over 20 years ago in reply to omega

Hi all,

I tested the following.

Test 1)

Restart Firewall or Ipsec. Result, no connection possible between ASC and ASL.

Test 2)
After the restart of Firewall or Ipsec the following did still additionally.
additionally restart of all Roadwarrior

Result, ASL and ASC connection successfully.

Regards one ipsec.log sees one the following in such a way.

If the connection ASL to ASC does not come, one sees the following in ipsec.log.

Info, it exist several Roadwarrior.

The ASL tried alone only with the first Roadwarrior a connection generate, which finds you in the ASL definition.

Only after that the Roadwarrior to be restarted again, works these correctly.

Stefan
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 StefanS_01 over 20 years ago in reply to StefanS_01

Hi list,

Problem found.
Is gives an Bug with the ASL and road warrior.
This Bug can be reproduced here.

If the first road warrior has a PSK key in the ASL and all following road warrior has a X509 Key,
a ASC Client cannot make a connection with X509.
In the ipsec logfile one sees to generate the ASL tried alone a connection with the PSK road warrior.

Here only two things help:

Restart of all road warrior, or the PSK road warrior in the ASL delete.

Stefan
Cancel
Vote Up 0 Vote Down

Cancel
0 maygyver over 20 years ago in reply to StefanS_01

Hi,

I think the manual says only one PSK Roadwarrior possible.

cu may

Astaro user since 2001 - Astaro/Sophos Partner since 2008
Cancel
Vote Up 0 Vote Down

Cancel
0 StefanS_01 over 20 years ago in reply to maygyver

hi,
so clearly is not written in the manual.
I did not have problems with the ALS 5 with this definition (Roadwarrior).
In addition point i from our Distri that it probably problems with the ASL6 gives here.

cu

Stefan
Cancel
Vote Up 0 Vote Down

Cancel
0 maygyver over 20 years ago in reply to StefanS_01

have a look here http://portal.knowledgebase.net/display/2/kb/article.asp?aid=137180

it says:
The easier of the two methods is using PSK; however, you are limited to having only one connection at one time.

Astaro user since 2001 - Astaro/Sophos Partner since 2008
Cancel
Vote Up 0 Vote Down

Cancel
0 SalishSwede over 20 years ago in reply to maygyver

The link above produces the following:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near '='.

/display/2/kb/article.asp, line 27
Cancel
Vote Up 0 Vote Down

Cancel
0 maygyver over 20 years ago in reply to SalishSwede

try again, must work!

Astaro user since 2001 - Astaro/Sophos Partner since 2008
Cancel
Vote Up 0 Vote Down

Cancel
0 SalishSwede over 20 years ago in reply to maygyver

tried again... does not work
Cancel
Vote Up 0 Vote Down

Cancel
0 Caspritz over 20 years ago in reply to SalishSwede

[ QUOTE ]
tried again... does not work

[/ QUOTE ]

Do you use Firefox or Mozilla? If yes, please read the following:

If you encounter blank pages when attempting to utilize the Astaro KnowledgeBase with a Mozilla-Based browser, this is likely cookie-related. Due to pages in the KnowledgeBase opening from frames that are sourced from various sites there is a setting in the cookie setup that will cause blank pages if enabled.

To ensure correct operation when viewing our KnowledgeBase, go to Tools-->Options and select the Privacy area. Under Cookies, ensure that the "For originating Web Site only" checkbox is left UNCHECKED.

Otherwise just retry. The site is up and running.

Caspritz
Cancel
Vote Up 0 Vote Down

Cancel