no connection has been authorized with policy=PSK

2013:09:24-12:01:12 RRAS-01-2 pluto[14173]: | ******parse ISAKMP Oakley attribute:
2013:09:24-12:01:12 RRAS-01-2 pluto[14173]: | af+type: OAKLEY_AUTHENTICATION_METHOD
2013:09:24-12:01:12 RRAS-01-2 pluto[14173]: | length/value: 1
2013:09:24-12:01:12 RRAS-01-2 pluto[14173]: | ******parse ISAKMP Oakley attribute:
2013:09:24-12:01:12 RRAS-01-2 pluto[14173]: | af+type: OAKLEY_LIFE_TYPE
2013:09:24-12:01:12 RRAS-01-2 pluto[14173]: | length/value: 1
2013:09:24-12:01:12 RRAS-01-2 pluto[14173]: | ******parse ISAKMP Oakley attribute:
2013:09:24-12:01:12 RRAS-01-2 pluto[14173]: | af+type: OAKLEY_LIFE_DURATION (variable length)
2013:09:24-12:01:12 RRAS-01-2 pluto[14173]: | length/value: 4
2013:09:24-12:01:12 RRAS-01-2 pluto[14173]: | preparse_isakmp_policy: peer requests PSK authentication
2013:09:24-12:01:12 RRAS-01-2 pluto[14173]: packet from 71.194.220.141:3605: initial Main Mode message received on 192.168.168.61:500 but no connection has been authorized with policy=PSK

I get the above error whenever I try connecting with L2TP over IPsec. Can someone please help me with this? It's the last thing I don't have working, but the most important option we need.

Thank you in advance.

I enabled NAT traversal under IPsec and I now get the below errors

2013:09:24-12:21:57 RRAS-01-2 pluto[17788]: "L_for jimf"[2] 71.194.220.141:6939 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x816c4274 (perhaps this is a duplicated packet)
2013:09:24-12:21:57 RRAS-01-2 pluto[17788]: "L_for jimf"[2] 71.194.220.141:6939 #1: sending encrypted notification INVALID_MESSAGE_ID to 71.194.220.141:6939

  • Hi, Jim, and welcome to the User BB!

    When collecting a log from an IPsec connection attempt, always do so with debug disabled.

    If you're certain that you have the correct PSK, my only other guess would be that the UTM is behind a NATting router.  If that's not it, please show the log lines (probably about 50) from a single connection attempt.

    Cheers - Bob
    PS Also, when posting a question, always state the exact version: 9.105-9?
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, I am behind a NATting SonicWall; it's a Pro 4060 we are using for testing. With debugging off I get the below.

    Yes, version 9.105-9

    2013:09:24-12:49:23 RRAS-01-1 pluto[6832]: Changing to directory '/etc/ipsec.d/crls'
    2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: packet from 71.194.220.141:13337: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
    2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: packet from 71.194.220.141:13337: ignoring Vendor ID payload [FRAGMENTATION]
    2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: packet from 71.194.220.141:13337: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: packet from 71.194.220.141:13337: ignoring Vendor ID payload [Vid-Initial-Contact]
    2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: "L_for jimf"[1] 71.194.220.141:13337 #1: responding to Main Mode from unknown peer 71.194.220.141:13337
    2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: "L_for jimf"[1] 71.194.220.141:13337 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
    2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: "L_for jimf"[1] 71.194.220.141:13337 #1: Peer ID is ID_FQDN: 'winxp-test'
    2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: "L_for jimf"[2] 71.194.220.141:13337 #1: deleting connection "L_for jimf"[1] instance with peer 71.194.220.141 {isakmp=#0/ipsec=#0}
    2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: | NAT-T: new mapping 71.194.220.141:13337/14223)
    2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: "L_for jimf"[2] 71.194.220.141:14223 #1: sent MR3, ISAKMP SA established
    2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: "L_for jimf"[2] 71.194.220.141:14223 #1: cannot respond to IPsec SA request because no connection is known for 50.73.123.197/32===192.168.168.61:4500[192.168.168.61]:17/1701...71.194.220.141:14223[winxp-test]:17/%any
    2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: "L_for jimf"[2] 71.194.220.141:14223 #1: sending encrypted notification INVALID_ID_INFORMATION to 71.194.220.141:14223
  • I don't know of any L2TP/IPsec clients that can deal with a VPN server behind a NATting router.  If you can't put a public IP on the External interface, you must use PPTP or the SSL VPN.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
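An added example, not from this thread and not Sophos or Openswan code: a small Python triage script that parses pluto log lines of the kind quoted above and flags the three failure signatures this thread shows, the Main Mode "no connection has been authorized with policy=PSK" refusal, the duplicated Quick Mode Message ID, and a Quick Mode selector whose server-side address (50.73.123.197) differs from the UTM's own interface address (192.168.168.61), which is the log-level symptom of the responder sitting behind a NATting router as Bob describes. The sample lines are copied from the posts above; the event fields, the `Diagnosis` structure and the finding labels are my own naming, not pluto's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Log lines copied from this thread (constructed sample input for the parser).
FIRST_ATTEMPT = """\
2013:09:24-12:01:12 RRAS-01-2 pluto[14173]: packet from 71.194.220.141:3605: initial Main Mode message received on 192.168.168.61:500 but no connection has been authorized with policy=PSK
2013:09:24-12:21:57 RRAS-01-2 pluto[17788]: "L_for jimf"[2] 71.194.220.141:6939 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x816c4274 (perhaps this is a duplicated packet)
2013:09:24-12:21:57 RRAS-01-2 pluto[17788]: "L_for jimf"[2] 71.194.220.141:6939 #1: sending encrypted notification INVALID_MESSAGE_ID to 71.194.220.141:6939
"""
NAT_T_ATTEMPT = """\
2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: packet from 71.194.220.141:13337: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: "L_for jimf"[1] 71.194.220.141:13337 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: | NAT-T: new mapping 71.194.220.141:13337/14223)
2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: "L_for jimf"[2] 71.194.220.141:14223 #1: sent MR3, ISAKMP SA established
2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: "L_for jimf"[2] 71.194.220.141:14223 #1: cannot respond to IPsec SA request because no connection is known for 50.73.123.197/32===192.168.168.61:4500[192.168.168.61]:17/1701...71.194.220.141:14223[winxp-test]:17/%any
2013:09:24-12:50:04 RRAS-01-2 pluto[22223]: "L_for jimf"[2] 71.194.220.141:14223 #1: sending encrypted notification INVALID_ID_INFORMATION to 71.194.220.141:14223
"""

# Prefix every pluto line carries: timestamp, host, daemon[pid], message.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Lines tied to a connection instance: "conn"[instance] peer #sa: text
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<rest>.*)$')
# Lines before any connection is matched: packet from peer: text
PACKET_RE = re.compile(r"^packet from (?P<peer>\S+): (?P<rest>.*)$")
# Selector pair pluto prints when Quick Mode finds no matching conn:
#   LEFTSUBNET/MASK===LEFTADDR:PORT[LEFTID]:PROTO/PORT...RIGHTADDR:PORT[RIGHTID]:PROTO/PORT
SELECTOR_RE = re.compile(
    r"no connection is known for (?P<lsub>[\d.]+)/(?P<lmask>\d+)===(?P<laddr>[\d.]+):\d+"
    r"\[(?P<lid>[^\]]*)\]:(?P<lproto>\d+)/(?P<lport>\S+?)\.\.\."
    r"(?P<raddr>[\d.]+):\d+\[(?P<rid>[^\]]*)\]:(?P<rproto>\d+)/(?P<rport>\S+)"
)
NOTIFY_RE = re.compile(r"sending encrypted notification (?P<name>\w+) to")


@dataclass
class IkeEvent:
    ts: str
    peer: Optional[str]   # peer address:port, if the line names one
    conn: Optional[str]   # connection name, once pluto has matched one
    sa: Optional[int]     # ISAKMP SA number (#n), if any
    text: str             # message with the state/packet prefix stripped


def parse_line(line: str) -> Optional[IkeEvent]:
    """Split one pluto log line into its context fields; None if it is not a pluto line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, msg = m.group("ts"), m.group("msg")
    if msg.startswith("| "):           # debug line: keep the text, it carries no SA context
        return IkeEvent(ts, None, None, None, msg[2:])
    s = STATE_RE.match(msg)
    if s:
        return IkeEvent(ts, s.group("peer"), s.group("conn"), int(s.group("sa")), s.group("rest"))
    p = PACKET_RE.match(msg)
    if p:
        return IkeEvent(ts, p.group("peer"), None, None, p.group("rest"))
    return IkeEvent(ts, None, None, None, msg)


@dataclass
class Diagnosis:
    phase1_established: bool = False
    nat_result: Optional[str] = None
    notifications: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def diagnose(log: str) -> Diagnosis:
    """Walk one connection attempt and collect the failure signatures seen in this thread."""
    d = Diagnosis()
    for raw in log.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        t = ev.text
        if "no connection has been authorized with policy=PSK" in t:
            # Main Mode refused before any SA: no conn on that interface accepts PSK from this peer.
            d.findings.append("PSK_NOT_AUTHORIZED")
        elif "NAT-Traversal: Result" in t:
            d.nat_result = t.split(": ")[-1]          # e.g. "both are NATed"
        elif "ISAKMP SA established" in t:
            d.phase1_established = True               # Phase 1 (and so the PSK) is fine
        elif "uses a previously used Message ID" in t:
            d.findings.append("DUPLICATE_MESSAGE_ID")
        elif "cannot respond to IPsec SA request" in t:
            sel = SELECTOR_RE.search(t)
            if sel and sel.group("lsub") != sel.group("laddr"):
                # The client names a server address pluto does not own: responder is behind NAT.
                d.findings.append(f"RESPONDER_BEHIND_NAT:{sel.group('lsub')}!={sel.group('laddr')}")
            else:
                d.findings.append("NO_MATCHING_CONN")
        n = NOTIFY_RE.search(t)
        if n:
            d.notifications.append(n.group("name"))
    return d


if __name__ == "__main__":
    for name, log in (("first attempt", FIRST_ATTEMPT), ("NAT-T attempt", NAT_T_ATTEMPT)):
        print(name, diagnose(log))
```

Reading the two results side by side is the point: the NAT-T attempt reaches "ISAKMP SA established", so the PSK is correct, and the only remaining finding is the selector mismatch, which is what narrows the cause to the UTM's address rather than to authentication.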
  • Thanks for your help. After setting up a DMZ port, IPsec worked.

    Thanks!

    Now new issues with RADIUS authentication
  • Jimf81, did you set a public IP on the UTM interface?
  • @ser_user:  You did notice that you're replying to somebody 1.5 years after he asked a question, right?  lol
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1