IPSec Authentication with IOS 5.0 or Shrew Soft VPN (XAuth)


I can complete phase 1, but then the tunnel terminates without a message which would help me to find the problem.

2011-11-09 13:20:51 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, AGGRESSIVE MODE <====
====> Initiated SA: 77.73.243.180[500]-178.83.248.50[55010] cookie:f170f45f0119ad13:b32d0b9e1e6e49e7 <====
2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-11-09 13:20:51 [INFO]: received Vendor ID: RFC 3947
2011-11-09 13:20:51 [INFO]: received Vendor ID: FRAGMENTATION
2011-11-09 13:20:51 [INFO]: received Vendor ID: DPD
2011-11-09 13:20:51 [INFO]: received Vendor ID: CISCO-UNITY
2011-11-09 13:20:51 [INFO]: Selected NAT-T version: RFC 3947
2011-11-09 13:20:51 [INFO]: Adding remote and local NAT-D payloads.
2011-11-09 13:20:51 [INFO]: Hashing 178.83.248.50[55010] with algo #2
2011-11-09 13:20:51 [INFO]: Hashing 77.73.243.180[500] with algo #2
2011-11-09 13:20:51 [PROTO_ERR]: ignore information because ISAKMP-SA has not been established yet.
2011-11-09 13:20:51 [INFO]: Hashing 77.73.243.180[4500] with algo #2
2011-11-09 13:20:51 [INFO]: NAT-D payload #0 doesn't match
2011-11-09 13:20:51 [INFO]: Hashing 178.83.248.50[55060] with algo #2
2011-11-09 13:20:51 [INFO]: NAT-D payload #1 doesn't match
2011-11-09 13:20:51 [INFO]: NAT detected: ME PEER
2011-11-09 13:20:51 [INFO]: Sending Xauth request
2011-11-09 13:20:51 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, AGGRESSIVE MODE <====
====> Established SA: 77.73.243.180[4500]-178.83.248.50[55060] cookie:f170f45f0119ad13:b32d0b9e1e6e49e7 lifetime 3600 Sec <====
2011-11-09 13:21:51 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 77.73.243.180[4500]-178.83.248.50[55060] cookie:f170f45f0119ad13:b32d0b9e1e6e49e7i <====
2011-11-09 13:21:51 [INTERNAL_ERR]: ASSERT FAILED: (iph1->status == PHASE1ST_ESTABLISHED)
2011-11-09 13:21:51 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 77.73.243.180[4500]-178.83.248.50[55060] cookie:f170f45f0119ad13:b32d0b9e1e6e49e7i <====

The client terminates after the Established SA with a VPN error. What could be the problem?

This is the IKE Log from the working PA500 with Shrew Soft

====> Initiated SA: 193.192.245.3[500]-178.83.248.50[500] cookie:9a06606b703bfe15:1127f0f10e6ed595 <====
2011-12-19 09:07:36 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2011-12-19 09:07:36 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2011-12-19 09:07:36 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
2011-12-19 09:07:36 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2011-12-19 09:07:36 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-12-19 09:07:36 [INFO]: received Vendor ID: RFC 3947
2011-12-19 09:07:36 [INFO]: received Vendor ID: FRAGMENTATION
2011-12-19 09:07:36 [INFO]: received Vendor ID: DPD
2011-12-19 09:07:36 [INFO]: received Vendor ID: CISCO-UNITY
2011-12-19 09:07:36 [INFO]: Selected NAT-T version: RFC 3947
2011-12-19 09:07:36 [INFO]: Adding remote and local NAT-D payloads.
2011-12-19 09:07:36 [INFO]: Hashing 178.83.248.50[500] with algo #2
2011-12-19 09:07:36 [INFO]: Hashing 193.192.245.3[500] with algo #2
2011-12-19 09:07:36 [INFO]: Hashing 193.192.245.3[4500] with algo #2
2011-12-19 09:07:36 [INFO]: NAT-D payload #0 doesn't match
2011-12-19 09:07:36 [INFO]: Hashing 178.83.248.50[4500] with algo #2
2011-12-19 09:07:36 [INFO]: NAT-D payload #1 doesn't match
2011-12-19 09:07:36 [INFO]: NAT detected: ME PEER
2011-12-19 09:07:36 [INFO]: Sending Xauth request

====> Established SA: 193.192.245.3[4500]-178.83.248.50[4500] cookie:9a06606b703bfe15:1127f0f10e6ed595 lifetime 3600 Sec <====
2011-12-19 09:07:36 [PROTO_NOTIFY]: notification message 24578:INITIAL-CONTACT, doi=1 proto_id=1 spi=9a06606b703bfe15 1127f0f10e6ed595 (size=16).
2011-12-19 09:07:37 [INFO]: login succeeded for user "stg"
2011-12-19 09:07:37 [INFO]: GP gateway SSLVPN domain  user stg from 178.83.248.50 login rtn 1 lifetime 3600
2011-12-19 09:07:37 [PROTO_WARN]: Ignored attribute INTERNAL_ADDRESS_EXPIRY
2011-12-19 09:07:44 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 193.192.245.3[4500]-178.83.248.50[4500] message id:0xDF847760 <====
2011-12-19 09:07:44 [INFO]: use own lifetime: my:3300 peer:3600
2011-12-19 09:07:44 [INFO]: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
2011-12-19 09:07:44 [INFO]: GP gateway SSLVPN user stg lifetime extend 3300 sec (phase 2) rtn 0
2011-12-19 09:07:44 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION SUCCEEDED AS RESPONDER, (QUICK MODE) <====
====> Established SA: 193.192.245.3[4500]-178.83.248.50[4500] message id:0xDF847760, SPI:0xEF5D98E6/0xD41568B9 <====
2011-12-19 09:07:44 [INFO]: pfkey update: ESP/Tunnel 178.83.248.50[4500]->193.192.245.3[4500] spi=4015888614(0xef5d98e6); client ip 192.168.91.2
2011-12-19 09:07:44 [INFO]: SADB_UPDATE ul_proto=255 src=178.83.248.50[4500] dst=193.192.245.3[4500] satype=ESP samode=tunl spi=0xEF5D98E6 authtype=SHA1 enctype=AES256 lifetime soft time=3300 bytes=0 hard time=3300 bytes=0
2011-12-19 09:07:44 [INFO]: SADB_ADD ul_proto=255 src=193.192.245.3[4500] dst=178.83.248.50[4500] satype=ESP samode=tunl spi=0xD41568B9 authtype=SHA1 enctype=AES256 lifetime soft time=3300 bytes=0 hard time=3300 bytes=0
2011-12-19 09:07:44 [INFO]: IPsec-SA established: ESP/Tunnel 178.83.248.50[4500]->193.192.245.3[4500] spi=4015888614(0xef5d98e6)
2011-12-19 09:07:44 [PROTO_NOTIFY]: ====> IPSEC KEY INSTALLATION SUCCEEDED <====
====> Installed SA: 193.192.245.3[4500]-178.83.248.50[4500] SPI:0xEF5D98E6/0xD41568B9 lifetime 3300 Sec lifesize unlimited <====
2011-12-19 09:07:44 [INFO]: keymirror add start ++++++++++++++++
2011-12-19 09:07:44 [INFO]: keymirror add for gw c0a85b02, tn 11, selfSPI EF5D98E6, retcode 0.
2011-12-19 09:07:44 [INFO]: KA list add: 193.192.245.3[4500]->178.83.248.50[4500]

And this is the IKE Log from the NOT working PA2050 with Shrew Soft

====> Initiated SA: 77.73.243.83[500]-178.83.248.50[500] cookie:0a278884227829f8:e228b72ddb2ccc2f <====
2011-12-19 09:05:37 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2011-12-19 09:05:37 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2011-12-19 09:05:37 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
2011-12-19 09:05:37 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2011-12-19 09:05:37 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-12-19 09:05:37 [INFO]: received Vendor ID: RFC 3947
2011-12-19 09:05:37 [INFO]: received Vendor ID: FRAGMENTATION
2011-12-19 09:05:37 [INFO]: received Vendor ID: DPD
2011-12-19 09:05:37 [INFO]: received Vendor ID: CISCO-UNITY
2011-12-19 09:05:37 [INFO]: Selected NAT-T version: RFC 3947
2011-12-19 09:05:37 [INFO]: Adding remote and local NAT-D payloads.
2011-12-19 09:05:37 [INFO]: Hashing 178.83.248.50[500] with algo #2
2011-12-19 09:05:37 [INFO]: Hashing 77.73.243.83[500] with algo #2
2011-12-19 09:06:30 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION FAILED AS RESPONDER, AGGRESSIVE MODE <====

This is the IKE Log from the PA500 with IPAD 5.0

2011-12-19 09:14:29 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, AGGRESSIVE MODE <====
====> Initiated SA: 193.192.245.3[500]-178.83.248.50[500] cookie:3a51fa6944affee1:303b0958686db0bb <====
2011-12-19 09:14:29 [INFO]: received Vendor ID: RFC 3947
2011-12-19 09:14:29 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2011-12-19 09:14:29 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2011-12-19 09:14:29 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2011-12-19 09:14:29 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2011-12-19 09:14:29 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2011-12-19 09:14:29 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-12-19 09:14:29 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011-12-19 09:14:29 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2011-12-19 09:14:29 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2011-12-19 09:14:29 [INFO]: received Vendor ID: CISCO-UNITY
2011-12-19 09:14:29 [INFO]: received Vendor ID: DPD
2011-12-19 09:14:29 [INFO]: Selected NAT-T version: RFC 3947
2011-12-19 09:14:29 [INFO]: Adding remote and local NAT-D payloads.
2011-12-19 09:14:29 [INFO]: Hashing 178.83.248.50[500] with algo #2
2011-12-19 09:14:29 [INFO]: Hashing 193.192.245.3[500] with algo #2
2011-12-19 09:14:31 [INFO]: Hashing 193.192.245.3[4500] with algo #2
2011-12-19 09:14:31 [INFO]: NAT-D payload #0 verified
2011-12-19 09:14:31 [INFO]: Hashing 178.83.248.50[55042] with algo #2
2011-12-19 09:14:31 [INFO]: NAT-D payload #1 doesn't match
2011-12-19 09:14:31 [INFO]: NAT detected: PEER
2011-12-19 09:14:31 [INFO]: reveived INITIAL-CONTACT notification.
2011-12-19 09:14:31 [INFO]: Sending Xauth request
2011-12-19 09:14:31 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, AGGRESSIVE MODE <====
====> Established SA: 193.192.245.3[4500]-178.83.248.50[55042] cookie:3a51fa6944affee1:303b0958686db0bb lifetime 3600 Sec <====
2011-12-19 09:14:40 [INFO]: login succeeded for user "stg"
2011-12-19 09:14:40 [INFO]: GP gateway SSLVPN domain  user stg from 178.83.248.50 login rtn 1 lifetime 3600
2011-12-19 09:14:40 [PROTO_WARN]: Ignored attribute INTERNAL_ADDRESS_EXPIRY
2011-12-19 09:14:40 [PROTO_WARN]: Ignored attribute UNITY_BROWSER_PROXY
2011-12-19 09:14:42 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 193.192.245.3[4500]-178.83.248.50[55042] message id:0x2FDD1E6B <====
2011-12-19 09:14:42 [INFO]: use own lifetime: my:3300 peer:3600
2011-12-19 09:14:42 [INFO]: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
2011-12-19 09:14:42 [INFO]: GP gateway SSLVPN user stg lifetime extend 3300 sec (phase 2) rtn 0
2011-12-19 09:14:42 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION SUCCEEDED AS RESPONDER, (QUICK MODE) <====
====> Established SA: 193.192.245.3[4500]-178.83.248.50[55042] message id:0x2FDD1E6B, SPI:0xE2127A38/0x01EB041A <====
2011-12-19 09:14:42 [INFO]: pfkey update: ESP/Tunnel 178.83.248.50[55042]->193.192.245.3[4500] spi=3792861752(0xe2127a38); client ip 192.168.91.3
2011-12-19 09:14:42 [INFO]: SADB_UPDATE ul_proto=255 src=178.83.248.50[55042] dst=193.192.245.3[4500] satype=ESP samode=tunl spi=0xE2127A38 authtype=SHA1 enctype=AES256 lifetime soft time=3300 bytes=0 hard time=3300 bytes=0
2011-12-19 09:14:42 [INFO]: SADB_ADD ul_proto=255 src=193.192.245.3[4500] dst=178.83.248.50[55042] satype=ESP samode=tunl spi=0x01EB041A authtype=SHA1 enctype=AES256 lifetime soft time=3300 bytes=0 hard time=3300 bytes=0
2011-12-19 09:14:42 [INFO]: IPsec-SA established: ESP/Tunnel 178.83.248.50[55042]->193.192.245.3[4500] spi=3792861752(0xe2127a38)
2011-12-19 09:14:42 [PROTO_NOTIFY]: ====> IPSEC KEY INSTALLATION SUCCEEDED <====
====> Installed SA: 193.192.245.3[4500]-178.83.248.50[55042] SPI:0xE2127A38/0x01EB041A lifetime 3300 Sec lifesize unlimited <====
2011-12-19 09:14:42 [INFO]: keymirror add start ++++++++++++++++
2011-12-19 09:14:42 [INFO]: keymirror add for gw c0a85b03, tn 11, selfSPI E2127A38, retcode 0.
2011-12-19 09:14:42 [INFO]: KA list add: 193.192.245.3[4500]->178.83.248.50[55042]

And this is the IKE Log from the NOT working PA2050 with IPAD 5.0

2011-12-19 09:11:31 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, AGGRESSIVE MODE <====
====> Initiated SA: 77.73.243.83[500]-178.83.248.50[55040] cookie:33a456a8dd879424:c513281a28ad709e <====
2011-12-19 09:11:31 [INFO]: received Vendor ID: RFC 3947
2011-12-19 09:11:31 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2011-12-19 09:11:31 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2011-12-19 09:11:31 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2011-12-19 09:11:31 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2011-12-19 09:11:31 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2011-12-19 09:11:31 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-12-19 09:11:31 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011-12-19 09:11:31 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2011-12-19 09:11:31 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2011-12-19 09:11:31 [INFO]: received Vendor ID: CISCO-UNITY
2011-12-19 09:11:31 [INFO]: received Vendor ID: DPD
2011-12-19 09:11:31 [INFO]: Selected NAT-T version: RFC 3947
2011-12-19 09:11:31 [INFO]: Adding remote and local NAT-D payloads.
2011-12-19 09:11:31 [INFO]: Hashing 178.83.248.50[55040] with algo #2
2011-12-19 09:11:31 [INFO]: Hashing 77.73.243.83[500] with algo #2
2011-12-19 09:11:33 [INFO]: Hashing 77.73.243.83[4500] with algo #2
2011-12-19 09:11:33 [INFO]: NAT-D payload #0 verified
2011-12-19 09:11:33 [INFO]: Hashing 178.83.248.50[55042] with algo #2
2011-12-19 09:11:33 [INFO]: NAT-D payload #1 doesn't match
2011-12-19 09:11:33 [INFO]: NAT detected: PEER
2011-12-19 09:11:33 [INFO]: reveived INITIAL-CONTACT notification.
2011-12-19 09:11:33 [INFO]: Sending Xauth request
2011-12-19 09:11:33 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, AGGRESSIVE MODE <====
====> Established SA: 77.73.243.83[4500]-178.83.248.50[55042] cookie:33a456a8dd879424:c513281a28ad709e lifetime 3600 Sec <====
2011-12-19 09:12:33 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 77.73.243.83[4500]-178.83.248.50[55042] cookie:33a456a8dd879424:c513281a28ad709ei <====
2011-12-19 09:12:33 [INTERNAL_ERR]: ASSERT FAILED: (iph1->status == PHASE1ST_ESTABLISHED)
2011-12-19 09:12:33 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 77.73.243.83[4500]-178.83.248.50[55042] cookie:33a456a8dd879424:c513281a28ad709ei <====
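An added check, not part of the thread and not Palo Alto code, that reads an ikemgr.log excerpt and reports whether an XAuth login ever followed the gateway's "Sending Xauth request" before the phase 1 SA was torn down, and how long that SA actually lived against the lifetime it declared. The two excerpts are constructed, abridged versions of the PA2050 and PA500 sessions quoted above.

```python
import re
from datetime import datetime

# Constructed, abridged excerpts modelled on the ikemgr.log sessions quoted above.
FAILING_LOG = """\
2011-12-19 09:11:33 [INFO]: Sending Xauth request
2011-12-19 09:11:33 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, AGGRESSIVE MODE <====
====> Established SA: 77.73.243.83[4500]-178.83.248.50[55042] cookie:33a456a8dd879424:c513281a28ad709e lifetime 3600 Sec <====
2011-12-19 09:12:33 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
2011-12-19 09:12:33 [INTERNAL_ERR]: ASSERT FAILED: (iph1->status == PHASE1ST_ESTABLISHED)
"""
WORKING_LOG = """\
2011-12-19 09:14:31 [INFO]: Sending Xauth request
2011-12-19 09:14:31 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, AGGRESSIVE MODE <====
====> Established SA: 193.192.245.3[4500]-178.83.248.50[55042] cookie:3a51fa6944affee1:303b0958686db0bb lifetime 3600 Sec <====
2011-12-19 09:14:40 [INFO]: login succeeded for user "stg"
"""

STAMPED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(\w+)\]: (.*)$")
DECLARED = re.compile(r"Established SA: .* lifetime (\d+) Sec")

def analyse_ike_log(text):
    """Classify one session: did the XAuth login land before phase 1 was torn down?"""
    seen = {"xauth_requested": None, "login": None, "phase1_up": None,
            "expired": None, "declared_lifetime": None, "assert_failed": False}
    for line in text.splitlines():
        m = STAMPED.match(line)
        if not m:                      # untimestamped "====> Established SA" continuation
            d = DECLARED.search(line)
            if d:
                seen["declared_lifetime"] = int(d.group(1))
            continue
        ts, level, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)
        if msg.startswith("Sending Xauth request"):
            seen["xauth_requested"] = ts
        elif msg.startswith("login succeeded"):
            seen["login"] = ts
        elif "PHASE-1 NEGOTIATION SUCCEEDED" in msg:
            seen["phase1_up"] = ts
        elif "PHASE-1 SA LIFETIME EXPIRED" in msg:
            seen["expired"] = ts
        elif level == "INTERNAL_ERR" and "ASSERT FAILED" in msg:
            seen["assert_failed"] = True
    # Actual phase 1 lifetime, to set against the 3600 s the gateway declared.
    lived = None
    if seen["phase1_up"] and seen["expired"]:
        lived = int((seen["expired"] - seen["phase1_up"]).total_seconds())
    if seen["login"]:
        verdict = "ok"
    elif seen["xauth_requested"] and seen["expired"]:
        verdict = "xauth-unanswered"   # no XAuth login followed the request
    else:
        verdict = "incomplete"
    return {"verdict": verdict, "lived_seconds": lived,
            "declared_lifetime": seen["declared_lifetime"], "assert_failed": seen["assert_failed"]}
```

On the failing excerpt this reports an SA that declared 3600 s but lived 60 s with no login in between, which is the pattern to look for in the full log before suspecting the peer's proposal.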

unbelievable!!!

The new PAN-OS 4.1.2 finally fixed my problems!

Hello gsteiner.

Which settings in the PaloAlto firewall and ShrewSoft VPN client configurations allow them to connect? When I tried, I didn't even manage to get any trace of activity in ikemgr.log when trying to connect from the ShrewSoft VPN Client (Linux and Windows) to my PA4020. I enabled "Enable X-Auth Support", set up the gateway with Group Name and Group Password and tried different settings in the ShrewSoft VPN client, with no success at all.

In ShrewSoft:

General: Host Name and IP, Port 500.
Client Settings: default.
Name Resolution: default.
Authentication: Mutual PSK + XAuth
    Local Identification Type: Key Identifier
    Key ID String: steria
    Remote Identity: any
    Credentials: Pre Shared Key = "the one you did set in the globalprotect" (GroupPassword)
Phase 1 and Phase 2: default.

Hope that helped

Don't forget the firewall rules! The applications are ciscovpn, ike, ipsec, ssl and web-browsing.

Hi gsteiner.

Thanks for your configuration.

Maybe you could help me. I've got a problem related to the Access Route configuration of the GlobalProtect Gateway on my PaloAlto (2050, version 4.1.6).

This problem happens to me with vpnc, Shrew and Cisco VPN clients.

I can connect to my VPN gateway correctly, but:

- If I've got only one access route configured in the PaloAlto (10.0.0.0/8), I obtain the correct routes and everything works fine:

root@vangogh:/usr/local/lib# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
X.X.X.X         192.168.1.1     255.255.255.255 UGH       0 0          0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
10.0.0.0        172.16.20.11    255.0.0.0       UG        0 0          0 tap0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0

- If I've got more than one access route configured in the PaloAlto (10.0.0.0/8 and 172.16.0.0/12), I don't obtain the correct routes:

root@vangogh:/usr/local/lib# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
X.X.X.X         192.168.1.1     255.255.255.255 UGH       0 0          0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
0.0.0.0         172.16.20.11    0.0.0.0         UG        0 0          0 tap0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0

Has anyone seen this error before? Could you help me, please?

Thank you very much.
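An added check, not part of the post above, that parses the client's `netstat -nr` output and compares it with the access routes configured on the gateway: it lists which access routes arrived over the tunnel interface and flags a 0.0.0.0/0 over that interface, which is what the second table shows. The two tables are constructed from the post (the host route masked as X.X.X.X is left out) and the tunnel interface name tap0 is taken from it.

```python
import ipaddress

# Constructed from the two netstat -nr outputs in the post above; the host route
# the poster masked as X.X.X.X is left out.
SPLIT_TUNNEL_OK = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
10.0.0.0        172.16.20.11    255.0.0.0       UG        0 0          0 tap0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
"""
DEFAULT_VIA_TUNNEL = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
0.0.0.0         172.16.20.11    0.0.0.0         UG        0 0          0 tap0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
"""

def parse_netstat(text):
    """Return [(network, gateway, iface), ...] from Linux `netstat -nr` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "Destination":   # title and header lines
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)  # Destination/Genmask
        routes.append((net, f[1], f[-1]))
    return routes

def check_access_routes(text, access_routes, tunnel_iface="tap0"):
    """Compare the client's routing table with the gateway's configured access routes.

    "missing" lists access routes with no matching route over the tunnel interface;
    "full_tunnel" is set when a 0.0.0.0/0 points at the tunnel, i.e. the client got
    a full tunnel instead of the split tunnel that was configured.
    """
    expected = [ipaddress.ip_network(n) for n in access_routes]
    via_tunnel = [net for net, _gw, iface in parse_netstat(text) if iface == tunnel_iface]
    present = [str(n) for n in expected if n in via_tunnel]
    missing = [str(n) for n in expected if n not in via_tunnel]
    full_tunnel = any(net.prefixlen == 0 for net in via_tunnel)
    return {"present": present, "missing": missing, "full_tunnel": full_tunnel,
            "ok": not missing and not full_tunnel}
```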
