CloudStack / CLOUDSTACK-9712

Establishing Remote access VPN is failing due to mismatch of preshared secrets post Disable/Enable VPN.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 4.9.0
    • Fix Version/s: None
    • Component/s: Virtual Router
    • Security Level: Public (Anyone can view this level - this is the default.)
    • Labels:

      Description

      • On an Isolated Network, enable VPN and configure a few VPN users.
      • Deploy a Windows 2012R2 VM in the shared network. Create a new VPN connection by providing the NAT IP, select L2TP in the configuration and provide the PSK supplied by CloudStack.
      • Try logging in with the VPN users created above.

      Observations:

      • The user fails to log in with the following error message at the client: "Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer".
      • Each time VPN is Disabled/Enabled, a new key is appended to ipsec.any.secrets instead of replacing the previous one:
        root@r-5-VM:~# cat /etc/ipsec.d/ipsec.any.secrets
        : PSK "O3rEXqxgMXRvNkPRXaqtkg43"
        : PSK "ZwEcGeHKnE9z2zpPht9eh77T"
        : PSK "7CUjMgwO8sbMJXjyHhRg2NDp"

      Note: when the older PSKs are deleted and only the current key is retained in the file, the remote VPN is established successfully.
      =============================================auth.log==============================================

      Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
      Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: received Vendor ID payload [RFC 3947] method set to=109
      Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
      Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [FRAGMENTATION]
      Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
      Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [Vid-Initial-Contact]
      Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [IKE CGA version 1]
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: responding to Main Mode from unknown peer 10.147.52.62
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: STATE_MAIN_R1: sent MR1, expecting MI2
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: STATE_MAIN_R2: sent MR2, expecting MI3
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
      Dec 28 10:49:30 r-5-VM pluto[2828]: | payload malformed after IV
      Dec 28 10:49:30 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c 4f 0d 4c 9e
      Dec 28 10:49:30 r-5-VM pluto[2828]: | 3e 71 6f 48
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
      Dec 28 10:49:31 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
      Dec 28 10:49:31 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
      Dec 28 10:49:31 r-5-VM pluto[2828]: | payload malformed after IV
      Dec 28 10:49:31 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c 4f 0d 4c 9e
      Dec 28 10:49:31 r-5-VM pluto[2828]: | 3e 71 6f 48
      Dec 28 10:49:31 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
      Dec 28 10:49:32 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
      Dec 28 10:49:32 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
      Dec 28 10:49:32 r-5-VM pluto[2828]: | payload malformed after IV
      Dec 28 10:49:32 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c 4f 0d 4c 9e
      Dec 28 10:49:32 r-5-VM pluto[2828]: | 3e 71 6f 48
      Dec 28 10:49:32 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
      Dec 28 10:49:35 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
      Dec 28 10:49:35 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
      Dec 28 10:49:35 r-5-VM pluto[2828]: | payload malformed after IV
      Dec 28 10:49:35 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c 4f 0d 4c 9e
      Dec 28 10:49:35 r-5-VM pluto[2828]: | 3e 71 6f 48
      Dec 28 10:49:35 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
      Dec 28 10:49:42 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
      Dec 28 10:49:42 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
      Dec 28 10:49:42 r-5-VM pluto[2828]: | payload malformed after IV
      Dec 28 10:49:42 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c 4f 0d 4c 9e
      Dec 28 10:49:42 r-5-VM pluto[2828]: | 3e 71 6f 48
      Dec 28 10:49:42 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
      =================================================================================================
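      As an added example (not the reporter's or CloudStack's own virtual-router code), the check below parses a copy of ipsec.any.secrets in the state shown above, correlates it with pluto's "multiple ipsec.secrets entries" warning, and shows the idempotent rewrite that leaves exactly one PSK line. The key values and log excerpt are constructed from this report, and it assumes the last appended key is the one CloudStack currently displays for the network.

```python
import re

# A libreswan/openswan PSK line, e.g.:  : PSK "O3rEXqxgMXRvNkPRXaqtkg43"
PSK_LINE = re.compile(r'^\s*:\s*PSK\s+"([^"]*)"\s*$')
# The warning pluto logs when more than one secret matches the same endpoints.
MULTI_SECRET_MSG = "multiple ipsec.secrets entries with distinct secrets match endpoints"

# Constructed copy of the file as the bug leaves it after two Disable/Enable cycles.
STALE_SECRETS = (
    ': PSK "O3rEXqxgMXRvNkPRXaqtkg43"\n'
    ': PSK "ZwEcGeHKnE9z2zpPht9eh77T"\n'
    ': PSK "7CUjMgwO8sbMJXjyHhRg2NDp"\n'
)
# Constructed auth.log excerpt in the format shown in the report.
AUTH_LOG = [
    'Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: responding to Main Mode from unknown peer 10.147.52.62',
    'Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: ' + MULTI_SECRET_MSG + ': first secret used',
    'Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet',
]

def psk_entries(secrets_text):
    """Return the PSK values in file order (pluto uses the first one that matches)."""
    return [m.group(1) for m in map(PSK_LINE.match, secrets_text.splitlines()) if m]

def diagnose(secrets_text, auth_log_lines, current_psk):
    """Correlate the file state with pluto's warning; return a dict of findings."""
    keys = psk_entries(secrets_text)
    return {
        "psk_count": len(keys),
        "first_key_is_current": bool(keys) and keys[0] == current_psk,
        "stale_keys": [k for k in keys if k != current_psk],
        "pluto_warned": any(MULTI_SECRET_MSG in line for line in auth_log_lines),
    }

def render_secrets(secrets_text, current_psk):
    """Idempotent rewrite: drop every PSK line and emit exactly one carrying the
    current key, keeping any non-PSK lines. Writing this content instead of
    appending is what stops the stale-key pile-up on Disable/Enable."""
    kept = [line for line in secrets_text.splitlines() if not PSK_LINE.match(line)]
    return "\n".join(kept + [': PSK "%s"' % current_psk]) + "\n"

if __name__ == "__main__":
    current = "7CUjMgwO8sbMJXjyHhRg2NDp"  # assumed: the key CloudStack currently shows
    print(diagnose(STALE_SECRETS, AUTH_LOG, current))
    print(render_secrets(STALE_SECRETS, current), end="")
```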

        Attachments

        • management-server.rar (2.77 MB, uploaded by DeepthiMachiraju)

        People

        • Assignee: Wei Zhou (weizhou)
        • Reporter: DeepthiMachiraju (deepthimachiraju)