Uploaded image for project: 'CloudStack'
  1. CloudStack
  2. CLOUDSTACK-9712

Establishing Remote access VPN is failing due to mismatch of preshared secrets post Disable/Enable VPN.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 4.9.0
    • None
    • Virtual Router
    • Security Level: Public (Anyone can view this level - this is the default.)

    Description

      • On a Isolated Network enable VPN , and configure few VPN users.
      • Deploy a windows 2012R2 VM in the shared network . Create a new VPN connection by providing the NAt ip , select L2tp in the confguration and provide the psk provided by cloudstack.
      • Try logging with the vpn users created above.

      Observations :

      • User fails to login with the following error message at client : " Error 789 : The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer ".
      • Each time VPN is DIsabled/Enabled , new key is stored in ipsec.any.secrets.
        root@r-5-VM:~# cat /etc/ipsec.d/ipsec.any.secrets
        : PSK "O3rEXqxgMXRvNkPRXaqtkg43"
        : PSK "ZwEcGeHKnE9z2zpPht9eh77T"
        : PSK "7CUjMgwO8sbMJXjyHhRg2NDp"

      Note : when the older psk are deleted and only the current key is retained in the file , remote vpn is established sucessfully.
      =============================================auth.log==============================================

      Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
      Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: received Vendor ID payload [RFC 3947] method set to=109
      Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
      Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [FRAGMENTATION]
      Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
      Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [Vid-Initial-Contact]
      Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [IKE CGA version 1]
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: responding to Main Mode from unknown peer 10.147.52.62
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: STATE_MAIN_R1: sent MR1, expecting MI2
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: STATE_MAIN_R2: sent MR2, expecting MI3
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
      Dec 28 10:49:30 r-5-VM pluto[2828]: | payload malformed after IV
      Dec 28 10:49:30 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c 4f 0d 4c 9e
      Dec 28 10:49:30 r-5-VM pluto[2828]: | 3e 71 6f 48
      Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
      Dec 28 10:49:31 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
      Dec 28 10:49:31 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
      Dec 28 10:49:31 r-5-VM pluto[2828]: | payload malformed after IV
      Dec 28 10:49:31 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c 4f 0d 4c 9e
      Dec 28 10:49:31 r-5-VM pluto[2828]: | 3e 71 6f 48
      Dec 28 10:49:31 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
      Dec 28 10:49:32 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
      Dec 28 10:49:32 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
      Dec 28 10:49:32 r-5-VM pluto[2828]: | payload malformed after IV
      Dec 28 10:49:32 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c 4f 0d 4c 9e
      Dec 28 10:49:32 r-5-VM pluto[2828]: | 3e 71 6f 48
      Dec 28 10:49:32 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
      Dec 28 10:49:35 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
      Dec 28 10:49:35 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
      Dec 28 10:49:35 r-5-VM pluto[2828]: | payload malformed after IV
      Dec 28 10:49:35 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c 4f 0d 4c 9e
      Dec 28 10:49:35 r-5-VM pluto[2828]: | 3e 71 6f 48
      Dec 28 10:49:35 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
      Dec 28 10:49:42 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
      Dec 28 10:49:42 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
      Dec 28 10:49:42 r-5-VM pluto[2828]: | payload malformed after IV
      Dec 28 10:49:42 r-5-VM pluto[2828]: | 87 74 c8 93 55 12 88 96 81 35 42 4c 4f 0d 4c 9e
      Dec 28 10:49:42 r-5-VM pluto[2828]: | 3e 71 6f 48
      Dec 28 10:49:42 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
      =================================================================================================

      Attachments

        1. management-server.rar
          2.77 MB
          DeepthiMachiraju

        Issue Links

          links to

          Web Link GitHub Pull Request #1890

          Activity

            People

              weizhou Wei Zhou
              deepthimachiraju DeepthiMachiraju
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: