22 Replies  Latest reply on Mar 13, 2015 4:59 PM by sliedl

    VPN set-up for password authentication

    kal800

      Hi,

       

      Cannot make it run using password authentication.

       

      Here is the configuration that worked:

       

      1. Created 3 certs: one for remote, one for local, and a user authentication certificate

      2. VPN definition:

           Type: IKE 1

           Mode: Dynamic IP restricted client

           Burb: internal

           Enc: Tunnel

           Local: Use Localhost IP

           Remote Authentication - Remote certificate

           Local Authentication - Local Certificate

           Enable NAT Traversal

           Mode Aggressive

       

      And that's it - on the other side, I used VPN Tracker 8 with certificates imported. And it worked.

       

      Now, I tried to setup that VPN password based and hit the wall.

       

      I tried different configurations: IKE1/Aggressive, IKE2/Main, IKE2/XAUTH. I always get an error that the connection was dropped due to policy.

       

      In the remote tab, I have password and remote identity (ID Kal, DN "sname" and mail address); in the local tab I have a grayed-out password and IP Address "localhost".

       

      I tried both VPN Tracker and the recommended Shrew on Windows. With certs it works, with password it does not....

       

      Please help - any advice really appreciated!

       

      Kal

       

      I checked the audit:

       

      exchange mode (AGGRESSIVE MODE) not supported by policy, packet dropped

        • 1. Re: VPN set-up for password authentication
          sliedl

          The one error you pasted simply means you had Main Mode selected on the firewall side and Aggressive Mode selected on the client for that attempt.  If you make those match for the next attempt and it still doesn't work, is there a different error in the audit?  You also need to troubleshoot from the client side.  If you ever see 'Retransmitting...' in a VPN audit you know that the client has an error and has stopped responding to the firewall (therefore you must troubleshoot on the client side).

          If you can, I suggest calling in to Support to troubleshoot this with a remote session.

          • 2. Re: VPN set-up for password authentication
            kal800

            Thanks a lot, but I'm afraid that is not the case. Unfortunately, I cannot raise a ticket yet: we have a pair of aftermarket devices with 7.0.1.02 SecureOS, and currently we are evaluating whether they will suit our needs. If so, we will obtain support for sure, but until then we have to rely on community help.

             

            So, I gathered some logs; first, the policy summary:

             

            ipsec add name=ike_1_password type=password encapsulation=tunnel active=0 \
                authalgorithm=sha1,md5 burb=internal encryptalgorithm=cast128,3des,des \
                fw-id=FQDN:sky.com fwauthmethod=password fwgw=localhost ids=Kal \
                ippoolid=All options=NO_STRICT_ID_MATCHING,NAT_T,INITIAL_CONTACT \
                p1auth=sha1,md5 p1crypt=aes256,aes128,3des,des p1exchange=AGGRESSIVE_MODE \
                p1life-kb=0 p1life-sec=3600 p1oakly=5,2,1 p1soft=85 p2life-kb=0 \
                p2life-sec=700 p2soft=85 password='*' pfs=0 position=3 remotegw=dynamic \
                srcnet='' version=1

             

            and the log from the client side:

             

            18:11:55  VPN Connection Requested

            18:11:55  Action on error is now stop

            18:11:55  This is VPN Tracker 8.1 cc3538137be2

            18:11:55  Preparing Connection

            18:11:58  Next step: Removing reachability check for VPN gateway

            18:11:58  Local network identifier is NETWORK-SIGNATURE://Modem.RemoteAddress=*99#

            18:11:58  Checking for network collisions

            18:11:58  Next step: Welcoming connectiond on socket 8

            18:11:58  Next step: Updating connectiond process info

            18:11:58  Configuring

            18:11:58  call pfkey_send_register for AH (349)

            18:11:58  call pfkey_send_register for ESP (349)

            18:11:58  call pfkey_send_register for IPCOMP (349)

            18:11:58  Next step: Sending connectiond config

            18:11:58  Saving cached local endpoint 164.126.135.53

            18:11:59  Phase 1 Started

            18:11:59  Next step: Processing connectiond connection request

            18:11:59  Next step: Starting Phase 1

            18:11:59  Next step: Starting connectiond timeout

            18:11:59  initiate new phase 1 negotiation: 164.126.135.53[51209]<=>46.186.89.252[500] (1049)

            18:11:59  begin Aggressive mode. (1054)

            18:11:59  === Phase 1 aggressive exchange / initiator / send 1 (106)

            18:11:59  new cookie: 0f769bd8787c561b (2159)

            18:11:59  local ID: Kal (KEY_ID) (3823)

            18:11:59  created transform #1 len=36 (2836)

            18:11:59  type=Life Type, flag=0x8000, lorv=seconds (1) (2203)

            18:11:59  type=Life Duration, flag=0x8000, lorv=28800 (28800) (2203)

            18:11:59  type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC (7) (2203)

            18:11:59  type=Key Length, flag=0x8000, lorv=256 (256) (2203)

            18:11:59  type=Authentication Method, flag=0x8000, lorv=pre-shared key (1) (2203)

            18:11:59  type=Hash Algorithm, flag=0x8000, lorv=SHA (2) (2203)

            18:11:59  type=Group Description, flag=0x8000, lorv=1024-bit MODP group (2) (2203)

            18:11:59  created transform #2 len=36 (2836)

            18:11:59  type=Life Type, flag=0x8000, lorv=seconds (1) (2203)

            18:11:59  type=Life Duration, flag=0x8000, lorv=28800 (28800) (2203)

            18:11:59  type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC (7) (2203)

            18:11:59  type=Key Length, flag=0x8000, lorv=192 (192) (2203)

            18:11:59  type=Authentication Method, flag=0x8000, lorv=pre-shared key (1) (2203)

            18:11:59  type=Hash Algorithm, flag=0x8000, lorv=SHA (2) (2203)

            18:11:59  type=Group Description, flag=0x8000, lorv=1024-bit MODP group (2) (2203)

            18:11:59  created transform #3 len=36 (2836)

            18:11:59  type=Life Type, flag=0x8000, lorv=seconds (1) (2203)

            18:11:59  type=Life Duration, flag=0x8000, lorv=28800 (28800) (2203)

            18:11:59  type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC (7) (2203)

            18:11:59  type=Key Length, flag=0x8000, lorv=128 (128) (2203)

            18:11:59  type=Authentication Method, flag=0x8000, lorv=pre-shared key (1) (2203)

            18:11:59  type=Hash Algorithm, flag=0x8000, lorv=SHA (2) (2203)

            18:11:59  type=Group Description, flag=0x8000, lorv=1024-bit MODP group (2) (2203)

            18:11:59  created transform #4 len=32 (2836)

            18:11:59  type=Life Type, flag=0x8000, lorv=seconds (1) (2203)

            18:11:59  type=Life Duration, flag=0x8000, lorv=28800 (28800) (2203)

            18:11:59  type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC (5) (2203)

            18:11:59  type=Authentication Method, flag=0x8000, lorv=pre-shared key (1) (2203)

            18:11:59  type=Hash Algorithm, flag=0x8000, lorv=SHA (2) (2203)

            18:11:59  type=Group Description, flag=0x8000, lorv=1024-bit MODP group (2) (2203)

            18:11:59  created transform #5 len=32 (2836)

            18:11:59  type=Life Type, flag=0x8000, lorv=seconds (1) (2203)

            18:11:59  type=Life Duration, flag=0x8000, lorv=28800 (28800) (2203)

            18:11:59  type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC (1) (2203)

            18:11:59  type=Authentication Method, flag=0x8000, lorv=pre-shared key (1) (2203)

            18:11:59  type=Hash Algorithm, flag=0x8000, lorv=SHA (2) (2203)

            18:11:59  type=Group Description, flag=0x8000, lorv=1024-bit MODP group (2) (2203)

            18:11:59  created proposal #1 len=180 (2857)

            18:11:59  add payload of len 188, next type sa (2289)

            18:11:59  add payload of len 128, next type ke (2289)

            18:11:59  add payload of len 16, next type nonce (2289)

            18:11:59  add payload of len 7, next type id (2289)

            18:11:59  add payload of len 16, next type vid (2289)

            18:11:59  added vendor id is: draft-ietf-ipsec-nat-t-ike-00 (2311)

            18:11:59  add payload of len 16, next type vid (2289)

            18:11:59  added vendor id is: draft-ietf-ipsec-nat-t-ike-01 (2311)

            18:11:59  add payload of len 16, next type vid (2289)

            18:11:59  added vendor id is: draft-ietf-ipsec-nat-t-ike-02 (2311)

            18:11:59  add payload of len 16, next type vid (2289)

            18:11:59  added vendor id is: draft-ietf-ipsec-nat-t-ike-02\n (2311)

            18:11:59  add payload of len 16, next type vid (2289)

            18:11:59  added vendor id is: draft-ietf-ipsec-nat-t-ike-03 (2311)

            18:11:59  add payload of len 16, next type vid (2289)

            18:11:59  added vendor id is: draft-ietf-ipsec-nat-t-ike-04 (2311)

            18:11:59  add payload of len 16, next type vid (2289)

            18:11:59  added vendor id is: draft-ietf-ipsec-nat-t-ike-05 (2311)

            18:11:59  add payload of len 16, next type vid (2289)

            18:11:59  added vendor id is: draft-ietf-ipsec-nat-t-ike-06 (2311)

            18:11:59  add payload of len 16, next type vid (2289)

            18:11:59  added vendor id is: draft-ietf-ipsec-nat-t-ike-07 (2311)

            18:11:59  add payload of len 16, next type vid (2289)

            18:11:59  added vendor id is: draft-ietf-ipsec-nat-t-ike-08 (2311)

            18:11:59  add payload of len 16, next type vid (2289)

            18:11:59  added vendor id is: RFC 3947 (2311)

            18:11:59  add payload of len 16, next type vid (2289)

            18:11:59  added vendor id is: Dead Peer Detection (2311)

            18:11:59  send phase1 packet from 164.126.135.53[51209] to 46.186.89.252[500] (0f769bd8787c561b:0000000000000000) (1584)

            18:12:04  resend phase1 packet from 164.126.135.53[51209] to 46.186.89.252[500] (0f769bd8787c561b:0000000000000000) (1584)

            18:12:09  resend phase1 packet from 164.126.135.53[51209] to 46.186.89.252[500] (0f769bd8787c561b:0000000000000000) (1584)

            18:12:14  resend phase1 packet from 164.126.135.53[51209] to 46.186.89.252[500] (0f769bd8787c561b:0000000000000000) (1584)

            18:12:19  resend phase1 packet from 164.126.135.53[51209] to 46.186.89.252[500] (0f769bd8787c561b:0000000000000000) (1584)

            18:12:24  resend phase1 packet from 164.126.135.53[51209] to 46.186.89.252[500] (0f769bd8787c561b:0000000000000000) (1584)

            18:12:29  phase1 negotiation with 46.186.89.252[500] failed (0f769bd8787c561b:0000000000000000) (1553)

            18:12:29  VPN Gateway Not Responding (Phase 1)


            and the audit log:


            Feb 26 12:11:14 2015 EST  f_isakmp_daemon a_vpn t_debug p_minor

            pid: 5616 ruid: 0 euid: 0 pgid: 5616 logid: 0 cmd: 'ikmpd'

            domain: ikpd edomain: ikpd hostname: sky_fw_1.sky

            information: ##### - in udp_read

             

            Feb 26 12:11:14 2015 EST  f_isakmp_daemon a_vpn t_debug p_minor

            pid: 5616 ruid: 0 euid: 0 pgid: 5616 logid: 0 cmd: 'ikmpd'

            domain: ikpd edomain: ikpd hostname: sky_fw_1.sky

            information: ##### - in exchange_error

             

            Feb 26 12:11:14 2015 EST  f_isakmp_daemon a_vpn t_debug p_minor

            pid: 5616 ruid: 0 euid: 0 pgid: 5616 logid: 0 cmd: 'ikmpd'

            domain: ikpd edomain: ikpd hostname: sky_fw_1.sky

            information: ##### - in process_error_queue

             

            Feb 26 12:11:14 2015 EST  f_isakmp_daemon a_vpn t_error p_major

            pid: 5616 ruid: 0 euid: 0 pgid: 5616 logid: 0 cmd: 'ikmpd'

            domain: ikpd edomain: ikpd hostname: sky_fw_1.sky cky_i: 0f769bd8787c561b

            cky_r: 0000000000000000 local_gw: 46.186.89.252 remote_gw: 164.126.135.53

            information: [detailed info]

              [error]

                AGGRESSIVE_MODE exchange processing failed

              [error]

                Received exchange type (AGGRESSIVE_MODE) not supported by policy, packet dropped

             

             

            When I switch to MAIN on the client side, I get:

             

            Feb 26 12:12:17 2015 EST  f_isakmp_daemon a_vpn t_error p_major

            pid: 5616 ruid: 0 euid: 0 pgid: 5616 logid: 0 cmd: 'ikmpd'

            domain: ikpd edomain: ikpd hostname: sky_fw_1.sky cky_i: 38c722f334e76116

            cky_r: 0000000000000000 local_gw: 46.186.89.252 remote_gw: 164.126.135.53

            information: [detailed info]

              [error]

                MAIN_MODE exchange processing failed

              [error]

                Received exchange type (MAIN_MODE) not supported by policy, packet dropped
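The two logs above can be read against each other mechanically. The script below is an added example, not code from the thread or from the firewall vendor: it correlates the client's Phase 1 log (the format VPN Tracker printed above) with the firewall's ISAKMP audit records by initiator cookie and applies the rule from the first reply: a client that only retransmits never heard back, so the drop happened on the firewall, and an audit record with no vpn_name field means no VPN definition matched. All log lines embedded in it are constructed for the example.

```python
"""Triage an IKEv1 Phase 1 failure from both ends of the tunnel.

Added example, not code from the thread or the firewall vendor. Correlates a
client negotiation log with the firewall's ISAKMP audit by initiator cookie
and decides which side to troubleshoot. Sample logs are constructed.
"""
import re

# Constructed client log: one send, five resends, responder cookie never set.
CLIENT_LOG = """\
18:11:59  begin Aggressive mode. (1054)
18:11:59  local ID: Kal (KEY_ID) (3823)
18:11:59  send phase1 packet from 164.126.135.53[51209] to 46.186.89.252[500] (0f769bd8787c561b:0000000000000000) (1584)
18:12:04  resend phase1 packet from 164.126.135.53[51209] to 46.186.89.252[500] (0f769bd8787c561b:0000000000000000) (1584)
18:12:09  resend phase1 packet from 164.126.135.53[51209] to 46.186.89.252[500] (0f769bd8787c561b:0000000000000000) (1584)
18:12:14  resend phase1 packet from 164.126.135.53[51209] to 46.186.89.252[500] (0f769bd8787c561b:0000000000000000) (1584)
18:12:19  resend phase1 packet from 164.126.135.53[51209] to 46.186.89.252[500] (0f769bd8787c561b:0000000000000000) (1584)
18:12:24  resend phase1 packet from 164.126.135.53[51209] to 46.186.89.252[500] (0f769bd8787c561b:0000000000000000) (1584)
18:12:29  phase1 negotiation with 46.186.89.252[500] failed (0f769bd8787c561b:0000000000000000) (1553)
"""

# Constructed firewall audit: blank-line separated records of "key: value"
# header fields; each error sits on the line after an "[error]" marker.
AUDIT_LOG = """\
Feb 26 12:11:14 2015 EST  f_isakmp_daemon a_vpn t_error p_major
pid: 5616 ruid: 0 euid: 0 pgid: 5616 logid: 0 cmd: 'ikmpd'
domain: ikpd edomain: ikpd hostname: sky_fw_1.sky cky_i: 0f769bd8787c561b
cky_r: 0000000000000000 local_gw: 46.186.89.252 remote_gw: 164.126.135.53
information: [detailed info]
  [error]
    AGGRESSIVE_MODE exchange processing failed
  [error]
    Received exchange type (AGGRESSIVE_MODE) not supported by policy, packet dropped
"""

PKT_RE = re.compile(
    r"^\S+\s+(?P<what>send|resend) phase1 packet from \S+ to \S+ "
    r"\((?P<cky_i>[0-9a-f]{16}):(?P<cky_r>[0-9a-f]{16})\)")
MODE_RE = re.compile(r"begin (?P<mode>Aggressive|Main) mode")
KV_RE = re.compile(r"(\w+): (\S+)")


def parse_client(log):
    """Summarise what the initiator sent and whether anything came back."""
    info = {"mode": None, "cky_i": None, "sends": 0, "resends": 0,
            "gateway_replied": False}
    for line in log.splitlines():
        m = MODE_RE.search(line)
        if m:
            info["mode"] = m.group("mode").upper() + "_MODE"
        m = PKT_RE.match(line)
        if m:
            info["cky_i"] = m.group("cky_i")
            info[m.group("what") + "s"] += 1
            # The responder cookie stays all-zero until the gateway replies.
            if m.group("cky_r").strip("0"):
                info["gateway_replied"] = True
    return info


def parse_audit(text):
    """Split the audit into records: header fields plus the [error] lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"errors": []}
        for line in lines:
            if line.startswith("information:"):
                break                      # header fields end here
            rec.update(KV_RE.findall(line))
        for prev, cur in zip(lines, lines[1:]):
            if prev.strip() == "[error]":
                rec["errors"].append(cur.strip())
        records.append(rec)
    return records


def triage(client_log, audit_text):
    """Decide which side to troubleshoot, following the rule in reply 1."""
    client = parse_client(client_log)
    hits = [r for r in parse_audit(audit_text) if r.get("cky_i") == client["cky_i"]]
    errors = [e for r in hits for e in r["errors"]]
    if client["gateway_replied"]:
        side, reason = "client", "gateway answered at least once; the client stopped responding"
    elif not hits:
        side, reason = "network", "no audit record for this initiator cookie; UDP/500 never reached the firewall"
    elif not any("vpn_name" in r for r in hits):
        side, reason = "firewall", ("no VPN definition matched (no vpn_name in the audit): check that "
                                    "one is active and its p1exchange is " + str(client["mode"]))
    else:
        side, reason = "firewall", "; ".join(errors)
    return {"client": client, "audit_records": len(hits), "errors": errors,
            "side": side, "reason": reason}


if __name__ == "__main__":
    v = triage(CLIENT_LOG, AUDIT_LOG)
    print(f"troubleshoot on the {v['side']} side: {v['reason']}")
```

Run it as-is and it reports the firewall side with the "no vpn_name" reason; feed it a log where the responder cookie is non-zero and the verdict flips to the client side, which is the 'Retransmitting...' case from the first reply.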

            • 3. Re: VPN set-up for password authentication
              kal800

              Hi, absolutely no chance to get any support on the above?

               

              Regards

               

              Kal

              • 4. Re: VPN set-up for password authentication
                sliedl

                This VPN is not enabled.

                • 5. Re: VPN set-up for password authentication
                  sliedl

                  Was the VPN-definition not being enabled the issue?  I can't think of any other way for the firewall to say neither Aggressive nor Main Mode is supported since you obviously have to choose one or the other in a VPN-definition.  It appears from the audit that ISAKMP is listening but does not have any configurations to compare these Phase 1 packets against.  I don't see any vpn_name fields in the audits that were pasted, so that tells me these packets are not matching any VPN-definitions at all.

                  • 6. Re: VPN set-up for password authentication
                    kal800

                    Actually not.

                     

                    I've just pasted the wrong VPN definition, but the one that was enabled at that moment was identical - I cloned the rule with a different name, hoping that would help...

                     

                    But there is more - today I reinstalled that device: ran a fresh SecureOS image from the pendrive, and did not restore any configuration. What I did after the initial setup (to keep it simple: 2 burbs, one internal with one PC connected and one external to the internet):

                     

                    1. Set up DNS

                    2. Checked connectivity - ping external address both from firewall and internal PC using host name

                    3. Defined a rule enabling VPN (isakmp from Any burb to Any)

                    4. Defined a VPN rule with PSK

                    5. Defined the VPN connection (from scratch)

                     

                    Checked and... EXACTLY THE SAME!!! Logs from the client show that the VPN gateway is not responding and the audit on the firewall shows

                     

                        Received exchange type (AGGRESSIVE_MODE) not supported by policy, packet dropped

                     

                    It seems clear to me that my firewall with 7.0.1.02 software has a bug. Browsing this forum, I found exactly the same case two years ago, but no solution either...

                     

                    EDIT - When I save the policy, I see a warning that IKE 1 with password authentication is not secure, but it is only a warning. I cannot set up IKE 2 with password in aggressive mode, that's why it is the only option...

                     

                    Kal

                    • 7. Re: VPN set-up for password authentication
                      sliedl

                      I do not see any bugs in our bug-database about this type of issue.  If you'd like to upgrade this firewall to the latest version-7 code release (70103H10) you can download and install these two files:

                      ftp://downloads.securecomputing.com/packages/firewall/7.0.1/70103
                      ftp://downloads.securecomputing.com/packages/firewall/7.0.1/70103H10

                       

                      This is how I'd do it on the firewall command-line:
                      $> cd /var/spool
                      (The /var/spool partition is large and mostly-unused, so it's where I download patches to when I'm patching a firewall.)
                      $> ftp ftp://downloads.securecomputing.com/packages/firewall/7.0.1/70103 .
                      $> ftp ftp://downloads.securecomputing.com/packages/firewall/7.0.1/70103H10 .
                      (Notice the [space][period] at the end, which means "Download this file and place it here in this current-directory with the same name.")

                       

                      -- Load the packages
                      $> cf pack load source=file directory=/var/spool packages=70103,70103H10
                      -- Install the packages
                      $> cf pack install pack=70103,70103H10

                       

                      Once the firewall reboots, try the VPN connection again.

                       

                      BEFORE that, please paste the 'cf ipsec query' output you have right now.  Also, run this command and paste the output here: 'cf cert q id'.

                      • 8. Re: VPN set-up for password authentication
                        kal800

                        ipsec add name=vpn type=password encapsulation=tunnel active=1 \
                            authalgorithm=sha1,md5 burb=internal \
                            encryptalgorithm=aes256,aes128,cast128,3des,des fw-id=FQDN:skyfw1.sky.pl \
                            fwauthmethod=password fwgw=localhost ids=kkalukin \
                            options=NAT_T,INITIAL_CONTACT p1auth=sha1,md5 \
                            p1crypt=aes256,aes128,3des,des p1exchange=AGGRESSIVE_MODE p1life-kb=0 \
                            p1life-sec=3600 p1oakly=5,2,1 p1soft=85 p2life-kb=0 p2life-sec=700 \
                            p2soft=85 password='*' pfs=0 position=1 remotegw=client \
                            srcnet=192.168.0.0/24 version=1

                         

                        cert add id name=kkalukin dn=kkalukin@sky.pl

                        • 9. Re: VPN set-up for password authentication
                          sliedl

                          The format of your 'id' is incorrect.  Run this command to modify it:

                          $> cf cert modify id name=kkalukin dn=cn=kkalukin@sky.pl

                          (You're adding 'cn=' to the id; you can do this in the GUI also, add the cn= part to the front of that string.)

                           

                          Restart isakmp:

                          $> cf daemond restart agent=isakmp

                           

                          Now try the VPN again.
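The checks sliedl made by eye across replies 5, 7 and 9 (is the definition active, does p1exchange match what the client sends, is the remote identity a real DN with a cn= prefix) can be scripted against the `cf ipsec query` and `cf cert q id` output. The linter below is an added example, not the firewall's own tooling: it parses the backslash-continued key=value dump with shlex, splits the id's DN into RDNs, and emits the same `cf cert modify` fix given above when the DN is a bare address. It also flags what the GUI warning in reply 6 is about: in IKEv1 aggressive mode the PSK-keyed hash travels unencrypted, so the password is exposed to offline guessing, and it flags DES/MD5 in the algorithm lists. The policy dump is constructed to reproduce the thread's broken state (active=0, dn without cn=).

```python
"""Lint a Firewall Enterprise VPN definition for the mistakes in this thread.

Added example, not the firewall's own tooling. Parses the shell-style dumps
printed by `cf ipsec query` and `cf cert q id` and reports: disabled
definition, Phase 1 exchange mismatch, weak algorithms, IKEv1 aggressive
mode with a password, and a remote identity whose dn is not a DN.
Sample dumps are constructed to match the thread.
"""
import re
import shlex

POLICY_DUMP = """\
ipsec add name=vpn type=password encapsulation=tunnel active=0 \\
    authalgorithm=sha1,md5 burb=internal \\
    encryptalgorithm=aes256,aes128,cast128,3des,des fw-id=FQDN:skyfw1.sky.pl \\
    fwauthmethod=password fwgw=localhost ids=kkalukin \\
    options=NAT_T,INITIAL_CONTACT p1auth=sha1,md5 \\
    p1crypt=aes256,aes128,3des,des p1exchange=AGGRESSIVE_MODE p1life-kb=0 \\
    p1life-sec=3600 p1oakly=5,2,1 p1soft=85 p2life-kb=0 p2life-sec=700 \\
    p2soft=85 password='*' pfs=0 position=1 remotegw=client \\
    srcnet=192.168.0.0/24 version=1
"""
CERT_DUMP = "cert add id name=kkalukin dn=kkalukin@sky.pl\n"

WEAK = {"des", "md5"}   # algorithms that should not appear in any offer list


def parse_cf_line(text):
    """Turn one backslash-continued `cf` dump line into (verb, {key: value})."""
    tokens = shlex.split(text.replace("\\\n", " "))
    fields = {}
    for tok in tokens[2:]:
        key, _, value = tok.partition("=")
        fields[key] = value
    return " ".join(tokens[:2]), fields


def parse_dn(dn):
    """Split an LDAP-style DN into [(attr, value)]; a bare string yields []."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, eq, value = part.partition("=")
        if not eq:
            return []                       # no attr=value pair: not a DN
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def lint(policy_dump, cert_dump, client_mode="AGGRESSIVE_MODE"):
    """Return (findings, fix_commands) for one definition and its cert ids."""
    _, pol = parse_cf_line(policy_dump)
    name = pol.get("name", "?")
    findings, fixes = [], []
    if pol.get("active") != "1":
        findings.append(f"{name}: active={pol.get('active')}, definition is disabled; nothing can match it")
    if pol.get("p1exchange") != client_mode:
        findings.append(f"{name}: p1exchange={pol.get('p1exchange')} but the client sends {client_mode}")
    if (pol.get("version") == "1" and pol.get("fwauthmethod") == "password"
            and pol.get("p1exchange") == "AGGRESSIVE_MODE"):
        findings.append(f"{name}: IKEv1 aggressive mode with a password sends the PSK-keyed "
                        "hash in the clear; the password is exposed to offline guessing")
    for key in ("p1crypt", "p1auth", "encryptalgorithm", "authalgorithm"):
        weak = WEAK & set(pol.get(key, "").split(","))
        if weak:
            findings.append(f"{name}: {key} offers weak algorithm(s) {','.join(sorted(weak))}")
    # Every identity the definition accepts must exist as a well-formed cert id.
    ids = {}
    for line in cert_dump.splitlines():
        _, cert = parse_cf_line(line)
        ids[cert["name"]] = cert["dn"]
    for ident in pol.get("ids", "").split(","):
        dn = ids.get(ident)
        if dn is None:
            findings.append(f"{name}: ids={ident} has no cert id")
        elif not parse_dn(dn):
            findings.append(f"id {ident}: dn={dn} is not a DN (needs cn= in front)")
            fixes.append(f"cf cert modify id name={ident} dn=cn={dn}")
    return findings, fixes


if __name__ == "__main__":
    found, cmds = lint(POLICY_DUMP, CERT_DUMP)
    print("\n".join(found))
    print("\n".join(cmds))
```

Paste your own `cf ipsec query` and `cf cert q id` output into the two strings; the `client_mode` argument is whatever the client log says it begins with (Aggressive or Main).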
