
CentOS 7 <=> Windows 10 - problem with connection #288

Closed
Taurus89 opened this issue Dec 6, 2017 · 1 comment

Comments


@Taurus89 Taurus89 commented Dec 6, 2017

Hello,

I have a problem establishing a connection between an AWS EC2 CentOS 7 instance and Windows 10, using the built-in VPN client.

On the CentOS server I have only this log, but I cannot detect the problem...

On AWS, the security group allows all traffic to my IP.

This is my first VPN ever...

==> /var/log/secure <==
Dec 6 15:29:22 localhost pluto[7564]: packet from 1.2.3.4:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Dec 6 15:29:22 localhost pluto[7564]: "l2tp-psk"[3] 1.2.3.4 #8: responding to Main Mode from unknown peer 1.2.3.4 on port 500
Dec 6 15:29:22 localhost pluto[7564]: "l2tp-psk"[3] 1.2.3.4 #8: WARNING: connection l2tp-psk PSK length of 7 bytes is too short for sha PRF in FIPS mode (10 bytes required)
Dec 6 15:29:22 localhost pluto[7564]: "l2tp-psk"[3] 1.2.3.4 #8: Oakley Transform [AES_CBC (256), HMAC_SHA1, DH20] refused
Dec 6 15:29:22 localhost pluto[7564]: "l2tp-psk"[3] 1.2.3.4 #8: WARNING: connection l2tp-psk PSK length of 7 bytes is too short for sha PRF in FIPS mode (10 bytes required)
Dec 6 15:29:22 localhost pluto[7564]: "l2tp-psk"[3] 1.2.3.4 #8: Oakley Transform [AES_CBC (128), HMAC_SHA1, DH19] refused
Dec 6 15:29:22 localhost pluto[7564]: "l2tp-psk"[3] 1.2.3.4 #8: WARNING: connection l2tp-psk PSK length of 7 bytes is too short for sha PRF in FIPS mode (10 bytes required)
Dec 6 15:29:22 localhost pluto[7564]: "l2tp-psk"[3] 1.2.3.4 #8: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[3] 1.2.3.4 #8: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[3] 1.2.3.4 #8: Peer ID is ID_IPV4_ADDR: '192.168.1.224'
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[3] 1.2.3.4 #8: switched from "l2tp-psk"[3] 1.2.3.4 to "l2tp-psk"
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: deleting connection "l2tp-psk"[3] 1.2.3.4 instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: Peer ID is ID_IPV4_ADDR: '192.168.1.224'
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: the peer proposed: 54.227.33.35/32:17/1701 -> 192.168.1.224/32:17/0
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #9: responding to Quick Mode proposal {msgid:01000000}
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #9: us: 172.31.18.73[54.227.33.35]:17/1701
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #9: them: 1.2.3.4[192.168.1.224]:17/1701
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #9: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0xf1d342d0 <0x4c1781d5 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.224 NATD=1.2.3.4:4500 DPD=active}
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #9: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #9: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xf1d342d0 <0x4c1781d5 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.224 NATD=1.2.3.4:4500 DPD=active}
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: the peer proposed: 54.227.33.35/32:17/1701 -> 192.168.1.224/32:17/1701
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #10: responding to Quick Mode proposal {msgid:02000000}
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #10: us: 172.31.18.73[54.227.33.35]:17/1701
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #10: them: 1.2.3.4[192.168.1.224]:17/1701
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #10: keeping refhim=0 during rekey
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x69e7a488 <0x2bf05d7d xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.224 NATD=1.2.3.4:4500 DPD=active}
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #10: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #10: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x69e7a488 <0x2bf05d7d xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.224 NATD=1.2.3.4:4500 DPD=active}
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: received Delete SA(0xf1d342d0) payload: deleting IPSEC State #9
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: deleting other state #9 (STATE_QUICK_R2) and sending notification
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: ESP traffic information: in=0B out=0B
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: received and ignored empty informational notification payload
Dec 6 15:29:26 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: the peer proposed: 54.227.33.35/32:17/1701 -> 192.168.1.224/32:17/1701
Dec 6 15:29:26 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
Dec 6 15:29:26 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #11: responding to Quick Mode proposal {msgid:03000000}
Dec 6 15:29:26 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #11: us: 172.31.18.73[54.227.33.35]:17/1701
Dec 6 15:29:26 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #11: them: 1.2.3.4[192.168.1.224]:17/1701
Dec 6 15:29:26 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #11: keeping refhim=0 during rekey
Dec 6 15:29:26 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #11: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x27e980c8 <0xed40ee25 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.224 NATD=1.2.3.4:4500 DPD=active}
Dec 6 15:29:26 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #11: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Dec 6 15:29:26 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #11: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x27e980c8 <0xed40ee25 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.224 NATD=1.2.3.4:4500 DPD=active}
Dec 6 15:29:26 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: received Delete SA(0x69e7a488) payload: deleting IPSEC State #10
Dec 6 15:29:26 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: deleting other state #10 (STATE_QUICK_R2) and sending notification
Dec 6 15:29:26 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: ESP traffic information: in=0B out=0B
Dec 6 15:29:26 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: received and ignored empty informational notification payload
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: the peer proposed: 54.227.33.35/32:17/1701 -> 192.168.1.224/32:17/1701
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #12: responding to Quick Mode proposal {msgid:04000000}
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #12: us: 172.31.18.73[54.227.33.35]:17/1701
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #12: them: 1.2.3.4[192.168.1.224]:17/1701
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #12: keeping refhim=0 during rekey
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #12: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x6d3045ee <0xb1468b48 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.224 NATD=1.2.3.4:4500 DPD=active}
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #12: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #12: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x6d3045ee <0xb1468b48 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.224 NATD=1.2.3.4:4500 DPD=active}
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: received Delete SA(0x27e980c8) payload: deleting IPSEC State #11
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: deleting other state #11 (STATE_QUICK_R2) and sending notification
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: ESP traffic information: in=0B out=0B
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: received and ignored empty informational notification payload
Dec 6 15:29:38 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: the peer proposed: 54.227.33.35/32:17/1701 -> 192.168.1.224/32:17/1701
Dec 6 15:29:38 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
Dec 6 15:29:38 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #13: responding to Quick Mode proposal {msgid:05000000}
Dec 6 15:29:38 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #13: us: 172.31.18.73[54.227.33.35]:17/1701
Dec 6 15:29:38 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #13: them: 1.2.3.4[192.168.1.224]:17/1701
Dec 6 15:29:38 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #13: keeping refhim=0 during rekey
Dec 6 15:29:38 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #13: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x12255fa6 <0x54a4717a xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.224 NATD=1.2.3.4:4500 DPD=active}
Dec 6 15:29:38 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #13: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Dec 6 15:29:38 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #13: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x12255fa6 <0x54a4717a xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.224 NATD=1.2.3.4:4500 DPD=active}
Dec 6 15:29:38 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: received Delete SA(0x6d3045ee) payload: deleting IPSEC State #12
Dec 6 15:29:38 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: deleting other state #12 (STATE_QUICK_R2) and sending notification
Dec 6 15:29:38 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: ESP traffic information: in=0B out=0B
Dec 6 15:29:38 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: received and ignored empty informational notification payload
Dec 6 15:29:48 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: the peer proposed: 54.227.33.35/32:17/1701 -> 192.168.1.224/32:17/1701
Dec 6 15:29:48 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
Dec 6 15:29:48 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #14: responding to Quick Mode proposal {msgid:06000000}
Dec 6 15:29:48 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #14: us: 172.31.18.73[54.227.33.35]:17/1701
Dec 6 15:29:48 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #14: them: 1.2.3.4[192.168.1.224]:17/1701
Dec 6 15:29:48 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #14: keeping refhim=0 during rekey
Dec 6 15:29:48 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #14: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x60a395a4 <0xd191e300 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.224 NATD=1.2.3.4:4500 DPD=active}
Dec 6 15:29:48 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #14: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Dec 6 15:29:48 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #14: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x60a395a4 <0xd191e300 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.224 NATD=1.2.3.4:4500 DPD=active}
Dec 6 15:29:48 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: received Delete SA(0x12255fa6) payload: deleting IPSEC State #13
Dec 6 15:29:48 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: deleting other state #13 (STATE_QUICK_R2) and sending notification
Dec 6 15:29:48 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: ESP traffic information: in=0B out=0B
Dec 6 15:29:48 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: received and ignored empty informational notification payload
Dec 6 15:29:58 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: received Delete SA(0x60a395a4) payload: deleting IPSEC State #14
Dec 6 15:29:58 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: deleting other state #14 (STATE_QUICK_R2) and sending notification
Dec 6 15:29:58 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: ESP traffic information: in=0B out=0B
Dec 6 15:29:58 localhost pluto[7564]: "l2tp-psk" #8: deleting state (STATE_MAIN_R3) and sending notification
Dec 6 15:29:58 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4: deleting connection "l2tp-psk"[4] 1.2.3.4 instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
Dec 6 15:29:58 localhost pluto[7564]: packet from 1.2.3.4:4500: received and ignored empty informational notification payload

@hwdsl2 hwdsl2 (Owner) commented Dec 7, 2017

@Taurus89 Hello! For the Windows built-in VPN client a registry change is required if the client and/or server is behind NAT. Your logs show received Delete SA ... right after STATE_QUICK_R2: IPsec SA established ..., which clearly indicates that you've not made that required registry change. Please follow the steps in [1]. Then reboot your Windows PC.

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#windows-error-809

@hwdsl2 hwdsl2 closed this Dec 7, 2017
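An added diagnostic (not part of the issue or of the project) that reads pluto lines in the format posted above and flags the symptom hwdsl2 points to: IPsec SAs deleted seconds after STATE_QUICK_R2 with zero ESP traffic, plus the PSK-length FIPS warning. The 60-second window and the two-cycle threshold are assumed heuristics, and the sample lines are a constructed excerpt in the same format.

```python
import re
from datetime import datetime

# Constructed excerpt in the same pluto/syslog format as the log posted in the issue.
SAMPLE_LOG = """\
Dec 6 15:29:22 localhost pluto[7564]: "l2tp-psk"[3] 1.2.3.4 #8: WARNING: connection l2tp-psk PSK length of 7 bytes is too short for sha PRF in FIPS mode (10 bytes required)
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #9: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xf1d342d0 <0x4c1781d5 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.224 NATD=1.2.3.4:4500 DPD=active}
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: received Delete SA(0xf1d342d0) payload: deleting IPSEC State #9
Dec 6 15:29:23 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: ESP traffic information: in=0B out=0B
Dec 6 15:29:26 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #11: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x27e980c8 <0xed40ee25 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.224 NATD=1.2.3.4:4500 DPD=active}
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: received Delete SA(0x27e980c8) payload: deleting IPSEC State #11
Dec 6 15:29:30 localhost pluto[7564]: "l2tp-psk"[4] 1.2.3.4 #8: ESP traffic information: in=0B out=0B
"""

TS_RE = re.compile(r'^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) ')
ESTAB_RE = re.compile(r'STATE_QUICK_R2: IPsec SA established .*?ESP(?:/NAT)?=>(0x[0-9a-f]+)')
DELETE_RE = re.compile(r'received Delete SA\((0x[0-9a-f]+)\) payload: deleting IPSEC State #\d+')
TRAFFIC_RE = re.compile(r'ESP traffic information: in=(\d+)B out=(\d+)B')
PSK_RE = re.compile(r'PSK length of \d+ bytes is too short')

def _stamp(line):
    m = TS_RE.match(line)  # syslog timestamp without a year; only deltas are used
    return datetime.strptime(' '.join(m.groups()), '%b %d %H:%M:%S') if m else None

def analyze(text, idle_window=60):
    # Track each IPsec SA by its outbound SPI from establishment to the peer's Delete SA.
    established, cycles, pending, psk_warning = {}, [], None, False
    for line in text.splitlines():
        ts = _stamp(line)
        if ts is None:
            continue
        if PSK_RE.search(line):
            psk_warning = True
        elif (m := ESTAB_RE.search(line)):
            established[m.group(1)] = ts
        elif (m := DELETE_RE.search(line)):
            start = established.pop(m.group(1), None)
            if start is not None:  # record lifetime; traffic counters arrive on the next line
                cycles.append([m.group(1), (ts - start).total_seconds(), None, None])
                pending = len(cycles) - 1
        elif (m := TRAFFIC_RE.search(line)) and pending is not None:
            cycles[pending][2:] = [int(m.group(1)), int(m.group(2))]
            pending = None
    # An SA torn down within the window that never carried ESP data is the NAT symptom.
    idle_short = [c for c in cycles if c[1] <= idle_window and c[2] == 0 and c[3] == 0]
    return {'cycles': [tuple(c) for c in cycles], 'psk_warning': psk_warning,
            'short_lived_idle_sas': len(idle_short), 'nat_symptom': len(idle_short) >= 2}
```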