Peer attempted PSK authentication but we want rsasig in I2 Auth Payload #818

Closed
khunalex opened this issue Jun 20, 2020 · 2 comments

@khunalex
khunalex commented Jun 20, 2020

Hello.
I'm getting this error:

```
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx: local IKE proposals (IKE SA responder matching remote proposals):
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx:   1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx:   2:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx:   3:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx:   4:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx:   5:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP1024
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx:   6:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP1024
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx #15: proposal 1:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048[first-match]
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx #15: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_128 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx #15: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr,N}
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx #15: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.168.0.111'
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx #15: Peer attempted PSK authentication but we want rsasig in I2 Auth Payload
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx #15: responding to IKE_AUTH message (ID 1) from 79.150.xxx.xxx:4500 with encrypted notification AUTHENTICATION_FAILED
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx #15: encountered fatal error in state STATE_PARENT_R1
Jun 21 22:18:18 localhost pluto[8417]: "ikev2-cp"[11] 79.150.xxx.xxx #15: deleting state (STATE_PARENT_R1) aged 0.088s and NOT sending notification
Jun 21 22:18:18 localhost pluto[8417]:  #15: deleting connection "ikev2-cp"[11] 79.150.xxx.xxx instance with peer 79.150.xxx.xxx {isakmp=#0/ipsec=#0}
```

on the server side, and only when I try to connect from a Linux client (Odroid C2, Ubuntu Xenial).
The VPN server is a Raspberry Pi 4. I have other clients connecting to this server without issues (Win10, Android 9, Android 4, the strongSwan Android VPN client on an Android 9 TV box).

In both ipsec.conf files (server and client) I set authby=secret. But according to the error message it's like the server has authby=rsasig set somewhere, although I just have the default installation from the scripts.

This is the ipsec.conf in the server:

```
version 2.0

config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
  protostack=netkey
  interfaces=%defaultroute
  uniqueids=no

conn shared
  left=%defaultroute
  leftid=@pi4.xxxxxxx.com
  right=%any
  encapsulation=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ikev2=never
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  sha2-truncbug=yes

conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  phase2=esp
  also=shared

conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=192.168.43.10-192.168.43.250
  modecfgdns="8.8.8.8 8.8.4.4"
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=file
  ike-frag=yes
  cisco-unity=yes
  also=shared
```

And this is the ipsec.conf on the client side.

```
version 2.0

config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.69.0/24,%v4:!192.168.70.0/24
  protostack=netkey
  interfaces=%defaultroute
  uniqueids=no

conn shared
  left=%defaultroute
  leftid=@wopr.xxxxxxxx.com
  right=%any
  encapsulation=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ikev2=never
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  esp=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  #phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  sha2-truncbug=yes

conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  phase2=esp
  also=shared

conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=192.168.70.10-192.168.70.250
  modecfgdns="8.8.8.8 8.8.4.4"
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=file
  ike-frag=yes
  cisco-unity=yes
  also=shared

conn myvpn
  keyexchange=ike
  left=%defaultroute
  auto=add
  #rightauth=rsasig
  #leftauth=secret
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=pi4.xxxxxxxxxx.com
  rightid=@pi4.xxxxxxxx.com
  ike=aes128-sha1-modp2048
  esp=aes128-sha1-modp2048
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1

include /etc/ipsec.d/*.conf
```

I would appreciate any help.
Thank you so much.

khunalex changed the title from "unable to connect from linux client and android 9 tvbox" to "unable to connect from linux client" on Jun 21, 2020
khunalex changed the title from "unable to connect from linux client" to "Peer attempted PSK authentication but we want rsasig in I2 Auth Payload" on Jun 21, 2020

@hwdsl2 (Owner) commented Jun 22, 2020

@khunalex Hello! Your logs indicate that the VPN server has IKEv2 configured (connection ikev2-cp). Did you try to set up IKEv2 [1] on the server before?

To disable it, find and comment out the ikev2-cp section in /etc/ipsec.conf, or find the file /etc/ipsec.d/ikev2.conf and rename it to /etc/ipsec.d/ikev2.conf.disabled. Then restart the IPsec service with sudo service ipsec restart.

For Linux VPN client configuration, please refer to [2].

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md
[2] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#linux

hwdsl2 closed this as completed Jun 22, 2020

@khunalex (Author) commented
Hi. Thank you for your answer.
Yes, I had followed this guide:
https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md
to connect from the Android TV box with the strongSwan app.

Once I disabled ikev2.conf, the error I get on the client side is:

```
Jun 22 22:42:51 wopr pluto[7330]: "myvpn" #1: initiating IKEv2 IKE SA
Jun 22 22:42:51 wopr pluto[7330]: "myvpn": local IKE proposals (IKE SA initiator selecting KE):
Jun 22 22:42:51 wopr pluto[7330]: "myvpn":   1:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048
Jun 22 22:42:51 wopr pluto[7330]: "myvpn":   2:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048
181 "myvpn" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Jun 22 22:42:51 wopr pluto[7330]: "myvpn" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "myvpn" #1: STATE_PARENT_I1: received unauthenticated v2N_NO_PROPOSAL_CHOSEN - ignored
Jun 22 22:42:51 wopr pluto[7330]: "myvpn" #1: STATE_PARENT_I1: received unauthenticated v2N_NO_PROPOSAL_CHOSEN - ignored
010 "myvpn" #1: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response
Jun 22 22:42:52 wopr pluto[7330]: "myvpn" #1: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response
002 "myvpn" #1: STATE_PARENT_I1: received unauthenticated v2N_NO_PROPOSAL_CHOSEN - ignored
Jun 22 22:42:52 wopr pluto[7330]: "myvpn" #1: STATE_PARENT_I1: received unauthenticated v2N_NO_PROPOSAL_CHOSEN - ignored
010 "myvpn" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response
Jun 22 22:42:52 wopr pluto[7330]: "myvpn" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response
```

and on the server side:

```
Jun 22 22:42:51 localhost pluto[4330]: packet from 79.150.xxx.xxx:500: initial parent SA message received on 192.168.1.100:500 but no suitable connection found with IKEv2 policy
Jun 22 22:42:51 localhost pluto[4330]: packet from 79.150.xxx.xxx:500: responding to IKE_SA_INIT (34) message (Message ID 0) from 79.150.xxx.xxx:500 with unencrypted notification NO_PROPOSAL_CHOSEN
```

It's like it still tries to use IKEv2....

I even commented out the line:

```
#include /etc/ipsec.d/*.conf
```
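The two server-side symptoms in this thread come from the same place: which conn sections pluto can match for an IKEv2 initiator, and what authentication each of them demands. With the ikev2-cp conn loaded, the IKEv2 initiator lands on an rsasig conn and gets AUTHENTICATION_FAILED; with it removed, no conn has an IKEv2 policy at all and the server answers NO_PROPOSAL_CHOSEN, while the client's myvpn conn (which has no ikev2= line and whose log shows "initiating IKEv2 IKE SA") keeps initiating IKEv2. The script below is an added example, not code from the issue or from the setup-ipsec-vpn project: it reads an ipsec.conf-style text, resolves also= references, and lists every conn that is not ikev2=never together with its effective authby=. The two sample configs are constructed to mirror the layout of the posted ones, the ikev2-cp section is a hypothetical stand-in for the one the server log shows being selected, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the issue or of setup-ipsec-vpn.
# Sample configs are constructed; ikev2-cp is a hypothetical stand-in.

SERVER_CONF='version 2.0

config setup
  uniqueids=no

conn shared
  left=%defaultroute
  authby=secret
  ikev2=never

conn l2tp-psk
  type=transport
  also=shared

conn xauth-psk
  xauthby=file
  also=shared

conn ikev2-cp
  ikev2=insist
  authby=rsasig
'

CLIENT_CONF='conn shared
  authby=secret
  ikev2=never

conn myvpn
  keyexchange=ike
  authby=secret
  right=pi4.example.com
'

# effective_setting CONF CONN KEY: print the effective value of KEY for CONN,
# following also= references (bounded, so an also= loop cannot hang);
# prints nothing when the key is unset along the whole chain.
effective_setting() {
  printf '%s\n' "$1" | awk -v want="$2" -v key="$3" '
    /^[ \t]*conn[ \t]+/ { cur = $2; next }
    cur != "" && /^[ \t]*[A-Za-z0-9_-]+=/ {
      line = $0; sub(/^[ \t]+/, "", line)
      split(line, kv, "="); val = substr(line, length(kv[1]) + 2)
      if (kv[1] == "also") also[cur] = val; else setting[cur, kv[1]] = val
    }
    END {
      c = want
      for (i = 0; i < 10 && c != ""; i++) {
        if ((c, key) in setting) { print setting[c, key]; exit }
        c = (c in also) ? also[c] : ""
      }
    }'
}

# drop_conn CONF NAME: print CONF without the named conn section, which is
# what commenting out ikev2-cp (or renaming ikev2.conf) does on the server.
drop_conn() {
  printf '%s\n' "$1" | awk -v name="$2" '
    /^[ \t]*(conn|config)[ \t]+/ { skip = ($1 == "conn" && $2 == name) }
    !skip { print }'
}

# ikev2_candidates CONF: one line per conn that is not ikev2=never, i.e. the
# conns that remain eligible for an IKEv2 initiator, with the authby each
# demands. An IKEv2 PSK initiator facing only an authby=rsasig line here is
# exactly the "Peer attempted PSK authentication but we want rsasig" case;
# an empty list is the "no suitable connection found with IKEv2 policy" case.
ikev2_candidates() {
  conf=$1
  printf '%s\n' "$conf" | awk '/^[ \t]*conn[ \t]+/ { print $2 }' |
  while read -r c; do
    v2=$(effective_setting "$conf" "$c" ikev2)
    auth=$(effective_setting "$conf" "$c" authby)
    if [ "$v2" != never ]; then
      printf '%s ikev2=%s authby=%s\n' "$c" "${v2:-unset}" "${auth:-unset}"
    fi
  done
}

echo "server IKEv2 candidates:"
ikev2_candidates "$SERVER_CONF"
echo "client IKEv2 candidates:"
ikev2_candidates "$CLIENT_CONF"
echo "server after dropping ikev2-cp:"
ikev2_candidates "$(drop_conn "$SERVER_CONF" ikev2-cp)"
```

Run against a real file with `ikev2_candidates "$(cat /etc/ipsec.conf /etc/ipsec.d/*.conf)"` (the server's include line pulls those files in); a candidate list showing only rsasig on the server while the client's conn has no ikev2=never is the mismatch this issue describes, and an empty server list explains NO_PROPOSAL_CHOSEN.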
