cloudstack-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-9712) Establishing Remote access VPN is failing due to mismatch of preshared secrets post Disable/Enable VPN.
Date Thu, 12 Jan 2017 06:53:52 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-9712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15820305#comment-15820305 ]

ASF GitHub Bot commented on CLOUDSTACK-9712:
--------------------------------------------

GitHub user ustcweizhou reopened a pull request:

    https://github.com/apache/cloudstack/pull/1890

    CLOUDSTACK-9712: FIX issue on preshared key if we disable/enable remote access vpn

    Way to reproduce the issue
    (1) enable remote access vpn
    root@r-8349-VM:~# cat /etc/ipsec.d/ipsec.any.secrets
    : PSK "mVSx5KDXCPYX7X5DGb2W8yNW"
    
    (2) disable/enable vpn
    root@r-8349-VM:~# cat /etc/ipsec.d/ipsec.any.secrets
    : PSK "mVSx5KDXCPYX7X5DGb2W8yNW"
    : PSK "HeV3dHZpZXt4chhfvhx8D83C"
    
    Expected configuration:
    root@r-8349-VM:~# cat /etc/ipsec.d/ipsec.any.secrets
    : PSK "HeV3dHZpZXt4chhfvhx8D83C"

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ustcweizhou/cloudstack vpn-preshared-key-issue

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1890.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1890
    
----
commit 16c2cd0244e65238fa1aa7fe85fe2636a2298a7c
Author: Wei Zhou <w.zhou@global.leaseweb.com>
Date:   2017-01-05T11:14:13Z

    FIX issue on preshared key if we disable/enable remote access vpn
    
    Way to reproduce the issue
    (1) enable remote access vpn
    root@r-8349-VM:~# cat /etc/ipsec.d/ipsec.any.secrets
    : PSK "mVSx5KDXCPYX7X5DGb2W8yNW"
    
    (2) disable/enable vpn
    root@r-8349-VM:~# cat /etc/ipsec.d/ipsec.any.secrets
    : PSK "mVSx5KDXCPYX7X5DGb2W8yNW"
    : PSK "HeV3dHZpZXt4chhfvhx8D83C"
    
    Expected configuration:
    root@r-8349-VM:~# cat /etc/ipsec.d/ipsec.any.secrets
    : PSK "HeV3dHZpZXt4chhfvhx8D83C"

----


> Establishing Remote access VPN is failing due to mismatch of preshared secrets post Disable/Enable VPN.
> --------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9712
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9712
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.9.0
>            Reporter: DeepthiMachiraju
>            Priority: Critical
>         Attachments: management-server.rar
>
>
> - On an Isolated Network, enable VPN and configure a few VPN users.
> - Deploy a Windows 2012R2 VM in the shared network. Create a new VPN connection by providing the NAT IP, select L2TP in the configuration and provide the PSK provided by CloudStack.
> - Try logging in with the VPN users created above.
> Observations:
> - User fails to login with the following error message at client: "Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer".
> - Each time VPN is Disabled/Enabled, a new key is stored in ipsec.any.secrets.
> root@r-5-VM:~# cat /etc/ipsec.d/ipsec.any.secrets
> : PSK "O3rEXqxgMXRvNkPRXaqtkg43"
> : PSK "ZwEcGeHKnE9z2zpPht9eh77T"
> : PSK "7CUjMgwO8sbMJXjyHhRg2NDp"
> Note: when the older PSKs are deleted and only the current key is retained in the file, remote VPN is established successfully.
> =============================================auth.log==============================================
> Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
> Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: received Vendor ID payload [RFC 3947] method set to=109
> Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
> Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [FRAGMENTATION]
> Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
> Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> Dec 28 10:49:30 r-5-VM pluto[2828]: packet from 10.147.52.62:500: ignoring Vendor ID payload [IKE CGA version 1]
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: responding to Main Mode from unknown peer 10.147.52.62
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: STATE_MAIN_R1: sent MR1, expecting MI2
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: STATE_MAIN_R2: sent MR2, expecting MI3
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> Dec 28 10:49:30 r-5-VM pluto[2828]: | payload malformed after IV
> Dec 28 10:49:30 r-5-VM pluto[2828]: |   87 74 c8 93  55 12 88 96  81 35 42 4c  4f 0d 4c 9e
> Dec 28 10:49:30 r-5-VM pluto[2828]: |   3e 71 6f 48
> Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
> Dec 28 10:49:31 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
> Dec 28 10:49:31 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> Dec 28 10:49:31 r-5-VM pluto[2828]: | payload malformed after IV
> Dec 28 10:49:31 r-5-VM pluto[2828]: |   87 74 c8 93  55 12 88 96  81 35 42 4c  4f 0d 4c 9e
> Dec 28 10:49:31 r-5-VM pluto[2828]: |   3e 71 6f 48
> Dec 28 10:49:31 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
> Dec 28 10:49:32 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
> Dec 28 10:49:32 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> Dec 28 10:49:32 r-5-VM pluto[2828]: | payload malformed after IV
> Dec 28 10:49:32 r-5-VM pluto[2828]: |   87 74 c8 93  55 12 88 96  81 35 42 4c  4f 0d 4c 9e
> Dec 28 10:49:32 r-5-VM pluto[2828]: |   3e 71 6f 48
> Dec 28 10:49:32 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
> Dec 28 10:49:35 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
> Dec 28 10:49:35 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> Dec 28 10:49:35 r-5-VM pluto[2828]: | payload malformed after IV
> Dec 28 10:49:35 r-5-VM pluto[2828]: |   87 74 c8 93  55 12 88 96  81 35 42 4c  4f 0d 4c 9e
> Dec 28 10:49:35 r-5-VM pluto[2828]: |   3e 71 6f 48
> Dec 28 10:49:35 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
> Dec 28 10:49:42 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: next payload type of ISAKMP Identification Payload has an unknown value: 255
> Dec 28 10:49:42 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> Dec 28 10:49:42 r-5-VM pluto[2828]: | payload malformed after IV
> Dec 28 10:49:42 r-5-VM pluto[2828]: |   87 74 c8 93  55 12 88 96  81 35 42 4c  4f 0d 4c 9e
> Dec 28 10:49:42 r-5-VM pluto[2828]: |   3e 71 6f 48
> Dec 28 10:49:42 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: sending notification PAYLOAD_MALFORMED to 10.147.52.62:500
> =================================================================================================



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
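The PR description and the quoted report describe one defect from two sides: every enable appends a fresh `: PSK` line to `/etc/ipsec.d/ipsec.any.secrets`, pluto then finds several secrets matching the peer, logs "multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used", picks the stale first one, and the client fails with a PSK mismatch. The Python below is an added example written for this page; it is not CloudStack's virtual-router code and not the change in PR 1890. It assumes only the file syntax visible above (`selectors : PSK "secret"`, with an empty selector list meaning any peer) and shows the idempotent writer the expected configuration calls for (replace the entry for a selector rather than append), a check that reports the accumulated-secrets state, and a counter for the pluto warning in auth.log. The function names (`set_psk`, `duplicate_selectors`, `stale_psk_warnings`) and the sample inputs are my own; the PSK strings and log lines are copied from the report.

```python
"""Added example (not CloudStack's or the PR's code): keep an ipsec.secrets-style
file to one PSK per selector, and detect the accumulated-PSK state from the report.

Assumed file syntax, as shown on the page:
    <selectors> : PSK "<secret>"
An empty selector list (line starts with ": PSK") matches any endpoint.
"""
import os
import re
import tempfile
from collections import defaultdict

# One secret line: group 1 = selector text (may be empty), group 2 = the secret.
_PSK_LINE = re.compile(r'^\s*(.*?)\s*:\s*PSK\s+"([^"]*)"\s*$')

# pluto's warning when more than one distinct secret matches the peer.
PLUTO_MULTI_SECRET = "multiple ipsec.secrets entries with distinct secrets match endpoints"


def parse_secrets(text):
    """Return (selector, secret) pairs, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _PSK_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def duplicate_selectors(text):
    """Map selector -> list of distinct secrets, for selectors carrying more than one.

    A non-empty result is the state the report shows: pluto uses the first
    secret, so peers presenting the current one fail to authenticate."""
    by_selector = defaultdict(list)
    for selector, secret in parse_secrets(text):
        if secret not in by_selector[selector]:
            by_selector[selector].append(secret)
    return {sel: secs for sel, secs in by_selector.items() if len(secs) > 1}


def render_secrets(entries):
    """Serialise (selector, secret) pairs back to the file format."""
    lines = ['%s : PSK "%s"' % (sel, sec) if sel else ': PSK "%s"' % sec
             for sel, sec in entries]
    return "\n".join(lines) + "\n" if lines else ""


def set_psk(text, secret, selector=""):
    """Return file content holding exactly one PSK line for `selector`.

    Appending on every enable (the reported behaviour) leaves older secrets in
    place; dropping the selector's previous entries first gives the single-line
    'Expected configuration' from the PR description."""
    entries = [(sel, sec) for sel, sec in parse_secrets(text) if sel != selector]
    entries.append((selector, secret))
    return render_secrets(entries)


def write_secrets_file(path, text):
    """Write the file atomically with owner-only permissions; it holds secrets."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".ipsec.secrets.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise


def stale_psk_warnings(log_text):
    """Count auth.log lines carrying pluto's multiple-secrets warning (alert condition)."""
    return sum(1 for line in log_text.splitlines() if PLUTO_MULTI_SECRET in line)


# Sample input, constructed from the values in the report: three PSKs accumulated.
SAMPLE_BROKEN = (
    ': PSK "O3rEXqxgMXRvNkPRXaqtkg43"\n'
    ': PSK "ZwEcGeHKnE9z2zpPht9eh77T"\n'
    ': PSK "7CUjMgwO8sbMJXjyHhRg2NDp"\n'
)

# Sample auth.log excerpt, copied from the report (two warnings, one unrelated line).
SAMPLE_LOG = (
    'Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: '
    'multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used\n'
    'Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: '
    'transition from state STATE_MAIN_R0 to state STATE_MAIN_R1\n'
    'Dec 28 10:49:30 r-5-VM pluto[2828]: "L2TP-PSK"[3] 10.147.52.62 #18: '
    'multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used\n'
)

if __name__ == "__main__":
    print("accumulated secrets:", duplicate_selectors(SAMPLE_BROKEN))
    fixed = set_psk(SAMPLE_BROKEN, "7CUjMgwO8sbMJXjyHhRg2NDp")
    print("after replace:", fixed, end="")
    print("warnings in log:", stale_psk_warnings(SAMPLE_LOG))
```

`duplicate_selectors` is the check to run on a router where L2TP clients report Error 789: an any-peer selector with more than one secret matches what pluto logged above, and `set_psk` followed by `write_secrets_file` leaves only the current key, which is the state the reporter found to work. The log counter covers the same condition from the monitoring side, where the file itself is not readable.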
