21 Replies Latest reply on May 1, 2017 4:33 AM by mick

    Netvanta VPN using Shrewsoft client

    unclegary New Member

      Shrewsoft 2.2 VPN client with Netvanta 2300.

      Fails on phase 1 IKE for mobile peer. 

      Have juggled every possible client and router configuration.

      Nothing will affect the Phase 1 failure.

        • Re: Netvanta VPN using Shrewsoft client
          mick Visitor

          That should do it if you're just venting, but if you expect people to try to help you then you'll need to post the configuration files for your Shrew client and the router, obfuscating passwords and public IP addresses as necessary.

          --

          Regards,

          Mick

            • Re: Netvanta VPN using Shrewsoft client
              unclegary New Member

              OK, understand.

              • Re: Netvanta VPN using Shrewsoft client
                unclegary New Member

                Debug of client authentication and client configuration produces a series of:

                IKE In Vendor ID Process failed

                Received Vendor ID not recognized with IKE

                Ending with "Could not find a matching remote ID"

                What Vendor ID is it referring to?

                G

                  • Re: Netvanta VPN using Shrewsoft client
                    jayh Hall_of_Fame

                    unclegary wrote:

                    Debug of client authentication and client configuration produces a series of:

                    IKE In Vendor ID Process failed

                    Received Vendor ID not recognized with IKE

                    What Vendor ID is it referring to?

                    That's a hex value of a list of vendors stored locally. Not recognizing the Vendor ID shouldn't cause IKE to fail, it's primarily informational, so that a Cisco box knows it's talking to another Cisco, etc.

                    Ending with "Could not find a matching remote ID"

                    This is typically the IP address of the remote system on a site-to-site VPN but can be a hostname or string for remote access. Make sure that the client is sending what the server expects. 

                      • Re: Netvanta VPN using Shrewsoft client
                        unclegary New Member

                        OK, this is a mobile peer.

                        I'll keep looking... tnx!

                          • Re: Netvanta VPN using Shrewsoft client
                            mick Visitor

                            Unclegary, I don't know how you have configured both ends, but try using their respective public IP addresses as their peer ID in the first instance, to see if this error goes away and you can move to the next phase.

                            --

                            Regards,

                            Mick

                              • Re: Netvanta VPN using Shrewsoft client
                                jayh Hall_of_Fame

                                Great idea for troubleshooting phase 1 but won't scale as he wants to use the client for remote access and its public IP will change.

                                  • Re: Netvanta VPN using Shrewsoft client
                                    mick Visitor

                                    Yes, it is likely the mobile peer will have a dynamically allocated IP address and also by its nature of being mobile will be connecting from different locations at times.  The reason I suggested to try setting initially both  peer IDs  as the respective public IP addresses, was in case unclegary is using a pre-shared key with Main Mode VPN tunnel.  This combination will not work with other forms of peer ID (e.g. FQDN, user@FQDN), because the mobile peer initiating the connection will need to select the correct PSK to calculate the hash for the router, before it has received and processed the router's ID.  When using public key certificates for peer authentication with Main Mode VPN this problem goes away, but without seeing the configuration files of both peers we can only guess this much.  :-)
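The constraint Mick describes above, as an added worked example that is not from this thread, from Adtran or from Shrew Soft: a Python model of the responder's pre-shared-key lookup in IKEv1 main mode versus aggressive mode. The key derivations are the RFC 2409 ones for PSK authentication, SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b), with HMAC-MD5 as the prf because policy 106 negotiates MD5. The Diffie-Hellman values, cookies, nonces, address and pre-shared key are constructed constants, and the `Responder` class is a hypothetical model of the single decision that matters (which key the responder can look up at the moment it has to verify the initiator), not the router's or the client's code.

```python
"""Why IKEv1 main mode with a pre-shared key cannot select the key by an
FQDN-style peer ID (added example; hypothetical model, not vendor code)."""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    # Policy 106 negotiates MD5, so the prf is HMAC-MD5 (RFC 2409 section 3.2).
    return hmac.new(key, data, hashlib.md5).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    # RFC 2409 section 5: HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


# Constructed, fixed exchange values so the run is reproducible (real DH
# values and nonces are random; their content does not matter here).
EXCHANGE = dict(gxi=b"\x01" * 8, gxr=b"\x02" * 8, cky_i=b"I" * 8, cky_r=b"R" * 8,
                sai_b=b"SA-proposal", ni=b"nonce-i", nr=b"nonce-r")
PSK = b"constructed-pre-shared-key"
CLIENT_ID = b"client.homenetwork.local"      # the FQDN ID seen in the trace
CLIENT_IP = b"203.0.113.7"                   # constructed dynamic address


def initiator_hash(psk: bytes, idii: bytes) -> bytes:
    """HASH_I as the initiator computes it with the PSK it holds."""
    e = EXCHANGE
    sk = skeyid_psk(psk, e["ni"], e["nr"])
    return hash_i(sk, e["gxi"], e["gxr"], e["cky_i"], e["cky_r"], e["sai_b"], idii)


class Responder:
    """Hypothetical responder; psk_table maps a lookup key (peer ID or peer
    address, both bytes) to that peer's pre-shared key."""

    def __init__(self, psk_table):
        self.psk_table = psk_table

    def verify(self, mode: str, src_ip: bytes, idii: bytes, received_hash_i: bytes) -> bool:
        if mode == "main":
            # Main mode: IDii arrives in message 5, encrypted under keys derived
            # from SKEYID, which needs the PSK. At that point only the source
            # address is known, so the lookup can only be by address.
            psk = self.psk_table.get(src_ip)
        elif mode == "aggressive":
            # Aggressive mode: IDii is in message 1 in the clear, so the PSK can
            # be chosen by ID before any key derivation.
            psk = self.psk_table.get(idii)
        else:
            raise ValueError(mode)
        if psk is None:
            return False                      # no key to derive SKEYID from
        return hmac.compare_digest(initiator_hash(psk, idii), received_hash_i)


def demo() -> dict:
    """Router keyed by FQDN, client on an address the router has no entry for."""
    router = Responder({CLIENT_ID: PSK})
    h = initiator_hash(PSK, CLIENT_ID)
    return {"main": router.verify("main", CLIENT_IP, CLIENT_ID, h),
            "aggressive": router.verify("aggressive", CLIENT_IP, CLIENT_ID, h)}
```

`demo()` returns main mode failing and aggressive mode succeeding for the same key and the same ID. With an address-keyed entry, main mode verifies, which is why setting both peer IDs to the public addresses is a sound first diagnostic; for a mobile peer whose address changes, either aggressive mode with an ID-keyed key (policy 106 already says "Respond to aggressive mode", and the trace ends with "Received first message of aggressive mode") or certificate authentication in main mode is what lets the responder pick the right credential.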

                                    • Re: Netvanta VPN using Shrewsoft client
                                      unclegary New Member

                                      Ignoring the "Vendor ID" info, looks like "could not find a matching remote ID" might be important?

                                      Policy 106 belongs to my VPN mobile client.

                                      Lawrence#

                                      Crypto IKE Policy 106

                                        Respond to aggressive mode

                                        Will not initiate

                                        Local ID Address: 199.XXXXXXXXXXXXXXXXXX

                                        NAT Traversal V1 Allowed

                                        Peers:

                                          Any Peer

                                        Client Authentication Server List:

                                          LoginUseLocalUsers

                                        Client Config Pool

                                          VPN Client

                                        Attributes:

                                          1

                                            Encryption: AES-256-CBC

                                            Hash: MD5

                                            Authentication: Pre-share

                                            Group: 1

                                            Lifetime: 28800 seconds

                                      106: IkeCheckIdData failed

                                      106: IkeCheckIdData failed

                                      2017.04.24 12:01:59 CRYPTO_IKE.NEGOTIATION Could not find a matching remote ID

                                      2017.04.24 12:01:59 CRYPTO_IKE.NEGOTIATION 106: IkeCheckIdData failed

                                      2017.04.24 12:01:59 CRYPTO_IKE.NEGOTIATION IkeProcessData: IkeIdleProcess failed

                                      2017.04.24 12:01:59 CRYPTO_IKE.NEGOTIATION IkeDeleteIsakmpSA :: Deleting any DPDRequests queued in isakmpsa

                                      2017.04.24 12:02:05 CRYPTO_IKE.NEGOTIATION IkeSelectIsakmpProposal: pIsakmpSA->usEncKeyLen = 32

                                      2017.04.24 12:02:05 CRYPTO_IKE.NEGOTIATION IKEInVendorIDProcess :: Received Vendor ID not registered with IKE

                                      2017.04.24 12:02:05 CRYPTO_IKE.NEGOTIATION IkeInVIDProcess :: IKEInVendorIDProcess failed

                                      Could not find a matching remote ID

                                      2017.04.24 12:02:05 CRYPTO_IKE.NEGOTIATION 106: IkeCheckIdData failed

                                      2017.04.24 12:02:05 CRYPTO_IKE.NEGOTIATION IkeProcessData: IkeIdleProcess failed

                                      2017.04.24 12:02:05 CRYPTO_IKE.NEGOTIATION IkeDeleteIsakmpSA :: Deleting any DPDRequests queued in isakmpsa

                                      2017.04.24 12:02:09 CRYPTO_IKE.NEGOTIATION DPDP1NodeTrafficBased :: Sending Notify Payload for Phase 1

                                      2017.04.24 12:02:09 CRYPTO_IKE.NEGOTIATION DPDSendNotifyPayload :: Sending Notify REQUEST for Phase 1

                                      2017.04.24 12:02:09 CRYPTO_IKE.NEGOTIATION InitialiseCipherContext :: Not DES and Not 3DES

                                      2017.04.24 12:02:09 CRYPTO_IKE.NEGOTIATION InitialiseCipherContext :: Not DES and Not 3DES

                                      2017.04.24 12:02:09 CRYPTO_IKE.NEGOTIATION IkeInNotifyProcess: NOTIFY TYPE: R U THERE (36136)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION <POLICY: 106> PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,VID,VID,VID,VID,VID,VID,VID,VID,VID,VID

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   SA PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     DOI: 1

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Situation: 1

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     PROPOSAL PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       Proposal No.: 1

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       IANA No. for protocol: ISAKMP (1)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       Size of the variable SPI field: 0

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       Number of transforms offered: 1

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       TRANSFORM PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION         Transform Number: 1

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION         IANA Transform ID: IKE Key (1)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION         TRANSFORM ATTRIBUTES

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Encryption Algorithm (1)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:  Unknown/Other (7)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Key Length (14)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:   (256)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Algorithm (2)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:  MD5 (1)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Group Description (4)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:  DH Group 1 (1)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Method (3)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:  Unknown/Other (65001)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Type (11)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:  Seconds (1)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Time (12)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 4

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:   (86400)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   KE PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   NONCE PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   ID PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     IANA No. for identifn: 2 -> ID_FQDN

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Protocol Id: 0

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Port: 0

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Id Data:

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       63 6C 69 65 6E 74 2E 68  client.h

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       6F 6D 65 6E 65 74 77 6F  omenetwo

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       72 6B 2E 6C 6F 63 61 6C  rk.local

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 8

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     09 00 26 89 DF D6 B7 12  ..&.....

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     44 85 15 2D 18 B6 BB CD  D..-....

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     0B E8 A8 46 95 79 DD CC  ...F.y..

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     16 F6 CA 16 E4 A4 06 6D  .......m

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     83 82 1A 0F 0A EA A8 62  .......b

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     90 CB 80 91 3E BB 69 6E  ....>.in

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     08 63 81 B5 EC 42 7B 1F  .c...B{.

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     7D 94 19 A6 53 10 CA 6F  }...S..o

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     2C 17 9D 92 15 52 9D 56  ,....R.V

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     4A 13 1C 81 07 03 58 45  J.....XE

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     5C 57 28 F2 0E 95 45 2F  \W(...E/

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     F1 4B 94 B7 BF F1 FE F0  .K......

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     27 73 B8 C4 9F ED ED 26  's.....&

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 20

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     16 6F 93 2D 55 EB 64 D8  .o.-U.d.

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     E4 DF 4F D3 7E 23 13 F0  ..O.~#..

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     D0 FD 84 51              ...Q

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     84 04 AD F9 CD A0 57 60  ......W`

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     B2 CA 29 2E 4B FF 53 7B  ..).K.S{

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     12 F5 F2 8C 45 71 68 A9  ....Eqh.

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     70 2D 9F E2 74 CC 01 00  p-..t...

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION IkeSelectIsakmpProposal: pIsakmpSA->usEncKeyLen = 32

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION IKEInVendorIDProcess :: Received Vendor ID not registered with IKE

                                      2

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION Could not find a matching remote ID

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION 106: IkeCheckIdData failed

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION IkeProcessData: IkeIdleProcess failed

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION SENDING NOTIFY MSG:

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION INVALID_ID_INFORMATION

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION <POLICY: 106> PAYLOADS: NOTIFY

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   NOTIFY PAYLOAD

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     DOI: 0

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Protocol Id: 1

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Size of SPI: 16

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Type of notify message: 18

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Notify Type: Invalid ID Info (18)

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Length of Notification Data: 0

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION 106: Sent informational exchange message

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION

                                      2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION IkeDeleteIsakmpSA :: Deleting any DPDRequests queued in isakmpsa

                                      2017.04.24 12:14:53 CRYPTO_IKE.NEGOTIATION peer 192.168.1.73: Received  first message of aggressive mode

                                      • Re: Netvanta VPN using Shrewsoft client
                                        unclegary New Member

                                        The mobile VPN client is set to authenticate to "Local Userlist".

                                        However, I noticed I can enter any bogus credentials in the client XAUTH login and it will attempt to authenticate.

                                        It is definitely not using the correct client information.

                                          • Re: Netvanta VPN using Shrewsoft client
                                            jayh Hall_of_Fame

                                            The remote is identifying as "client.homenetwork.local". Is this configured as a valid VPN ID?

                                            • Re: Netvanta VPN using Shrewsoft client
                                              mick Visitor

                                              Hi unclegary,

                                              You haven't shared your configuration files, so I'm answering on the basis of the Netvanta log you posted above.  There are a number of client attributes which may not have been configured correctly.  Starting from the top:

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION         TRANSFORM ATTRIBUTES

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Encryption Algorithm (1)

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:  Unknown/Other (7)

                                              This should not be 'Unknown/Other', but should be AES according to the settings in Crypto IKE Policy 106.  Have you configured your Shrew to use only AES-256 for IKE encryption?

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Key Length (14)

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:   (256)

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Algorithm (2)

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:  MD5 (1)

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Group Description (4)

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:  DH Group 1 (1)

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Method (3)

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Length: 2

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:  Unknown/Other (65001)

                                              This ought to be showing a value of 'Pre-shared Key' rather than 'Unknown/Other'.  Have you configured the Shrew client to use the same Pre-shared Key value as you have configured in the Netvanta?

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION Could not find a matching remote ID

                                              2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION 106: IkeCheckIdData failed

                                              The Remote peer ID (the mobile client ID) sent by the client is not configured the same in the Netvanta.

                                              From what you have shared so far, the problem appears to be that the client and router configuration are not mirroring each other.  Have a quick look here for an example that works, or post your configurations at each end and we'll take a look to see if anything is amiss.

                                              PS. As jayh has mentioned, the Vendor ID error is more of a warning and not related to your problem.  This Vendor ID is used as a shorthand code to inform each peer if NAT-T, DPD, fragmentation, etc. are attributes available at the other end.

                                              --

                                              Regards,

                                              Mick
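The posted trace and Mick's attribute-by-attribute reading of it, as an added triage script that is not from this thread, from Adtran or from Shrew Soft: it parses a constructed excerpt of the debug lines posted above, decodes the proposed transform attributes with the IANA ISAKMP registry values, reassembles the ID payload hex dump into the FQDN the client sent, names the vendor IDs it knows from the public IKEv1 vendor-ID lists, and flags the remote ID rejection. Where the router prints "Unknown/Other" it only lacks a name for the number: encryption algorithm 7 is AES-CBC and authentication method 65001 is the XAUTH initiator pre-shared-key method, so those two attributes are consistent with policy 106 and the "Could not find a matching remote ID" line remains the phase 1 failure to chase. The attribute and vendor tables are deliberately short and anything not listed is reported as unrecognized, which for vendor IDs is informational only, as the thread says.

```python
"""Triage of a NetVanta 'debug crypto ike' trace (added example, not from the
thread, Adtran or Shrew Soft): decode transform attributes via the IANA ISAKMP
registry, rebuild the ID payload, name known vendor IDs, flag the ID rejection."""
import re

LINE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} CRYPTO_IKE\.NEGOTIATION\s*(.*)$")
HEX_RE = re.compile(r"^((?:[0-9A-F]{2} )+)\s")      # leading bytes of a hex-dump line
ATTR_RE = re.compile(r"^SA Attrib: (.+?) \((\d+)\)$")
VALUE_RE = re.compile(r"^Value:\s*(.*?)\s*\((\d+)\)$")
ID_TYPE_RE = re.compile(r"^IANA No\. for identifn: \d+ -> (\S+)$")
POLICY_RE = re.compile(r"^<POLICY: (\d+)>")

# IANA ISAKMP phase 1 attribute values, keyed by attribute class number.
ATTR_VALUES = {
    1: {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},                         # Encryption Algorithm
    2: {1: "MD5", 2: "SHA1", 4: "SHA2-256"},                                # Hash Algorithm
    3: {1: "pre-shared key", 3: "RSA signatures",                           # Authentication Method
        65001: "XAUTHInitPreShared", 65002: "XAUTHRespPreShared"},
    4: {1: "MODP-768", 2: "MODP-1024", 5: "MODP-1536", 14: "MODP-2048"},   # Group Description
}
# Well-known IKEv1 vendor IDs (hex); anything else is reported as unrecognized.
VENDOR_IDS = {
    "09002689dfd6b712": "XAUTH (draft-ietf-ipsec-isakmp-xauth-06)",
    "4485152d18b6bbcd0be8a8469579ddcc": "NAT-T draft-ietf-ipsec-nat-t-ike-00",
    "16f6ca16e4a4066d83821a0f0aeaa862": "NAT-T draft-ietf-ipsec-nat-t-ike-01",
    "7d9419a65310ca6f2c179d9215529d56": "NAT-T draft-ietf-ipsec-nat-t-ike-03",
    "4a131c81070358455c5728f20e95452f": "NAT-T RFC 3947",
    "12f5f28c457168a9702d9fe274cc0100": "Cisco Unity",
    "f14b94b7bff1fef02773b8c49feded26": "Shrew Soft client",
}

# Constructed excerpt of the trace posted in the thread, trimmed to the lines the parser uses.
SAMPLE_LOG = """\
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION <POLICY: 106> PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,VID,VID
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Encryption Algorithm (1)
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:  Unknown/Other (7)
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Key Length (14)
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:   (256)
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Algorithm (2)
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:  MD5 (1)
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Group Description (4)
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:  DH Group 1 (1)
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Method (3)
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION             Value:  Unknown/Other (65001)
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   ID PAYLOAD
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     IANA No. for identifn: 2 -> ID_FQDN
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     Id Data:
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       63 6C 69 65 6E 74 2E 68  client.h
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       6F 6D 65 6E 65 74 77 6F  omenetwo
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION       72 6B 2E 6C 6F 63 61 6C  rk.local
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     09 00 26 89 DF D6 B7 12  ..&.....
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     F1 4B 94 B7 BF F1 FE F0  .K......
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION     27 73 B8 C4 9F ED ED 26  's.....&
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION Could not find a matching remote ID
2017.04.24 12:14:48 CRYPTO_IKE.NEGOTIATION 106: IkeCheckIdData failed
"""


def analyse_netvanta_log(text: str) -> dict:
    result = {"policy": None, "attributes": {}, "remote_id": None,
              "vendor_ids": [], "id_rejected": False}
    mode, pending, id_type, id_bytes, vids = None, None, None, bytearray(), []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                   # not a CRYPTO_IKE line
        body = m.group(1).strip()
        hexm = HEX_RE.match(body + " ")
        if hexm and mode:                              # continuation of a hex dump
            chunk = bytes.fromhex(hexm.group(1).replace(" ", ""))
            (id_bytes if mode == "id" else vids[-1]).extend(chunk)
            continue
        mode = None                                    # any other line ends a dump
        if (pm := POLICY_RE.match(body)) and result["policy"] is None:
            result["policy"] = int(pm.group(1))
        elif am := ATTR_RE.match(body):
            pending = (am.group(1), int(am.group(2)))  # (router's name, IANA class)
        elif (vm := VALUE_RE.match(body)) and pending:
            name, cls = pending
            num = int(vm.group(2))
            label = ATTR_VALUES.get(cls, {}).get(num) or vm.group(1) or str(num)
            result["attributes"][name] = (label, num)
            pending = None
        elif im := ID_TYPE_RE.match(body):
            id_type = im.group(1)
        elif body == "Id Data:":
            mode = "id"
        elif body == "VENDOR ID HASH IN HEX:":
            mode = "vid"
            vids.append(bytearray())
        elif body == "Could not find a matching remote ID":
            result["id_rejected"] = True
    if id_type:
        result["remote_id"] = (id_type, id_bytes.decode("ascii", "replace"))
    result["vendor_ids"] = [VENDOR_IDS.get(v.hex(), "unrecognized " + v.hex()) for v in vids]
    return result
```

Run `analyse_netvanta_log(SAMPLE_LOG)` (or feed it a full captured trace) and compare the decoded attributes with `show crypto ike policy`: for the excerpt above it reports AES-CBC with a 256-bit key, MD5, MODP-768 and XAUTHInitPreShared, all matching policy 106, a remote ID of `ID_FQDN client.homenetwork.local`, the XAUTH and Shrew Soft vendor IDs, and `id_rejected` set. That last item is the configuration mismatch to resolve: the FQDN the client sends as its local ID has to be the remote ID the router expects for the mobile peer, or the client's ID type and value must be changed to what the router is configured with.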