
Cyberoam - VPN Troubleshooting Guide


VPN Troubleshooting Guide

Things to Know

1. IPSec and L2TP connections cannot be created with the same name, as they are treated as the same connection.
2. The IP address range in the L2TP configuration and the PPTP configuration cannot be the same.
3. An L2TP connection stays live until the Key life specified in the Connection expires. On key expiry, the Server disconnects the Connection immediately, but the Client takes a few minutes to get disconnected.
4. Preshared key authentication is not supported for L2TP connections on Windows 2000.
5. Cyberoam VPN IPSec Client requires:
   • Service Pack (SP) 4 for Windows 2000
   • Service Pack (SP) 2 for Windows XP
6. If two Connections are created with different authentication types, i.e. Preshared key and Certificate, then only one connection can be ‘Active’ at a time.
7. All connections become ‘Active’ on VPN server startup if ‘Active’ is specified for Action on restart. Only one connection can be active at a time, so deactivate all the connections first; otherwise you might receive an ‘Unable to activate the connection’ error when activating other connections.
8. The Certificate Authority and Certificates are generated in tar.gz form. Unzip/extract them using WinRAR before use.
9. Mail only that Certificate to the remote peer whose Certificate ID is the same as the one specified as Remote ID in the Connection.

Question: I am not able to establish the connection using Preshared key for authentication. What could be the problem?
Answer: You will not be able to establish the connection if you have used a space as the last character of the preshared key. Change the preshared key and try to establish the connection again.

Question: Why am I receiving the <<Connection already exists>> error while trying to create an L2TP connection?
Answer: If you are not able to create an L2TP connection due to the above error, it means an IPSec or L2TP connection with the same name already exists. You cannot create L2TP and IPSec connections with the same name. Change the connection name and try again.

Question: Why am I receiving the <<Connection already exists>> error while trying to create an IPSec connection?
Answer: If you are not able to create an IPSec connection due to the above error, it means an IPSec or L2TP connection with the same name already exists. You cannot create L2TP and IPSec connections with the same name. Change the connection name and try again.

Question: What does the error << security layer encountered a problem >> mean?
Answer: If you are not able to establish the connection due to the above error, it means both the Cyberoam VPN client and the L2TP client are installed on the same machine. You will not be able to establish the connection if both clients are installed on the same machine. Uninstall either one of the clients and try again.

Question: What does the number appended at the end of the Connection name indicate?
Answer: The number appended at the end of the Connection name indicates the total number of Private Networks specified in the Connection at the local and remote VPN servers, i.e. the total number of connections that can be established. For example, if for the connection rw_psk 2 local private networks and 3 remote private networks are specified, then 6 (2*3) is appended to the connection name and it is displayed as rw_psk-6 in the VPN Log. A total of 6 connections can be established, and the Log entries will be "rw_psk_1-1", "rw_psk_1-2", "rw_psk_1-3", "rw_psk_1-4", "rw_psk_1-5", "rw_psk_1-6".

Question: What does the ‘ISAKMP SA established’ message in the VPN Log mean?
Answer: ‘ISAKMP SA established’ means the phase 1 connection has been successfully established. The Log also displays the parameters defined for phase 1:

Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #1: I did not send a certificate because I do not have one.
Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}

# auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024
# auth - authentication type
# cipher - encryption algorithm used for phase 1
# prf - authentication algorithm
# group - DH Group: 1 = MODP768, 2 = MODP1024, 5 = MODP1536, 14 = MODP2048, 15 = MODP3072, 16 = MODP4096

Question: I am receiving the ‘inbound IPsec SA installed, expecting QI2’ message in the log. What does it mean?
Answer: ‘inbound IPsec SA installed, expecting QI2’ means the phase 1 connection has been successfully established and a one-way tunnel, i.e. the incoming data tunnel, has been established.

Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2

Question: I am receiving the ‘IPsec SA established {ESP=>0x1cb63bdc <0x859e904a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}’ message in the log. What does it mean?
Answer: ‘IPsec SA established {ESP=>0x1cb63bdc <0x859e904a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}’ means the tunnel has been successfully established.

Apr 28 11:54:45 1146205485 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: Dead Peer Detection (RFC 3706): enabled
Apr 28 11:54:45 1146205485 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 28 11:54:45 1146205485 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x1cb63bdc <0x859e904a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}

# xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled
# xfrm - encryption algorithm-authentication algorithm
# NATD - whether NAT Traversal was detected
# DPD - whether Dead Peer Detection is enabled

Question: Why am I not able to access any application even though the tunnel is established?
Answer: This can happen if there is a mismatch in the Connection Mode configured at the local and remote ends. The tunnel will be established even if the Connection Mode is configured as ‘Tunnel’ mode at the local end and as ‘Transport’ mode at the remote end, but the remote user will not be able to access any application. Specify the same Connection Mode at both ends and try again.

Question: How do I find out how many users are using a PPTP connection to establish a VPN tunnel?
Answer: You can get the list of users using PPTP connections to establish VPN tunnels from the VPN Report. You can view the report from Report > VPN > PPTP Connection Log.

Question: Where do I view the PPTP logs?
Answer: You can view the PPTP logs from the Telnet Console. You can view date-wise logs from option 8 VPN Management > option 6 PPTP VPN Logs.

Question: Where do I view the PPTP logs related to plugins?
Answer: To view the PPTP logs related to plugins, go to Telnet Console option 8 VPN Management > option 6 PPTP VPN Logs and view the debug level logs.

Question: How do I know which users are using a PPTP connection?
Answer: The PPTP Connection Log gives the details of all users using PPTP connections. Log on to Cyberoam Reports and go to VPN > PPTP Connection Log to view the date-wise connection details for all users.

Question: Where do I get PPTP connection details?
Answer: The PPTP Connection Log gives the details of all PPTP connections. Log on to Cyberoam Reports and go to VPN > PPTP Connection Log to view the date-wise connection details for all users.

Question: How do I configure a Windows 2000 client for a PPTP connection?
Answer: Refer to How To - Configure Windows 2000 client for PPTP connection.


VPN LOG - Error Messages

Each entry below lists the Error Message, a Sample Log and the Recommendation.

Error Message: << mismatch of preshared secrets >>

Sample Log:
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: next payload type of ISAKMP Identification Payload has an unknown value: 215
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: sending notification PAYLOAD_MALFORMED to 188.7.7.131:500

Recommendation: If you are not able to establish the connection due to this error, it means you are using different preshared keys for multiple connections that use the same IP address for the remote end. You will be able to establish the connection only if the same preshared key is used for all such connections. Change the preshared key and try again.

Error Message: << policy does not allow OAKLEY_RSA_SIG authentication. >>

Sample Log:
May 01 10:17:34 1146458854 pluto[7489]: "rw_psk_1-1"[1] 188.7.7.7 #1: policy does not allow OAKLEY_RSA_SIG authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
May 01 10:17:34 1146458854 pluto[7489]: "rw_psk_1-1"[1] 188.7.7.7 #1: no acceptable Oakley Transform
May 01 10:17:34 1146458854 pluto[7489]: "rw_psk_1-1"[1] 188.7.7.7 #1: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.7:500

Recommendation: If you are not able to establish the connection due to this error, it means the preshared key authentication method is defined at the local end while the digital certificate authentication method is defined at the remote end, i.e. there is a mismatch in the authentication method. To establish the connection successfully, the authentication method defined at both ends must be the same. Change the authentication method at either end and try again.

Error Message: << policy does not allow OAKLEY_PRESHARED_KEY authentication. >>

Sample Log:
May 01 10:29:50 1146459590 pluto[7489]: "rw_cert_1-1"[1] 188.7.7.7 #2: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
May 01 10:29:50 1146459590 pluto[7489]: "rw_cert_1-1"[1] 188.7.7.7 #2: no acceptable Oakley Transform
May 01 10:29:50 1146459590 pluto[7489]: "rw_cert_1-1"[1] 188.7.7.7 #2: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.7:500

Recommendation: If you are not able to establish the connection due to this error, it means the digital certificate authentication method is defined at the local end while the preshared key authentication method is defined at the remote end, i.e. there is a mismatch in the authentication method. To establish the connection successfully, the authentication method defined at both ends must be the same. Change the authentication method at either end and try again.

Error Message: << no GROUP_DESCRIPTION >>

Sample Log:
Apr 29 12:48:31 1146295111 pluto[1628]: "rw_cert_1-1"[2] 188.7.7.7 #32: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Apr 29 12:48:31 1146295111 pluto[1628]: "rw_cert_1-1"[2] 188.7.7.7 #32: sending encrypted notification NO_PROPOSAL_CHOSEN to 188.7.7.7:500
Apr 29 12:48:31 1146295111 pluto[1628]: | processing connection rw_cert_1-1[2] 188.7.7.7

Recommendation: If you are not able to establish the connection due to this error, it means the PFS specified in Phase 2 at the local end does not match the PFS specified at the remote end. To establish the connection successfully, the same PFS must be specified at both ends. Change the PFS at either end and try to establish the connection again.

Error Message: << policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD >>

Sample Log:
Apr 29 11:17:12 1146289632 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.131 #10: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Apr 29 11:17:12 1146289632 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.131 #10: no acceptable Oakley Transform
Apr 29 11:17:12 1146289632 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.131 #10: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.131:500

Recommendation: If you are not able to establish the connection due to this error, it means user authentication is disabled at the local end while it is enabled at the remote end. To establish the connection, you need to either enable or disable user authentication at both ends. Change the authentication method at either end and try to establish the connection again.

Error Message: << policy mandates Extended Authentication (XAUTH) with RSA of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD >>

Sample Log:
Apr 29 13:02:03 1146295923 pluto[4919]: "rw_psk_1-1"[1] 188.7.7.7 #1: policy mandates Extended Authentication (XAUTH) with RSA of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Apr 29 13:02:03 1146295923 pluto[4919]: "rw_psk_1-1"[1] 188.7.7.7 #1: no acceptable Oakley Transform
Apr 29 13:02:03 1146295923 pluto[4919]: "rw_psk_1-1"[1] 188.7.7.7 #1: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.7:500

Recommendation: If you are not able to establish the connection due to this error, it means user authentication is enabled at the local end while it is disabled at the remote end. To establish the connection, you need to either enable or disable user authentication at both ends. Change the authentication method at either end and try to establish the connection again.

Error Message: << probable authentication failure (mismatch of preshared secrets?): malformed payload in packet >>

Sample Log:
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: next payload type of ISAKMP Identification Payload has an unknown value: 215
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: sending notification PAYLOAD_MALFORMED to 188.7.7.131:500

Recommendation: If you are not able to establish the connection due to this error, it means the preshared key specified at the local end does not match the one specified at the remote end. To establish the connection successfully, the same preshared key must be specified at both ends. Change the preshared key and try to establish the connection again.

Error Message: << Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag >>

Sample Log:
Apr 28 12:38:20 1146208100 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #11: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Apr 28 12:38:20 1146208100 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #11: no acceptable Oakley Transform
Apr 28 12:38:20 1146208100 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #11: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.1:500

Recommendation: If you are not able to establish the connection due to this error, it means the Encryption Algorithm, Authentication Algorithm and/or DH Group (phase 1) specified at the local end does not match the one specified at the remote end. To establish the connection successfully, the same configuration is required at both ends. Update the configuration and try to establish the connection again.

Error Message: << Signature check (on @client1.elitecore.com) failed (wrong key?); tried *AwEAAbc0R >>

Sample Log:
Apr 29 11:19:48 1146289788 pluto[1628]: "rw_cert_1-1"[2] 188.7.7.131 #14: Signature check (on @client1.elitecore.com) failed (wrong key?); tried *AwEAAbc0R
Apr 29 11:19:48 1146289788 pluto[1628]: "rw_cert_1-1"[2] 188.7.7.131 #14: sending encrypted notification INVALID_KEY_INFORMATION to 188.7.7.131:500

Recommendation: If you are not able to establish the connection due to this error, it means the wrong remote certificate is being used for establishing the connection. Change the certificate and try to establish the connection again.

Error Message: << certificate was revoked >>

Sample Log:
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: certificate was revoked on Apr 29 06:15:34 UTC 2006
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: X.509 certificate rejected
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: no RSA public key known for '@client1.elitecore.com'
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: sending encrypted notification INVALID_KEY_INFORMATION to 188.7.7.131:500

Recommendation: If you are not able to establish the connection due to this error, it means you are using a revoked certificate to establish the connection. You will not be able to establish the connection using a revoked certificate. Replace the certificate and try to establish the connection again.

Error Message: << cannot respond to IPsec SA request because no connection is known >>

Sample Log:
Apr 29 12:22:02 1146293522 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.7 #28: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/20===187.7.7.43[@server.elitecore.com]...188.7.7.7[@client1.elitecore.com]
Apr 29 12:22:02 1146293522 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.7 #28: sending encrypted notification INVALID_ID_INFORMATION to 188.7.7.7:500

# 192.168.0.0/20===187.7.7.43[@server.elitecore.com]...188.7.7.7[@client1.elitecore.com] - network definition
# 192.168.0.0/20===187.7.7.43[@server.elitecore.com]---187.7.7.254...%any[@client1.elitecore.com]
# 192.168.0.0/20===187.7.7.43[@server.elitecore.com,XS+S=C]:17/80---187.7.7.254...%any[@client1.elitecore.com,XC+S=C]:17/0
# 192.168.0.0/20===187.7.7.43[@server.elitecore.com,XS+S=C]:17/85---187.7.7.254...%any[@client1.elitecore.com,XC+S=C]:17/0
#   192.168.0.0/20 - internal network for which secure access is specified
#   187.7.7.43 - server IP
#   @server.elitecore.com - Local ID
#   XS+S=C - specifies user authentication as server
#   17/80 - specifies protocol = UDP and port = 80
#   187.7.7.254 - gateway
#   %any - dynamic IP of the remote end
#   @client1.elitecore.com - Remote ID
#   XC+S=C - specifies user authentication as client
#   17/0 - specifies protocol = UDP and port = any

Recommendation: If you are not able to establish the connection due to this error, it means there is a mismatch in the network parameters and/or Quick Mode selectors specified at the two ends. Check and make sure that the following parameters are the same at both ends:
  • Local Network details
  • Remote Network details
  • Quick Mode selectors
Make sure that if a subnet is specified at the local end, then the same subnet (and not a single host or a range of hosts) is specified at the remote end. Make sure that if a single host is specified at the local end, then the same host is specified at the remote end as well. Make the relevant changes and try to connect again.

Error Message: << peer is NATed >>

Sample Log:
May 01 17:10:44 1146483644 pluto[21903]: "rw_psk_1-1"[6] 187.7.7.254 #12: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed

Recommendation: If you are not able to establish the connection due to this error, it means the connection request from the remote end is being NATted between the remote end and the Cyberoam, i.e. the host making the Connection request to the Cyberoam lies behind a NAT router, but NAT Traversal is not enabled for the Connection in the Cyberoam. Enable ‘Allow NAT Traversal’ in the Cyberoam Connection and try to connect again.

Error Message: << INVALID_KEY_INFORMATION >>

Sample Log:
May 02 18:58:56 1146576536 pluto[22425]: | Notify Message Type: INVALID_KEY_INFORMATION
May 02 18:58:56 1146576536 pluto[22425]: "ntn_rsa_1-1" #51: ignoring informational payload, type INVALID_KEY_INFORMATION
May 02 18:58:56 1146576536 pluto[22425]: | info:
May 02 18:58:56 1146576536 pluto[22425]: "ntn_rsa_1-1" #51: received and ignored informational message
May 02 18:59:36 1146576576 pluto[22425]: | processing connection ntn_rsa_1-1
May 02 18:59:36 1146576576 pluto[22425]: "ntn_rsa_1-1" #51: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

Recommendation: If you are not able to establish the connection due to this error, it means the Local ID and Remote ID specified at the remote end do not match the IDs specified at the local end. At the remote end:
  • Local ID should be the same as the Remote ID specified at the local end
  • Remote ID should be the same as the Local ID specified at the local end
Update the IDs in the Connection and try to connect again. If certificate-based authentication is defined in the Connection, then the Local and Remote IDs must be the same as those specified while creating the Certificate, or as specified in ‘Subject Alternative Name’.

Error Message: << issuer cacert not found >>

Sample Log:
May 12 13:04:00 1147419240 pluto[5259]: "old_254_cert-1"[1] 188.7.7.43 #1: issuer cacert not found
May 12 13:04:00 1147419240 pluto[5259]: "old_254_cert-1"[1] 188.7.7.43 #1: X.509 certificate rejected
May 12 13:04:00 1147419240 pluto[5259]: "old_254_cert-1"[1] 188.7.7.43 #1: no RSA public key known for 'C=IN, ST=Gujarat, L=Ahmedabad, O=Elitecore Technologies Ltd., OU=Elitecore Technologies Ltd.VPN, CN=Elitecore Technologies Ltd.cert_for_intranet, [email protected]'
May 12 13:04:00 1147419240 pluto[5259]: "old_254_cert-1"[1] 188.7.7.43 #1: sending encrypted notification INVALID_KEY_INFORMATION to 188.7.7.43:500

Recommendation: If you are not able to establish the connection due to this error, it means the Certificate Authority is not uploaded at the local end. If a Digital Certificate is used for authentication, then the Certificate Authority (CA) that issued the Certificate must be uploaded. Upload the CA and try to establish the connection again. Note: If an external CA is used for authentication, then upload all the files received from the CA.

Error Message: << cannot respond to IPsec SA request because no connection is known >>

Sample Log:
May 12 18:30:01 1147438801 pluto[6156]: "ellitetest-1"[11] 220.236.29.176 #76: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===203.88.128.94...220.236.29.176[172.16.0.100]===172.16.0.100/32
May 12 18:30:01 1147438801 pluto[6156]: "ellitetest-1"[11] 220.236.29.176 #76: sending encrypted notification INVALID_ID_INFORMATION to 220.236.29.176:4500

Recommendation: If you are not able to establish the connection due to this error, it means the Connection request from the Road Warrior is being NATted between the Road Warrior and the Cyberoam, i.e. the host making the Connection request to the Cyberoam lies behind a NAT router, but NAT Traversal is not enabled for the Connection in the Cyberoam. Enable ‘Allow NAT Traversal’ in the Cyberoam Connection and try to connect again.

Error Message: << peer requested 604800 seconds which exceeds our limit 86400 seconds. Attribute OAKLEY_LIFE_DURATION (variable length) >>

Sample Log:
May 13 00:09:39 1147459179 pluto[6156]: | af+type: OAKLEY_LIFE_DURATION (variable length)
May 13 00:09:39 1147459179 pluto[6156]: | length/value: 4
May 13 00:09:39 1147459179 pluto[6156]: | long duration: 604800
May 13 00:09:39 1147459179 pluto[6156]: "Verso-2" #548: peer requested 604800 seconds which exceeds our limit 86400 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
May 13 00:09:39 1147459179 pluto[6156]: "Verso-2" #548: no acceptable Oakley Transform
May 13 00:09:39 1147459179 pluto[6156]: "Verso-2" #548: sending notification NO_PROPOSAL_CHOSEN to 12.45.97.98:500

Recommendation: If you are not able to establish the connection due to this error, it means the key life specified in the policy at the remote end exceeds the 86400 second limit. This situation arises only if the remote server is not a Cyberoam. Check the log for the ‘ISAKMP SA established’ message. If that message is present, the phase 1 connection has been successfully established, so change the key life specified in phase 2 at the remote server and try to connect again; otherwise change the key life specified in phase 1 at the remote server and try to connect again.

Error Message: << X.509 certificate is not valid until <date> >>

Sample Log:
checking validity of "C=IN, ST=Gujarat, L=Ahmedabad, O=eLitecore, OU=Cyberoam, CN=eLitecoretest_man, [email protected]": X.509 certificate is not valid until Sep 30 04:59:55 UTC 2006 (it is now=Sep 29 06:58:10 UTC 2006)
Sep 29 12:28:10 1159513090 pluto[29265]: "test-1" #30: X.509 certificate rejected

Recommendation: If you are not able to establish the connection due to this error, the certificate used is not valid because of a date mismatch. This situation arises only if the remote certificate’s validity dates do not match the local server’s system date, e.g. the certificate is valid from 25th October to 1st November and you try to establish the connection on 25th October from the local server, but the local server’s system date is 26th October. Change the local server’s system date from the Telnet Console and try to connect again.
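As an added example (not part of the Cyberoam guide or product), the helper below parses pluto lines in the format shown throughout this document, extracts the phase 1 parameters (auth/cipher/prf/group, with the DH group table from the ‘ISAKMP SA established’ answer) and the phase 2 parameters (ESP SPIs, xfrm, NATD, DPD), and maps each error message of this table to its recommendation. The sample log is constructed from the guide's own line shapes; the hint texts and the SPI direction comment are this example's own summary.

```python
import re

# pluto line shape used throughout the guide:
#   <Mon DD HH:MM:SS> <epoch> pluto[<pid>]: "<conn>"[<inst>] <peer> #<sa>: <message>
# ([<inst>] <peer> is absent for static peers; "| ..." debug lines name no connection)
LINE_RE = re.compile(r'^\w{3} \d\d \d\d:\d\d:\d\d \d+ pluto\[\d+\]: '
                     r'"(?P<conn>[^"]+)"(?:\[\d+\] \S+)? #(?P<sa>\d+): (?P<msg>.*)$')
PARAMS_RE = re.compile(r'\{(?P<params>[^}]*)\}')
SPI_RE = re.compile(r'ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')

# DH group table as listed in the guide (name printed by pluto -> IKE group number)
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15, "modp4096": 16}

# (substring of the pluto message, summary of the Error Messages table's recommendation); first match wins
ERROR_HINTS = [
    ("mismatch of preshared secrets", "preshared keys differ: use the same key at both ends"),
    ("policy does not allow OAKLEY_RSA_SIG", "local PSK vs remote certificate: align the authentication method"),
    ("policy does not allow OAKLEY_PRESHARED_KEY", "local certificate vs remote PSK: align the authentication method"),
    ("no GROUP_DESCRIPTION", "phase 2 PFS mismatch: set the same PFS at both ends"),
    ("policy does not allow Extended Authentication", "XAUTH off locally, on remotely: enable or disable it at both ends"),
    ("policy mandates Extended Authentication", "XAUTH on locally, off remotely: enable or disable it at both ends"),
    ("refused due to strict flag", "phase 1 cipher/auth/DH group mismatch: use the same configuration at both ends"),
    ("failed (wrong key?)", "wrong remote certificate: replace it"),
    ("certificate was revoked", "revoked certificate: replace it"),
    ("issuer cacert not found", "issuing CA not uploaded locally: upload the CA"),
    ("no connection is known", "network/Quick Mode selector mismatch, or NATed road warrior without NAT Traversal"),
    ("peer is NATed", "remote host behind NAT: enable 'Allow NAT Traversal' on the connection"),
    ("ignoring informational payload, type INVALID_KEY_INFORMATION", "local/remote ID mismatch: swap the IDs at the remote end"),
    ("exceeds our limit", "peer key life above 86400 s: lower it at the remote (non-Cyberoam) end"),
    ("is not valid until", "certificate validity vs local system date: correct the local date"),
]

def parse_line(line):
    """Return (conn, sa_number, message) for a pluto line that names a connection, else None."""
    m = LINE_RE.match(line.strip())
    return (m["conn"], int(m["sa"]), m["msg"]) if m else None

def parse_phase1(msg):
    """'ISAKMP SA established {auth=.. cipher=.. prf=.. group=..}' -> dict plus DH group number."""
    p = PARAMS_RE.search(msg)
    if "ISAKMP SA established" not in msg or not p:
        return None
    kv = dict(re.findall(r'(\w+)=(\S+)', p["params"]))
    kv["dh_group_number"] = DH_GROUPS.get(kv.get("group", "").lower())
    return kv

def parse_phase2(msg):
    """'IPsec SA established {ESP=>out <in xfrm=ENC-AUTH NATD=.. DPD=..}' -> dict."""
    p = PARAMS_RE.search(msg)
    if "IPsec SA established" not in msg or not p:
        return None
    kv = dict(re.findall(r'\b(xfrm|NATD|DPD)=(\S+)', p["params"]))
    out = {"nat_traversal": kv.get("NATD"), "dpd": kv.get("DPD")}
    s = SPI_RE.search(p["params"])
    if s:  # '=>' is the SPI we send with, '<' the SPI we accept inbound (pluto convention)
        out["esp_spi_out"], out["esp_spi_in"] = s.groups()
    if "xfrm" in kv:  # xfrm is "<encryption algorithm>-<authentication algorithm>"
        out["encryption"], _, out["integrity"] = kv["xfrm"].partition("-")
    return out

def triage(log_text):
    """Per-connection phase 1/phase 2 parameters plus known errors mapped to the guide's advice."""
    r = {"phase1": {}, "phase2": {}, "findings": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        conn, _sa, msg = rec
        if (p1 := parse_phase1(msg)):
            r["phase1"][conn] = p1
        if (p2 := parse_phase2(msg)):
            r["phase2"][conn] = p2
        hint = next(((k, h) for k, h in ERROR_HINTS if k in msg), None)
        if hint and (conn,) + hint not in r["findings"]:
            r["findings"].append((conn,) + hint)
    return r

# Constructed excerpt in the guide's log format (sample data, not a real capture)
SAMPLE_LOG = """\
Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Apr 28 11:54:45 1146205485 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x1cb63bdc <0x859e904a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
Apr 29 12:48:31 1146295111 pluto[1628]: "rw_cert_1-1"[2] 188.7.7.7 #32: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Apr 29 12:48:31 1146295111 pluto[1628]: "rw_cert_1-1"[2] 188.7.7.7 #32: sending encrypted notification NO_PROPOSAL_CHOSEN to 188.7.7.7:500
"""
```

Running `triage(SAMPLE_LOG)` reports the phase 1 and phase 2 parameters for rw_psk_1-1 and a single PFS-mismatch finding for rw_cert_1-1; the NO_PROPOSAL_CHOSEN line is only the consequence and is deliberately not flagged.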

Document Version: 9410-1.0-08/01/2007