Problem IPSEC phase 2

Problem IPSEC phase 2

Christiano Liberato
Hi,

I've been trying for days to close a tunnel with a client and I cannot.
Logs always appear:

message_recv: cleartext phase 2 message
dropped message from ipcliente port 500 due to notification type INVALID_FLAGS
transport_send_messages: giving up on exchange peer-ipcliente, no response from peer ipcliente:500

I've been searching a lot on the internet and so far no solution. They just
ask to restart the tunnel on both sides.
On my side, I use OpenBSD 6.1.
Has anyone seen this error?

Thanks!!

Re: Problem IPSEC phase 2

Christiano Liberato
More information:

The customer uses McAfee Stonesoft.
Phase 1
main auth hmac-md5 enc 3des group modp1024 lifetime 86400

Phase 2
quick auth hmac-md5 enc 3des group modp1024 lifetime 3600

psk xxxx

Errors in the messages

Sep 20 17:25:09 gw isakmpd[14702]: message_recv: cleartext phase 2 message
Sep 20 17:25:09 gw isakmpd[14702]: dropped message from ip_client port 500 due to notification type INVALID_FLAGS
Sep 20 17:25:16 gw isakmpd[14702]: message_recv: invalid cookie(s) 385f90768ec871e1 928fe1b941afcfe4
Sep 20 17:25:16 gw isakmpd[14702]: dropped message from ip_client port 500 due to notification type INVALID_COOKIE
Sep 20 17:25:25 gw isakmpd[14702]: message_recv: invalid cookie(s) 385f90768ec871e1 059208ff39accc6d
Sep 20 17:25:25 gw isakmpd[14702]: dropped message from ip_client port 500 due to notification type INVALID_COOKIE
Sep 20 17:25:36 gw isakmpd[14702]: transport_send_messages: giving up on exchange peer-ip_client, no response from peer ip_client:500

2017-09-18 11:30 GMT-03:00 Christiano Liberato <[hidden email]>:
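An added example, not code from this thread or from OpenBSD's isakmpd: a small Python parser for the isakmpd lines in the post above that groups the notifications per peer and translates the pattern into what isakmpd is reporting about the peer. The log sample is constructed from the poster's lines (re-joined where the mail client wrapped them), and the readings in diagnose() are my interpretation of those messages, not something the list confirmed.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the isakmpd lines quoted in this thread (wrapped lines re-joined).
LOG = """\
Sep 20 17:25:09 gw isakmpd[14702]: message_recv: cleartext phase 2 message
Sep 20 17:25:09 gw isakmpd[14702]: dropped message from ip_client port 500 due to notification type INVALID_FLAGS
Sep 20 17:25:16 gw isakmpd[14702]: message_recv: invalid cookie(s) 385f90768ec871e1 928fe1b941afcfe4
Sep 20 17:25:16 gw isakmpd[14702]: dropped message from ip_client port 500 due to notification type INVALID_COOKIE
Sep 20 17:25:25 gw isakmpd[14702]: message_recv: invalid cookie(s) 385f90768ec871e1 059208ff39accc6d
Sep 20 17:25:25 gw isakmpd[14702]: dropped message from ip_client port 500 due to notification type INVALID_COOKIE
Sep 20 17:25:36 gw isakmpd[14702]: transport_send_messages: giving up on exchange peer-ip_client, no response from peer ip_client:500
"""
PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ isakmpd\[\d+\]: (?P<msg>.*)$")
DROPPED = re.compile(r"dropped message from (?P<peer>\S+) port \d+ due to notification type (?P<notify>\w+)")
COOKIES = re.compile(r"invalid cookie\(s\) (?P<icookie>[0-9a-f]{16}) (?P<rcookie>[0-9a-f]{16})")
GIVEUP = re.compile(r"giving up on exchange \S+, no response from peer (?P<peer>\S+):\d+")
def parse_isakmpd_log(text):
    # Per peer: how often we answered with each notification, the cookie pairs we had no SA for, and whether isakmpd gave up.
    peers = defaultdict(lambda: {"notify": defaultdict(int), "cookies": [], "gave_up": False})
    pending = None  # "invalid cookie(s)" is logged just before its "dropped message" line
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if c := COOKIES.search(msg):
            pending = (c.group("icookie"), c.group("rcookie"))
        elif d := DROPPED.search(msg):
            p = peers[d.group("peer")]
            p["notify"][d.group("notify")] += 1
            if d.group("notify") == "INVALID_COOKIE" and pending:
                p["cookies"].append(pending)
            pending = None
        elif g := GIVEUP.search(msg):
            peers[g.group("peer")]["gave_up"] = True
    return peers

def diagnose(state):
    # Translate the notification pattern into what isakmpd is saying about the peer (my reading of the messages).
    out = []
    if state["notify"].get("INVALID_FLAGS"):
        out.append("peer sent a phase 2 (quick mode) message without the ISAKMP "
                   "encryption flag set; isakmpd will not process phase 2 in cleartext")
    if state["notify"].get("INVALID_COOKIE"):
        rcookies = sorted({rc for _, rc in state["cookies"]})
        out.append(f"peer used {len(state['cookies'])} cookie pair(s) we have no ISAKMP SA for "
                   f"(responder cookies {rcookies}); phase 1 state differs between the ends")
    if state["gave_up"]:
        out.append("our retransmits went unanswered; isakmpd abandoned the exchange")
    return out
```

Running diagnose(parse_isakmpd_log(LOG)["ip_client"]) on the sample yields three findings; the constant initiator cookie with changing responder cookies is the detail worth checking against the peer's own IKE logs.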

Re: Problem IPSEC phase 2

Christiano Liberato
Hi,

At the link below are the client screens, with the settings.
http://189.6.44.103:8080/


Does anyone on the list use this McAfee Stonesoft?

Thanks!!

2017-09-20 17:27 GMT-03:00 Christiano Liberato <[hidden email]>: