
Cyberoam Knowledge Base

http://kb.cyberoam.com/print.asp?id=305&Lang=1&SID=

1. VPN

1.1. Error << we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION >>

Problem Synopsis:
Not able to establish connection and VPN service restarts

Cause:
Mismatch in PFS (Perfect Forward Secrecy). PFS is configured at the local end but not at the remote end, or vice versa.

Resolution:
Configure the same PFS for both peers and try again.

Sample Log:
May 09 01:43:46 1210277626 pluto[3186]: packet from 172.16.2.5:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 09 01:43:46 1210277626 pluto[3186]: packet from 172.16.2.5:500: received Vendor ID payload [RFC 3947] method set to=110
May 09 01:43:46 1210277626 pluto[3186]: packet from 172.16.2.5:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
May 09 01:43:46 1210277626 pluto[3186]: packet from 172.16.2.5:500: received Vendor ID payload [Dead Peer Detection]
May 09 01:43:46 1210277626 pluto[3186]: packet from 172.16.2.5:500: received Vendor ID payload [Cisco-Unity]
May 09 01:43:46 1210277626 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #1: responding to Main Mode from unknown peer 172.16.2.5
May 09 01:43:47 1210277627 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 09 01:43:47 1210277627 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May 09 01:43:47 1210277627 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
May 09 01:43:47 1210277627 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 09 01:43:48 1210277628 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #1: STATE_MAIN_R2: sent MR2, expecting MI3
May 09 01:43:48 1210277628 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #1: Main mode peer ID is ID_IPV4_ADDR: '172.16.2.5'
May 09 01:43:48 1210277628 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #1: I did not send a certificate because I do not have one.
May 09 01:43:48 1210277628 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 09 01:43:48 1210277628 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
May 09 01:43:48 1210277628 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #1: Dead Peer Detection (RFC 3706): enabled
May 09 01:43:48 1210277628 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
May 09 01:43:48 1210277628 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #1: received and ignored informational message
May 09 01:43:51 1210277631 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #2: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
May 09 01:43:52 1210277632 pluto[3186]: "rw_psk-1"[1] 172.16.2.5 #2: sending encrypted notification NO_PROPOSAL_CHOSEN to 172.16.2.5:500

1.2. Error << security layer encountered a problem >>

Problem Synopsis:
Not able to establish connection

Cause:
The Cyberoam VPN client and an L2TP client are both installed on the same machine.

Resolution:
You will not be able to establish the connection if both clients are installed on the same machine. Uninstall either one of the clients and try again.

1 of 8

08/11/12 7:53 PM


Sample Log: Not Applicable

1.3. Error << Connection already exists >>

Problem Synopsis:
Not able to create connection

Cause:
An IPSec or L2TP connection with the same name already exists.

Resolution:
You will not be able to create L2TP and IPSec connections with the same name. Change the connection name and try again.

Sample Log: Not Applicable

1.4. Error << issuer cacert not found >>

Problem Synopsis:
Not able to establish connection

Cause:
The Certificate Authority (CA) is not uploaded at the local end. If a digital certificate is used for authentication, the CA that issued the certificate must be uploaded.

Resolution:
Upload the CA and try to establish the connection again.

Note: If an external CA is used for authentication, upload all the files received from the CA.

Sample Log:
May 12 13:04:00 1147419240 pluto[5259]: "old_254_cert-1"[1] 188.7.7.43 #1: issuer cacert not found
May 12 13:04:00 1147419240 pluto[5259]: "old_254_cert-1"[1] 188.7.7.43 #1: X.509 certificate rejected
May 12 13:04:00 1147419240 pluto[5259]: "old_254_cert-1"[1] 188.7.7.43 #1: no RSA public key known for 'C=IN, ST=Gujarat, L=Ahmedabad, O=Elitecore Technologies Ltd., OU=Elitecore Technologies Ltd.VPN, CN=Elitecore Technologies Ltd.cert_for_intranet, E=abhilash@elitecore.com'
May 12 13:04:00 1147419240 pluto[5259]: "old_254_cert-1"[1] 188.7.7.43 #1: sending encrypted notification INVALID_KEY_INFORMATION to 188.7.7.43:500

1.5. Error << certificate was revoked >>

Problem Synopsis:
Not able to establish connection

Cause:
A revoked certificate is specified in the Connection.

Resolution:
You will not be able to establish the connection using a revoked certificate. Replace the certificate in the Connection and try to establish the connection again.

Sample Log:
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: certificate was revoked on Apr 29 06:15:34 UTC 2006
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: X.509 certificate rejected
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: no RSA public key known for '@client1.elitecore.com'
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: sending encrypted notification INVALID_KEY_INFORMATION to 188.7.7.131:500

1.6. Error <<X.509 certificate is not valid until <date> >>


Problem Synopsis:
Not able to establish connection

Cause:
The certificate used is not valid because of a date mismatch. This situation arises only if the validity dates of the remote certificate and the system date of the local server do not agree. For example, the certificate is valid from 25th October to 1st November; you try to establish the connection on 25th October from the local server, but the local server's system date is 24th October.

Resolution:
Change the local server's system date from the Telnet Console and try to connect again.

Sample Log:
checking validity of "C=IN, ST=Gujarat, L=Ahmedabad, O=eLitecore, OU=Cyberoam, CN=eLitecoretest_man, E=nirshah@elitecore.com": X.509 certificate is not valid until Sep 30 04:59:55 UTC 2006 (it is now=Sep 29 06:58:10 UTC 2006)
Sep 29 12:28:10 1159513090 pluto[29265]: "test-1" #30: X.509 certificate rejected

1.7. Error << cannot respond to IPsec SA request because no connection is known >>

Problem Synopsis:
Not able to establish connection

Cause:
Network parameters and/or Quick Mode selectors mismatch.

Resolution:
Check and make sure that the following parameters specified at the local and remote ends are the same:
- Local Network details
- Remote Network details
- Quick Mode selectors
If a subnet is specified at the local end, make sure the same subnet, and not a single host or a range of hosts, is specified at the remote end. If a single host is specified at the local end, make sure the same host is specified at the remote end as well. Make the relevant changes and try to connect again.

Sample Log:
Apr 29 12:22:02 1146293522 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.7 #28: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/20===187.7.7.43[@server.elitecore.com]...188.7.7.7[@client1.elitecore.com]
Apr 29 12:22:02 1146293522 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.7 #28: sending encrypted notification INVALID_ID_INFORMATION to 188.7.7.7:500

Reading the network definition in the log line:
# 192.168.0.0/20===187.7.7.43[@server.elitecore.com]...188.7.7.7[@client1.elitecore.com] - network definition
# 192.168.0.0/20===187.7.7.43[@server.elitecore.com]---187.7.7.254...%any[@client1.elitecore.com]
# 192.168.0.0/20===187.7.7.43[server@elitecore.com,XS+S=C]:17/80---187.7.7.254...%any[client1@elitecore.com,XC+S=C]:17/0
192.168.0.0/20===187.7.7.43[server@elitecore.com,XS+S=C]:17/85---187.7.7.254...%any[client1@elitecore.com,XC+S=C]:17/0

192.168.0.0/20 - internal network for which secure access is specified
187.7.7.43 - server IP
server@elitecore.com - Local ID
XS+S=C - specifies user authentication as server
17/80 - specifies protocol = udp and port = 80
187.7.7.254 - gateway
%any - dynamic IP of the remote end
client1@elitecore.com - Remote ID
XC+S=C - specifies user authentication as client
17/0 - specifies protocol = udp and port = any


1.8. Error << Cannot respond to IPsec SA request because no connection is known >>

Problem Synopsis:
Not able to establish connection

Cause:
The connection request from the Road Warrior is being NATted between the Road Warrior and Cyberoam, i.e. the host making the connection request to the Cyberoam lies behind a NAT router, but NAT Traversal is not enabled for the Connection in Cyberoam.

Resolution:
Enable Allow NAT Traversal in the Cyberoam Connection and try to connect again.

Sample Log:
May 12 18:30:01 1147438801 pluto[6156]: "ellitetest-1"[11] 220.236.29.176 #76: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===203.88.128.94...220.236.29.176[172.16.0.100]===172.16.0.100/32
May 12 18:30:01 1147438801 pluto[6156]: "ellitetest-1"[11] 220.236.29.176 #76: sending encrypted notification INVALID_ID_INFORMATION to 220.236.29.176:4500
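The selector string after "no connection is known for" in sections 1.7 and 1.8 can be compared mechanically against the locally configured definition. The helper below is an added example written for this page (not Cyberoam's or pluto's own code); the configured definitions it is compared against in the comments are constructed, and the NAT hint relies only on the bracketed peer ID differing from the source address, as in the 1.8 log line.

```python
"""Added helper: read the connection description pluto prints after
"no connection is known for" and compare it with our own definition."""
import ipaddress
import re

# pluto prints  left_net===left_ip[left_id]---left_gw...right_gw---right_ip[right_id]===right_net
# "===" joins an endpoint to its client network, "..." separates the two ends,
# "---" joins an endpoint to its gateway; client nets, ids and gateways are optional.
_IP = r"\d+(?:\.\d+){3}"
_END = r"(?P<{p}ip>%any|{ip})(?:\[(?P<{p}id>[^\]]*)\])?"
_DESC = re.compile(
    r"^(?:(?P<lnet>{ip}/\d+)===)?".format(ip=_IP)
    + _END.format(p="l", ip=_IP)
    + r"(?:---(?P<lhop>{ip}))?\.\.\.(?:(?P<rhop>{ip})---)?".format(ip=_IP)
    + _END.format(p="r", ip=_IP)
    + r"(?:===(?P<rnet>{ip}/\d+))?$".format(ip=_IP))
_LOG = re.compile(r"no connection is known for (\S+)")


def parse_desc(desc):
    """Split a pluto connection description into its fields (None when absent)."""
    m = _DESC.match(desc)
    if not m:
        raise ValueError("not a pluto connection description: %r" % desc)
    return m.groupdict()


def client_net(ip, net):
    """Traffic selector of one end: the explicit client net, else the host itself."""
    if net:
        return ipaddress.ip_network(net, strict=False)
    if ip == "%any":
        return None  # road-warrior wildcard, only known once a peer connects
    return ipaddress.ip_network(ip + "/32")


def diagnose(log_line, configured):
    """Findings, in the KB's terms, from one pluto line and our own definition
    (the 'configured' string uses the same notation; constructed by the caller)."""
    m = _LOG.search(log_line)
    if not m:
        return ["line carries no connection description"]
    want, have = parse_desc(m.group(1)), parse_desc(configured)
    findings = []
    for side, label in (("l", "local"), ("r", "remote")):
        w = client_net(want[side + "ip"], want[side + "net"])
        h = client_net(have[side + "ip"], have[side + "net"])
        if None not in (w, h) and w != h:  # KB 1.7: subnet vs single host etc.
            kind = "single host" if w.prefixlen == 32 else "subnet"
            findings.append("%s network mismatch: peer proposes %s %s, we have %s"
                            % (label, kind, w, h))
        if have[side + "id"] and want[side + "id"] != have[side + "id"]:
            findings.append("%s ID mismatch: peer sent %r, we expect %r"
                            % (label, want[side + "id"], have[side + "id"]))
    # KB 1.8: a peer whose ID is a private address that differs from the address
    # the packet came from sits behind NAT and needs Allow NAT Traversal.
    rid, rip = want["rid"], want["rip"]
    try:
        nated = rid != rip and ipaddress.ip_address(rid).is_private
    except ValueError:  # id is a name such as "@client1.elitecore.com", not an address
        nated = False
    if nated:
        findings.append("peer %s identifies as %s: NATed road warrior, enable "
                        "Allow NAT Traversal on the connection" % (rip, rid))
    return findings
```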

1.9. Error << peer requested 604800 seconds which exceeds our limit 86400 seconds. Attribute OAKLEY_LIFE_DURATION (variable length) >>

Problem Synopsis:
Not able to establish connection

Cause:
The key life specified in the policy at the remote end exceeds the 86400-second limit. This situation arises only if the remote server is not a Cyberoam.

Resolution:
Check the log for the ISAKMP SA established message. If this message is present, phase 1 has been established successfully: change the key life specified in phase 2 at the remote server and try to connect again. Otherwise, change the key life specified in phase 1 at the remote server and try to connect again.

Sample Log:
May 13 00:09:39 1147459179 pluto[6156]: | af+type: OAKLEY_LIFE_DURATION (variable length)
May 13 00:09:39 1147459179 pluto[6156]: |
May 13 00:09:39 1147459179 pluto[6156]: | length/value: 4 long duration: 604800
May 13 00:09:39 1147459179 pluto[6156]: "Verso-2" #548: peer requested 604800 seconds which exceeds our limit 86400 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
May 13 00:09:39 1147459179 pluto[6156]: "Verso-2" #548: no acceptable Oakley Transform
May 13 00:09:39 1147459179 pluto[6156]: "Verso-2" #548: sending notification NO_PROPOSAL_CHOSEN to 12.45.97.98:500

1.10. Error << Signature check (on @client1.elitecore.com) failed (wrong key?); tried *AwEAAbc0R >>

Problem Synopsis:
Not able to establish connection

Cause:
The wrong remote certificate is specified in the Connection.

Resolution:
Specify the correct certificate in the Connection and try to establish the connection again.

Sample Log:
Apr 29 11:19:48 1146289788 pluto[1628]: "rw_cert_1-1"[2] 188.7.7.131 #14: Signature check (on @client1.elitecore.com) failed (wrong key?); tried *AwEAAbc0R
Apr 29 11:19:48 1146289788 pluto[1628]: "rw_cert_1-1"[2] 188.7.7.131 #14: sending encrypted notification INVALID_KEY_INFORMATION to 188.7.7.131:500

1.11. Error << peer is NATed >>


Problem Synopsis:
Not able to establish connection

Cause:
The connection request from the remote end is being NATted between the remote end and Cyberoam, i.e. the host making the connection request to the Cyberoam lies behind a NAT router, and NAT Traversal is not enabled in Cyberoam.

Resolution:
Enable Allow NAT Traversal in the Cyberoam Connection and try to connect again.

Sample Log:
May 01 17:10:44 1146483644 pluto[21903]: "rw_psk_1-1"[6] 187.7.7.254 #12: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed

1.12. Error << INVALID_KEY_INFORMATION >>

Problem Synopsis:
Not able to establish connection

Cause:
Local ID and Remote ID mismatch. For example, the Local ID and Remote ID specified at the remote end do not match the IDs specified at the local end.

Resolution:
To establish the connection, at the remote end:
- the Local ID should be the same as the Remote ID specified at the local end
- the Remote ID should be the same as the Local ID specified at the local end
Update the IDs in the Connection and try to connect again. If certificate-based authentication is configured in the Connection, the Local and Remote IDs must be the same as specified while creating the certificate, or as specified in its Subject Alternative Name.

Sample Log:
May 02 18:58:56 1146576536 pluto[22425]: | Notify Message Type: INVALID_KEY_INFORMATION
May 02 18:58:56 1146576536 pluto[22425]: "ntn_rsa_1-1" #51: ignoring informational payload, type INVALID_KEY_INFORMATION
May 02 18:58:56 1146576536 pluto[22425]: | info:
May 02 18:58:56 1146576536 pluto[22425]: "ntn_rsa_1-1" #51: received and ignored informational message
May 02 18:59:36 1146576576 pluto[22425]: | processing connection ntn_rsa_1-1
May 02 18:59:36 1146576576 pluto[22425]: "ntn_rsa_1-1" #51: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

1.13. Error << probable authentication failure (mismatch of preshared secrets?): malformed payload in packet >>

Problem Synopsis:
Not able to establish connection

Cause:
Preshared key mismatch. For example, the preshared key specified at the local end does not match the one specified at the remote end.

Resolution:
To establish the connection successfully, the same preshared key must be specified at both ends. Change the preshared keys and try to establish the connection again.


Sample Log:
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: next payload type of ISAKMP Identification Payload has an unknown value: 215
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: sending notification PAYLOAD_MALFORMED to 188.7.7.131:500

1.14. Error << policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD >>

Problem Synopsis:
Not able to establish connection

Cause:
User authentication configuration mismatch. For example, user authentication is disabled at the local end while it is enabled at the remote end.

Resolution:
To establish the connection, user authentication must be either enabled or disabled at both ends. Change the user authentication configuration at either end and try to establish the connection again.

Sample Log:
Apr 29 11:17:12 1146289632 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.131 #10: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Apr 29 11:17:12 1146289632 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.131 #10: no acceptable Oakley Transform
Apr 29 11:17:12 1146289632 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.131 #10: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.131:500

1.15. Error << Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag >>

Problem Synopsis:
Not able to establish connection

Cause:
Phase 1 parameters configuration mismatch. The encryption algorithm, authentication algorithm and/or DH group (phase 1) specified at the local end do not match those specified at the remote end.

Resolution:
To establish the connection successfully, the same configuration is required at both ends. Update the configuration and try to establish the connection again.

Sample Log:
Apr 28 12:38:20 1146208100 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #11: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Apr 28 12:38:20 1146208100 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #11: no acceptable Oakley Transform
Apr 28 12:38:20 1146208100 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #11: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.1:500

1.16. Error << policy mandates Extended Authentication (XAUTH) with RSA of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD >>


Problem Synopsis:
Not able to establish connection

Cause:
User authentication configuration mismatch. For example, user authentication is enabled at the local end while it is disabled at the remote end.

Resolution:
To establish the connection, user authentication must be either enabled or disabled at both ends. Change the authentication configuration at either end and try to establish the connection again.

Sample Log:
Apr 29 13:02:03 1146295923 pluto[4919]: "rw_psk_1-1"[1] 188.7.7.7 #1: policy mandates Extended Authentication (XAUTH) with RSA of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Apr 29 13:02:03 1146295923 pluto[4919]: "rw_psk_1-1"[1] 188.7.7.7 #1: no acceptable Oakley Transform
Apr 29 13:02:03 1146295923 pluto[4919]: "rw_psk_1-1"[1] 188.7.7.7 #1: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.7:500

1.17. Error << no GROUP_DESCRIPTION >>

Problem Synopsis:
Not able to establish connection

Cause:
PFS (Perfect Forward Secrecy) mismatch. For example, the PFS configured in Phase 2 at the local end and at the remote end is different.

Resolution:
To establish the connection successfully, the same PFS must be specified at both ends. Change the PFS at either end and try to establish the connection again.

Sample Log:
Apr 29 12:48:31 1146295111 pluto[1628]: "rw_cert_1-1"[2] 188.7.7.7 #32: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Apr 29 12:48:31 1146295111 pluto[1628]: "rw_cert_1-1"[2] 188.7.7.7 #32: sending encrypted notification NO_PROPOSAL_CHOSEN to 188.7.7.7:500
Apr 29 12:48:31 1146295111 pluto[1628]: | processing connection rw_cert_1-1[2] 188.7.7.7

1.18. Error << policy does not allow OAKLEY_PRESHARED_KEY authentication. >>

Problem Synopsis:
Not able to establish connection

Cause:
Authentication method mismatch. For example, the authentication method configured at the local end is Digital Certificate while at the remote end it is configured as Preshared Key.

Resolution:
To establish the connection successfully, the authentication method defined at both ends must be the same. Change the authentication method at either end and try again.

Sample Log:
May 01 10:29:50 1146459590 pluto[7489]: "rw_cert_1-1"[1] 188.7.7.7 #2: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
May 01 10:29:50 1146459590 pluto[7489]: "rw_cert_1-1"[1] 188.7.7.7 #2: no acceptable Oakley Transform
May 01 10:29:50 1146459590 pluto[7489]: "rw_cert_1-1"[1] 188.7.7.7 #2: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.7:500

1.19. Error << policy does not allow OAKLEY_RSA_SIG authentication. >>


Problem Synopsis:
Not able to establish connection

Cause:
Authentication method mismatch. For example, the authentication method configured at the local end is Preshared Key while at the remote end it is configured as Digital Certificate.

Resolution:
To establish the connection successfully, the authentication method defined at both ends must be the same. Change the authentication method at either end and try again.

Sample Log:
May 01 10:17:34 1146458854 pluto[7489]: "rw_psk_1-1"[1] 188.7.7.7 #1: policy does not allow OAKLEY_RSA_SIG authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
May 01 10:17:34 1146458854 pluto[7489]: "rw_psk_1-1"[1] 188.7.7.7 #1: no acceptable Oakley Transform
May 01 10:17:34 1146458854 pluto[7489]: "rw_psk_1-1"[1] 188.7.7.7 #1: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.7:500

1.20. Error << mismatch of preshared secrets >>


Problem Synopsis:
Not able to establish connection

Cause:
Preshared key mismatch. Preshared key defined at local end and remote end are different.

Resolution:
You will be able to establish the connection only if the same preshared key is defined at the local end and the remote end. Change the preshared key and try again.

Sample Log:
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: next payload type of ISAKMP Identification Payload has an unknown value: 215
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: sending notification PAYLOAD_MALFORMED to 188.7.7.131:500
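The error messages catalogued in sections 1.1 to 1.20 can be matched automatically against a pluto log. The script below is an added example written for this page (not Cyberoam's own tooling): it splits each pluto line into connection name, peer and message, maps the message to the cause and resolution the article gives, and applies the section 1.9 rule that a lifetime error after "ISAKMP SA established" concerns phase 2, otherwise phase 1.

```python
"""Added triage helper (written for this page, not Cyberoam's code): classify pluto
log lines by the error signatures this KB catalogues and decide phase 1 vs phase 2
the way section 1.9 does, i.e. from whether "ISAKMP SA established" was logged first."""
import re

# '<Mon DD HH:MM:SS> <epoch> pluto[<pid>]: "<conn>"[<n>] <peer> #<sa>: <message>'
# (the quoted connection part is absent on "packet from ..." and "| debug" lines)
_LINE = re.compile(
    r'^\w{3} \d\d \d\d:\d\d:\d\d \d+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"(?:\[\d+\])?(?: (?P<peer>[0-9.]+))? #\d+: )?(?P<msg>.*)$')

# (substring of the pluto message, phase, cause, resolution); phase None means
# "depends on whether phase 1 already completed" (KB section 1.9).
SIGNATURES = [
    ("we require PFS but Quick I1 SA", 2, "PFS mismatch", "same PFS on both peers"),
    ("issuer cacert not found", 1, "issuing CA not uploaded", "upload the CA"),
    ("certificate was revoked", 1, "revoked certificate", "replace the certificate"),
    ("X.509 certificate is not valid until", 1, "certificate/system date mismatch", "fix local date"),
    ("no connection is known for", 2, "selector mismatch or NATed peer", "align networks / NAT-T"),
    ("exceeds our limit 86400 seconds", None, "remote key life > 86400 s", "lower remote key life"),
    ("Signature check (on", 1, "wrong remote certificate", "select correct certificate"),
    ("peer is NATed", 1, "peer behind NAT", "enable Allow NAT Traversal"),
    ("payload, type INVALID_KEY_INFORMATION", 1, "Local/Remote ID mismatch", "swap IDs at remote"),
    ("mismatch of preshared secrets", 1, "preshared key mismatch", "same PSK on both ends"),
    ("does not allow Extended Authentication", 1, "XAUTH off here, on at remote", "match XAUTH"),
    ("mandates Extended Authentication", 1, "XAUTH on here, off at remote", "match XAUTH"),
    ("refused due to strict flag", 1, "phase 1 proposal mismatch", "align cipher/hash/DH group"),
    ("not allow OAKLEY_PRESHARED_KEY", 1, "remote uses PSK, we use certificate", "same auth method"),
    ("not allow OAKLEY_RSA_SIG", 1, "remote uses certificate, we use PSK", "same auth method"),
]


def parse_line(line):
    """Split one pluto line into conn, peer and msg; None for lines of another shape."""
    m = _LINE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """One (conn, phase, cause, resolution) per recognised error line.  The generic
    follow-ups ("no acceptable Oakley Transform", NO_PROPOSAL_CHOSEN) are skipped:
    the specific message just before them is the one that names the cause."""
    established, findings = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "ISAKMP SA established" in rec["msg"]:
            established.add(rec["conn"])  # phase 1 done for this connection
            continue
        for needle, phase, cause, fix in SIGNATURES:
            if needle in rec["msg"]:
                if phase is None:
                    phase = 2 if rec["conn"] in established else 1
                findings.append((rec["conn"], phase, cause, fix))
                break
    return findings
```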
