L2TP/IPsec problem - IKE SA deleted by peer before establishment completed
From: yossi mor (yossim_at_aks.com)
Date: 11/24/03
- Next message: Anon: "Cannot install anyting on server as SA?"
- Previous message: David Beder [MSFT]: "Re: IPSec policy How to remove it?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 24 Nov 2003 01:10:58 -0800
Hi forum,
I am trying to set up an L2TP/IPsec configuration using an XP client
(wireless) against a Cisco VPN 3005 concentrator with an ACS RADIUS server
on the local net to authenticate users during the L2TP session.
Both the L2TP and IPsec authentication sessions are PKI based (i.e. for
the IPsec session I used an IPsec offline request certificate and for
the L2TP session I used a smartcard logon certificate).
When trying to initiate the connection, the IPsec session completes
successfully but the L2TP session is terminated.
I have collected logging information from the concentrator and from
the XP client (Oakley.log and Event Viewer) as follows:
Cisco Concentrator ->
17 11/19/2003 09:34:42.070 SEV=5 IKE/79 RPT=6 166.154.128.144
Group [Technical Service Support]
Validation of certificate successful
(CN=rcorley, SN=53107FF200000000001F)
19 11/19/2003 09:34:42.130 SEV=4 IKE/119 RPT=24 166.154.128.144
Group [Technical Service Support]
PHASE 1 COMPLETED
20 11/19/2003 09:34:43.430 SEV=5 IKE/25 RPT=24 166.154.128.144
Group [Technical Service Support]
Received remote Proxy Host data in ID Payload:
Address 166.154.128.144, Protocol 17, Port 1701
23 11/19/2003 09:34:43.430 SEV=5 IKE/24 RPT=6 166.154.128.144
Group [Technical Service Support]
Received local Proxy Host data in ID Payload:
Address 63.205.195.240, Protocol 17, Port 0
26 11/19/2003 09:34:43.430 SEV=4 IKE/1 RPT=9 166.154.128.144
Group [Technical Service Support]
Received invalid phase 2 L2TP/IPSec Responder ID payload ?????????
Expected ID: Type 1, Proto 17, Port 1701, Addr 172.29.195.240
Received ID: Type 1, Proto 17, Port 0, Addr 63.205.195.240
XP client ->
3a. Event Viewer
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 19/11/2003
Time: 18:58:00
User: S-1-5-20
Computer: TSS0021949C400
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)
Filter:
Source IP Address 166.154.129.215
Source IP Address Mask 255.255.255.255
Destination IP Address 63.205.195.240
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr
IKE Peer Addr
Failure Point:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject E=rcorley@calottery.com, C=US, S=California, L=Sacramento,
O=California Lottery, OU=Technical Service Support, CN=rcorley
My SHA Thumbprint a8a040cda0456523359fec1c5d0c957ce2430b4e
Peer IP Address: 63.205.195.240
Failure Reason:
Me
3b. IKE.log
11-19: 10:26:03:950:3bc MM established. SA: 001050A0
11-19: 10:26:03:950:3bc GetSpi: src = 63.205.195.240.0000, dst =
166.154.225.108.1701, proto = 17, context = 00000000, srcMask =
255.255.255.255, destMask = 255.255.255.255, TunnelFilter 0
11-19: 10:26:03:950:3bc Setting SPI 4020134052
11-19: 10:26:03:950:3bc constructing ISAKMP Header
11-19: 10:26:03:950:3bc constructing HASH (null)
11-19: 10:26:03:950:3bc constructing SA (IPSEC)
11-19: 10:26:03:950:3bc constructing NONCE (IPSEC)
11-19: 10:26:03:950:3bc constructing ID (proxy)
11-19: 10:26:03:950:3bc constructing ID (proxy)
11-19: 10:26:03:950:3bc constructing HASH (QM)
11-19: 10:26:03:950:3bc
11-19: 10:26:03:950:3bc Sending: SA = 0x001050A0 to
63.205.195.240:Type 2
11-19: 10:26:03:950:3bc ISAKMP Header: (V1.0), len = 1108
11-19: 10:26:03:950:3bc I-COOKIE a455a29f2a8b2252
11-19: 10:26:03:950:3bc R-COOKIE 3e9750d249d2b182
11-19: 10:26:03:950:3bc exchange: Oakley Quick Mode
11-19: 10:26:03:950:3bc flags: 1 ( encrypted )
11-19: 10:26:03:950:3bc next payload: HASH
11-19: 10:26:03:950:3bc message ID: 4627c38e
11-19: 10:26:04:921:3bc
11-19: 10:26:04:921:3bc Receive: (get) SA = 0x001050a0 from
63.205.195.240
11-19: 10:26:04:921:3bc ISAKMP Header: (V1.0), len = 1668
11-19: 10:26:04:921:3bc I-COOKIE a455a29f2a8b2252
11-19: 10:26:04:921:3bc R-COOKIE 3e9750d249d2b182
11-19: 10:26:04:921:3bc exchange: Oakley Main Mode
11-19: 10:26:04:921:3bc flags: 1 ( encrypted )
11-19: 10:26:04:921:3bc next payload: ID
11-19: 10:26:04:921:3bc message ID: 00000000
11-19: 10:26:04:921:3bc invalid payload received
11-19: 10:26:04:921:3bc GetPacket failed 3613
11-19: 10:26:04:921:3bc
11-19: 10:26:04:921:3bc Receive: (get) SA = 0x001050a0 from
63.205.195.240
11-19: 10:26:04:921:3bc ISAKMP Header: (V1.0), len = 76
11-19: 10:26:04:921:3bc I-COOKIE a455a29f2a8b2252
11-19: 10:26:04:921:3bc R-COOKIE 3e9750d249d2b182
11-19: 10:26:04:921:3bc exchange: ISAKMP Informational Exchange
11-19: 10:26:04:921:3bc flags: 1 ( encrypted )
11-19: 10:26:04:921:3bc next payload: HASH
11-19: 10:26:04:921:3bc message ID: 958662fd
11-19: 10:26:04:921:3bc processing HASH (Notify/Delete)
11-19: 10:26:04:921:3bc processing payload DELETE
11-19: 10:26:04:921:3bc SA Dead. sa:001050A0 status:35ef
11-19: 10:26:04:921:3bc CE Dead. sa:001050A0 ce:000CB6D8 status:35ef
11-19: 10:26:04:921:3bc Data Protection Mode (Quick Mode)
11-19: 10:26:04:921:3bc Source IP Address 166.154.225.108
Source IP Address Mask 255.255.255.255
Destination IP Address 63.205.195.240
Destination IP Address Mask 255.255.255.255
Protocol 17
Source Port 1701
Destination Port 0
IKE Local Addr 166.154.225.108
IKE Peer Addr 63.205.195.240
11-19: 10:26:04:921:3bc Certificate based Identity.
Peer Subject C=US, CN=Lottery
Peer SHA Thumbprint 6c5d272f2efaf714964242d4d97221b5f29b3077
Peer Issuing Certificate Authority E=dhulbert@calottery.com, C=US,
S=California, L=Sacramento, O=California Lottery, OU=Technical Service
Support, CN=LotCA1
Root Certificate Authority E=dhulbert@calottery.com, C=US,
S=California, L=Sacramento, O=California Lottery, OU=Technical Service
Support, CN=LotCA1
My Subject E=rcorley@calottery.com, C=US, S=California, L=Sacramento,
O=California Lottery, OU=Technical Service Support, CN=rcorley
My SHA Thumbprint a8a040cda0456523359fec1c5d0c957ce2430b4e
Peer IP Address: 63.205.195.240
11-19: 10:26:04:921:3bc Me
11-19: 10:26:04:921:3bc IKE SA deleted by peer before establishment
completed
Do you have an idea what is misconfigured during the IKE SA which
causes it to fail?
Thanks,
Yossi Mor
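The two logs quoted in the post above record the same Quick Mode exchange from both ends: the concentrator says which phase 2 ID it expected and which it received, and the XP Oakley.log GetSpi line says which selector the client built. The script below is an added example written for this thread (it is not the poster's code, nor Cisco or Microsoft tooling). It parses both line formats exactly as quoted, joins the wrapped GetSpi line back together, and reports which selector fields disagree and whether the client's own record agrees with what the concentrator received. The "hints" are general heuristics about IKEv1 phase 2 selector mismatches (a private expected address versus a public received one, a port of 0 versus 1701), not a diagnosis of this particular setup; the `ProxyId` type and the function names are this example's own.

```python
"""Cross-check IKEv1 phase 2 (Quick Mode) proxy IDs from a VPN 3000 log and
a Windows XP Oakley.log to pinpoint which selector fields disagree.

Added example for this thread; not the poster's code and not Cisco or
Microsoft tooling.  Assumptions: the two line formats below are exactly the
ones quoted in the post, and wrapped lines have been re-joined beforehand.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the "Expected ID"/"Received ID" pair copied from
# the concentrator log in the post, trimmed to the lines this parser needs.
CONCENTRATOR_LOG = """\
26 11/19/2003 09:34:43.430 SEV=4 IKE/1 RPT=9 166.154.128.144
Group [Technical Service Support]
Received invalid phase 2 L2TP/IPSec Responder ID payload
Expected ID: Type 1, Proto 17, Port 1701, Addr 172.29.195.240
Received ID: Type 1, Proto 17, Port 0, Addr 63.205.195.240
"""

# Constructed sample input: the GetSpi line from the XP Oakley.log in the
# post, re-joined onto one line (the archive wrapped it).
XP_OAKLEY_LOG = """\
11-19: 10:26:03:950:3bc MM established. SA: 001050A0
11-19: 10:26:03:950:3bc GetSpi: src = 63.205.195.240.0000, dst = 166.154.225.108.1701, proto = 17, context = 00000000, srcMask = 255.255.255.255, destMask = 255.255.255.255, TunnelFilter 0
"""

ID_LINE = re.compile(
    r"^(Expected|Received) ID: Type (\d+), Proto (\d+), Port (\d+), Addr (\S+)")
GETSPI_LINE = re.compile(
    r"GetSpi: src = (\d+(?:\.\d+){3})\.(\d+), dst = (\d+(?:\.\d+){3})\.(\d+), proto = (\d+)")


@dataclass(frozen=True)
class ProxyId:
    """One IKEv1 phase 2 identity: ID type (1 = IPv4 address), IP protocol, port, address."""
    id_type: int
    proto: int
    port: int
    addr: str


def parse_concentrator_ids(log: str) -> dict:
    """Return {'expected': ProxyId, 'received': ProxyId} from the VPN 3000 log."""
    ids = {}
    for line in log.splitlines():
        m = ID_LINE.match(line.strip())
        if m:
            ids[m.group(1).lower()] = ProxyId(
                int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5))
    return ids


def parse_xp_getspi(log: str) -> tuple:
    """Return the selector the XP client proposed as (peer ProxyId, local ProxyId).

    In Oakley.log 'src' is the IKE peer (responder) side and 'dst' is the
    client itself; the port is appended after a final dot (0000 = any).
    """
    for line in log.splitlines():
        m = GETSPI_LINE.search(line)
        if m:
            proto = int(m.group(5))
            peer = ProxyId(1, proto, int(m.group(2)), m.group(1))
            local = ProxyId(1, proto, int(m.group(4)), m.group(3))
            return peer, local
    raise ValueError("no GetSpi line found")


def diff_proxy_ids(expected: ProxyId, received: ProxyId) -> list:
    """List the fields in which the two identities differ, in a fixed order."""
    diffs = []
    for field in ("id_type", "proto", "port", "addr"):
        e, r = getattr(expected, field), getattr(received, field)
        if e != r:
            diffs.append(f"{field}: expected {e}, received {r}")
    return diffs


def analyze(concentrator_log: str, xp_log: str) -> dict:
    """Correlate both logs and summarise where the phase 2 selectors disagree."""
    ids = parse_concentrator_ids(concentrator_log)
    peer, _local = parse_xp_getspi(xp_log)
    diffs = diff_proxy_ids(ids["expected"], ids["received"])
    # If the selector the client says it sent equals what the responder says it
    # received, the payload was not altered in transit; the disagreement is
    # about what the responder expects, not about corruption.
    client_matches_received = peer == ids["received"]
    hints = []  # general heuristics, not a diagnosis of any specific network
    exp_addr = ipaddress.ip_address(ids["expected"].addr)
    rcv_addr = ipaddress.ip_address(ids["received"].addr)
    if exp_addr != rcv_addr and exp_addr.is_private and not rcv_addr.is_private:
        hints.append("responder expects its private address but the client "
                     "addressed a public one: check for NAT in front of the responder")
    if ids["expected"].port != ids["received"].port and ids["received"].port == 0:
        hints.append("client offered port 0 (any) for the responder side where "
                     "UDP 1701 is expected: check the L2TP/IPsec port selector on both ends")
    return {"diffs": diffs,
            "client_matches_received": client_matches_received,
            "hints": hints}


if __name__ == "__main__":
    for key, value in analyze(CONCENTRATOR_LOG, XP_OAKLEY_LOG).items():
        print(f"{key}: {value}")
```

Run on the quoted lines, `analyze` reports two differing fields (port and address) and confirms that the client's GetSpi selector equals the ID the concentrator received, which narrows the problem to the responder-side expectation rather than to anything on the wire. Extend `ID_LINE` and `GETSPI_LINE` if your device firmware prints the fields in a different order.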