cannot connect after 16.6.1

  • cannot connect after 16.6.1

    Hi, there

    I have 2 identical Untangle boxes, site A and site B

    Site A on 16.6.1
    Site B on 16.5.2

    IPsec stopped working on site A after upgrading to 16.6.1

    Can someone shed some light as to why I cannot connect any more?

    Many thanks

    Alex

    Here is the log from A, which fails to connect

    Mar 6 13:41:07 artiplanto-server-A charon: 08[IKE] destroying IKE_SA after failed XAuth authentication
    Mar 6 13:41:07 artiplanto-server-A charon: 08[ENC] parsed TRANSACTION response 2408213423 [ HASH CPA(X_STATUS) ]
    Mar 6 13:41:07 artiplanto-server-A charon: 08[NET] received packet: from 67.69.76.190[4501] to 174.89.225.43[4500] (68 bytes)
    Mar 6 13:41:07 artiplanto-server-A charon: 15[NET] sending packet: from 174.89.225.43[4500] to 67.69.76.190[4501] (68 bytes)
    Mar 6 13:41:07 artiplanto-server-A charon: 15[ENC] generating TRANSACTION request 2408213423 [ HASH CPS(X_STATUS) ]
    Mar 6 13:41:07 artiplanto-server-A charon: 15[IKE] XAuth authentication of 'pingu.iphone' failed
    Mar 6 13:41:07 artiplanto-server-A charon: 15[CFG] XAuth-EAP method backend not supported: radius
    Mar 6 13:41:07 artiplanto-server-A charon: 15[ENC] parsed TRANSACTION response 523042316 [ HASH CPRP(X_USER X_PWD) ]
    Mar 6 13:41:07 artiplanto-server-A charon: 15[NET] received packet: from 67.69.76.190[4501] to 174.89.225.43[4500] (92 bytes)
    Mar 6 13:41:07 artiplanto-server-A charon: 06[NET] sending packet: from 174.89.225.43[4500] to 67.69.76.190[4501] (68 bytes)
    Mar 6 13:41:07 artiplanto-server-A charon: 06[ENC] generating TRANSACTION request 523042316 [ HASH CPRQ(X_USER X_PWD) ]
    Mar 6 13:41:07 artiplanto-server-A charon: 06[NET] sending packet: from 174.89.225.43[4500] to 67.69.76.190[4501] (68 bytes)
    Mar 6 13:41:07 artiplanto-server-A charon: 06[ENC] generating ID_PROT response 0 [ ID HASH ]
    Mar 6 13:41:07 artiplanto-server-A charon: 06[CFG] selected peer config "VPN-XAUTH-0"
    Mar 6 13:41:07 artiplanto-server-A charon: 06[CFG] looking for XAuthInitPSK peer configs matching 174.89.225.43...67.69.76.190[10.43.137.64]
    Mar 6 13:41:07 artiplanto-server-A charon: 06[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Mar 6 13:41:07 artiplanto-server-A charon: 06[NET] received packet: from 67.69.76.190[4501] to 174.89.225.43[4500] (92 bytes)
    Mar 6 13:41:07 artiplanto-server-A charon: 05[NET] sending packet: from 174.89.225.43[500] to 67.69.76.190[1526] (236 bytes)
    Mar 6 13:41:07 artiplanto-server-A charon: 05[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Mar 6 13:41:07 artiplanto-server-A charon: 05[IKE] remote host is behind NAT
    Mar 6 13:41:07 artiplanto-server-A charon: 05[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Mar 6 13:41:07 artiplanto-server-A charon: 05[NET] received packet: from 67.69.76.190[1526] to 174.89.225.43[500] (220 bytes)
    Mar 6 13:41:06 artiplanto-server-A charon: 14[NET] sending packet: from 174.89.225.43[500] to 67.69.76.190[1526] (156 bytes)
    Mar 6 13:41:06 artiplanto-server-A charon: 14[ENC] generating ID_PROT response 0 [ SA V V V V ]
    Mar 6 13:41:06 artiplanto-server-A charon: 14[CFG] selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] 67.69.76.190 is initiating a Main Mode IKE_SA
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] 67.69.76.190 is initiating a Main Mode IKE_SA
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] received DPD vendor ID
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] received FRAGMENTATION vendor ID
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] received Cisco Unity vendor ID
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] received XAuth vendor ID
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
    Mar 6 13:41:06 artiplanto-server-A charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
    Mar 6 13:41:06 artiplanto-server-A charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
    Mar 6 13:41:06 artiplanto-server-A charon: 14[NET] received packet: from 67.69.76.190[1526] to 174.89.225.43[500] (848 bytes)

  • #2
    And here is the log from B, which connects just fine

    Mar 6 12:42:16 artiplanto-server-B charon: 14[IKE] CHILD_SA VPN-XAUTH-0{251} established with SPIs c5bd2e51_i 0336f444_o and TS 0.0.0.0/0 === 172.16.6.1/32
    Mar 6 12:42:16 artiplanto-server-B charon: 14[IKE] CHILD_SA VPN-XAUTH-0{251} established with SPIs c5bd2e51_i 0336f444_o and TS 0.0.0.0/0 === 172.16.6.1/32
    Mar 6 12:42:16 artiplanto-server-B charon: 14[ENC] parsed QUICK_MODE request 1921386700 [ HASH ]
    Mar 6 12:42:16 artiplanto-server-B charon: 14[NET] received packet: from 67.69.76.190[4501] to 184.144.247.19[4500] (52 bytes)
    Mar 6 12:42:16 artiplanto-server-B charon: 16[NET] sending packet: from 184.144.247.19[4500] to 67.69.76.190[4501] (172 bytes)
    Mar 6 12:42:16 artiplanto-server-B charon: 16[ENC] generating QUICK_MODE response 1921386700 [ HASH SA No ID ID ]
    Mar 6 12:42:16 artiplanto-server-B charon: 16[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
    Mar 6 12:42:16 artiplanto-server-B charon: 16[IKE] expected IPComp proposal but peer did not send one, IPComp disabled
    Mar 6 12:42:16 artiplanto-server-B charon: 16[ENC] parsed QUICK_MODE request 1921386700 [ HASH SA No ID ID ]
    Mar 6 12:42:16 artiplanto-server-B charon: 16[NET] received packet: from 67.69.76.190[4501] to 184.144.247.19[4500] (364 bytes)
    Mar 6 12:42:15 artiplanto-server-B charon: 08[NET] sending packet: from 184.144.247.19[4500] to 67.69.76.190[4501] (76 bytes)
    Mar 6 12:42:15 artiplanto-server-B charon: 08[ENC] generating TRANSACTION response 3043392955 [ HASH CPRP(ADDR DNS) ]
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] assigning virtual IP 172.16.6.1 to peer 'pingu.iphone'
    Mar 6 12:42:15 artiplanto-server-B charon: 08[CFG] reassigning offline lease to 'pingu.iphone'
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] peer requested virtual IP %any
    Mar 6 12:42:15 artiplanto-server-B charon: 08[ENC] parsed TRANSACTION request 3043392955 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
    Mar 6 12:42:15 artiplanto-server-B charon: 08[ENC] unknown attribute type (28683)
    Mar 6 12:42:15 artiplanto-server-B charon: 08[NET] received packet: from 67.69.76.190[4501] to 184.144.247.19[4500] (164 bytes)
    Mar 6 12:42:15 artiplanto-server-B charon: 07[IKE] maximum IKE_SA lifetime 28717s
    Mar 6 12:42:15 artiplanto-server-B charon: 07[IKE] scheduling reauthentication in 28177s
    Mar 6 12:42:15 artiplanto-server-B charon: 07[IKE] IKE_SA VPN-XAUTH-0[562] established between 184.144.247.19[184.144.244.149]...67.69.76.190[10.43.137.64]
    Mar 6 12:42:15 artiplanto-server-B charon: 07[IKE] IKE_SA VPN-XAUTH-0[562] established between 184.144.247.19[184.144.244.149]...67.69.76.190[10.43.137.64]
    Mar 6 12:42:15 artiplanto-server-B charon: 07[ENC] parsed TRANSACTION response 2841049563 [ HASH CPA(X_STATUS) ]
    Mar 6 12:42:15 artiplanto-server-B charon: 07[NET] received packet: from 67.69.76.190[4501] to 184.144.247.19[4500] (68 bytes)
    Mar 6 12:42:15 artiplanto-server-B charon: 11[NET] sending packet: from 184.144.247.19[4500] to 67.69.76.190[4501] (68 bytes)
    Mar 6 12:42:15 artiplanto-server-B charon: 11[ENC] generating TRANSACTION request 2841049563 [ HASH CPS(X_STATUS) ]
    Mar 6 12:42:15 artiplanto-server-B charon: 11[IKE] XAuth authentication of 'pingu.iphone' successful
    Mar 6 12:42:15 artiplanto-server-B charon: 11[ENC] parsed TRANSACTION response 266639267 [ HASH CPRP(X_USER X_PWD) ]
    Mar 6 12:42:15 artiplanto-server-B charon: 11[NET] received packet: from 67.69.76.190[4501] to 184.144.247.19[4500] (92 bytes)
    Mar 6 12:42:15 artiplanto-server-B charon: 14[NET] sending packet: from 184.144.247.19[4500] to 67.69.76.190[4501] (68 bytes)
    Mar 6 12:42:15 artiplanto-server-B charon: 14[ENC] generating TRANSACTION request 266639267 [ HASH CPRQ(X_USER X_PWD) ]
    Mar 6 12:42:15 artiplanto-server-B charon: 14[NET] sending packet: from 184.144.247.19[4500] to 67.69.76.190[4501] (68 bytes)
    Mar 6 12:42:15 artiplanto-server-B charon: 14[ENC] generating ID_PROT response 0 [ ID HASH ]
    Mar 6 12:42:15 artiplanto-server-B charon: 14[CFG] selected peer config "VPN-XAUTH-0"
    Mar 6 12:42:15 artiplanto-server-B charon: 14[CFG] looking for XAuthInitPSK peer configs matching 184.144.247.19...67.69.76.190[10.43.137.64]
    Mar 6 12:42:15 artiplanto-server-B charon: 14[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Mar 6 12:42:15 artiplanto-server-B charon: 14[NET] received packet: from 67.69.76.190[4501] to 184.144.247.19[4500] (92 bytes)
    Mar 6 12:42:15 artiplanto-server-B charon: 16[NET] sending packet: from 184.144.247.19[500] to 67.69.76.190[1526] (236 bytes)
    Mar 6 12:42:15 artiplanto-server-B charon: 16[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Mar 6 12:42:15 artiplanto-server-B charon: 16[IKE] remote host is behind NAT
    Mar 6 12:42:15 artiplanto-server-B charon: 16[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Mar 6 12:42:15 artiplanto-server-B charon: 16[NET] received packet: from 67.69.76.190[1526] to 184.144.247.19[500] (220 bytes)
    Mar 6 12:42:15 artiplanto-server-B charon: 08[NET] sending packet: from 184.144.247.19[500] to 67.69.76.190[1526] (156 bytes)
    Mar 6 12:42:15 artiplanto-server-B charon: 08[ENC] generating ID_PROT response 0 [ SA V V V V ]
    Mar 6 12:42:15 artiplanto-server-B charon: 08[CFG] selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] 67.69.76.190 is initiating a Main Mode IKE_SA
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] 67.69.76.190 is initiating a Main Mode IKE_SA
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] received DPD vendor ID
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] received FRAGMENTATION vendor ID
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] received Cisco Unity vendor ID
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] received XAuth vendor ID
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
    Mar 6 12:42:15 artiplanto-server-B charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
    Mar 6 12:42:15 artiplanto-server-B charon: 08[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
    Mar 6 12:42:15 artiplanto-server-B charon: 08[NET] received packet: from 67.69.76.190[1526] to 184.144.247.19[500] (848 bytes)

    • #3
      Please upgrade to 16.6.2.
      Attention: Support and help on the Untangle Forums is provided by
      volunteers and community members like yourself.
      If you need Untangle support please call or email [email protected]

      • #4
        I am not getting any pending updates... could I share the UID with you via PM so you can push 16.6.2?

        • #5
          It turns out I was on 16.6.2 and I still have the same issue. Does anyone have any idea?

          • #6
            We are having this same problem.

            • #7
              I am wondering if Arista devs [accidentally] removed (did not build/compile) the EAP authentication method "EAP_MSCHAPV2" from strongSwan (the IPsec server daemon) when they built NGFW 16.6.

              Here is relevant logging from a successful VPN connection attempt on a 16.5 system running build 16.5.2.20220810T133847.795eba8fc3-1buster:
              (screenshot: image.png)

              Here are the similar logs from a failing connection to a 16.6 firewall running build 16.6.2.20230109T075831.1bb35db54e-1bullseye:
              (screenshot: image.png)
              • #8
                On the client side we are seeing the following logged:
                (screenshot: image.png)
                and:
                (screenshot: image.png)
                Doing some research, it sounds like this could be a username/password issue (i.e. the firewall not correctly referencing the Local Directory for IKEv2 connections) or a certificate issue. Everything says my certificate is good (and the firewall CA is trusted), but until we determine the root cause, we'll keep that as a suspect too.

                • #9
                  I have also tried to force Windows VPN client to use stronger ciphers as mentioned here: https://www.stevenjordan.net/2016/09...v2-win-10.html

                  But to no avail.

                  Have also generated a new server certificate on the firewall, verified its CN matches the firewall hostname & public DNS record, then assigned it to IPsec & saved. Did not seem to make a difference.
                  Then generated a new CA on the firewall. Imported that cert into my PC client OS trusted CAs. Then generated a new server cert on the firewall again & assigned to IPsec.
                  Still not working.

                  • #10
                    I found this, which I presume matches the 16.6 changelog regarding IPsec:


                    Any other changes?

                    • #11
                      Perhaps it is this same issue?

                      • #12
                        Yes it appears libcharon-extauth-plugins is what provides mschapv2 EAP method:


                        So if this didn't get baked into 16.6, it would seem this is the root cause.

                        Arista please help. I have opened ticket 249749 with your support.

                        • #13
                          I can confirm this issue is in fact due to libcharon-extauth-plugins being missed in NGFW's custom dpkg dependency list. Their support has confirmed they have an internal ticket on this and it will be fixed in the next release. Their recommended workaround for now is to switch to L2TP.


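As an added illustration (not code from this thread or from Arista/Untangle), here is a small Python triage over lines condensed from the two charon logs quoted at the top of the thread: it separates the site A failure, where charon reports that the XAuth-EAP backend its configuration names is unavailable (the missing-plugin root cause confirmed in #13), from an ordinary credential rejection, and it flags the weak IKE proposal both boxes negotiated. The weak-algorithm list and the classification heuristic are my assumptions, not anything the thread states.

```python
import re

# Constructed sample: lines condensed from the charon logs quoted in this thread
# (site A after the 16.6 upgrade fails, site B on 16.5 still works).
FAILING_LOG = """\
Mar 6 13:41:06 artiplanto-server-A charon: 14[CFG] selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Mar 6 13:41:07 artiplanto-server-A charon: 15[CFG] XAuth-EAP method backend not supported: radius
Mar 6 13:41:07 artiplanto-server-A charon: 15[IKE] XAuth authentication of 'pingu.iphone' failed
Mar 6 13:41:07 artiplanto-server-A charon: 08[IKE] destroying IKE_SA after failed XAuth authentication
"""
WORKING_LOG = """\
Mar 6 12:42:15 artiplanto-server-B charon: 08[CFG] selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Mar 6 12:42:15 artiplanto-server-B charon: 11[IKE] XAuth authentication of 'pingu.iphone' successful
Mar 6 12:42:15 artiplanto-server-B charon: 07[IKE] IKE_SA VPN-XAUTH-0[562] established between 184.144.247.19[184.144.244.149]...67.69.76.190[10.43.137.64]
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]{8} (?P<host>\S+) charon: \d+\[\w+\] (?P<msg>.*)$")
BACKEND_RE = re.compile(r"XAuth-EAP method backend not supported: (?P<backend>\S+)")
AUTH_RE = re.compile(r"XAuth authentication of '(?P<user>[^']+)' (?P<result>successful|failed)")
PROPOSAL_RE = re.compile(r"selected proposal: IKE:(?P<prop>\S+)")
# Assumption: a local list of IKE algorithms we no longer want to see negotiated.
WEAK_IKE = ("3DES", "MD5", "MODP_1024", "MODP_768")


def triage(log: str) -> dict:
    """Summarise one charon excerpt: host, user, outcome, likely failure cause, weak IKE algorithms."""
    report = {"host": None, "user": None, "outcome": "unknown", "cause": None, "weak_ike": []}
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line; ignore
        report["host"] = m["host"]
        msg = m["msg"]
        if (b := BACKEND_RE.search(msg)):
            # charon could not load the backend its XAuth/EAP config names, so the
            # failure is on the server (missing plugin or config), not a bad password.
            report["cause"] = f"EAP backend '{b['backend']}' unavailable on server (missing plugin?)"
        elif (a := AUTH_RE.search(msg)):
            report["user"] = a["user"]
            report["outcome"] = "success" if a["result"] == "successful" else "failure"
        elif (p := PROPOSAL_RE.search(msg)):
            report["weak_ike"] = [alg for alg in WEAK_IKE if alg in p["prop"]]
    if report["outcome"] == "failure" and report["cause"] is None:
        report["cause"] = "credentials rejected (no backend error seen)"
    return report


if __name__ == "__main__":
    for sample in (FAILING_LOG, WORKING_LOG):
        print(triage(sample))
```

Run against a full charon syslog, the same rule tells a responder at a glance whether a burst of failed XAuth logins is users mistyping passwords or the server itself unable to authenticate anyone.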