"no connection has been authorized with policy=PSK" every 20 seconds, but VPN works

Hi, everybody.

I’m new to VyOS and to the forum.

I have an IPsec VPN established between my host and a customer; they are both behind a firewall.

The VPN works OK, but I keep receiving the messages below every 20 seconds.

Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: ignoring Vendor ID payload [4f4576795c6b677a57715c73]
Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: received Vendor ID payload [Dead Peer Detection]
Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: received Vendor ID payload [RFC 3947]
Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: initial Main Mode message received on 172.17.105.3:500 but no connection has been authorized with policy=PSK

I think that I’m missing something very basic here.

Another important point is that if the remote side restarts the VPN, I must restart my side as well. I have DPD configured, but I think that the above impacts the correct dropout detection.

[EDIT] - 2016-06-22

My configuration:

authentication {
    id [my external IP]
    mode pre-shared-secret
    pre-shared-secret [my PSK]
}
connection-type initiate
default-esp-group ESP1_PARTNER1
description PROD_PARTNER1
ike-group IKE1_PARTNER1
local-address 172.17.105.3
tunnel 1 {
    allow-nat-networks disable
    allow-public-networks disable
    esp-group ESP1_PARTNER1
    local {
        prefix 172.17.105.3/32
    }
    remote {
        prefix 10.1.1.0/24
    }
}

vyatta@PARTNER1-VPN01# sh vpn ipsec ike-group IKE1_PARTNER1
dead-peer-detection {
    action restart
}
lifetime 28800
proposal 1 {
    dh-group 2
    encryption aes256
    hash sha1
}

vyatta@PARTNER1-VPN01# sh vpn ipsec esp-group ESP1_PARTNER1
compression disable
lifetime 86400
mode tunnel
pfs disable
proposal 1 {
    encryption aes256
    hash sha1
}

Can anyone point me in a direction?

Thanks in advance, and I apologize for the bad English.

Reconnect issue: Since both sides are behind NAT, make sure to forward UDP ports 500 and 4500 on both sides.

Is the a.a.a.a address the remote IP your VPN should connect to?

16again, thanks for the response.

Yes, the IP is correct. I replaced the IP with “a.a.a.a”, but the log shows the correct address.

Any ideas?

That’s strange. Let me know if you managed to solve this!

Define in your ike-group the proposal 1 dh-group '2'

set vpn ipsec ike-group ESP1_PARTNER1 proposal 1 dh-group '2'

Hi, anyone able to resolve this?

I am getting the same issue. The VPN is flapping after every 50 seconds.

Sep 20 18:54:20-Malaysia pluto[4971]: "peer-x.x.x.x-tunnel-vti": deleting connection
Sep 20 18:54:20-Malaysia pluto[4971]: "peer-x.x.x.x-tunnel-vti" #48: deleting state (STATE_QUICK_R2)
Sep 20 18:54:20-Malaysia pluto[4971]: "peer-x.x.x.x-tunnel-vti" #48: down-client output: Cannot find device "vti2"
Sep 20 18:54:20-Malaysia pluto[4971]: "peer-x.x.x.x-tunnel-vti" #47: deleting state (STATE_MAIN_R3)
Sep 20 18:54:41-Malaysia pluto[4971]: packet from x.x.x.x:500: received Vendor ID payload [strongSwan]
Sep 20 18:54:41-Malaysia pluto[4971]: packet from x.x.x.x:500: ignoring Vendor ID payload [Cisco-Unity]
Sep 20 18:54:41-Malaysia pluto[4971]: packet from x.x.x.x:500: received Vendor ID payload [XAUTH]
Sep 20 18:54:41-Malaysia pluto[4971]: packet from x.x.x.x:500: received Vendor ID payload [Dead Peer Detection]
Sep 20 18:54:41-Malaysia pluto[4971]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
Sep 20 18:54:41-Malaysia pluto[4971]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 20 18:54:41-Malaysia pluto[4971]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 20 18:54:41 Malaysia pluto[4971]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 20 18:54:41Malaysia pluto[4971]: packet from.x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 20 18:54:41 Malaysia pluto[4971]: packet from x…x.x.x:500: initial Main Mode message received on x.x.x.x:500 but no connection has been authorized with policy=PSK

Are UDP 500, and 4500 ports open?
Can you share the config on both sides?

1.1.8 is EOL.
Try the VyOS 1.3-rc6

Thanks guys for the reply. It was actually the issue with the device. Kernel panic.
I changed the device and everything works just fine.