"no connection has been authorized with policy=PSK" every 20 seconds, but VPN works


#1

Hi, everybody.

I’m new to VyOS and to the forum.

I have an IPsec VPN established between my host and a customer; they are both behind a firewall.

The VPN works ok, but I keep receiving the messages below every 20 seconds.

Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: ignoring Vendor ID payload [4f4576795c6b677a57715c73]
Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: received Vendor ID payload [Dead Peer Detection]
Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: received Vendor ID payload [RFC 3947]
Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 19 16:21:37 vyatta pluto[5871]: packet from a.a.a.a:500: initial Main Mode message received on 172.17.105.3:500 but no connection has been authorized with policy=PSK

I think that I’m missing something very basic here.

Another important point is that if the remote side restarts the VPN, I must restart my side as well. I have DPD configured, but I think that the above impacts the correct dropout detection.

[EDIT] - 2016-06-22

My configuration:

authentication {
    id [my external IP]
    mode pre-shared-secret
    pre-shared-secret [my PSK]
}
connection-type initiate
default-esp-group ESP1_PARTNER1
description PROD_PARTNER1
ike-group IKE1_PARTNER1
local-address 172.17.105.3
tunnel 1 {
    allow-nat-networks disable
    allow-public-networks disable
    esp-group ESP1_PARTNER1
    local {
        prefix 172.17.105.3/32
    }
    remote {
        prefix 10.1.1.0/24
    }
}

vyatta@PARTNER1-VPN01# sh vpn ipsec ike-group IKE1_PARTNER1
dead-peer-detection {
    action restart
}
lifetime 28800
proposal 1 {
    dh-group 2
    encryption aes256
    hash sha1
}

vyatta@PARTNER1-VPN01# sh vpn ipsec esp-group ESP1_PARTNER1
compression disable
lifetime 86400
mode tunnel
pfs disable
proposal 1 {
    encryption aes256
    hash sha1
}

Can anyone point me in a direction?

Thanks in advance, and apologies for the bad English.
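A way to triage the repeating lines in the post above, as an added example that is not from the thread or from VyOS: it parses constructed pluto log lines modelled on the ones shown (198.51.100.7 stands in for the redacted a.a.a.a) and reports, per peer and policy, how many initial Main Mode messages were rejected, how far apart they arrive, and whether that peer advertised RFC 3947 NAT-T.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the pluto lines in the post; 198.51.100.7 stands in for the redacted a.a.a.a.
SAMPLE_LOG = """\
Jun 19 16:21:37 vyatta pluto[5871]: packet from 198.51.100.7:500: received Vendor ID payload [RFC 3947]
Jun 19 16:21:37 vyatta pluto[5871]: packet from 198.51.100.7:500: initial Main Mode message received on 172.17.105.3:500 but no connection has been authorized with policy=PSK
Jun 19 16:21:57 vyatta pluto[5871]: packet from 198.51.100.7:500: initial Main Mode message received on 172.17.105.3:500 but no connection has been authorized with policy=PSK
Jun 19 16:22:17 vyatta pluto[5871]: packet from 198.51.100.7:500: initial Main Mode message received on 172.17.105.3:500 but no connection has been authorized with policy=PSK
Jun 19 16:22:20 vyatta pluto[5871]: "PROD_PARTNER1" #12: STATE_MAIN_I4: ISAKMP SA established
"""

PACKET_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "
                       r"packet from (?P<peer>\S+):(?P<port>\d+): (?P<msg>.*)$")
UNAUTH_RE = re.compile(r"initial Main Mode message received on (?P<local>\S+):\d+ "
                       r"but no connection has been authorized with policy=(?P<policy>\w+)")
VENDOR_RE = re.compile(r"received Vendor ID payload \[(?P<vid>[^\]]+)\]")

def parse_pluto_log(text):
    """One dict per 'packet from' line that is a rejected Main Mode attempt or an accepted Vendor ID."""
    events = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue  # SA state lines and other non-packet messages are skipped
        # Syslog stamps carry no year; strptime defaults to 1900, which is fine for computing deltas.
        ev = {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "peer": m["peer"], "port": int(m["port"])}
        if u := UNAUTH_RE.match(m["msg"]):
            ev.update(kind="unauthorized", local=u["local"], policy=u["policy"])
        elif v := VENDOR_RE.match(m["msg"]):
            ev.update(kind="vendor_id", vid=v["vid"])
        else:
            continue
        events.append(ev)
    return events

def summarize(events):
    """Per (peer, local, policy): rejected-attempt count, average spacing in seconds, and whether the
    peer advertised RFC 3947 NAT-T (it expects NAT on the path, so UDP/4500 must also get through)."""
    nat_t_peers = {e["peer"] for e in events if e["kind"] == "vendor_id" and e["vid"] == "RFC 3947"}
    groups = defaultdict(list)
    for e in events:
        if e["kind"] == "unauthorized":
            groups[(e["peer"], e["local"], e["policy"])].append(e["ts"])
    report = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[key] = {"count": len(stamps), "avg_interval_s": sum(gaps) / len(gaps) if gaps else None,
                       "peer_advertises_nat_t": key[0] in nat_t_peers}
    return report
```

Run `summarize(parse_pluto_log(open("/var/log/messages").read()))` on the real file to see which peers are repeatedly rejected and at what cadence.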


#2

Reconnect issue: Since both sides are behind NAT, make sure to forward UDP ports 500 and 4500 on both sides.

Is the a.a.a.a address the remote IP your VPN should connect to?


#3

16again, thanks for the response.

Yes, the IP is correct. I replaced the IP with “a.a.a.a”, but the log shows the correct address.

Any ideas?


#4

That’s strange. Let me know if you managed to solve this!