Frequent Contributor II

VIA fails to establish secure session

Hi

 

I just upgraded an Aruba 3200 to 6.1.3.1, because the customer wants to use VIA 2.x with MSCHAPv2.

 

The client connects to the controller as it should, downloads the profile. Authentication is done thru the Aruba and to a RADIUS checking the AD username/password.

When I try to connect the client, it fails to establish a secure session.

 

Last night I was able to get the connection going, but with the internal database as auth server.

Now I'm not able to get a secure connection to either internaldb or RADIUS.

 

When connecting to RADIUS I get this error message:

 

Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500->  exchange=IKE_AUTH msgid=1 len=284
Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500->  spi={554d0d4da179c5e3 1aaa1073464d39ba} np=E{IDi}
Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> #RECV 288 bytes from 212.89.48.14(22234) at 159.171.108.70 (4283.428)
Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> IKE_EXAMPLE_IKE_msgRecv: ip:d459300e  port:22234  server:0   len:288  numSkts:18
Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> ike2.c (755):errorCode = ERR_IKE_GETSA_FAIL
Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> udp_encap_handle_message IKEv2 pkt status:-8944
Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> udp_encap_handle_message ver:2 serverInst:0 pktsize:288

 

I'm not sure what the problem is, but as I can see there is a problem with the IKE exchange.

 

Does anybody have a clue to resolve this? Is there anything in the connection profile I'm missing?

 

Roar Fossen

Guru Elite

Re: VIA fails to establish secure session

Has this ever worked?

Did you set an IKE preshared key on the controller? (yes, it is necessary)

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II

Re: VIA fails to establish secure session

I had it working for a test last night, but as I have taken over this installation I'm not sure if the IKE preshared key was ever set.

 

I reckon that you are referring to the IKE shared secret found under Configuration -> Advanced services -> VPN services.

 

If that's the one, do I have to enter it somewhere in the VIA connection profile?

 

Roar Fossen

Guru Elite

Re: VIA fails to establish secure session

You do not have to enter it in the VIA profile.  You just have to set one.

 

In addition, please see the file here: http://community.arubanetworks.com/aruba/attachments/aruba/108/947/1/VIA-configuration-detail.pdf

 

 

 

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II

Re: VIA fails to establish secure session

Thanks for the link, but as I want to use the VIA 2.x client with MSCHAPv2, I'm using the ArubaVIA2.0_UserGuide.pdf.

 

I have now set an IKE shared secret, but the problem persists. The client has the same problem.

Now with this error:

 

Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500-> udp_encap_handle_message ver:2 serverInst:0 pktsize:288
Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500-> IKE_EXAMPLE_IKE_msgRecv: ip:d459300e  port:17539  server:0   len:288  numSkts:18
Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500->
Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500-> #RECV 288 bytes from 212.89.48.14(17539) at 159.171.108.70 (10506.102)
Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500->  spi={363967d10b552a74 f1925aa9522a43de} np=E{IDi}
Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500->  exchange=IKE_AUTH msgid=1 len=284
Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500-> ike2.c (755): errorCode = ERR_IKE_GETSA_FAIL
Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500-> udp_encap_handle_message IKEv2 pkt status:-8944

 

So I suspect that the shared secret was already set as the connection was ok last night.

When I had it running I used the internaldb as auth, but then switched to RADIUS. RADIUS was not working until I opened for PAP between RADIUS and Aruba. I was then able to authenticate my AD user thru the VIA client as I log in.

But when I try to connect, the secure session fails, and it beats me why.

 

Roar Fossen
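
The two isakmpd debug excerpts posted above use different line prefixes. As an added example (not part of any post in this thread, and not Aruba code), this Python sketch parses both formats, groups lines by timestamp and peer, and pulls out the exchange type, SPI pair, errorCode and packet status for each failed exchange. Grouping by second and peer address is an assumption made for illustration.

```python
import ipaddress
import re

# Both prefixes seen in the thread: "isakmpd[pid]: <id>" and ":id:".
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?:isakmpd\[\d+\]:\s+<\d+>|:\d+:)\s+"
    r"<\w+>\s+\|ike\|\s+(?P<peer>[\d.]+):(?P<port>\d+)->\s*(?P<msg>.*)$"
)
FIELDS = {
    "exchange": re.compile(r"exchange=(\w+)"),
    "error": re.compile(r"errorCode\s*=\s*(\w+)"),
    "status": re.compile(r"pkt status:(-?\d+)"),
    "spi": re.compile(r"spi=\{(\w+ \w+)\}"),
    "hex_ip": re.compile(r"\bip:([0-9a-f]{8})\b"),
}
# Sample input: lines copied from the two excerpts posted in the thread.
SAMPLE = """\
Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500->  exchange=IKE_AUTH msgid=1 len=284
Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> IKE_EXAMPLE_IKE_msgRecv: ip:d459300e  port:22234  server:0   len:288  numSkts:18
Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> ike2.c (755):errorCode = ERR_IKE_GETSA_FAIL
Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> udp_encap_handle_message IKEv2 pkt status:-8944
Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500->  spi={363967d10b552a74 f1925aa9522a43de} np=E{IDi}
Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500->  exchange=IKE_AUTH msgid=1 len=284
Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500-> ike2.c (755): errorCode = ERR_IKE_GETSA_FAIL
Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500-> udp_encap_handle_message IKEv2 pkt status:-8944
"""

def summarize(log_text):
    """Return one dict per (timestamp, peer) group that carries an errorCode."""
    groups = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        # Assumption: lines sharing a second and a peer belong to one exchange.
        event = groups.setdefault((m["ts"], m["peer"]), {"ts": m["ts"], "peer": m["peer"]})
        for name, rx in FIELDS.items():
            hit = rx.search(m["msg"])
            if hit:
                event[name] = hit.group(1)
    for event in groups.values():
        if "hex_ip" in event:
            # In these samples the ip: field is the peer's IPv4 address in hex.
            decoded = str(ipaddress.IPv4Address(int(event.pop("hex_ip"), 16)))
            event["ip_matches_peer"] = decoded == event["peer"]
    return [e for e in groups.values() if "error" in e]
```

Calling `summarize(SAMPLE)` yields two events, both IKE_AUTH exchanges from the same peer ending in ERR_IKE_GETSA_FAIL with status -8944, which makes it easy to confirm that the failure did not change after the shared secret was set.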

Guru Elite

Re: VIA fails to establish secure session

Any message on the RADIUS server?

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II

Re: VIA fails to establish secure session

The RADIUS is working as it should. I authenticate with AD username/password as I log on the client for the first time.

The client then downloads the profile, but as I try to connect and establish the VPN tunnel, it fails with the error message I posted in my last post.

 

Roar Fossen

Guru Elite

Re: VIA fails to establish secure session

Mosher,

 

I just looked at the document you used, and there is more configuration needed to do MSCHAPv2 on VIA that has not been included in that document. I will try to get some of that information for you shortly.

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II

Re: VIA fails to establish secure session

Hmm, sounds interesting, but at the same time confused.

One of the major benefits of using VIA v2.x and AOS 6.1.3 is the availability of MSCHAPv2, and the document is missing some info?

 

If you could provide the info it will be much appreciated.

 

Roar Fossen

 

Guru Elite

Re: VIA fails to establish secure session

What is missing is that you need to create a server certificate for the controller (using the same CA as the RADIUS server), upload it to the controller and then reference it in the screenshot below in the VPN panel. That server certificate must be trusted by the client. You can try this ahead of time until we get the documentation added, or you can open a TAC case so that they can help.

 

From the doc you mentioned, I do not think it is in there.

cert_config.jpeg



Colin Joseph
Aruba Customer Engineering
