Hi,
We have just renewed the IKE Server Certificate using an internal CA, but when we try to connect to VIA it does not work and the error code 7606 is shown in the VIA log. The certificate was generated in our internal CA with RSA 1024 bits, Server Authentication proposal and .pfx format. The client trusts this CA.
We have tried the connection with an external user (who authenticates using a client certificate and an internal DB user) and with a corporate user (who authenticates using MSCHAPv2 with single sign-on). We suspect that the problem may come from the IKE process.
These are the logs from the controller, in case you can help us. If you need more information, please let me know.
Thanks in advance,
hange_setup_p1: ID is IPv4
Aug 23 06:18:31 isakmpd[1561]: <103063> <DBUG> |ike| 83.58.111.242:4500-> exchange_setup_p1: USING exchange type ID_PROT
Aug 23 06:18:31 isakmpd[1561]: <103063> <DBUG> |ike| 83.58.111.242:4500-> New(2) ID_PROT Exchange ic 4fee410eb8103601 rc 70fa924d4412d082
Aug 23 06:18:31 isakmpd[1561]: <103063> <DBUG> |ike| 83.58.111.242:4500-> IKE Fragmentation
Aug 23 06:18:31 isakmpd[1561]: <103063> <DBUG> |ike| 83.58.111.242:4500-> arubaVIA_check_vendor_payload detected Aruba VIA
Aug 23 06:18:31 isakmpd[1561]: <103063> <DBUG> |ike| 83.58.111.242:4500-> IKE Fragmentation
Aug 23 06:18:31 isakmpd[1561]: <103063> <DBUG> |ike| 83.58.111.242:4500-> arubaVIA_check_VIAAuthProfile_vendor_payload: VIA Auth Profile : InternalDB_VIAAuthenticationProfile
Aug 23 06:18:31 isakmpd[1561]: <103063> <DBUG> |ike| 83.58.111.242:4500-> message_recv enabling early NATT since peer initiates on 4500
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> ike_phase_1.c:ike_phase_1_responder_recv_SA:850 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 83.58.111.242.
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> ike_phase_1.c:attribute_unacceptable:2708 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> ike_phase_1.c:attribute_unacceptable:2737 Proposal match failed in key length, configured=32, peer using=16
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> ike_phase_1.c:attribute_unacceptable:2708 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> ike_phase_1.c:attribute_unacceptable:2737 Proposal match failed in key length, configured=32, peer using=16
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> ike_phase_1.c:attribute_unacceptable:2708 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> ike_phase_1.c:attribute_unacceptable:2737 Proposal match failed in key length, configured=32, peer using=24
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> ike_phase_1.c:attribute_unacceptable:2708 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> ike_phase_1.c:attribute_unacceptable:2737 Proposal match failed in key length, configured=32, peer using=24
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> ike_phase_1.c:attribute_unacceptable:2708 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Aug 23 06:18:31 isakmpd[1561]: <103063> <DBUG> |ike| 83.58.111.242:4500-> group_get entered id:2
Aug 23 06:18:31 isakmpd[1561]: <103063> <DBUG> |ike| 83.58.111.242:4500-> group_get ike_group:0x10000178
Aug 23 06:18:31 isakmpd[1561]: <103063> <DBUG> |ike| 83.58.111.242:4500-> modp_init entered
Aug 23 06:18:31 isakmpd[1561]: <103063> <DBUG> |ike| 83.58.111.242:4500-> group_get group:0x102cc284
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> ike_phase_1.c:ike_phase_1_responder_recv_SA:1000 Ike Phase 1 received SA
Aug 23 06:18:31 isakmpd[1561]: <103063> <DBUG> |ike| 83.58.111.242:4500-> ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:83.58.111.242
Aug 23 06:18:31 isakmpd[1561]: <103063> <DBUG> |ike| 83.58.111.242:4500-> nat_t_exchange_check_nat_d_has_us src-port:500 dst-port:55530
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> nat_traversal.c:nat_t_generate_nat_d_hash:267 IP InnerIPController Port 500
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> nat_traversal.c:nat_t_exchange_check_nat_d_has_us:561 Did not find our matching NAT-D payload for Port:500 in their packet
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> nat_traversal.c:nat_t_generate_nat_d_hash:267 IP InnerIPController Port 4500
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> nat_traversal.c:nat_t_exchange_check_nat_d_has_us:571 Did not find our matching NAT-D payload for Port:4500 in their packet
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> ike_phase_1.c:ike_phase_1_recv_KE_NONCE:1254 Responder, enabling NAT-T.
Aug 23 06:18:32 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 83.58.111.242 Port 55530
Aug 23 06:18:32 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> nat_traversal.c:nat_t_generate_nat_d_hash:267 IP InnerIPController Port 4500
Aug 23 06:18:32 isakmpd[1561]: <103060> <DBUG> |ike| 83.58.111.242:4500-> nat_traversal.c:nat_t_exchange_add_nat_d:377 NAT-T added hashes for src=InnerIPController:4500, dst=83.58.111.242:4500
Aug 23 06:18:32 isakmpd[1561]: <103063> <DBUG> |ike| 83.58.111.242:4500-> ike_phase_1_send_KE_NONCE 83.58.111.242
Aug 23 06:18:32 isakmpd[1561]: <103063> <DBUG> |ike| ike_phase_1_post_exchange_KE_NONCE IV len:16
Aug 23 06:18:32 isakmpd[1561]: <103063> <DBUG> |ike| ike_phase_1_post_exchange_KE_NONCE done 83.58.111.242 g_x_len:128 skeyid_len:20
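An added example, not part of the original post and not Aruba tooling: a small Python triage script for isakmpd debug output in the format above. It separates the per-transform "Proposal match failed" rejections from the later "Accepted ... of the Proposals" line, so it is clear whether the phase 1 SA negotiation itself completed. The sample lines are constructed, and the peer is a documentation address.

```python
import re
from collections import Counter

# Constructed sample in the same isakmpd debug format as the log above
# (the peer is a documentation address, not a value from the post).
SAMPLE = """\
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 192.0.2.10:4500-> ike_phase_1.c:attribute_unacceptable:2708 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 192.0.2.10:4500-> ike_phase_1.c:attribute_unacceptable:2737 Proposal match failed in key length, configured=32, peer using=16
Aug 23 06:18:31 isakmpd[1561]: <103060> <DBUG> |ike| 192.0.2.10:4500-> ike_phase_1.c:attribute_unacceptable:2737 Proposal match failed in key length, configured=32, peer using=24
Aug 23 06:18:31 isakmpd[1561]: <103063> <DBUG> |ike| 192.0.2.10:4500-> ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:192.0.2.10
"""

PEER = re.compile(r"\|ike\|\s+(\d+\.\d+\.\d+\.\d+):\d+->\s+(.*)")
MISMATCH = re.compile(
    r"Proposal match failed in (.+?), configured=([^,\s]+), peer using=(\S+)")
ACCEPT = re.compile(r"Accepted (\d+) of the Proposals")


def summarize(text):
    """Per peer: count each (attribute, configured, offered) rejection and
    record how many proposals the responder reported as accepted."""
    peers = {}
    for line in text.splitlines():
        m = PEER.search(line)
        if not m:
            continue  # lines without a peer prefix carry no negotiation data
        ip, msg = m.groups()
        entry = peers.setdefault(ip, {"rejected": Counter(), "accepted": 0})
        mismatch = MISMATCH.search(msg)
        if mismatch:
            entry["rejected"][mismatch.groups()] += 1
        accept = ACCEPT.search(msg)
        if accept:
            entry["accepted"] += int(accept.group(1))
    return peers


def report(peers):
    """Render the summary as text lines, one block per peer."""
    out = []
    for ip, e in peers.items():
        state = "phase 1 SA accepted" if e["accepted"] else "no proposal accepted"
        out.append(f"{ip}: {state}")
        for (attr, cfg, offered), n in sorted(e["rejected"].items()):
            out.append(f"  rejected {attr}: configured={cfg} offered={offered} x{n}")
    return out


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

An "accepted" result here only covers the SA transform negotiation; the later identity and certificate exchange is logged separately and has to be checked in the lines that follow.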