
User can't connect via IPSec VPN, ClientLog: no RSA private key found

Hello, 

I've got the following problem. A Sophos UTM 9.711-5 syncs users from AD. These user accounts then get activated for IPSec remote access. Normally that works just fine: the user is created in AD, synced with the UTM, gets clearance for the user portal and gets inserted into the existing IPSec configuration along with the preexisting users.

Somehow that does not work for one single user. Whenever the connection is being built up, the message "Child SA (Security Association) could not be established" appears.

The client log says the RSA private key could not be found:

2022-05-18 07:34:02AM 16[CFG] loaded certificate 'C=XXX, L=XXX, O=XXX, CN=XXX'
2022-05-18 07:34:02AM 07[CFG] loaded RSA private key
2022-05-18 07:34:03AM 15[CFG] added vici connection: REF_IpsRoaIpsecVpn
2022-05-18 07:34:03AM 15[CFG] vici initiate CHILD_SA 'REF_IpsRoaIpsecVpn-tunnel-1'
2022-05-18 07:34:03AM 07[IKE] <REF_IpsRoaIpsecVpn|1> initiating Main Mode IKE_SA REF_IpsRoaIpsecVpn[1] to XXX
2022-05-18 07:34:03AM 07[ENC] <REF_IpsRoaIpsecVpn|1> generating ID_PROT request 0 [ SA V V V V V ]
2022-05-18 07:34:03AM 07[NET] <REF_IpsRoaIpsecVpn|1> sending packet: from XXX[56450] to XXX[500] (184 bytes)
2022-05-18 07:34:03AM 12[NET] <REF_IpsRoaIpsecVpn|1> received packet: from XXX[500] to XXX[56450] (180 bytes)
2022-05-18 07:34:03AM 12[ENC] <REF_IpsRoaIpsecVpn|1> parsed ID_PROT response 0 [ SA V V V V V ]
2022-05-18 07:34:03AM 12[IKE] <REF_IpsRoaIpsecVpn|1> received strongSwan vendor ID
2022-05-18 07:34:03AM 12[IKE] <REF_IpsRoaIpsecVpn|1> received Cisco Unity vendor ID
2022-05-18 07:34:03AM 12[IKE] <REF_IpsRoaIpsecVpn|1> received XAuth vendor ID
2022-05-18 07:34:03AM 12[IKE] <REF_IpsRoaIpsecVpn|1> received DPD vendor ID
2022-05-18 07:34:03AM 12[IKE] <REF_IpsRoaIpsecVpn|1> received NAT-T (RFC 3947) vendor ID
2022-05-18 07:34:03AM 12[CFG] <REF_IpsRoaIpsecVpn|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
2022-05-18 07:34:03AM 12[ENC] <REF_IpsRoaIpsecVpn|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
2022-05-18 07:34:03AM 12[NET] <REF_IpsRoaIpsecVpn|1> sending packet: from XXX[56450] to XXX[500] (372 bytes)
2022-05-18 07:34:03AM 07[NET] <REF_IpsRoaIpsecVpn|1> received packet: from XXX[500] to XXX[56450] (356 bytes)
2022-05-18 07:34:03AM 07[ENC] <REF_IpsRoaIpsecVpn|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
2022-05-18 07:34:03AM 07[IKE] <REF_IpsRoaIpsecVpn|1> faking NAT situation to enforce UDP encapsulation
2022-05-18 07:34:03AM 07[IKE] <REF_IpsRoaIpsecVpn|1> sending cert request for "C=XXX, L=XXX, O=XXX, CN=XXX, E=XXX"

2022-05-18 07:34:03AM 07[IKE] <REF_IpsRoaIpsecVpn|1> no RSA private key found for 'XXX (local IP)'
2022-05-18 07:34:03AM 07[ENC] <REF_IpsRoaIpsecVpn|1> generating INFORMATIONAL_V1 request 1728489938 [ HASH N(AUTH_FAILED) ]

2022-05-18 07:34:03AM 07[NET] <REF_IpsRoaIpsecVpn|1> sending packet: from XXX[56451] to XXX[4500] (92 bytes)
2022-05-18 07:34:03AM 04[CFG] vici terminate IKE_SA 'REF_IpsRoaIpsecVpn'
2022-05-18 07:34:04AM 03[CFG] unloaded private key with id 09d22beca69dfe1d4e5519aad339a63...

The server log puts out the following...

2022:05:18-08:23:18 gateway pluto[21392]: packet from XXX:59631: length of ISAKMP Message is smaller than minimum
2022:05:18-08:23:18 gateway pluto[21392]: packet from XXX:59631: sending notification PAYLOAD_MALFORMED to XXX:59631
2022:05:18-08:23:18 gateway pluto[21392]: packet from XXX:56450: received Vendor ID payload [XAUTH]
2022:05:18-08:23:18 gateway pluto[21392]: packet from XXX:56450: received Vendor ID payload [Dead Peer Detection]
2022:05:18-08:23:18 gateway pluto[21392]: packet from XXX:56450: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2022:05:18-08:23:18 gateway pluto[21392]: packet from XXX:56450: received Vendor ID payload [RFC 3947]
2022:05:18-08:23:18 gateway pluto[21392]: packet from XXX:56450: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2022:05:18-08:23:18 gateway pluto[21392]: "D_REF_IpsRoaIpsecVpn_AaaUseUsername-3"[5] XXX:56450 #123: responding to Main Mode from unknown peer XXX:56450
2022:05:18-08:23:18 gateway pluto[21392]: "D_REF_IpsRoaIpsecVpn_AaaUseUsername-3"[5] XXX:56450 #123: peer requested 90288 seconds which exceeds our limit 86400 seconds
2022:05:18-08:23:18 gateway pluto[21392]: "D_REF_IpsRoaIpsecVpn_AaaUseUsername-3"[5] XXX:56450 #123: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
2022:05:18-08:23:18 gateway pluto[21392]: "D_REF_IpsRoaIpsecVpn_AaaUseUsername-3"[5] XXX:56450 #123: NAT-Traversal: Result using RFC 3947: peer is NATed
2022:05:18-08:23:18 gateway pluto[21392]: "D_REF_IpsRoaIpsecVpn_AaaUseUsername-3"[5] XXX:56450 #123: next payload type of ISAKMP Hash Payload has an unknown value: 142
2022:05:18-08:23:18 gateway pluto[21392]: "D_REF_IpsRoaIpsecVpn_AaaUseUsername-3"[5] XXX:56450 #123: malformed payload in packet

Honestly, I know what the error messages mean but I've no idea why they pop up or what causes them. Everything is done the exact same way as with every other user. I tried connecting from different Sophos Connect versions, different networks, different firewall settings, I deleted the user and recreated it, always with the same outcome.

Any advice, hint or solution would be more than welcome. Thank you very much.

Problem solved.

The user didn't have an e-mail entry in AD; adding it later on in the UTM didn't have an effect on the certificate. So the user was deleted from the UTM, the e-mail address was added in AD and afterwards synced again with the UTM. Et voilà, the IPSec tunnel works like a charm. -.-
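The following triage script is an added example for this thread, not code from Sophos, strongSwan or the poster. It reads a strongSwan-style client log like the one quoted above, pulls out the certificate the client loaded, the DN named in the gateway's cert request, and the "no RSA private key found" failure, and reports the two things the thread turned out to hinge on: the authentication abort itself, and a user certificate whose subject carries no E= (e-mail) attribute. The sample log is constructed from the thread's own lines with the poster's XXX masking; the function and class names are this example's own.

```python
"""Triage a strongSwan-based IPsec client log (Sophos Connect style).

Added example for this thread, not Sophos or strongSwan code. It extracts the
certificate the client loaded, the DN the gateway asked for in its cert
request, and the 'no RSA private key found' failure, and produces findings.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the relevant lines from the client log in the thread,
# with identifying values masked as XXX exactly as the poster did.
SAMPLE_LOG = """\
2022-05-18 07:34:02AM 16[CFG] loaded certificate 'C=XXX, L=XXX, O=XXX, CN=XXX'
2022-05-18 07:34:02AM 07[CFG] loaded RSA private key
2022-05-18 07:34:03AM 07[IKE] <REF_IpsRoaIpsecVpn|1> initiating Main Mode IKE_SA REF_IpsRoaIpsecVpn[1] to XXX
2022-05-18 07:34:03AM 07[IKE] <REF_IpsRoaIpsecVpn|1> sending cert request for "C=XXX, L=XXX, O=XXX, CN=XXX, E=XXX"
2022-05-18 07:34:03AM 07[IKE] <REF_IpsRoaIpsecVpn|1> no RSA private key found for 'XXX (local IP)'
2022-05-18 07:34:03AM 07[ENC] <REF_IpsRoaIpsecVpn|1> generating INFORMATIONAL_V1 request 1728489938 [ HASH N(AUTH_FAILED) ]
"""

LOADED_CERT_RE = re.compile(r"loaded certificate '([^']+)'")
CERT_REQUEST_RE = re.compile(r'sending cert request for "([^"]+)"')
NO_KEY_RE = re.compile(r"no RSA private key found for '([^']+)'")
AUTH_FAILED_MARK = "N(AUTH_FAILED)"


def parse_dn(dn: str) -> dict:
    """Split 'C=XXX, L=XXX, E=XXX' into {attribute: value}, keeping order."""
    attrs = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


@dataclass
class Triage:
    loaded_subjects: list = field(default_factory=list)   # certs the client loaded
    requested_dns: list = field(default_factory=list)     # DNs from CERTREQ lines
    no_key_identity: Optional[str] = None                 # identity lacking a key
    auth_failed: bool = False                             # client sent AUTH_FAILED
    findings: list = field(default_factory=list)


def triage_client_log(log_text: str) -> Triage:
    """Scan the log once and derive findings from the lines that matter."""
    result = Triage()
    for line in log_text.splitlines():
        if m := LOADED_CERT_RE.search(line):
            result.loaded_subjects.append(m.group(1))
        elif m := CERT_REQUEST_RE.search(line):
            result.requested_dns.append(m.group(1))
        elif m := NO_KEY_RE.search(line):
            result.no_key_identity = m.group(1)
        elif AUTH_FAILED_MARK in line:
            result.auth_failed = True

    # Finding 1: the hard failure. strongSwan found no private key for the
    # identity it ended up using, so it aborts the IKE_SA.
    if result.no_key_identity:
        result.findings.append(
            f"no private key matched local identity '{result.no_key_identity}'"
            + (" and the client sent AUTH_FAILED" if result.auth_failed else "")
        )

    # Finding 2: what the thread's fix points at. The loaded certificate's
    # subject has no E= (e-mail) attribute; the poster fixed it by adding the
    # e-mail in AD and re-syncing so the UTM issued a fresh certificate.
    for subject in result.loaded_subjects:
        attrs = parse_dn(subject)
        if "E" not in attrs and "emailAddress" not in attrs:
            result.findings.append(
                f"loaded certificate '{subject}' has no E= attribute; "
                "check the user's e-mail in AD and re-sync before re-issuing"
            )
    return result


if __name__ == "__main__":
    for finding in triage_client_log(SAMPLE_LOG).findings:
        print("-", finding)
```

The cert-request line names the issuer the gateway wants the client to present a certificate from, so the script records it for context but does not compare it attribute-by-attribute with the user certificate. Run it against a real Sophos Connect log in place of SAMPLE_LOG; a user whose certificate was issued while the AD e-mail was empty shows up as the second finding.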