site to site ipsec vpn (ie with oracle oci)

evlo

Regular Contributor
Hi, I was wondering if anyone was able to connect asus wrt merlin ipsec with oracle oci site to site. I tried, I think, every vendor for customer premises equipment that is available and nothing.


Errors I get

for ASA Policy-Based VPN 8.5+ (single tunnel, static)
" \"1132390500\" #1263: set ikev1 invalid key info error"


for ASA Route-Based VPN 9.7.1 or later
" \"1132390500\" #1266: malformed payload in packet"
" \"1132390500\" #1266: set ikev1 invalid key info error"


for IOS version 15.4M or later
" \"1545056614\" #1263: malformed payload in packet"
" \"1545056614\" #1263: 13003-byte length of ISAKMP Hash Payload is larger than can fit"

for FortiGate 6.0.4 or later
malformed payload in packet
set ikev1 invalid key info error


for "other"
on oci side:
" \"1132390500\": initiating connection which received a Delete/Notify but must remain up per local policy"
" \"1545056614\" #1265: malformed payload in packet"
on asus side:
Jun 17 18:17:13 07[IKE] found 1 matching config, but none allows pre-shared key authentication using Main Mode
Jun 17 18:17:13 07[ENC] generating INFORMATIONAL_V1 request 2901099300 [ HASH N(AUTH_FAILED) ]


SRX Series - JunOS 11.0 or later
oci:
" \"1132390500\" #1273: malformed payload in packet"
" \"1132390500\" #1273: set ikev1 invalid key info error"
asus:
Jun 17 18:25:49 06[IKE] found 1 matching config, but none allows pre-shared key authentication using Main Mode
Jun 17 18:25:49 06[ENC] generating INFORMATIONAL_V1 request 84190352 [ HASH N(AUTH_FAILED) ]

Others I tried (I will only mention if there is something different in logs, otherwise I will just write down the result):


MX Series - JunOS 15.1 or later
IKE SA not established

IX Series 10.1.16
IKE SA not established

FITELnet-F220/F221 Firmware 01.00(00)[0]00.00.0 [2019/07/05 15:00]
IKE SA not established

Checkpoint R80.20
IKE SA not established

Libreswan 3.18 or later
IKE SA not established - mismatch of shared secrets
asus:
Jun 17 18:35:50 05[IKE] found 1 matching config, but none allows pre-shared key authentication using Main Mode
Jun 17 18:35:50 05[ENC] generating INFORMATIONAL_V1 request 1945435021 [ HASH N(AUTH_FAILED) ]

Yamaha RTX RTX830 Firmware Rev.15.02.03
IKE SA not established - mismatch of shared secrets

Yamaha RTX RTX1210 Firmware Rev.14.01.28
IKE SA not established - mismatch of shared secrets


Firebox with Fireware v12
IKE SA not established - mismatch of shared secrets


PAN-OS 8.0.0
IKE SA not established

I can sometimes see in asus "Connection Status" in the ipsec vpn tab one client connecting, but it never connects.

Full log in asus:
Code:
Jun 17 18:46:11 07[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Jun 17 18:46:11 07[IKE] received DPD vendor ID
Jun 17 18:46:11 07[IKE] received NAT-T (RFC 3947) vendor ID
Jun 17 18:46:11 07[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jun 17 18:46:11 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 17 18:46:11 07[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jun 17 18:46:11 07[IKE] 193.122.7.196 is initiating a Main Mode IKE_SA
Jun 17 18:46:11 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun 17 18:46:11 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
Jun 17 18:46:11 07[NET] sending packet: from [500] to [500] (156 bytes)
Jun 17 18:46:11 06[NET] received packet: from [500] to [500] (244 bytes)
Jun 17 18:46:11 06[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 17 18:46:11 06[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 17 18:46:11 06[NET] sending packet: from [500] to [500] (244 bytes)
Jun 17 18:46:11 08[NET] received packet: from [500] to [500] (76 bytes)
Jun 17 18:46:11 08[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jun 17 18:46:11 08[CFG] looking for pre-shared key peer configs matching ...[]
Jun 17 18:46:11 08[IKE] found 1 matching config, but none allows pre-shared key authentication using Main Mode
Jun 17 18:46:11 08[ENC] generating INFORMATIONAL_V1 request 4236074460 [ HASH N(AUTH_FAILED) ]
Jun 17 18:46:11 08[NET] sending packet: from [500] to [500] (92 bytes)


Is there maybe some way to run libreswan or openswan or maybe strongSwan, maybe through entware?
If so, did anyone succeed with such a setup?
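Added example (my own code, not the poster's, Asuswrt-Merlin's or Oracle's): a small Python triage of charon log lines like the ones quoted above, reporting how far the IKEv1 Main Mode exchange got, which proposal was selected, and the authentication failure charon reported. The sample log embeds the relevant lines from the post; the stage names and the list of algorithms flagged as weak are my own.

```python
import re
from dataclasses import dataclass, field

# charon log line: "<Mon DD HH:MM:SS> <thread>[<subsystem>] <message>"
LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\d+)\[(\w+)\] (.*)$")
# IKEv1 Main Mode stages, keyed by the first payload charon prints for each request
MM_STAGES = [("SA", "MM1/2 proposal"), ("KE", "MM3/4 key exchange"), ("ID", "MM5/6 identity+auth")]
# algorithms a defender would flag if they show up in the selected proposal (my list)
WEAK_ALGS = {"MODP_768", "MODP_1024", "3DES_CBC", "MD5"}

@dataclass
class IkeTriage:
    proposal: str = ""
    stages_seen: list = field(default_factory=list)
    weak_algs: list = field(default_factory=list)
    failure: str = ""      # charon's own explanation, if it printed one
    notify: str = ""       # ISAKMP notify sent back to the peer

def triage(log: str) -> IkeTriage:
    """Walk charon lines in order and record how far the IKEv1 handshake got."""
    t = IkeTriage()
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        _ts, _thread, subsys, msg = m.groups()
        if subsys == "CFG" and msg.startswith("selected proposal: IKE:"):
            t.proposal = msg.split("IKE:", 1)[1]
            t.weak_algs = [a for a in t.proposal.split("/") if a in WEAK_ALGS]
        elif subsys == "ENC" and msg.startswith("parsed ID_PROT request"):
            payloads = msg[msg.index("[") + 1:msg.rindex("]")].split()
            for key, stage in MM_STAGES:
                if key in payloads and stage not in t.stages_seen:
                    t.stages_seen.append(stage)
        elif subsys == "IKE" and "none allows pre-shared key authentication" in msg:
            t.failure = msg
        elif subsys == "ENC" and "N(AUTH_FAILED)" in msg:
            t.notify = "AUTH_FAILED"
    return t

# Sample input: the charon lines quoted in the post above, trimmed to the relevant ones.
SAMPLE_LOG = """\
Jun 17 18:46:11 07[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Jun 17 18:46:11 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun 17 18:46:11 06[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 17 18:46:11 08[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jun 17 18:46:11 08[IKE] found 1 matching config, but none allows pre-shared key authentication using Main Mode
Jun 17 18:46:11 08[ENC] generating INFORMATIONAL_V1 request 4236074460 [ HASH N(AUTH_FAILED) ]
"""
```

Reaching the ID/HASH message means both proposal and key exchange completed, so an AUTH_FAILED at that point is about the authentication settings (PSK, peer identity, allowed auth method) rather than the algorithm proposals; the 1024-bit DH group in the selected proposal is worth noting separately as weak by current standards.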