[strongSwan] IPsec - between TL-ER6120 and OpenWRT with strongSwan [beginner]

Noel Kuntze noel at familie-kuntze.de
Mon Jul 20 14:19:12 CEST 2015



Hello Tomek,

I can tell from "Exchange Mode: Main" that it uses IKEv1.
Append an @ to the IDs on the strongSwan side
to force charon to send the ID as type FQDN,
which the other side expects (you set ID type to FQDN).
Use AES-128 instead of 3DES. You should also
use SHA1, not MD5. Furthermore, you enabled PFS in
the configuration on the TP link, but not in strongSwan.
Append the correct dh group to your ESP cipher settings.

Look at the logs in the webinterface to find out what the TP link
side doesn't like.

Kind regards/Regards,
Noel Kuntze
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 20.07.2015 at 13:58, tomek_byd at tlen.pl wrote:
> Hello!
> 
> After the change from IKEv1 to IKEv2 I have errors as shown below. In
> the settings TP-Link I don't see the possibility to change IKEv1/v2. I
> don't know what is even set in TP-Link. A sample panel is visible on
> http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
> What is best to change 3DES?
> 
> root at SomeWRT:~# ipsec up somename
> no files found matching '/etc/strongswan.d/*.conf'
> initiating Main Mode IKE_SA somename[1] to A.A.A.A
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
> received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
> parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
> received NO_PROPOSAL_CHOSEN error notify
> establishing connection 'somename' failed
> 
> 2015-07-19 22:32 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
> Hello Tomek,
> 
> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very slow.
> 
> Kind regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> On 19.07.2015 at 13:34, tomek_byd wrote:
>>>> I don't know how to write the correct config file for the connection. My config is a conglomeration of many examples from the Internet. So far I haven't had contact with IPsec. I'm under the control of TL-ER6120 and OpenWRT so I can make changes on both devices. I see the error "IDr payload missing" but parameter "leftid" is set in the config file.
>>>>
>>>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <-> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>>>>
>>>> TL-ER6120 configuration:
>>>> IKE Proposal: MD5, 3DES, DH2
>>>> IKE Policy:
>>>>   Exchange Mode: main,
>>>>   Local ID Type: FQDN,
>>>>   Local ID: A.A.A.A
>>>>   Remote ID Type: FQDN
>>>>   Remote ID: B.B.B.B
>>>>   Pre-shared Key: XXXXXX
>>>>   SA Lifetime: 28800
>>>>   DPD: Disable
>>>> IPsec Proposal: ESP, MD5, 3DES
>>>> IPsec Policy:
>>>>   Mode: LAN-to-LAN
>>>>   Local Subnet: 192.168.1.0/24
>>>>   Remote Subnet: 192.168.2.0/24
>>>>   WAN: WAN1
>>>>   Remote Gateway: B.B.B.B
>>>>   Policy Mode: IKE
>>>>   PFS: DH2
>>>>   SA Lifetime: 28800
>>>>
>>>> OpenWRT configuration:
>>>> /etc/ipsec.conf:
>>>> config setup
>>>>     # strictcrlpolicy = no
>>>>     # uniqueids = no
>>>> conn somename
>>>>     ikelifetime=60m
>>>>     keylife=20m
>>>>     rekeymargin=3m
>>>>     keyingtries=1
>>>>     keyexchange=ikev2
>>>>     type=tunnel
>>>>     authby=secret
>>>>     ike=3des-md5-modp1024!
>>>>     esp=3des-md5!
>>>>     rekey=no
>>>>     left=B.B.B.B
>>>>     leftid=B.B.B.B
>>>>     leftsubnet=192.168.2.0/24
>>>>     leftauth=psk
>>>>     right=A.A.A.A
>>>>     rightid=A.A.A.A
>>>>     rightsubnet=192.168.1.0/24
>>>>     rightauth=psk
>>>>     dpdaction=none
>>>>     auto=add
>>>>     mobike=no
>>>> /etc/ipsec.secrets
>>>> A.A.A.A : PSK "XXXXXX"
>>>> B.B.B.B : PSK "XXXXXX"
>>>>
>>>> Output:
>>>> root at SomeWRT:~# ipsec up somename
>>>> no files found matching '/etc/strongswan.d/*.conf'
>>>> initiating IKE_SA somename[1] to A.A.A.A
>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
>>>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
>>>> local host is behind NAT, sending keep alives
>>>> remote host is behind NAT
>>>> authentication of 'B.B.B.B' (myself) with pre-shared key
>>>> establishing CHILD_SA somename
>>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
>>>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
>>>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
>>>> IDr payload missing
>>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
>>>> establishing connection 'somename' failed
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
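The conn section rewritten with the changes Noel lists above (IKEv1, AES-128/SHA1, FQDN-typed IDs, DH group on the ESP proposal), as an added example rather than a configuration posted in the thread. It assumes the TP-Link's IKE and IPsec proposals are changed to AES-128/SHA1 as well and that the ipsec.secrets entries stay as Tomek posted them.

```ini
config setup
    # strictcrlpolicy = no
    # uniqueids = no

conn somename
    # "Exchange Mode: Main" on the TP-Link means IKEv1, not IKEv2
    keyexchange=ikev1
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    type=tunnel
    # pre-shared key on both sides; leftauth/rightauth are not needed here
    authby=secret
    # AES-128 and SHA1 instead of 3DES and MD5; DH2 on the TP-Link is modp1024
    ike=aes128-sha1-modp1024!
    # PFS is enabled on the TP-Link (PFS: DH2), so the ESP proposal
    # has to carry the same DH group
    esp=aes128-sha1-modp1024!
    rekey=no
    left=B.B.B.B
    # leading @ makes charon send the ID with type FQDN,
    # matching "Remote ID Type: FQDN" on the TP-Link
    leftid=@B.B.B.B
    leftsubnet=192.168.2.0/24
    right=A.A.A.A
    # same for the ID we expect from the TP-Link ("Local ID Type: FQDN")
    rightid=@A.A.A.A
    rightsubnet=192.168.1.0/24
    # DPD is disabled on the TP-Link
    dpdaction=none
    auto=add
    # mobike=no removed: MOBIKE is an IKEv2-only option
```

After editing, run `ipsec reload` (or `ipsec restart`) and `ipsec up somename` again, then compare the charon log with the TP-Link's web-interface log as Noel suggests.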

