<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Arial, sans-serif" size="2">
<div>Hello,</div>
<div> </div>
<div>I'm setting up an IKEv2 tunnel between a Juniper Gateway and strongSwan with IKEv2.</div>
<div>Simple configuration: static IP addresses on both sides, pre-shared secret, tunnel mode (see strongSwan IPsec configuration file below).</div>
<div>The initiator (strongSwan) sends the first message and gets an answer, but then strongSwan does not answer anymore (see Wireshark trace below).</div>
<div>I noticed in the answer of the Responder there is a Certificate Request, even though pre-shared secrets are used. Could that be the reason why it is not responding?</div>
<div> </div>
<div>Best regards,</div>
<div>Laurence</div>
<div> </div>
<div>--------------</div>
<div> </div>
<div>Wireshark trace:</div>
<div>No. Time Source Destination Protocol Info</div>
<div> 1 0.000000 192.168.30.51 192.168.30.254 ISAKMP IKE_SA_INIT</div>
<div> </div>
<div>Frame 1 (386 bytes on wire, 386 bytes captured)</div>
<div>Ethernet II, Src: Belkin_d0:77:2c (00:17:3f:d0:77:2c), Dst: 80:71:1f:b7:b1:85 (80:71:1f:b7:b1:85)</div>
<div>Internet Protocol, Src: 192.168.30.51 (192.168.30.51), Dst: 192.168.30.254 (192.168.30.254)</div>
<div>User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)</div>
<div> Source port: isakmp (500)</div>
<div> Destination port: isakmp (500)</div>
<div> Length: 352</div>
<div> Checksum: 0x2d58 [correct]</div>
<div>Internet Security Association and Key Management Protocol</div>
<div> Initiator cookie: 593AD8AC6A5DB624</div>
<div> Responder cookie: 0000000000000000</div>
<div> Next payload: Security Association (33)</div>
<div> Version: 2.0</div>
<div> Exchange type: IKE_SA_INIT (34)</div>
<div> Flags: 0x08</div>
<div> Message ID: 0x00000000</div>
<div> Length: 344</div>
<div> Security Association payload</div>
<div> Next payload: Key Exchange (34)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 88</div>
<div> Proposal payload # 1</div>
<div> Next payload: Proposal (2)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 44</div>
<div> Proposal number: 1</div>
<div> Protocol ID: ISAKMP (1)</div>
<div> SPI Size: 0</div>
<div> Proposal transforms: 4</div>
<div> Transform payload</div>
<div> Next payload: Transform (3)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 12</div>
<div> Transform type: Encryption Algorithm (ENCR) (1)</div>
<div> Transform ID: ENCR_AES_CBC (12)</div>
<div> Key Length (in bits) (14): Key-Length (128)</div>
<div> Transform payload</div>
<div> Next payload: Transform (3)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 8</div>
<div> Transform type: Integrity Algorithm (INTEG) (3)</div>
<div> Transform ID: AUTH_HMAC_SHA1_96 (2)</div>
<div> Transform payload</div>
<div> Next payload: Transform (3)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 8</div>
<div> Transform type: Pseudo-random Function (PRF) (2)</div>
<div> Transform ID: PRF_HMAC_SHA1 (2)</div>
<div> Transform payload</div>
<div> Next payload: NONE (0)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 8</div>
<div> Transform type: Diffie-Hellman Group (D-H) (4)</div>
<div> Transform ID: Group 2 - 1024 Bit MODP (2)</div>
<div> Proposal payload # 2</div>
<div> Next payload: NONE (0)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 40</div>
<div> Proposal number: 2</div>
<div> Protocol ID: ISAKMP (1)</div>
<div> SPI Size: 0</div>
<div> Proposal transforms: 4</div>
<div> Transform payload</div>
<div> Next payload: Transform (3)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 8</div>
<div> Transform type: Encryption Algorithm (ENCR) (1)</div>
<div> Transform ID: ENCR_3DES (3)</div>
<div> Transform payload</div>
<div> Next payload: Transform (3)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 8</div>
<div> Transform type: Integrity Algorithm (INTEG) (3)</div>
<div> Transform ID: AUTH_HMAC_SHA1_96 (2)</div>
<div> Transform payload</div>
<div> Next payload: Transform (3)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 8</div>
<div> Transform type: Pseudo-random Function (PRF) (2)</div>
<div> Transform ID: PRF_HMAC_SHA1 (2)</div>
<div> Transform payload</div>
<div> Next payload: NONE (0)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 8</div>
<div> Transform type: Diffie-Hellman Group (D-H) (4)</div>
<div> Transform ID: Group 2 - 1024 Bit MODP (2)</div>
<div> Key Exchange payload</div>
<div> Next payload: Nonce (40)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 136</div>
<div> DH Group #: 2</div>
<div> Key Exchange Data (128 bytes / 1024 bits)</div>
<div> Nonce payload</div>
<div> Next payload: Notification (41)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 36</div>
<div> Nonce Data</div>
<div> Notification payload</div>
<div> Next payload: Notification (41)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 28</div>
<div> Protocol ID: RESERVED (0)</div>
<div> SPI Size: 0</div>
<div> Message type: NAT_DETECTION_SOURCE_IP (16388)</div>
<div> Notification Data</div>
<div> Notification payload</div>
<div> Next payload: NONE (0)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 28</div>
<div> Protocol ID: RESERVED (0)</div>
<div> SPI Size: 0</div>
<div> Message type: NAT_DETECTION_DESTINATION_IP (16389)</div>
<div> Notification Data</div>
<div> </div>
<div>No. Time Source Destination Protocol Info</div>
<div> 2 0.001877 192.168.30.254 192.168.30.51 ISAKMP IKE_SA_INIT</div>
<div> </div>
<div>Frame 2 (295 bytes on wire, 295 bytes captured)</div>
<div>Ethernet II, Src: 80:71:1f:b7:b1:85 (80:71:1f:b7:b1:85), Dst: Belkin_d0:77:2c (00:17:3f:d0:77:2c)</div>
<div>Internet Protocol, Src: 192.168.30.254 (192.168.30.254), Dst: 192.168.30.51 (192.168.30.51)</div>
<div>User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)</div>
<div> Source port: isakmp (500)</div>
<div> Destination port: isakmp (500)</div>
<div> Length: 261</div>
<div> Checksum: 0xa6ee [correct]</div>
<div>Internet Security Association and Key Management Protocol</div>
<div> Initiator cookie: 593AD8AC6A5DB624</div>
<div> Responder cookie: 66094DB1161AFEE6</div>
<div> Next payload: Security Association (33)</div>
<div> Version: 2.0</div>
<div> Exchange type: IKE_SA_INIT (34)</div>
<div> Flags: 0x20</div>
<div> Message ID: 0x00000000</div>
<div> Length: 253</div>
<div> Security Association payload</div>
<div> Next payload: Key Exchange (34)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 48</div>
<div> Proposal payload # 1</div>
<div> Next payload: NONE (0)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 44</div>
<div> Proposal number: 1</div>
<div> Protocol ID: ISAKMP (1)</div>
<div> SPI Size: 0</div>
<div> Proposal transforms: 4</div>
<div> Transform payload</div>
<div> Next payload: Transform (3)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 12</div>
<div> Transform type: Encryption Algorithm (ENCR) (1)</div>
<div> Transform ID: ENCR_AES_CBC (12)</div>
<div> RESERVED TO IANA (7424): &lt;too big (128 bytes)&gt;</div>
<div> Transform payload</div>
<div> Next payload: Transform (3)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 8</div>
<div> Transform type: Pseudo-random Function (PRF) (2)</div>
<div> Transform ID: PRF_HMAC_SHA1 (2)</div>
<div> Transform payload</div>
<div> Next payload: Transform (3)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 8</div>
<div> Transform type: Integrity Algorithm (INTEG) (3)</div>
<div> Transform ID: AUTH_HMAC_SHA1_96 (2)</div>
<div> Transform payload</div>
<div> Next payload: NONE (0)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 8</div>
<div> Transform type: Diffie-Hellman Group (D-H) (4)</div>
<div> Transform ID: Group 2 - 1024 Bit MODP (2)</div>
<div> Key Exchange payload</div>
<div> Next payload: Nonce (40)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 136</div>
<div> DH Group #: 2</div>
<div> Key Exchange Data (128 bytes / 1024 bits)</div>
<div> Nonce payload</div>
<div> Next payload: Certificate Request (38)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 36</div>
<div> Nonce Data</div>
<div> Certificate Request payload</div>
<div> Next payload: NONE (0)</div>
<div> 0... .... = Not critical</div>
<div> Payload length: 5</div>
<div> Certificate type: 4 - X.509 Certificate - Signature</div>
<div> </div>
<div>------------------</div>
<div># ipsec.conf - strongSwan IPsec configuration file</div>
<div> </div>
<div># basic configuration</div>
<div> </div>
<div>config setup</div>
<div> plutostart=no</div>
<div> charondebug="ike 4, knl 4, cfg 4"</div>
<div> </div>
<div>conn %default</div>
<div> dpdaction=restart</div>
<div> dpddelay=10s</div>
<div> auth=esp</div>
<div> forceencaps=no</div>
<div> installpolicy=yes</div>
<div> esp=aes128-sha1-modp1024,3des-sha1-modp1024!</div>
<div> ike=aes128-sha-modp1024,3des-sha-modp1024!</div>
<div> ikelifetime=28800s</div>
<div> keylife=28880s</div>
<div> rekeymargin=5760s</div>
<div> keyingtries=1</div>
<div> leftauth=psk</div>
<div> rightauth=psk</div>
<div> keyexchange=ikev2</div>
<div> mobike=no</div>
<div> reauth=no</div>
<div> </div>
<div>conn net-net</div>
<div> left=192.168.30.51</div>
<div> leftsourceip=192.168.30.20</div>
<div> right=192.168.30.254</div>
<div> auto=start</div>
<div> type=tunnel</div>
<div> rightsubnet=192.168.1.2/24</div>
<div> </div>
<div> </div>
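<div>An added example, not part of this post or of strongSwan's code: a small parser for the IKEv2 fixed header and generic payload chain, run over a constructed stand-in for frame 2 of the trace (SPIs, flags and payload order are taken from the trace; the SA, KE and Nonce bodies are dummy filler), so the Response flag and the Nonce then Certificate Request payload order that Wireshark shows can be checked byte by byte. The dictionary names and the builder function are assumptions of this example.</div>

```python
import struct

# IKEv2 values (RFC 7296) that appear in the Wireshark trace above
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {0: "NONE", 33: "SA", 34: "KE", 38: "CERTREQ", 40: "Nonce", 41: "Notify"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20   # frame 1 shows flags 0x08, frame 2 shows 0x20

def parse_ikev2(msg):
    """Parse the 28-byte IKEv2 header and walk the generic payload headers like the dissector."""
    if len(msg) < 28:
        raise ValueError("short IKE header")
    spi_i, spi_r, first, ver, exch, flags, _msg_id, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if ver != 0x20:
        raise ValueError("not IKEv2 (version byte 0x%02x)" % ver)
    if length != len(msg):
        raise ValueError("header length %d != datagram length %d" % (length, len(msg)))
    payloads, next_pl, off = [], first, 28
    while next_pl != 0:   # chain ends when a payload's "next payload" is NONE (0)
        if off + 4 > len(msg):
            raise ValueError("payload chain runs past end of message")
        following, _crit, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append((PAYLOAD_TYPES.get(next_pl, str(next_pl)), msg[off + 4:off + plen]))
        next_pl, off = following, off + plen
    return {"spi_i": spi_i.hex().upper(), "spi_r": spi_r.hex().upper(),
            "exchange": EXCHANGE_TYPES.get(exch, str(exch)), "payloads": payloads,
            "is_response": bool(flags & FLAG_RESPONSE), "from_initiator": bool(flags & FLAG_INITIATOR)}

def build_msg(spi_i, spi_r, exch, flags, chain):
    """Assemble header + payload chain; chain is [(payload type, body), ...]."""
    body = b""
    for i, (_ptype, pbody) in enumerate(chain):
        following = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(pbody)) + pbody
    return struct.pack("!8s8sBBBBII", spi_i, spi_r, chain[0][0], 0x20, exch, flags, 0, 28 + len(body)) + body

# Constructed stand-in for frame 2: SPIs, flags and payload order come from the
# trace; the SA/KE/Nonce bodies are dummy filler (the real KE body is 128 bytes).
SAMPLE_RESPONSE = build_msg(
    bytes.fromhex("593AD8AC6A5DB624"), bytes.fromhex("66094DB1161AFEE6"), 34, FLAG_RESPONSE,
    [(33, b"\x00" * 44), (34, b"\x00\x02\x00\x00" + b"\x11" * 16), (40, b"\x22" * 32),
     (38, b"\x04")])   # CERTREQ body: encoding 4 = X.509 signature, no CA hashes attached

def certreq_in_sa_init(msg):
    """True if an IKE_SA_INIT response carries a CERTREQ. RFC 7296 section 1.2
    lists [CERTREQ] as optional there, so a PSK-authenticating peer can ignore it."""
    info = parse_ikev2(msg)
    return (info["exchange"] == "IKE_SA_INIT" and info["is_response"]
            and any(name == "CERTREQ" for name, _ in info["payloads"]))
```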
</font>
</body>
</html>