<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">Hello,</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">I'm currently using strongSwan to authenticate a Windows 7 client to access my Linux server. I use the Win7 "Windows Firewall with Advanced Security" with the "Connection Security Rules" feature for the IPsec connection (it allows me to automatically authenticate the Win7 laptop when it tries to access the Linux server without user action). This Win7 client seems to only support IKEv1.</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">To have the minimum of network and server impact I authenticate the win7 using transport mode and null encryption.</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
I was previously on strongSwan version 4.x.x and I have updated strongSwan to version 5.0.1.</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">Since the update I'm no longer able to connect my Win7 in transport mode to the Linux server with strongSwan 5.0.x.</div>
<div><font color="#222222" face="arial, sans-serif">The main mode phase is OK but the quick mode never finishes and I have no error message. I have attached a pcap file from the Win7 side.</font></div></blockquote>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">My Win7 configuration, as returned by "netsh advfirewall consec>show rule name=WIN7_transport_103":</div></blockquote><div><br></div><div>
Rules Name: <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">WIN7_transport_103</span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">---------------------------------------------------------------------------------------------------------------</span></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Enabled: Yes</span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Profiles: Domain,Private,Public</span></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Type: Static</span></div><div><font color="#222222" face="arial, sans-serif">Mode: Transport</font></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Endpoint1: 192.168.1.2/32</span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Endpoint2: 192.168.1.103/32</span></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Protocol: Any</span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Action: RequireInRequireOut</span></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Auth1: ComputerPSK</span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Auth1PSK: toto</span></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">MainModeSecMethods: DHGroup2-3DES-MD5,DHGroup2-AES128-MD5</span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">QuickModeSecMethods: ESP:MD5-None+60min+100000kb,......</span></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">OK.</span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px"><br></span></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
My strongSwan configuration is the following:</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">xxxxxxxxxxxxxxxxxxxx</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
root@corellia:/etc# more ipsec.conf</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"># ipsec.conf - strongSwan IPsec configuration file</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"># basic configuration</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">config setup</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<span style="white-space:pre-wrap"> </span>charondebug="ike 2, net 2" </div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> uniqueids = yes</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
conn %default</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> auth=esp</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
mobike=no</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
conn WIN7_Transport</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> authby=psk</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
esp=null-md5!</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> ike=aes128-md5-modp1024,3des-md5-modp1024</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
keyexchange=ikev1</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> type=transport</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
left=192.168.1.103</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> right=192.168.1.2 </div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
auto=start</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> </div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
#include /var/lib/strongswan/ipsec.conf.inc</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">xxxxxxxxxxxxxxxxxxxx</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
I have the following ipsec status:</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">xxxxxxxxxxxxxxxxxxxx</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
root@corellia:/etc# ipsec statusall</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">Status of IKE charon daemon (strongSwan 5.0.1, Linux 2.6.32-45-generic, i686):</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> uptime: 14 minutes, since Mar 22 17:49:35 2013</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
malloc: sbrk 135168, mmap 0, used 104336, free 30832</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 16</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">Listening IP addresses:</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
172.16.1.254</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> 192.168.1.103</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
Connections:</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> EFB: 192.168.1.103...192.168.1.2 IKEv1</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
EFB: local: [192.168.1.103] uses pre-shared key authentication</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> EFB: remote: [192.168.1.2] uses pre-shared key authentication</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> EFB: child: dynamic === dynamic TRANSPORT</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
Security Associations (1 up, 0 connecting):</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> EFB[8]: ESTABLISHED 3 seconds ago, 192.168.1.103[192.168.1.103]...192.168.1.2[192.168.1.2]</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> EFB[8]: IKEv1 SPIs: c911ffdc4c6bf201_i 1b1a18a730dff768_r*, pre-shared key reauthentication in 2 hours</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> EFB[8]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
EFB[8]: Tasks passive: QUICK_MODE </div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">xxxxxxxxxxxxxxxxxxxx</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
- I made some additional tests and it works in tunnel mode with a similar configuration (except the type).</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
- I updated my strongSwan to the 5.0.2 release and with this version nothing works... (tunnel or transport).</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">I don't know if it is a bug in the IKEv1 implementation in the 5.0.x release or an issue in my config, and now I have no more ideas or way forward to get something that works.</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
Thanks in advance for your help or ideas to resolve my issue.</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
Regards,</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
Mickael</div>
</blockquote></div><br>