<div dir="ltr"><p>Dear All,</p><p>I am facing a problem with strongSwan-5.0.2. I am using strongSwan to terminate incoming IPSec tunnels and forward the traffic flowing inside the tunnel to other servers. strongSwan runs on a CentOS 6.3 Linux box that sits behind a Linux firewall. The IPSec clients are a Cisco ASA firewall and a Cisco ISR router. Occasionally I use strongSwan on a Linux client to test the setup. I am using PSK authentication (shared secret).</p>
<p>I see the error below thrown by the charon daemon when the Cisco devices initiate the tunnel using IKEv1. I can see that the charon daemon is not able to decrypt the encrypted payload to extract the ID.</p><p>Jun 13 10:43:33 09[ENC] encrypted => 96 bytes @ 0x7f8930005030<br>
Jun 13 10:43:33 09[ENC] 0: 60 8C DB 8A 8A 6E 49 5F 7F 45 62 4E B3 09 13 8F `....nI_.EbN....<br>Jun 13 10:43:33 09[ENC] 16: B4 B2 7B E3 1A 97 CC 92 A9 0B F4 AF AA 2A 9E 8A ..{..........*..<br>Jun 13 10:43:33 09[ENC] 32: 75 67 08 53 A9 51 1D 4E 08 A9 63 85 FF F5 AB 1A ug.S.Q.N..c.....<br>
Jun 13 10:43:33 09[ENC] 48: 9B 0E F4 E0 17 43 0C FF 6E 00 99 B8 CC 5A 0D 30 .....C..n....Z.0<br>Jun 13 10:43:33 09[ENC] 64: CA 11 D7 B2 C3 19 2D 93 CF 25 93 0A 78 36 51 21 ......-..%..x6Q!<br>Jun 13 10:43:33 09[ENC] 80: 2B 5C E2 C2 CA 22 8B 43 BD 46 4A FA 5A 75 52 90 +\...".C.FJ.ZuR.<br>
Jun 13 10:43:33 09[ENC] plain => 96 bytes @ 0x7f8930005030<br>Jun 13 10:43:33 09[ENC] 0: 38 A4 9B D6 8C 89 3C A8 E4 52 95 A8 42 69 68 21 8.....<..R..Bih!<br>Jun 13 10:43:33 09[ENC] 16: E6 CB 40 50 3D 48 EC 9F E0 1B 7B 80 53 C5 4D 85 ..@P=H....{.S.M.<br>
Jun 13 10:43:33 09[ENC] 32: B0 71 DA 15 08 C7 50 1E 69 B3 A2 40 B9 27 5D 13 .q....P.i..@.'].<br>Jun 13 10:43:33 09[ENC] 48: 70 4D 5F E2 21 DB 1A 1F FF 10 B7 11 15 E8 D7 BA pM_.!...........<br>Jun 13 10:43:33 09[ENC] 64: A2 A1 69 CF DF D5 1E C4 EA C1 4C 73 20 E7 38 02 ..i.......Ls .8.<br>
Jun 13 10:43:33 09[ENC] 80: 01 25 F3 D8 00 AE 2C 57 82 D1 82 EC E2 4D 3F A8 .%....,W.....M?.<br>Jun 13 10:43:33 09[ENC] invalid ID_V1 payload length, decryption failed?<br>Jun 13 10:43:33 09[ENC] could not decrypt payloads<br>
Jun 13 10:43:33 09[IKE] message parsing failed</p><p><br>The same setup used to work before, when I was using strongSwan-4.5.3. To make sure my client configurations are correct, I downgraded strongSwan to 4.5.3 on the VPN concentrator and it worked. When I upgraded strongSwan to 5.0.2 again, it did not work. Can you please shed some light on this issue?</p>
<p>The relevant section of the server side ipsec.conf is below.</p><div>conn PSK_IKEv1<br> keyexchange=ikev1<br> authby=secret<br> auth=esp<br> esp=aes128-sha1,3des-sha1,null-sha1<br> leftupdown=/usr/local/etc/mark_updown<br>
left=%defaultroute<br> leftsubnet=0.0.0.0/0<br> leftid=@my.vpn.net<br> right=%any<br> rightid=%any<br> rightsubnet=0.0.0.0/0<br>
type=tunnel<br> auto=add</div><div>I have also ensured that the client is sending the password correctly (i.e., the one that I have set in ipsec.secrets).</div><p>regards,<br>dk</p></div>
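<p>Added illustration, not part of the original post and not strongSwan's own code: the script below parses the charon <code>[ENC]</code> hex dumps quoted above and applies the generic ISAKMP payload-header sanity check (RFC 2408 section 3.2: Next Payload, RESERVED, Payload Length) to the decrypted bytes. That is the kind of check behind the "invalid ID_V1 payload length, decryption failed?" message: the first four decrypted bytes <code>38 A4 9B D6</code> declare a payload length of 39894 in a 96-byte buffer with a non-zero reserved byte, so the plaintext cannot be a valid ID payload. The ID_FQDN control payload, and the protocol 17 / port 500 values in its body, are assumptions made for the example.</p>

```python
import re
import struct

# Constructed sample: the "encrypted =>" and "plain =>" hex dumps copied from the
# charon log quoted in the post above. Charon logs the ciphertext, then the result
# of decrypting it in place, then tries to parse that result as an IKEv1 payload chain.
CHARON_ENC_LOG = r"""
Jun 13 10:43:33 09[ENC] encrypted => 96 bytes @ 0x7f8930005030
Jun 13 10:43:33 09[ENC] 0: 60 8C DB 8A 8A 6E 49 5F 7F 45 62 4E B3 09 13 8F `....nI_.EbN....
Jun 13 10:43:33 09[ENC] 16: B4 B2 7B E3 1A 97 CC 92 A9 0B F4 AF AA 2A 9E 8A ..{..........*..
Jun 13 10:43:33 09[ENC] 32: 75 67 08 53 A9 51 1D 4E 08 A9 63 85 FF F5 AB 1A ug.S.Q.N..c.....
Jun 13 10:43:33 09[ENC] 48: 9B 0E F4 E0 17 43 0C FF 6E 00 99 B8 CC 5A 0D 30 .....C..n....Z.0
Jun 13 10:43:33 09[ENC] 64: CA 11 D7 B2 C3 19 2D 93 CF 25 93 0A 78 36 51 21 ......-..%..x6Q!
Jun 13 10:43:33 09[ENC] 80: 2B 5C E2 C2 CA 22 8B 43 BD 46 4A FA 5A 75 52 90 +\...".C.FJ.ZuR.
Jun 13 10:43:33 09[ENC] plain => 96 bytes @ 0x7f8930005030
Jun 13 10:43:33 09[ENC] 0: 38 A4 9B D6 8C 89 3C A8 E4 52 95 A8 42 69 68 21 8.....<..R..Bih!
Jun 13 10:43:33 09[ENC] 16: E6 CB 40 50 3D 48 EC 9F E0 1B 7B 80 53 C5 4D 85 ..@P=H....{.S.M.
Jun 13 10:43:33 09[ENC] 32: B0 71 DA 15 08 C7 50 1E 69 B3 A2 40 B9 27 5D 13 .q....P.i..@.'].
Jun 13 10:43:33 09[ENC] 48: 70 4D 5F E2 21 DB 1A 1F FF 10 B7 11 15 E8 D7 BA pM_.!...........
Jun 13 10:43:33 09[ENC] 64: A2 A1 69 CF DF D5 1E C4 EA C1 4C 73 20 E7 38 02 ..i.......Ls .8.
Jun 13 10:43:33 09[ENC] 80: 01 25 F3 D8 00 AE 2C 57 82 D1 82 EC E2 4D 3F A8 .%....,W.....M?.
"""

HEADER_RE = re.compile(r"\[ENC\] (encrypted|plain) => (\d+) bytes")
ROW_RE = re.compile(r"\[ENC\]\s+(\d+): (.*)")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_charon_dump(log, kind="plain"):
    """Return the bytes of the first `kind` ("plain" or "encrypted") hex dump found
    in charon [ENC] log lines. Rows look like "<offset>: <up to 16 hex bytes> <ascii>";
    the ASCII column is skipped and the declared byte count bounds the result."""
    total, buf = None, bytearray()
    for line in log.splitlines():
        head = HEADER_RE.search(line)
        if head:
            if total is not None:      # the next dump starts, so ours is complete
                break
            if head.group(1) == kind:
                total = int(head.group(2))
            continue
        row = ROW_RE.search(line)
        if total is None or not row or int(row.group(1)) != len(buf):
            continue
        taken = 0
        for tok in row.group(2).split():
            if taken == 16 or len(buf) == total or not HEX_RE.match(tok):
                break                  # past the hex column (or the dump is full)
            buf.append(int(tok, 16))
            taken += 1
    if total is None or len(buf) != total:
        raise ValueError("no complete %r dump found" % kind)
    return bytes(buf)


def check_isakmp_payload_header(plain):
    """Sanity-check the ISAKMP generic payload header (RFC 2408 section 3.2) that
    starts a decrypted IKEv1 payload chain: Next Payload (1 byte), RESERVED (1 byte,
    must be zero), Payload Length (2 bytes, big-endian, 4..len(plain)).
    Returns (ok, reason). Random-looking values here usually mean the decryption
    keys do not match the peer's, rather than a malformed payload."""
    if len(plain) < 4:
        return False, "only %d bytes, header needs 4" % len(plain)
    next_payload, reserved, length = struct.unpack("!BBH", plain[:4])
    if length < 4 or length > len(plain):
        return False, "payload length %d not within 4..%d" % (length, len(plain))
    if reserved != 0:
        return False, "reserved byte is 0x%02x, must be 0" % reserved
    return True, "next=%d length=%d" % (next_payload, length)


ISAKMP_PAYLOAD_HASH = 8   # Next Payload value for a HASH payload (RFC 2408)
ID_FQDN = 2               # IKEv1 ID type for a fully qualified domain name (RFC 2407)


def build_id_fqdn_payload(fqdn, next_payload=ISAKMP_PAYLOAD_HASH):
    """Well-formed IKEv1 ID payload (ID_FQDN) as a control case. The Protocol ID
    17 (UDP) and port 500 in the ID body are assumed values for this example."""
    body = struct.pack("!BBH", ID_FQDN, 17, 500) + fqdn.encode()
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


if __name__ == "__main__":
    for kind in ("encrypted", "plain"):
        data = parse_charon_dump(CHARON_ENC_LOG, kind)
        print(kind, data[:4].hex(), check_isakmp_payload_header(data))
    print("control", check_isakmp_payload_header(build_id_fqdn_payload("my.vpn.net")))
```

<p>Run it as-is: the "plain" dump fails the length check (39894 bytes declared in a 96-byte buffer), while the constructed ID_FQDN control passes with <code>next=8 length=18</code>. Pasting a different charon dump into <code>CHARON_ENC_LOG</code> is enough to repeat the check on your own logs.</p>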