<div dir="ltr"><div>Thank you Martin.</div><div>It helped IPsec is now established but only IKE Phase 1 is up. Logs are saying, that everything established successfully, but no Phase2 is up.</div><div><br></div><div><font face="monospace,monospace"><em>root@enb-17:/etc# ipsec restart<br>Stopping strongSwan IPsec...<br>Starting strongSwan 5.2.1 IPsec [starter]...<br>root@enb-17:/etc# ipsec up test<br>initiating Aggressive Mode IKE_SA test[1] to 192.168.yy.yy<br>generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]<br>sending packet: from 192.168.xx.xx[500] to 192.168.yy.yy[500] (350 bytes)<br>received packet: from 192.168.yy.yy[500] to 192.168.xx.xx[500] (409 bytes)<br>parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D ]<br>received DPD vendor ID<br>received NAT-T (RFC 3947) vendor ID<br>received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00<br>faking NAT situation to enforce UDP encapsulation<br>generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]<br>sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (108 bytes)<br>received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (76 bytes)<br>parsed TRANSACTION request 4069442794 [ HASH CPRQ(X_USER X_PWD) ]<br>generating TRANSACTION response 4069442794 [ HASH CPRP(X_USER X_PWD) ]<br>sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (92 bytes)<br>received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (76 bytes)<br>parsed TRANSACTION request 666211454 [ HASH CPS(X_STATUS) ]<br>XAuth authentication of 'user' (myself) successful<br>IKE_SA test[1] established between 192.168.xx.xx[HIDDEN_ID1]...192.168.yy.yy[HIDDEN_ID2]<br>scheduling reauthentication in 86220s<br>maximum IKE_SA lifetime 86400s<br>generating TRANSACTION response 666211454 [ HASH CPA(X_STATUS) ]<br>sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)<br>received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (92 bytes)<br>parsed TRANSACTION request 1168201470 [ HASH CPS(ADDR MASK SUBNET) ]<br>handling INTERNAL_IP4_NETMASK attribute failed<br>handling INTERNAL_IP4_SUBNET attribute failed<br>installing new virtual IP 10.20.zz.zz<br>generating TRANSACTION response 1168201470 [ HASH CPA(ADDR) ]<br>sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)<br>generating QUICK_MODE request 1154954290 [ HASH SA No KE ID ID ]<br>sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (316 bytes)<br>received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (300 bytes)<br>parsed QUICK_MODE response 1154954290 [ HASH SA No KE ID ID ]<br>connection 'test' established successfully</em></font></div><div><font face="monospace,monospace"><em>root@enb-17:/etc# ipsec statusall<br>Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.10.41-031041-generic, x86_64):<br> uptime: 15 seconds, since Dec 22 13:43:47 2014<br> malloc: sbrk 675840, mmap 0, used 535920, free 139920<br> worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 9<br> loaded plugins: charon test-vectors ldap pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-libipsec kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic tnc-tnccs dhcp led addrblock<br>Listening IP addresses:<br> *<br>Connections:<br> test: 192.168.xx.xx...192.168.yy.yy IKEv1 Aggressive, dpddelay=10s<br> test: local: [HIDDEN_ID1] uses pre-shared key authentication<br> test: local: [HIDDEN_ID1] uses XAuth authentication: any with XAuth identity 'user'<br> test: remote: [HIDDEN_ID2] uses pre-shared key authentication<br> test: child: 10.xx.xxx.xx/32 === 10.yy.yy.yy/32 TUNNEL, dpdaction=restart<br>Security Associations (1 up, 0 connecting):<br> test[1]: ESTABLISHED 8 seconds ago, 192.168.xx.xx[HIDDEN_ID1]...192.168.yy.yy[HIDDEN_ID2]<br> test[1]: IKEv1 SPIs: b88fcca7af8ef6fb_i* ed25f627ba68ed81_r, pre-shared key+XAuth reauthentication in 23 hours<br> test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>root@enb-17:/etc#</em></font></div><div><br></div><div><br></div><div>I'm wondering - should Strongswan aggressive mode psk xauth with Juniper SRX devices?</div><div><br></div><div>Here's IPsec.conf..</div><div>conn %default<br> keyingtries=%forever<br> mobike=no<br> ikelifetime=86400<br> keylife=86400<br> rekeymargin=180s<br> ike=aes128-sha1-modp1024!<br> esp=aes128-sha1-modp1024!<br> authby=xauthpsk<br> dpdaction=restart<br> dpddelay=10<br> dpdtimeout=30<br> rekeyfuzz=0%<br> auto=add<br> keyexchange=ikev1<br> rightid=HIDDEN_ID2<br> right=192.168.yy.yy<br>conn test<br> aggressive=yes<br> left=192.168.xx.xx<br> leftid=HIDDEN_ID1<br> leftauth=psk<br> leftauth2=xauth<br> leftsourceip=%config<br> leftsubnet=10.aa.aa.aa/32<br> rightsubnet=<a href="http://10.bb.bb.bb/32">10.bb.bb.bb/32</a><br> rightauth=psk<br> xauth=client<br> xauth_identity=user<br> modeconfig=push</div><div><br></div><div>Best Regards,</div><div>Marcin<br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2014-12-19 16:35 GMT+01:00 Martin Willi <span dir="ltr"><<a href="mailto:martin@strongswan.org" target="_blank">martin@strongswan.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<span><br>
> generating TRANSACTION response <a href="tel:4124377813" value="+14124377813">4124377813</a> [ HASH CPA(X_STATUS) ]<br>
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)<br>
> generating TRANSACTION request 2379419226 [ HASH CPRQ(ADDR DNS) ]<br>
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)<br>
> received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (92 bytes)<br>
> queueing TRANSACTION request as tasks still active<br>
> received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (60 bytes)<br>
> payload of type CONFIGURATION_V1 not occurred<br>
<br>
</span>Your gateway is initiating a TRANSACTION request after XAuth. Most<br>
likely it is configured to use push mode, while strongSwan performs a<br>
Mode Config pull.<br>
<br>
Try to switch to push mode in strongSwan by setting modeconfig=push in<br>
your connection definition.<br>
<br>
Regards<br>
<span class="HOEnZb"><font color="#888888">Martin<br>
<br>
</font></span></blockquote></div><br></div>