<div dir="ltr">Just to clarify, the client and the server mode has to agree. In your case, the client is sending aggressive, but the server doesn't support it. I actually use NCP-e for ikev1, and there is a setting for aggressive versus main mode.<div><br></div><div>Aggresive mode should only be used in a no other solution exists scenario.</div><div><br></div><div><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 15, 2015 at 7:05 PM, Randy Wyatt <span dir="ltr"><<a href="mailto:rwwyatt01@gmail.com" target="_blank">rwwyatt01@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">You commented the line <span style="font-size:12.8000001907349px">i_dont_care_about_security_</span><span style="font-size:12.8000001907349px">and_use_aggressive_mode_psk = yes out of strongswan.conf so aggressive mode is no longer supported.</span><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">The line </span><span style="font-size:12.8000001907349px">i_dont_care_about_security_</span><span style="font-size:12.8000001907349px">and_use_aggressive_mode_psk = yes must <b>not</b> be commented out.</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">The client is expecting aggressive mode, but you disabled it on the server.</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">Does this clarify things?</span></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Wed, Jul 15, 2015 at 7:02 PM, Tom Hu <span dir="ltr"><<a href="mailto:pleasetalktome@gmail.com" target="_blank">pleasetalktome@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Randy<div><br></div><div>Thanks for replying</div><div><br></div><div>I do not understand that "Strongswan didn't find a proposal to match because it doesn't support aggressive mode"</div><div>BTW: Does strongswan not support AG mode? is it true? I did test of cert, it uses MM mode</div><div><br></div><div>the problem is got error "<span style="color:rgb(80,0,80)">but none allows XAuthInitPSK authentication using Aggressive Mode"</span></div><div><span style="color:rgb(80,0,80)"><br></span></div><div><span style="color:rgb(80,0,80)">and communication is stopped</span></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Thanks </div><span><font color="#888888"><div class="gmail_extra"><br></div></font></span><div class="gmail_extra"><span><font color="#888888">Tom</font></span><div><div><br><div class="gmail_quote">On Wed, Jul 15, 2015 at 5:13 PM, Randy Wyatt <span dir="ltr"><<a href="mailto:rwwyatt01@gmail.com" target="_blank">rwwyatt01@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div>I think the behavior is right, but someone more qualified than me would have to comment.</div><div><br></div><div>Strongswan didn't find a proposal to match because it doesn't support aggressive mode. What is the problem here?</div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Wed, Jul 15, 2015 at 5:08 PM, Tom Hu <span dir="ltr"><<a href="mailto:pleasetalktome@gmail.com" target="_blank">pleasetalktome@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div><div dir="ltr">Hi ALL<br><br>I used strongswan as GW and cisco vpn as client on Windows 7 to test interoperbility using preshare key.<br>got the error "but none allows XAuthInitPSK authentication using Aggressive Mode"<br><br>the config of strongswan<br><br>conn %default<br> ikelifetime=60m<br> rekeymargin=3m<br> keyingtries=1<br> mobike=no<br> keyexchange=ikev1<br><br>include /etc/ipsec.cert.conf<br><br><br>conn cert<br> type=tunnel<br> auto=add<br> esp=aes128-sha1!<br> ike=aes128-sha1-modp1024!<br> left=192.168.11.55<br> right=%any<br> leftauth=psk<br> rightauth=psk<br> rightauth2=xauth<br> rightdns=10.3.0.1<br> leftsubnet=<a href="http://10.3.1.0/24" target="_blank">10.3.1.0/24</a><br> rightsourceip=<a href="http://10.3.0.0/28" target="_blank">10.3.0.0/28</a><br><br><br><br>cisco vpn Client (not anyconnect) - using "group authentication"<br><br>stronswan.conf<br>charon {<br> cisco_unity = yes<br>i_dont_care_about_security_and_use_aggressive_mode_psk = yes<br>plugins {<br> attr {<br> UNITY_SPLIT_INCLUDE=28676<br> INTERNAL_IP4_ADDRESS=1<br> INTERNAL_IP4_NETMASK=2<br> INTERNAL_IP4_DNS=3<br> UNITY_LOCAL_LAN=28678<br> }<br> }<br>}<br><br>when I forced to main mode by comment out i_dont_care_about_security_and_use_aggressive_mode_psk = yes, the client still send AG mode<br><br>log of swan is<br><br>17:36:03 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-<br><br>220.17.1.142.bos_dove_72.x86_64.VPN-APP-S5_SN_DOVE, x86_64)<br>17:36:03 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>17:36:03 00[CFG] loaded ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1" from <br><br>'/etc/ipsec.d/cacerts/ca.pem'<br>17:36:03 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br>17:36:03 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such file or directory<br>17:36:03 00[CFG] reading directory failed<br>17:36:03 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br>17:36:03 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No such file or directory<br>17:36:03 00[CFG] reading directory failed<br>17:36:03 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>17:36:03 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such file or directory<br>17:36:03 00[CFG] reading directory failed<br>17:36:03 00[CFG] loading crls from '/etc/ipsec.d/crls'<br>17:36:03 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such file or directory<br>17:36:03 00[CFG] reading directory failed<br>17:36:03 00[CFG] loading secrets from '/etc/ipsec.secrets'<br>17:36:03 00[CFG] loaded IKE secret for %any<br>17:36:03 00[CFG] loaded 1 RADIUS server configuration<br>17:36:03 00[LIB] loaded plugins: charon aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce <br><br>xauth-pam x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 <br><br>eap-md5 eap-tls eap-identity eap-radius updown<br>17:36:03 00[LIB] unable to load 12 plugin features (12 due to unmet dependencies)<br>17:36:03 00[JOB] spawning 16 worker threads<br>17:36:03 05[CFG] received stroke: add connection 'cert'<br>17:36:03 05[CFG] adding virtual IP address pool <a href="http://10.3.0.0/28" target="_blank">10.3.0.0/28</a><br>17:36:03 05[CFG] added configuration 'cert'<br>17:36:28 07[NET] received packet: from 192.168.11.10[53029] to 192.168.11.55[500] (865 bytes)<br>17:36:28 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]<br>17:36:28 07[IKE] received XAuth vendor ID<br>17:36:28 07[IKE] received DPD vendor ID<br>17:36:28 07[IKE] received FRAGMENTATION vendor ID<br>17:36:28 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID<br>17:36:28 07[IKE] received Cisco Unity vendor ID<br>17:36:28 07[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA<br>17:36:28 07[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10<br><br>[admin]<br>17:36:28 07[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using <br><br>Aggressive Mode<br>17:36:28 07[ENC] generating INFORMATIONAL_V1 request 1035333975 [ N(AUTH_FAILED) ]<br>17:36:28 07[NET] sending packet: from 192.168.11.55[500] to 192.168.11.10[53029] (56 bytes)<br>17:36:33 08[NET] received packet: from 192.168.11.10[53029] to 192.168.11.55[500] (865 bytes)<br>17:36:33 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]<br>17:36:33 08[IKE] received XAuth vendor ID<br>17:36:33 08[IKE] received DPD vendor ID<br>17:36:33 08[IKE] received FRAGMENTATION vendor ID<br>17:36:33 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID<br>17:36:33 08[IKE] received Cisco Unity vendor ID<br>17:36:33 08[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA<br>17:36:33 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10<br><br>[admin]<br><span style="background-color:rgb(255,0,0)">17:36:33 08[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode</span><br>17:36:33 08[ENC] generating INFORMATIONAL_V1 request <a href="tel:3136248912" value="+13136248912" target="_blank">3136248912</a> [ N(AUTH_FAILED) ]<br>17:36:33 08[NET] sending packet: from 192.168.11.55[500] to 192.168.11.10[53029] (56 bytes)<br>repeat.......<br><div><br></div><div><br></div><div>the client log is </div><div><br></div><div><div>Cisco Systems VPN Client Version 5.0.07.0440</div><div>Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.</div><div>Client Type(s): Windows, WinNT</div><div>Running on: 6.1.7600 </div><div>Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\</div><div><br></div><div>1 09:07:02.435 07/15/15 Sev=Info/4<span style="white-space:pre-wrap"> </span>CM/0x63100002</div><div>Begin connection process</div><div><br></div><div>2 09:07:02.461 07/15/15 Sev=Info/4<span style="white-space:pre-wrap"> </span>CM/0x63100004</div><div>Establish secure connection</div><div><br></div><div>3 09:07:02.461 07/15/15 Sev=Info/4<span style="white-space:pre-wrap"> </span>CM/0x63100024</div><div>Attempt connection with server "192.168.11.55"</div><div><br></div><div>4 09:07:02.465 07/15/15 Sev=Info/6<span style="white-space:pre-wrap"> </span>IKE/0x6300003B</div><div>Attempting to establish a connection with 192.168.11.55.</div><div><br></div><div>5 09:07:02.471 07/15/15 Sev=Info/4<span style="white-space:pre-wrap"> </span>IKE/0x63000001</div><div>Starting IKE Phase 1 Negotiation</div><div><br></div><div>6 09:07:02.479 07/15/15 Sev=Info/4<span style="white-space:pre-wrap"> </span>IKE/0x63000013</div><div>SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID</div><div><br></div><div>(Unity)) to 192.168.11.55</div><div><br></div><div>7 09:07:02.481 07/15/15 Sev=Info/4<span style="white-space:pre-wrap"> </span>IPSEC/0x63700008</div><div>IPSec driver successfully started</div><div><br></div><div>8 09:07:02.481 07/15/15 Sev=Info/4<span style="white-space:pre-wrap"> </span>IPSEC/0x63700014</div><div>Deleted all keys</div><div><br></div><div>9 09:07:02.484 07/15/15 Sev=Info/5<span style="white-space:pre-wrap"> </span>IKE/0x6300002F</div><div>Received ISAKMP packet: peer = 192.168.11.55</div><div><br></div><div>10 09:07:02.484 07/15/15 Sev=Warning/2<span style="white-space:pre-wrap"> </span>IKE/0xE300009B</div><div>Discarding incoming packet: Message is NOT encrypted (PacketReceiver:422)</div><div><br></div><div><span style="background-color:rgb(255,0,0)">11 09:07:02.484 07/15/15 Sev=Info/4<span style="white-space:pre-wrap"> </span>IKE/0x63000014</span></div><div><span style="background-color:rgb(255,0,0)">RECEIVING <<< ISAKMP OAK INFO (Dropped) from 192.168.11.55</span></div><div><br></div><div>12 09:07:07.658 07/15/15 Sev=Info/4<span style="white-space:pre-wrap"> </span>IKE/0x63000021</div><div>Retransmitting last packet!</div><div><br></div><div>13 09:07:07.658 07/15/15 Sev=Info/4<span style="white-space:pre-wrap"> </span>IKE/0x63000013</div><div>SENDING >>> ISAKMP OAK AG (Retransmission) to 192.168.11.55</div><div><br></div><div>repeat</div></div><div><br></div><div>I did comment out strongswan source file due </div><div>to receive error "payload type %N was not encrypted" first packet</div><div>for temporary workaround.</div><div><br></div><div>diff -u -N opensource/strongswan-5.2.2/src/libcharon/encoding/message.c opensource/strongswan-5.2.2/src/libcharon/encoding/message.c<br></div><div><div>--- opensource/strongswan-5.2.2/src/libcharon/encoding/message.c<span style="white-space:pre-wrap"> </span>2014-12-09 02:58:17.000000000 -0800</div><div>+++ opensource/strongswan-5.2.2/src/libcharon/encoding/message.c<span style="white-space:pre-wrap"> </span>2015-07-10 11:50:55.000000000 -0700</div><div>@@ -2487,7 +2487,7 @@</div><div> <span style="white-space:pre-wrap"> </span>{</div><div> <span style="white-space:pre-wrap"> </span>DBG1(DBG_ENC, "payload type %N was not encrypted",</div><div> <span style="white-space:pre-wrap"> </span> payload_type_names, type);</div><div>-<span style="white-space:pre-wrap"> </span>status = FAILED;</div><div>+<span style="white-space:pre-wrap"> </span>//status = FAILED;</div><div> <span style="white-space:pre-wrap"> </span>break;</div><div> <span style="white-space:pre-wrap"> </span>}</div><div> <span style="white-space:pre-wrap"> </span>}</div></div><div><br></div><div>I have no idea why got this error</div><div>Any input, I am very appreciated</div><span><font color="#888888"><div><br></div><div>Tom</div></font></span></div>
<br></div></div>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br></blockquote></div><br></div></div></blockquote></div></div></div></div></div></blockquote></div></div></div></div></div></blockquote></div><div class="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br><table width="93%" align="center" style="background-color:rgb(242,245,247)" border="0" cellspacing="0" cellpadding="4"><tbody><tr><td valign="top" style="width:169px;line-height:155%"><font color="#000000" face="Verdana, Arial" style="font-size:11px;margin-top:4px" valign="top"><b></b></font></td><td valign="top"><span style="color:rgb(0,51,102);font-size:18px;font-weight:bold"><font color="#1155cc"><br></font></span></td></tr></tbody></table></div></div></div></div>
</div></div></div>