<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<meta content="text/html; charset=UTF-8">
<style type="text/css" style="">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div dir="ltr">
<div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Hi Noel-</p>
<p><br>
</p>
<p>I saw your note about NAT-T, and it matched my understanding from the docs. It seems that NAT-T information is not shared between the peers. I tried adding forceencaps=yes and got the same apparent result. I skipped the config and logs since the earlier thread had substantially similar configuration and got no reply. Here's the most recent variation that I've tried (with IP numbers redacted).</p>
<p><br>
</p>
<p>ipsec.conf (StrongSwan on Linux):</p>
<p><br>
</p>
<p>config setup</p>
<p> charondebug=ike 4, esp 4, enc 4, net 2</p>
<p><br>
</p>
<p>conn test</p>
<p> aggressive=no</p>
<p> keyexchange=ikev1</p>
<p> forceencaps=yes</p>
<p> ike=aes256-sha1-modp2048</p>
<p> esp=aes128-sha1</p>
<p> left=&lt;StrongSwan Machine Local IP&gt;</p>
<p> leftsubnet=x.x.x.x/24</p>
<p> leftauth=psk</p>
<p> right=&lt;Zyxel Public IP&gt;</p>
<p> rightsubnet=&lt;Local Subnet Behind Zyxel&gt;/24</p>
<p> rightauth=psk</p>
<p> auto=add</p>
<p><br>
</p>
<p>ipsec.secrets</p>
<p>&lt;Zyxel Public IP&gt; : PSK "abcd"</p>
<p><br>
</p>
<p>syslog:</p>
<p>Dec 12 20:02:59 lbox charon: 13[CFG] received stroke: initiate 'test'</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_VENDOR task</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_CERT_PRE task</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] queueing MAIN_MODE task</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_CERT_POST task</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_NATD task</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] queueing QUICK_MODE task</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] activating new tasks</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] activating ISAKMP_VENDOR task</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] activating ISAKMP_CERT_PRE task</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] activating MAIN_MODE task</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] activating ISAKMP_CERT_POST task</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] activating ISAKMP_NATD task</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] sending XAuth vendor ID</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] sending DPD vendor ID</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] sending NAT-T (RFC 3947) vendor ID</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] initiating Main Mode IKE_SA test[1] to &lt;Zyxel Public IP&gt;</p>
<p>Dec 12 20:02:59 lbox charon: 15[IKE] IKE_SA test[1] state change: CREATED => CONNECTING</p>
<p>Dec 12 20:02:59 lbox charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V ]</p>
<p>Dec 12 20:02:59 lbox charon: 15[NET] sending packet: from &lt;StrongSwan Local IP&gt;[500] to &lt;Zyxel Public IP&gt;[500] (156 bytes)</p>
<p>Dec 12 20:02:59 lbox charon: 10[NET] sending packet: from &lt;StrongSwan Local IP&gt;[500] to &lt;Zyxel Public IP&gt;[500]</p>
<p>Dec 12 20:02:59 lbox charon: 09[NET] received packet: from &lt;Zyxel Public IP&gt;[500] to &lt;StrongSwan Local IP&gt;[500]</p>
<p>Dec 12 20:02:59 lbox charon: 09[NET] waiting for data on sockets</p>
<p>Dec 12 20:02:59 lbox charon: 16[NET] received packet: from &lt;Zyxel Public IP&gt;[500] to &lt;StrongSwan Local IP&gt;[500] (84 bytes)</p>
<p>Dec 12 20:02:59 lbox charon: 16[ENC] parsed ID_PROT response 0 [ SA ]</p>
<p>Dec 12 20:02:59 lbox charon: 16[IKE] reinitiating already active tasks</p>
<p>Dec 12 20:02:59 lbox charon: 16[IKE] ISAKMP_VENDOR task</p>
<p>Dec 12 20:02:59 lbox charon: 16[IKE] MAIN_MODE task</p>
<p>Dec 12 20:02:59 lbox charon: 16[ENC] generating ID_PROT request 0 [ KE No ]</p>
<p>Dec 12 20:02:59 lbox charon: 16[NET] sending packet: from &lt;StrongSwan Local IP&gt;[500] to &lt;Zyxel Public IP&gt;[500] (324 bytes)</p>
<p>Dec 12 20:02:59 lbox charon: 10[NET] sending packet: from &lt;StrongSwan Local IP&gt;[500] to &lt;Zyxel Public IP&gt;[500]</p>
<p>Dec 12 20:03:00 lbox charon: 09[NET] received packet: from &lt;Zyxel Public IP&gt;[500] to &lt;StrongSwan Local IP&gt;[500]</p>
<p>Dec 12 20:03:00 lbox charon: 09[NET] waiting for data on sockets</p>
<p>Dec 12 20:03:00 lbox charon: 09[NET] received packet: from &lt;Zyxel Public IP&gt;[500] to &lt;StrongSwan Local IP&gt;[500] (91 bytes)</p>
<p>Dec 12 20:03:00 lbox charon: 06[ENC] parsed INFORMATIONAL_V1 request 1921070197 [ N(AUTH_FAILED) ]</p>
<p>Dec 12 20:03:00 lbox charon: 06[IKE] received AUTHENTICATION_FAILED error notify</p>
<p>Dec 12 20:03:00 lbox charon: 06[IKE] IKE_SA test[1] state change: CONNECTING => DESTROYING</p>
<p><br>
</p>
<p>On the Zyxel, my choices are to look at "All Logs" or "Debug Logs". They contain different information.</p>
<p><br>
</p>
<p>In "All Logs":</p>
<p><br>
</p>
<p>IKE The cookie pair is ...</p>
<p>IKE Recv Main Mode Request from [&lt;StrongSwan Public IP&gt;]</p>
<p>Recv:[SA][VID][VID][VID][VID]</p>
<p>Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 2048 bit MODP;).</p>
<p>IKE The cookie pair is ....</p>
<p>IKE [SA]: No proposal chosen</p>
<p>IKE Send:[SA]</p>
<p>IKE Recv:[KE][NONCE]</p>
<p>IKE Send:[NOTIFY:AUTHENTICATION_FAILED]</p>
<p><br>
</p>
<p>In the "Debug Logs" I get a sequence as in my original message.</p>
<p><br>
</p>
<p>The Zyxel configures through a browser. It's not clear what information from that configuration should be sent nor how to send it in this format.</p>
<p><br>
</p>
<p>If I change the StrongSwan settings to use different encryption algorithms, I get a different error on both ends, so I'm convinced that the algorithms match. (In addition, I was using the same algorithms on the WORKING OpenSwan configuration.) I checked the PSK several times, and I'm confident that it matches.</p>
<p><br>
</p>
</div>
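<p>As an added diagnostic example (not code from this thread, from strongSwan, or from Zyxel), the following Python script parses charon log lines of the kind quoted above and reduces them to the facts a reader needs when an IKEv1 Main Mode negotiation aborts: how many vendor ID payloads each side sent in the SA exchange, whether NAT-D payloads ever appeared, which Main Mode message pair was the last one sent, and which notify came back. The sample log is constructed from the quoted lines with the redacted addresses replaced by RFC 5737 documentation addresses; the stage names follow the three message pairs of RFC 2409 Main Mode (SA, then KE/Nonce, then ID/HASH), and the payload abbreviations (SA, V, KE, No, ID, HASH, NAT-D) are the ones charon prints in its ENC lines.</p>

```python
import re

# Constructed sample: a subset of the charon lines quoted in the message
# above, with the redacted addresses replaced by RFC 5737 documentation
# addresses. These are placeholders, not real hosts.
SAMPLE_LOG = """\
Dec 12 20:02:59 lbox charon: 15[IKE] sending NAT-T (RFC 3947) vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] initiating Main Mode IKE_SA test[1] to 203.0.113.1
Dec 12 20:02:59 lbox charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V ]
Dec 12 20:02:59 lbox charon: 15[NET] sending packet: from 192.0.2.10[500] to 203.0.113.1[500] (156 bytes)
Dec 12 20:02:59 lbox charon: 16[ENC] parsed ID_PROT response 0 [ SA ]
Dec 12 20:02:59 lbox charon: 16[ENC] generating ID_PROT request 0 [ KE No ]
Dec 12 20:02:59 lbox charon: 16[NET] sending packet: from 192.0.2.10[500] to 203.0.113.1[500] (324 bytes)
Dec 12 20:03:00 lbox charon: 06[ENC] parsed INFORMATIONAL_V1 request 1921070197 [ N(AUTH_FAILED) ]
Dec 12 20:03:00 lbox charon: 06[IKE] received AUTHENTICATION_FAILED error notify
Dec 12 20:03:00 lbox charon: 06[IKE] IKE_SA test[1] state change: CONNECTING => DESTROYING
"""

# Syslog prefix: "<timestamp> <host> charon: <thread>[<subsystem>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
# ENC lines name the exchange and list the payloads of one IKE message.
ENC_RE = re.compile(
    r"^(?P<dir>generating|parsed) (?P<exch>\w+) (?P<kind>request|response) "
    r"(?P<mid>\d+) \[ (?P<payloads>[^\]]*)\]$"
)
NOTIFY_RE = re.compile(r"N\((?P<name>[A-Z_]+)\)")

# IKEv1 Main Mode (RFC 2409) is three message pairs; the mandatory payloads
# of an ID_PROT message identify the pair. Vendor ID (V) and NAT-D payloads
# ride along in MM1/2 and MM3/4 and are ignored for classification.
MAIN_MODE_STAGES = {
    frozenset({"SA"}): "MM1/2 SA negotiation",
    frozenset({"KE", "No"}): "MM3/4 key exchange",
    frozenset({"ID", "HASH"}): "MM5/6 identity and PSK authentication",
}


def parse_charon(log_text):
    """Return one dict per charon line; ENC lines also carry exchange details."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a charon line (or a line we do not understand)
        ev = m.groupdict()
        if ev["group"] == "ENC":
            e = ENC_RE.match(ev["msg"])
            if e:
                ev.update(e.groupdict())
                ev["payloads"] = ev["payloads"].split()
        events.append(ev)
    return events


def summarize_main_mode(events):
    """Reduce the parsed events to the facts that matter for an IKEv1 abort."""
    summary = {
        "vendor_ids_sent": 0,
        "vendor_ids_received": 0,
        "nat_d_seen": False,
        "last_stage_sent": None,
        "notify": None,
        "sa_destroyed": False,
    }
    for ev in events:
        if "payloads" in ev and ev["exch"] == "ID_PROT":
            vids = ev["payloads"].count("V")
            if ev["dir"] == "generating":
                summary["vendor_ids_sent"] += vids
                core = frozenset(p for p in ev["payloads"] if p not in ("V", "NAT-D"))
                summary["last_stage_sent"] = MAIN_MODE_STAGES.get(
                    core, "unknown payload set " + " ".join(sorted(core)))
            else:
                summary["vendor_ids_received"] += vids
            if "NAT-D" in ev["payloads"]:
                summary["nat_d_seen"] = True
        elif "payloads" in ev and ev["exch"] == "INFORMATIONAL_V1":
            n = NOTIFY_RE.search(" ".join(ev["payloads"]))
            if n:
                summary["notify"] = n.group("name")
        elif "=> DESTROYING" in ev["msg"]:
            summary["sa_destroyed"] = True
    return summary


def explain(summary):
    """Turn the summary into plain findings a troubleshooter can act on."""
    findings = []
    if summary["vendor_ids_sent"] and not summary["vendor_ids_received"]:
        findings.append("peer answered MM1 without any vendor ID payloads, so "
                        "NAT-T (RFC 3947) was not agreed in this exchange")
    if not summary["nat_d_seen"]:
        findings.append("no NAT-D payloads were exchanged; NAT detection never ran")
    if summary["notify"] and summary["last_stage_sent"] \
            and not summary["last_stage_sent"].startswith("MM5/6"):
        findings.append(f"{summary['notify']} arrived after {summary['last_stage_sent']}, "
                        "before the ID/HASH exchange in which the peer verifies the PSK")
    if summary["sa_destroyed"]:
        findings.append("IKE_SA was torn down; Quick Mode was never attempted")
    return findings


if __name__ == "__main__":
    for line in explain(summarize_main_mode(parse_charon(SAMPLE_LOG))):
        print("-", line)
```

<p>Run against the sample it reports that the responder's SA reply carried no vendor IDs, that no NAT-D payloads were exchanged, and that AUTHENTICATION_FAILED came back after the KE/Nonce pair, i.e. before either side had sent an identity or hash. Feeding it a full charon log (charondebug ike 2 or higher is enough for the ENC lines) gives the same breakdown for any Main Mode attempt.</p>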
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Noel Kuntze &lt;noel@familie-kuntze.de&gt;<br>
<b>Sent:</b> Monday, December 12, 2016 3:27:48 PM<br>
<b>To:</b> Watson Hewitt; users@lists.strongswan.org<br>
<b>Subject:</b> Re: [strongSwan] Issue with authentication under IKEv1 + NAT + PSK</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">Hello Watson,<br>
<br>
On 13.12.2016 00:24, Watson Hewitt wrote:<br>
> My understanding from the docs is that StrongSwan does not support that config option anymore and that charon is supposed to handle this automatically and internally.<br>
<br>
NAT-T is enabled and enforced when NAT is detected or forced to be used by using forceencaps=yes in ipsec.conf (similar option in swanctl.conf).<br>
<br>
Your email lacks information. We require logs and configs. You're probably doing something inherently wrong.<br>
<br>
-- <br>
<br>
Mit freundlichen Grüßen/Kind Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
<br>
</div>
</span></font>
</body>
</html>