
<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<meta name="Generator" content="Microsoft Exchange Server">

<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>

</head>

<body>

<meta content="text/html; charset=UTF-8">

<style type="text/css" style="">

<!--

p

        {margin-top:0;

        margin-bottom:0}

-->

</style>

<div dir="ltr">

<div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Arial,Helvetica,sans-serif">

<p>Hi Noel-</p>

<p><br>

</p>

<p>I saw your note about NAT-T, and it matched my understanding for the docs. It seems that NAT-T information is not shared between the peers.  I tried adding forceencaps=yes and got the same apparent result.  I skipped the config and logs since the earlier

 thread had substantially similar configuration and got no reply.  Here's the most recent variation that I've tried (with IP numbers redacted).</p>

<p><br>

</p>

<p>ipsec.conf (StrongSwan on Linux):</p>

<p><br>

</p>

<p>config setup</p>

<p>   charondebug=ike 4, esp 4, enc 4, net 2</p>

<p><br>

</p>

<p>conn test</p>

<p>   aggressive=no</p>

<p>   keyexchange=ikev1</p>

<p>   forceencaps=yes</p>

<p>   ike=aes256-sha1-modp2048</p>

<p>   esp=aes128-sha1</p>

<p>   left=<StrongSwan Machine Local IP></p>

<p>   leftsubnet=x.x.x.x/24</p>

<p>   leftauth=psk</p>

<p>   right=<Zyxel Public IP></p>

<p>   rightsubnet=<Local Subnet Behind Zyxel>/24</p>

<p>   rightauth=psk</p>

<p>   auto=add</p>

<p><br>

</p>

<p>ipsec.secrets</p>

<p><Zyxel Public IP> : PSK "abcd"</p>

<p><br>

</p>

<p>syslog:</p>

<p>Dec 12 20:02:59 lbox charon: 13[CFG] received stroke: initiate 'test'</p>

<p><span>Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_VENDOR task</span></p>

<p><span><span>Dec 12 20:02:59 lbox charon: 15[IKE]</span> queueing ISAKMP_CERT_PRE task</span></p>

<p><span><span>Dec 12 20:02:59 lbox charon:</span> 15[IKE] queueing MAIN_MODE task</span></p>

<p><span><span>Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_CERT_POST task</span></span></p>

<p><span><span><span>Dec 12 20:02:59 lbox charon:</span> 15[IKE] queueing ISAKMP_NATD task</span></span></p>

<p><span><span><span>Dec 12 20:02:59 lbox charon:</span> 15[IKE] queueing QUICK_MODE task</span></span></p>

<p><span><span><span>Dec 12 20:02:59 lbox charon:</span> 15[IKE] activating new tasks</span></span></p>

<p><span><span><span>Dec 12 20:02:59 lbox charon:</span> 15[IKE]  activating ISAKMP_VENDOR task</span></span></p>

<p><span><span><span>Dec 12 20:02:59 lbox charon:</span> 15[IKE]  activating ISAKMP_CERT_PRE task</span></span></p>

<p><span><span><span>Dec 12 20:02:59 lbox charon:</span> 15[IKE]  activating MAIN_MODE task</span></span></p>

<p><span><span><span>Dec 12 20:02:59 lbox charon:</span> 15[IKE]  activating ISAKMP_CERT_POST task</span></span></p>

<p><span><span><span>Dec 12 20:02:59 lbox charon:</span> 15[IKE]  activating ISAKMP_NATD task</span></span></p>

<p><span><span><span>Dec 12 20:02:59 lbox charon:</span> 15[IKE] sending XAuth vendor ID</span></span></p>

<p><span><span><span>Dec 12 20:02:59 lbox charon:</span> 15[IKE] sending DPD vendor ID</span></span></p>

<p><span><span><span>Dec 12 20:02:59 lbox charon:</span> 15[IKE] sending NAT-T (RFC 3947) vendor ID</span></span></p>

<p><span><span><span>Dec 12 20:02:59 lbox charon:</span> 15[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID</span></span></p>

<p><span><span><span>Dec 12 20:02:59 lbox charon:</span> 15[IKE] initiating Main Mode IKE_SA test[1] to <Zyxel Public IP></span></span></p>

<p><span><span><span>Dec 12 20:02:59 lbox charon: 15IKE IKE_SA test[1] state change: CREATED => CONNECTING</span></span></span></p>

<p><span><span><span><span>Dec 12 20:02:59 lbox charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V ]</span></span></span></span></p>

<p><span><span><span><span><span>Dec 12 20:02:59 lbox charon:</span> 15[NET] sending packet: from <StrongSwan Local IP>[500] to <Zyxel Public IP>[500] (156 bytes)</span></span></span></span></p>

<p><span><span><span><span><span>Dec 12 20:02:59 lbox charon:</span> 10[NET] sending packet: from <StrongSwan Local IP>[500] to <Zyxel Public IP>[500]</span></span></span></span></p>

<p><span><span><span><span><span>Dec 12 20:02:59 lbox charon:</span> 09[NET] received packet: from <Zyxel Public IP>[500] to <StrongSwan Local IP>[500]</span></span></span></span></p>

<p><span><span><span><span><span>Dec 12 20:02:59 lbox charon:</span> 09[NET] waiting for data on sockets</span></span></span></span></p>

<p><span><span><span><span><span>Dec 12 20:02:59 lbox charon:</span> 16[NET] received packet: from <Zyxel Public IP>[500] to <StrongSwan Local IP>[500] (84 bytes)</span></span></span></span></p>

<p><span><span><span><span><span>Dec 12 20:02:59 lbox charon:</span> 16[ENC] parsed ID_PROT response 0 [ SA ]</span></span></span></span></p>

<p><span><span><span><span><span>Dec 12 20:02:59 lbox charon:</span> 16[IKE] reinitiating already active tasks</span></span></span></span></p>

<p><span><span><span><span><span>Dec 12 20:02:59 lbox charon:</span> 16[IKE]   ISAKMP_VENDOR task</span></span></span></span></p>

<p><span><span><span><span><span>Dec 12 20:02:59 lbox charon: 16[IKE]   MAIN_MODE task</span></span></span></span></span></p>

<p><span><span><span><span><span><span>Dec 12 20:02:59 lbox charon:</span> 16[ENC] generating ID_PROTO request 0 [ KE No ]</span></span></span></span></span></p>

<p><span><span><span><span><span><span>Dec 12 20:02:59 lbox charon:</span> 16[NET] sending packet: from <StrongSwan Local IP>[500] to <Zyxel Public IP>[500] (324 bytes)</span></span></span></span></span></p>

<p><span><span><span><span><span><span>Dec 12 20:02:59 lbox charon:</span> <span>

Dec 12 20:02:59 lbox charon:</span> 10[NET] sending packet: from <StrongSwan Local IP>[500] to <Zyxel Public IP>[500]</span></span></span></span></span></p>

<p><span><span><span><span><span><span>Dec 12 20:03:00 lbox charon: 09[NET] received packet: from <Zyxel Public IP>[500] to <StrongSwan Local IP>[500]</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span></span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>Dec 12 20:03:00 lbox charon: 09[NET] waiting for data on sockets</span></span></span></span></span></span><br>

</p>

<p></p>

<p><span><span><span><span><span><span></span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>Dec 12 20:03:00 lbox charon: 09[NET] received packet: from <Zyxel Public IP>[500] to <StrongSwan Local IP>[500] (91 bytes)</span></span></span></span></span></span></p>

<p></p>

<p><span><span><span><span><span><span>Dec 12 20:03:00 lbox charon: 06[ENC] parsed INFORMATIONAL_V1 request 1921070197 [ N(AUTH_FAILED) ]</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span></span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>Dec 12 20:03:00 lbox charon: 06[IKE] received AUTHENTICATIN_FAILED error notify</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span></span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>Dec 12 20:03:00 lbox charon: 06[IKE] IKE_SA test[1] state change: CONNECTING => DESTROYING</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span><br>

</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>On the Zyxel, my choices are to look at "All Logs" or "Debug Logs".  They contain different information.</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span><br>

</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>In "All Logs":</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span><br>

</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>IKE The cookie pair is ...</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>IKE Recv Main Mode Request from [<StrongSwan Public IP>]</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>Recv:[SA][VID][VID][VID][VID]</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 2048 bit MODP;).</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>IKE The cookie pair is ....</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>IKE [SA]: No proposal chosen</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>IKE Send:[SA]</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>IKE Recv:[KE][NONCE]</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>IKE Send:[NOTIFY:AUTHENTICATION_FAILED]</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span><br>

</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>In the "Debug Logs" I get a sequence as in my original message.</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span><br>

</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>The Zyxel configures through a browser.  It's not clear what information from that configuration should be sent nor how to send it in this format.</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span><br>

</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span>If I change the StrongSwan settings to use different encryption algorithms, I get a different error on both ends, so I'm convinced that the algorithms match. (In addition, I was using the same algorithms on the WORKING

 OpenSwan configuration.)  I checked the PSK several times, and I'm confident that it matches.</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span><br>

</span></span></span></span></span></span></p>

<p><span><span><span><span><span><span><br>

</span></span></span></span></span></span></p>

<p><br>

</p>

<p><br>

</p>

<p><br>

</p>

<p><br>

</p>

<p><br>

</p>

<p><br>

</p>

<p></p>

<p></p>

<p></p>

<p><br>

</p>

<p><br>

</p>

<p><br>

</p>

<p><br>

</p>

<p><br>

</p>

<p></p>

<p><br>

</p>

</div>

<hr tabindex="-1" style="display:inline-block; width:98%">

<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Noel Kuntze <noel@familie-kuntze.de><br>

<b>Sent:</b> Monday, December 12, 2016 3:27:48 PM<br>

<b>To:</b> Watson Hewitt; users@lists.strongswan.org<br>

<b>Subject:</b> Re: [strongSwan] Issue with authentication under IKEv1 + NAT + PSK</font>

<div> </div>

</div>

</div>

<font size="2"><span style="font-size:10pt;">

<div class="PlainText">Hello Watson,<br>

<br>

On 13.12.2016 00:24, Watson Hewitt wrote:<br>

> My understanding from the docs is that StrongSwan does not support that config option anymore and that charon is supposed to handle this automatically and internally.<br>

<br>

NAT-T is enabled and enforced when NAT is detected or forced to be used by using forceencaps=yes in ipsec.conf (similiar option in swanctl.conf).<br>

<br>

Your email lacks information. We require logs and configs. You're probably doing something inherently wrong.<br>

<br>

-- <br>

<br>

Mit freundlichen Gr��en/Kind Regards,<br>

Noel Kuntze<br>

<br>

GPG Key ID: 0x63EC6658<br>

Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>

<br>

<br>

</div>

</span></font>

</body>

</html>