<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Jason Zhan sent this with a slightly different subject line (thereby creating a new thread):</p>
<p><br>
</p>
<p>--------------------</p>
<p><br>
</p>
<p>If there is NAT between &lt;Zyxel&gt; and &lt;StrongSwan&gt;, I suggest adding the parameters below to [ipsec.conf]:<br>
<br>
[ipsec.conf]<br>
type=tunnel<br>
aggressive=yes<br>
forceencaps=yes<br>
<br>
By the way, most small routers use the peer ID when configuring IPsec IKEv1 in the graphical interface.<br>
</p>
<p><br>
</p>
<p>--------------------</p>
<p><br>
</p>
<p>The only difference here from what I had is the suggestion "aggressive=yes", I think.  I hadn't explicitly specified type, but tunnel is the default. (Just now I set it explicitly and there was no clear change in behavior.)  Changing to aggressive mode is not compatible with the settings on the Zyxel.  The Zyxel does have the capability to handle aggressive mode (although I've never tried it), but making this configuration change on the router would have ripple effects into the other remote sites that are working. I'd like to avoid that.</p>
<p><br>
</p>
<p>I'm afraid that I don't understand the final comment starting with "by the way..."</p>
<p><br>
</p>
<p>I'm hoping there's some configuration issue here that someone can spot and that can be easily fixed.  Changing configuration on the router - taking into account potential issues with other remote machines that are working with the current configuration -
 is probably a painful option.  The number of different machine types and software providers for which this is already working makes me think that it's a situation that StrongSwan does (or at least should) support if I can get some help sorting out the differences
 in parameter settings between the various "swans."</p>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Watson Hewitt<br>
<b>Sent:</b> Monday, December 12, 2016 5:36:21 PM<br>
<b>To:</b> Noel Kuntze; users@lists.strongswan.org<br>
<b>Subject:</b> Re: [strongSwan] Issue with authentication under IKEv1 + NAT + PSK</font>
<div> </div>
</div>
<div>
<meta content="text/html; charset=UTF-8">
<style type="text/css" style="">
<!--
p
        {margin-top:0;
        margin-bottom:0}
-->
</style>
<div dir="ltr">
<div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Hi Noel-</p>
<p><br>
</p>
<p>I saw your note about NAT-T, and it matched my understanding from the docs. It seems that NAT-T information is not shared between the peers.  I tried adding forceencaps=yes and got the same apparent result.  I skipped the config and logs since the earlier thread had substantially similar configuration and got no reply.  Here's the most recent variation that I've tried (with IP numbers redacted).</p>
<p><br>
</p>
<p>ipsec.conf (StrongSwan on Linux):</p>
<pre>
config setup
   charondebug=ike 4, esp 4, enc 4, net 2

conn test
   aggressive=no
   keyexchange=ikev1
   forceencaps=yes
   ike=aes256-sha1-modp2048
   esp=aes128-sha1
   left=&lt;StrongSwan Machine Local IP&gt;
   leftsubnet=x.x.x.x/24
   leftauth=psk
   right=&lt;Zyxel Public IP&gt;
   rightsubnet=&lt;Local Subnet Behind Zyxel&gt;/24
   rightauth=psk
   auto=add
</pre>
<p>ipsec.secrets:</p>
<pre>
&lt;Zyxel Public IP&gt; : PSK "abcd"
</pre>
<p><br>
</p>
<p>syslog:</p>
<pre>
Dec 12 20:02:59 lbox charon: 13[CFG] received stroke: initiate 'test'
Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_VENDOR task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_CERT_PRE task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing MAIN_MODE task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_CERT_POST task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_NATD task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing QUICK_MODE task
Dec 12 20:02:59 lbox charon: 15[IKE] activating new tasks
Dec 12 20:02:59 lbox charon: 15[IKE]   activating ISAKMP_VENDOR task
Dec 12 20:02:59 lbox charon: 15[IKE]   activating ISAKMP_CERT_PRE task
Dec 12 20:02:59 lbox charon: 15[IKE]   activating MAIN_MODE task
Dec 12 20:02:59 lbox charon: 15[IKE]   activating ISAKMP_CERT_POST task
Dec 12 20:02:59 lbox charon: 15[IKE]   activating ISAKMP_NATD task
Dec 12 20:02:59 lbox charon: 15[IKE] sending XAuth vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] sending DPD vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] sending NAT-T (RFC 3947) vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] initiating Main Mode IKE_SA test[1] to &lt;Zyxel Public IP&gt;
Dec 12 20:02:59 lbox charon: 15[IKE] IKE_SA test[1] state change: CREATED => CONNECTING
Dec 12 20:02:59 lbox charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V ]
Dec 12 20:02:59 lbox charon: 15[NET] sending packet: from &lt;StrongSwan Local IP&gt;[500] to &lt;Zyxel Public IP&gt;[500] (156 bytes)
Dec 12 20:02:59 lbox charon: 10[NET] sending packet: from &lt;StrongSwan Local IP&gt;[500] to &lt;Zyxel Public IP&gt;[500]
Dec 12 20:02:59 lbox charon: 09[NET] received packet: from &lt;Zyxel Public IP&gt;[500] to &lt;StrongSwan Local IP&gt;[500]
Dec 12 20:02:59 lbox charon: 09[NET] waiting for data on sockets
Dec 12 20:02:59 lbox charon: 16[NET] received packet: from &lt;Zyxel Public IP&gt;[500] to &lt;StrongSwan Local IP&gt;[500] (84 bytes)
Dec 12 20:02:59 lbox charon: 16[ENC] parsed ID_PROT response 0 [ SA ]
Dec 12 20:02:59 lbox charon: 16[IKE] reinitiating already active tasks
Dec 12 20:02:59 lbox charon: 16[IKE]   ISAKMP_VENDOR task
Dec 12 20:02:59 lbox charon: 16[IKE]   MAIN_MODE task
Dec 12 20:02:59 lbox charon: 16[ENC] generating ID_PROT request 0 [ KE No ]
Dec 12 20:02:59 lbox charon: 16[NET] sending packet: from &lt;StrongSwan Local IP&gt;[500] to &lt;Zyxel Public IP&gt;[500] (324 bytes)
Dec 12 20:02:59 lbox charon: 10[NET] sending packet: from &lt;StrongSwan Local IP&gt;[500] to &lt;Zyxel Public IP&gt;[500]
Dec 12 20:03:00 lbox charon: 09[NET] received packet: from &lt;Zyxel Public IP&gt;[500] to &lt;StrongSwan Local IP&gt;[500]
Dec 12 20:03:00 lbox charon: 09[NET] waiting for data on sockets
Dec 12 20:03:00 lbox charon: 09[NET] received packet: from &lt;Zyxel Public IP&gt;[500] to &lt;StrongSwan Local IP&gt;[500] (91 bytes)
Dec 12 20:03:00 lbox charon: 06[ENC] parsed INFORMATIONAL_V1 request 1921070197 [ N(AUTH_FAILED) ]
Dec 12 20:03:00 lbox charon: 06[IKE] received AUTHENTICATION_FAILED error notify
Dec 12 20:03:00 lbox charon: 06[IKE] IKE_SA test[1] state change: CONNECTING => DESTROYING
</pre>
<p><br>
</p>
<p>On the Zyxel, my choices are to look at "All Logs" or "Debug Logs".  They contain different information.</p>
<p><br>
</p>
<p>In "All Logs":</p>
<pre>
IKE The cookie pair is ...
IKE Recv Main Mode Request from [&lt;StrongSwan Public IP&gt;]
Recv:[SA][VID][VID][VID][VID]
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 2048 bit MODP;).
IKE The cookie pair is ....
IKE [SA]: No proposal chosen
IKE Send:[SA]
IKE Recv:[KE][NONCE]
IKE Send:[NOTIFY:AUTHENTICATION_FAILED]
</pre>
<p><br>
</p>
<p>In the "Debug Logs" I get a sequence as in my original message.</p>
<p><br>
</p>
<p>The Zyxel configures through a browser.  It's not clear what information from that configuration should be sent nor how to send it in this format.</p>
<p><br>
</p>
<p>If I change the StrongSwan settings to use different encryption algorithms, I get a different error on both ends, so I'm convinced that the algorithms match. (In addition, I was using the same algorithms on the WORKING OpenSwan configuration.)  I checked the PSK several times, and I'm confident that it matches.</p>
</div>
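<p>To read a failure like the one in the message above off the log rather than by eye, and to check the NAT-T point raised in the reply below it (whether the peer ever acknowledged NAT-T and whether NAT-D payloads were exchanged), here is a small charon log analyser. It is an added example written for this page, not code from strongSwan or from anyone in this thread. The sample it embeds is a constructed subset of the syslog lines pasted above, with the poster's IP placeholders kept verbatim; the names IkeTrace, parse_charon_log and main_mode_report are this example's own. It reports which Main Mode step the initiator reached, whether any vendor ID came back from the peer, whether NAT-D payloads appeared, whether an ID payload had been sent before the SA was torn down, and which error notify ended it. It states only what the logged payload lists say and does not diagnose the cause.</p>

```python
"""Added example: summarise a strongSwan charon IKEv1 Main Mode run from its log.

Parses the [ENC]/[IKE] lines charon writes (charondebug=ike 4, enc 4 or
similar) and reports how far Main Mode got before an error notify arrived.
The names IkeTrace, parse_charon_log, main_mode_report and describe are this
example's own, not part of strongSwan."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a subset of the charon lines pasted in the thread, with
# the poster's IP placeholders kept verbatim (not a fresh capture).
SAMPLE_LOG = """\
Dec 12 20:02:59 lbox charon: 15[IKE] sending NAT-T (RFC 3947) vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] sending draft-ietf-ipsec-nat-t-ike-02\\n vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] initiating Main Mode IKE_SA test[1] to <Zyxel Public IP>
Dec 12 20:02:59 lbox charon: 15[IKE] IKE_SA test[1] state change: CREATED => CONNECTING
Dec 12 20:02:59 lbox charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V ]
Dec 12 20:02:59 lbox charon: 15[NET] sending packet: from <StrongSwan Local IP>[500] to <Zyxel Public IP>[500] (156 bytes)
Dec 12 20:02:59 lbox charon: 16[NET] received packet: from <Zyxel Public IP>[500] to <StrongSwan Local IP>[500] (84 bytes)
Dec 12 20:02:59 lbox charon: 16[ENC] parsed ID_PROT response 0 [ SA ]
Dec 12 20:02:59 lbox charon: 16[ENC] generating ID_PROT request 0 [ KE No ]
Dec 12 20:02:59 lbox charon: 16[NET] sending packet: from <StrongSwan Local IP>[500] to <Zyxel Public IP>[500] (324 bytes)
Dec 12 20:03:00 lbox charon: 09[NET] received packet: from <Zyxel Public IP>[500] to <StrongSwan Local IP>[500] (91 bytes)
Dec 12 20:03:00 lbox charon: 06[ENC] parsed INFORMATIONAL_V1 request 1921070197 [ N(AUTH_FAILED) ]
Dec 12 20:03:00 lbox charon: 06[IKE] received AUTHENTICATION_FAILED error notify
Dec 12 20:03:00 lbox charon: 06[IKE] IKE_SA test[1] state change: CONNECTING => DESTROYING
"""

# syslog prefix + charon's "<thread>[<group>] <message>" form
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
# "[ENC] generating ID_PROT request 0 [ SA V V V V ]" and "parsed ... response"
ENC_RE = re.compile(
    r"^(?P<dir>generating|parsed) (?P<exch>\S+) (?P<kind>request|response) "
    r"(?P<mid>\d+) \[ (?P<payloads>.*?) \]$")
STATE_RE = re.compile(r"^IKE_SA (?P<name>\S+) state change: (?P<src>\w+) => (?P<dst>\w+)$")
NOTIFY_RE = re.compile(r"^received (?P<name>[A-Z_]+) error notify$")
VID_RE = re.compile(r"^sending (?P<vid>.+) vendor ID$")

# Main Mode message pairs in order, keyed by the payload that marks the
# initiator's message of that pair (RFC 2409 section 5.4, pre-shared key).
MAIN_MODE_STEPS = [("SA", "proposal (messages 1-2)"),
                   ("KE", "key exchange (messages 3-4)"),
                   ("ID", "identity and hash (messages 5-6)")]


@dataclass
class IkeTrace:
    sa_name: Optional[str] = None
    states: list = field(default_factory=list)      # (from, to) transitions
    vendor_ids: list = field(default_factory=list)  # vendor IDs we announced
    messages: list = field(default_factory=list)    # (dir, exchange, kind, payloads)
    error_notify: Optional[str] = None


def parse_charon_log(text: str) -> IkeTrace:
    """Collect IKE_SA-level events from syslog-style charon lines."""
    trace = IkeTrace()
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue                      # not a charon line in the expected form
        msg = line["msg"]
        if (e := ENC_RE.match(msg)):
            trace.messages.append((e["dir"], e["exch"], e["kind"], e["payloads"].split()))
        elif (s := STATE_RE.match(msg)):
            trace.sa_name = s["name"]
            trace.states.append((s["src"], s["dst"]))
        elif (n := NOTIFY_RE.match(msg)):
            trace.error_notify = n["name"]
        elif (v := VID_RE.match(msg)):
            trace.vendor_ids.append(v["vid"])
    return trace


def main_mode_report(trace: IkeTrace) -> dict:
    """Facts about the Main Mode run, derived only from the logged payload lists."""
    id_prot = [m for m in trace.messages if m[1] == "ID_PROT"]
    sent = [m[3] for m in id_prot if m[0] == "generating"]
    received = [m[3] for m in id_prot if m[0] == "parsed"]
    reached = None
    for marker, label in MAIN_MODE_STEPS:
        if any(marker in payloads for payloads in sent):
            reached = label
    return {
        "sa": trace.sa_name,
        "final_state": trace.states[-1][1] if trace.states else None,
        "requests_sent": len(sent),
        "responses_received": len(received),
        "last_step_initiated": reached,
        "offered_natt_vid": any("nat-t" in v.lower() for v in trace.vendor_ids),
        "peer_echoed_vid": any("V" in payloads for payloads in received),
        "natd_seen": any("NAT-D" in m[3] for m in id_prot),
        "id_sent_before_end": any("ID" in payloads for payloads in sent),
        "error_notify": trace.error_notify,
    }


def describe(report: dict) -> str:
    """Human-readable summary of main_mode_report()."""
    out = [
        f"IKE_SA {report['sa']}: final state {report['final_state']}",
        f"  Main Mode: {report['requests_sent']} request(s) sent, "
        f"{report['responses_received']} response(s) received; "
        f"last step initiated: {report['last_step_initiated']}",
        f"  NAT-T vendor ID offered: {report['offered_natt_vid']}; "
        f"peer echoed any vendor ID: {report['peer_echoed_vid']}; "
        f"NAT-D payloads seen: {report['natd_seen']}",
        f"  ID payload sent before the SA ended: {report['id_sent_before_end']}",
    ]
    if report["error_notify"]:
        out.append(f"  peer's error notify: {report['error_notify']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(describe(main_mode_report(parse_charon_log(SAMPLE_LOG))))
```

<p>To run it against a real log, replace SAMPLE_LOG with the file's contents (for instance, read from sys.stdin); lines that are not in the syslog form shown are ignored, so the whole of /var/log/syslog can be fed in. On the sample it reports two requests sent and one response received, no vendor ID echoed by the peer, no NAT-D payloads, no ID payload sent, and AUTHENTICATION_FAILED as the notify that ended the SA.</p>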
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Noel Kuntze <noel@familie-kuntze.de><br>
<b>Sent:</b> Monday, December 12, 2016 3:27:48 PM<br>
<b>To:</b> Watson Hewitt; users@lists.strongswan.org<br>
<b>Subject:</b> Re: [strongSwan] Issue with authentication under IKEv1 + NAT + PSK</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">Hello Watson,<br>
<br>
On 13.12.2016 00:24, Watson Hewitt wrote:<br>
> My understanding from the docs is that StrongSwan does not support that config option anymore and that charon is supposed to handle this automatically and internally.<br>
<br>
NAT-T is enabled and enforced when NAT is detected or forced to be used by using forceencaps=yes in ipsec.conf (similar option in swanctl.conf).<br>
<br>
Your email lacks information. We require logs and configs. You're probably doing something inherently wrong.<br>
<br>
-- <br>
<br>
Mit freundlichen Grüßen/Kind Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
<br>
</div>
</span></font></div>
</body>
</html>