[strongSwan] Mixed ikev1/ikev2 rw setup
Andreas Steffen
andreas.steffen at strongswan.org
Thu Feb 25 18:50:05 CET 2010
Hi Russ,
I think the problem is that the Pluto IKEv1 daemon does not support
left=%any, i.e. multi-homing where the source IP is determined
automatically based on the route to right. So please set left either
to %defaultroute or to a static IP address for the IKEv1 case.
left=%any is ok with IKEv2.
Best regards
Andreas
Russ Cox wrote:
> Hi all - I've managed to get a roadwarrior setup working using ikev2 and
> x509 certs, which is great for Linux and Windows 7 rw's but I need ikev1
> working alongside for XP, Vista and OS X rw's - so far not having much
> joy and google isn't throwing up much.
>
> If I change the roadwarrior ipsec.conf 'keyexchange=ikev1' to ikev2 - it
> works fine.
>
> Any help would be fantastic, I would love to just get this out the way -
> it's been dragging on now ;D
>
> My setup
>
> Strongswan gw
>
> vpngw===nat/router==tinternet===nat/router===rw machine
> 192.168.0.18 y.y.y.y
>
>
> Config is below;
>
> RW machine;
>
> ================
> ted:/etc/ipsec.d# ipsec up nat
> 002 "nat" #1: initiating Main Mode
> 104 "nat" #1: STATE_MAIN_I1: initiate
> 010 "nat" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
> 010 "nat" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
> 031 "nat" #1: max number of retransmissions (2) reached STATE_MAIN_I1.
> No response (or no acceptable response) to our first IKE message
> =================
>
> /var/log/auth.log on VPN GW
>
> =========
> Feb 25 12:34:02 lister pluto[16253]: | next event EVENT_REINIT_SECRET in
> 2400 seconds
> Feb 25 12:34:12 lister pluto[16253]: |
> Feb 25 12:34:12 lister pluto[16253]: | *received 288 bytes from [RW NAT
> IP]:500 on eth0
> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> ignoring Vendor ID payload [strongSwan 4.3.2]
> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> ignoring Vendor ID payload [Cisco-Unity]
> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> received Vendor ID payload [XAUTH]
> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> received Vendor ID payload [Dead Peer Detection]
> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> received Vendor ID payload [RFC 3947]
> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Feb 25 12:34:12 lister pluto[16253]: | preparse_isakmp_policy: peer
> requests PUBKEY authentication
> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> initial Main Mode message received on 192.168.0.18:500 but no connection
> has been authorized with policy=PUBKEY
> Feb 25 12:34:12 lister pluto[16253]: | next event EVENT_REINIT_SECRET in
> 2390 seconds
> Feb 25 12:34:32 lister pluto[16253]: |
> =========
>
>
> VPN GW machine- strongswan 4.3.5 - ipsec.conf
>
> ====START=====
> config setup
>     crlcheckinterval=180
>     strictcrlpolicy=no
>     nat_traversal=yes
>     charonstart=yes
>     plutostart=yes
>     plutodebug=control
>
> # Add connections here.
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     left=%any
>     leftcert=vpngw.mydomain.net-cert.pem
>     leftid=@vpngw.mydomain.net
>     leftfirewall=yes
>
> conn nat-ikev2
>     leftsubnet=0.0.0.0/0
>     right=%any
>     keyexchange=ikev2
>     rightsourceip=192.168.5.0/24
>     auto=add
>
> conn nat-ikev1
>     pfs=no
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightsourceip=192.168.6.0/24
>     keyexchange=ikev1
>     auto=add
> ======END ======
>
>
>
> Test roadwarrior machine - debian 4 with strongswan 4.3.2
> ipsec.conf
>
> ====START====
>
> config setup
>     crlcheckinterval=180
>     strictcrlpolicy=no
>     charonstart=no
>     plutodebug=control
>     nat_traversal=yes
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>
> conn nat
>     left=%defaultroute
>     forceencaps=yes
>     compress=yes
>     leftsourceip=%config
>     leftcert=russ.mydomain.net-cert.pem
>     leftid=russ.cox at mydomain.net
>     leftauth=pubkey
>     right=vpngw.mydomain.net
>     rightid=@vpngw.mydomain.net
>     rightsubnet=0.0.0.0/24
>     auto=add
>
> ====END====
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
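As an added example that is not part of this thread or of strongSwan itself: a small Python lint that parses an ipsec.conf in the shape posted above, applies conn %default inheritance, and lists the IKEv1 connections whose left ends up as %any, the case Andreas says pluto cannot handle. SAMPLE_CONF, parse_ipsec_conf, effective and find_ikev1_left_any are my names; that an unset keyexchange means IKEv1 (the 4.x default) is an assumption exposed as a parameter.

```python
"""Lint an ipsec.conf for IKEv1 conns that inherit left=%any (pluto cannot do that)."""

# Constructed sample mirroring the gateway config from the thread; indentation
# is optional for this parser because it keys on 'conn'/'config' headers only.
SAMPLE_CONF = """\
config setup
    plutostart=yes
    charonstart=yes
conn %default
    left=%any
    leftcert=vpngw.mydomain.net-cert.pem
conn nat-ikev2
    right=%any
    keyexchange=ikev2
conn nat-ikev1
    right=%any
    keyexchange=ikev1
"""

def parse_ipsec_conf(text):
    """Return {'conn NAME' or 'config setup': {key: value}} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        head = line.split(None, 1)
        if head[0] in ("conn", "config") and len(head) == 2:
            current = sections.setdefault(" ".join(head), {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return sections

def effective(sections, conn, key, fallback=None):
    """Parameter lookup with 'conn %default' inheritance, as ipsec.conf applies it."""
    default = sections.get("conn %default", {})
    return sections.get("conn " + conn, {}).get(key, default.get(key, fallback))

def find_ikev1_left_any(text, default_keyexchange="ikev1"):
    """Conns pluto would handle whose left resolves to %any.
    default_keyexchange assumes strongSwan 4.x, where an unset keyexchange
    ('ike') meant IKEv1; pass 'ikev2' to model the 5.x default."""
    sections = parse_ipsec_conf(text)
    conns = [n[5:] for n in sections if n.startswith("conn ") and n != "conn %default"]
    return [c for c in conns
            if effective(sections, c, "keyexchange", default_keyexchange) in ("ikev1", "ike")
            and effective(sections, c, "left") == "%any"]
```

Running find_ikev1_left_any on the gateway config above reports only nat-ikev1, which is exactly the conn that should get left=%defaultroute or a static address while nat-ikev2 may keep the inherited %any.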