[strongSwan] Mixed ikev1/ikev2 rw setup

Russ Cox russ.cox at e-dba.net
Fri Feb 26 12:27:27 CET 2010


You are a lovely, lovely man. That change, plus a few easier-to-debug 
problems, has ikev1 working for me from my offsite Linux box. Now to get 
XP and OS X working.

Thanks so much for the quick reply ;D

R

PS - In case it's of any use to someone else, below is my current 
gateway config for a dual ikev1 and ikev2 NAT roadwarrior setup.

==================
# ipsec.conf - strongSwan IPsec configuration file

config setup
         crlcheckinterval=180
         strictcrlpolicy=no
         nat_traversal=yes
         charonstart=yes        # charon handles the IKEv2 conns
         plutostart=yes         # pluto handles the IKEv1 conns
         plutodebug=control


# Add connections here.

conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=1
         leftcert=vpngw.mydomain.net-cert.pem
         leftid=@vpngw.mydomain.net
         leftfirewall=yes
         # no left= here: pluto cannot use left=%any, so each conn sets its own

conn rw-nat-ikev2
         left=%any              # fine for charon, which picks the local address per peer
         leftsubnet=0.0.0.0/0
         right=%any
         keyexchange=ikev2
         rightsourceip=192.168.5.0/24
         auto=add

conn rw-nat-ikev1
         left=%defaultroute     # pluto needs %defaultroute or a static address, not %any
         pfs=no                 # no DH exchange in Quick Mode; weaker, only for clients that cannot do PFS
         leftsubnet=0.0.0.0/0
         right=%any
         rightsourceip=192.168.5.0/24   # same pool as the ikev2 conn: pluto and charon lease
                                        # from it independently, so an address can be handed out twice
         keyexchange=ikev1
         auto=add
================

On 25/02/10 17:50, Andreas Steffen wrote:
> Hi Russ,
>
> I think the problem is that the Pluto IKEv1 daemon does not support
> left=%any, i.e. multi-homing where the source IP is determined
> automatically based on the route to right. So please set left either
> to %defaultroute or to a static IP address for the IKEv1 case.
> left=%any is ok with IKEv2.
>
> Best regards
>
> Andreas
>
> Russ Cox wrote:
>    
>> Hi all - I've managed to get a roadwarrior setup working using ikev2 and
>> x509 certs, which is great for Linux and Windows 7 rw's but I need ikev1
>> working alongside for XP, Vista and OS X rw's - so far not having much
>> joy and google isn't throwing up much.
>>
>> If I change the roadwarrior ipsec.conf 'keyexchange=ikev1" to ikev2 - it
>> works fine.
>>
>> Any help would be fantastic, I would love to just get this out the way -
>> it's been dragging on now ;D
>>
>> My setup
>>
>> Strongswan gw
>>
>> vpngw===nat/router==tinternet===nat/router===rw machine
>> 192.168.0.18                                          y.y.y.y
>>
>>
>> Config is below;
>>
>> RW machine;
>>
>> ================
>> ted:/etc/ipsec.d# ipsec up nat
>> 002 "nat" #1: initiating Main Mode
>> 104 "nat" #1: STATE_MAIN_I1: initiate
>> 010 "nat" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
>> 010 "nat" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
>> 031 "nat" #1: max number of retransmissions (2) reached STATE_MAIN_I1.
>> No response (or no acceptable response) to our first IKE message
>> =================
>>
>> /var/log/auth.log on VPN GW
>>
>> =========
>> Feb 25 12:34:02 lister pluto[16253]: | next event EVENT_REINIT_SECRET in
>> 2400 seconds
>> Feb 25 12:34:12 lister pluto[16253]: |
>> Feb 25 12:34:12 lister pluto[16253]: | *received 288 bytes from [RW NAT
>> IP]:500 on eth0
>> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
>> ignoring Vendor ID payload [strongSwan 4.3.2]
>> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
>> ignoring Vendor ID payload [Cisco-Unity]
>> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
>> received Vendor ID payload [XAUTH]
>> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
>> received Vendor ID payload [Dead Peer Detection]
>> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
>> received Vendor ID payload [RFC 3947]
>> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
>> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
>> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>> Feb 25 12:34:12 lister pluto[16253]: | preparse_isakmp_policy: peer
>> requests PUBKEY authentication
>> Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
>> initial Main Mode message received on 192.168.0.18:500 but no connection
>> has been authorized with policy=PUBKEY
>> Feb 25 12:34:12 lister pluto[16253]: | next event EVENT_REINIT_SECRET in
>> 2390 seconds
>> Feb 25 12:34:32 lister pluto[16253]: |
>> =========
>>
>>
>> VPN GW machine- strongswan 4.3.5 - ipsec.conf
>>
>> ====START=====
>> config setup
>>           crlcheckinterval=180
>>           strictcrlpolicy=no
>>           nat_traversal=yes
>>           charonstart=yes
>>           plutostart=yes
>>           plutodebug=control
>>
>> # Add connections here.
>>
>> conn %default
>>           ikelifetime=60m
>>           keylife=20m
>>           rekeymargin=3m
>>           keyingtries=1
>>           left=%any
>>           leftcert=vpngw.mydomain.net-cert.pem
>>           leftid=@vpngw.mydomain.net
>>           leftfirewall=yes
>>
>> conn nat-ikev2
>>           leftsubnet=0.0.0.0/0
>>           right=%any
>>           keyexchange=ikev2
>>           rightsourceip=192.168.5.0/24
>>           auto=add
>>
>> conn nat-ikev1
>>           pfs=no
>>           leftsubnet=0.0.0.0/0
>>           right=%any
>>           rightsourceip=192.168.6.0/24
>>           keyexchange=ikev1
>>           auto=add
>> ======END ======
>>
>>
>>
>> Test roadwarrior machine - debian 4 with strongswan 4.3.2
>> ipsec.conf
>>
>> ====START====
>>
>> config setup
>>           crlcheckinterval=180
>>       strictcrlpolicy=no
>>       charonstart=no
>>       plutodebug=control
>>       nat_traversal=yes
>>
>> conn %default
>>       ikelifetime=60m
>>       keylife=20m
>>       rekeymargin=3m
>>       keyingtries=1
>>       keyexchange=ikev1
>>
>> conn nat
>>       left=%defaultroute
>>       forceencaps=yes
>>       compress=yes
>>       leftsourceip=%config
>>       leftcert=russ.mydomain.net-cert.pem
>>       leftid=russ.cox at mydomain.net
>>       leftauth=pubkey
>>       right=vpngw.mydomain.net
>>       rightid=@vpngw.mydomain.net
>>       rightsubnet=0.0.0.0/0   # 0.0.0.0/24 in the original post; must match the gateway's leftsubnet=0.0.0.0/0
>>       auto=add
>>
>> ====END====
>>      
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>    

-- 

Russ Cox
Systems Engineer

e-DBA Ltd.
48A Old Steine,
Brighton, East Sussex,
BN1 1NH

Main:      +44 (0) 870 366 7800
Direct:    +44 (0) 127 322 4704
email:     russ.cox at e-dba.net
Msn:	   russ.cox at e-dba.net
Skype:     russc0x

Company No: 365969

Oracle Partner of the Year
General Business Technology

UKOUG Partner of the year
(4 categories)
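A small lint for the two gateway-side pitfalls this thread turns up: an IKEv1 conn inheriting left=%any (which pluto cannot resolve, per Andreas's reply) and a single rightsourceip pool handed out by both daemons. This is an added example for this page, not strongSwan code; the parser, the function names and the embedded sample configs are constructed from the two ipsec.conf fragments above, and the pool check rests on the assumption that pluto and charon in 4.x each keep their own in-memory address pool.

```python
"""Lint a strongSwan 4.x ipsec.conf for the mixed IKEv1/IKEv2 pitfalls in
this thread.  Added example for this page; not strongSwan code."""

# Constructed samples: the original gateway config (left=%any inherited
# from %default) and the revised one (left set per conn, one shared pool).
BROKEN_GATEWAY_CONF = """\
config setup
        plutostart=yes

conn %default
        left=%any
        leftcert=vpngw.mydomain.net-cert.pem
        leftid=@vpngw.mydomain.net

conn nat-ikev2
        leftsubnet=0.0.0.0/0
        right=%any
        keyexchange=ikev2
        rightsourceip=192.168.5.0/24

conn nat-ikev1
        pfs=no
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=192.168.6.0/24
        keyexchange=ikev1
"""

FIXED_GATEWAY_CONF = """\
conn %default
        leftcert=vpngw.mydomain.net-cert.pem
        leftid=@vpngw.mydomain.net

conn rw-nat-ikev2
        left=%any
        right=%any
        keyexchange=ikev2
        rightsourceip=192.168.5.0/24

conn rw-nat-ikev1
        left=%defaultroute
        right=%any
        rightsourceip=192.168.5.0/24
        keyexchange=ikev1
"""


def parse_ipsec_conf(text):
    """Return {conn_name: settings} with 'conn %default' merged into every
    other conn (the conn's own keys win).  'config setup' is skipped.
    Section headers start in column 0, settings are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                       # 'conn X' / 'config setup'
            parts = line.split(None, 1)
            current = parts[1] if len(parts) == 2 and parts[0] == "conn" else None
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **s} for name, s in sections.items()}


def lint(conns):
    """Return human-readable findings for the merged conns."""
    findings, by_pool = [], {}
    for name, c in conns.items():
        kx = c.get("keyexchange")                       # unset: not classified
        if kx == "ikev1" and c.get("left") == "%any":
            findings.append(f"{name}: left=%any is not supported by pluto (IKEv1); "
                            "use left=%defaultroute or a static address")
        pool = c.get("rightsourceip", "")
        if "/" in pool and kx in ("ikev1", "ikev2"):
            by_pool.setdefault(pool, {}).setdefault(kx, []).append(name)
    # Assumption: pluto and charon each keep a separate in-memory pool, so one
    # range shared across daemons can lease the same address twice.
    for pool, users in by_pool.items():
        if "ikev1" in users and "ikev2" in users:
            findings.append(f"pool {pool} is used by ikev1 conn(s) {users['ikev1']} and "
                            f"ikev2 conn(s) {users['ikev2']}; pluto and charon keep separate "
                            "pools, so one address can be leased twice")
    return findings


if __name__ == "__main__":
    for label, conf in (("original", BROKEN_GATEWAY_CONF), ("revised", FIXED_GATEWAY_CONF)):
        print(f"== {label} gateway config ==")
        for f in lint(parse_ipsec_conf(conf)) or ["no findings"]:
            print(" -", f)
```

Run against the original config it reports only the left=%any problem on nat-ikev1 (the ikev2 conn is allowed to keep %any); against the revised config it is silent on %any and flags the shared 192.168.5.0/24 pool instead. Feed it a real file with `parse_ipsec_conf(open("/etc/ipsec.conf").read())`.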
