[strongSwan] Ikev2 on initiator side and ikev1 on responder side

ashish mahalka amahalka@gmail.com
Thu Mar 11 09:36:42 CET 2010


Hello Andreas,

I am seeing some strange behaviour while establishing a security association.

10.10.10.3          ========================          10.10.10.5
(Initiator)                                           (Responder)
(keyexchange=ikev2)                                   (keyexchange=ikev1)

In the ipsec.conf file for the Initiator, keyexchange is specified as
ikev2, whereas for the Responder it is specified as ikev1. But still I
am able to establish an IKEv2 association between the two peers.

I am using strongSwan version 4.3.4. Can you please help me in
solving this issue?
Below are the ipsec.conf files and the output of "ipsec statusall" for
both peers.

<INITIATOR>
config setup
  strictcrlpolicy=no
  nat_traversal=no
  plutostart=yes
  plutodebug=all
  charonstart=yes
  charondebug="dmn 3, mgr 3, ike 3, chd 3, job 3, cfg 3, knl 3, net 3,enc 3"

conn conn3
   type=tunnel
   leftsubnet=10.10.10.0/24
   rightsubnet=10.10.10.0/24
   auto=start
   left=10.10.10.3
   right=10.10.10.5
   rightid="C=IN, ST=KAR, O=WIPRO, OU=NSN, CN=wipro.com, E=sdu@wipro.com"
   leftcert=BTS_CERT_FILE.pem
   keyexchange=ikev2
   pfs=no
   ike=aes128-sha1-modp1024!
   esp=aes128-sha1!
   ikelifetime=86400s
   authby=pubkey
   keylife=86400
   keyingtries=%forever
   dpdaction=clear
   mobike=no
   dpddelay=10
   dpdtimeout=120
   rekeyfuzz=0%
   rekeymargin=17280
   leftprotoport=17/200
   rightprotoport=17/200


<RESPONDER>
config setup
  strictcrlpolicy=no
  nat_traversal=no
  plutostart=yes
  plutodebug=all
  charonstart=yes
  charondebug="dmn 3, mgr 3, ike 3, chd 3, job 3, cfg 3, knl 3, net 3, enc 3"
conn conn1
   type=tunnel
   leftsubnet=10.10.10.0/24
   rightsubnet=10.10.10.0/24
   auto=add
   left=10.10.10.5
   right=10.10.10.3
   leftcert=BTS_CERT_FILE.pem
   rightid="C=IN, ST=KAR, O=WIPRO, OU=NSN, CN=wipro.com, E=sdu@wipro.com"
   keyexchange=ikev1
   ike=aes128-sha1-modp1024!
   pfs=no
   ikelifetime=86400s
   esp=aes128-sha1!
   authby=pubkey
   keyingtries=%forever
   dpdaction=clear
   mobike=no
   dpddelay=10
   dpdtimeout=120
   keylife=86400
   rekeyfuzz=0%
   rekeymargin=17280
   leftprotoport=17/200
   rightprotoport=17/200

<INITIATOR>
[root@localhost etc]# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.3.4):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.10.10.3:500
000 interface eth1/eth1 10.125.45.76:500
000 %myid = (none)
000 loaded plugins: aes des sha1 sha2 md5 random pubkey hmac gmp
000 debug options: raw+crypt+parsing+emitting+control+lifecycle+klips+dns+natt+oppo+controlmore
000
Status of IKEv2 charon daemon (strongSwan 4.3.4):
  uptime: 26 seconds, since Mar 11 11:30:17 2010
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 5
  loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown attr resolv-conf
Listening IP addresses:
  10.10.10.3
  10.125.45.76
Connections:
       conn3:  10.10.10.3...10.10.10.5, dpddelay=10s
       conn3:   local:  [C=IN, ST=KAR, O=WIPRO, OU=NSN, CN=wipro.com, E=sdu@wipro.com] uses public key authentication
       conn3:    cert:  "C=IN, ST=KAR, O=WIPRO, OU=NSN, CN=wipro.com, E=sdu@wipro.com"
       conn3:   remote: [C=IN, ST=KAR, O=WIPRO, OU=NSN, CN=wipro.com, E=sdu@wipro.com] uses any authentication
       conn3:   child:  10.10.10.0/24[udp/src] === 10.10.10.0/24[udp/src] , dpdaction=clear
Security Associations:
       conn3[1]: ESTABLISHED 18 seconds ago, 10.10.10.3[C=IN, ST=KAR, O=WIPRO, OU=NSN, CN=wipro.com, E=sdu@wipro.com]...10.10.10.5[C=IN, ST=KAR, O=WIPRO, OU=NSN, CN=wipro.com, E=sdu@wipro.com]
       conn3[1]: IKE SPIs: 2e4789200ae32830_i* e619a6965df7a48a_r, public key reauthentication in 14 hours
       conn3[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       conn3{1}:  INSTALLED, TUNNEL, ESP SPIs: c095cca0_i cfc46b81_o
       conn3{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 19 hours
       conn3{1}:   10.10.10.0/24[udp/src] === 10.10.10.0/24[udp/src]

<RESPONDER>
[root@ipsec01-axc etc]# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.3.4):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.120.165.230:500
000 interface eth1/eth1 10.10.10.5:500
000 %myid = (none)
000 loaded plugins: aes des sha1 sha2 md5 random pubkey hmac gmp
000 debug options: raw+crypt+parsing+emitting+control+lifecycle+klips+dns+natt+oppo+controlmore
000
000 "conn1": 10.10.10.0/24===10.10.10.5[C=IN, ST=KAR, O=WIPRO, OU=NSN, CN=wipro.com, E=sdu@wipro.com]:17/200...10.10.10.3[C=IN, ST=KAR, O=WIPRO, OU=NSN, CN=wipro.com, E=sdu@wipro.com]:17/200===10.10.10.0/24; unrouted; eroute owner: #0
000 "conn1":   CAs: 'C=IN, ST=KAR, L=BAN, O=WIPRO, OU=NSN, CN=wipro.com, E=sdu@wipro.com'...'%any'
000 "conn1":   ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 17280s; rekey_fuzz: 0%; keyingtries: 0
000 "conn1":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 120s;
000 "conn1":   policy: PUBKEY+ENCRYPT+TUNNEL; prio: 24,24; interface: eth1;
000 "conn1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
Status of IKEv2 charon daemon (strongSwan 4.3.4):
  uptime: 93 seconds, since Mar 11 11:23:59 2010
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
  loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown attr resolv-conf
Listening IP addresses:
  10.120.165.230
  10.10.10.5
Connections:
Security Associations:
       conn1[1]: ESTABLISHED 86 seconds ago, 10.10.10.5[C=IN, ST=KAR, O=WIPRO, OU=NSN, CN=wipro.com, E=sdu@wipro.com]...10.10.10.3[C=IN, ST=KAR, O=WIPRO, OU=NSN, CN=wipro.com, E=sdu@wipro.com]
       conn1[1]: IKE SPIs: 2e4789200ae32830_i e619a6965df7a48a_r*, public key reauthentication in 19 hours
       conn1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       conn1{1}:  INSTALLED, TUNNEL, ESP SPIs: cfc46b81_i c095cca0_o
       conn1{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 19 hours
       conn1{1}:   10.10.10.0/24[udp/src] === 10.10.10.0/24[udp/src]


Thanks in advance,
Regards,
Ashish.
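An added example, not from Ashish's message and not strongSwan's own code: a small Python checker that parses the two ipsec.conf files posted above and reports every setting the two peers are required to agree on (keyexchange, IKE/ESP proposals, lifetimes, and the mirrored left/right addresses, subnets, protoports and identities). Run against the configs in the post it flags exactly the keyexchange mismatch; it says nothing about why charon on the responder still completed the IKEv2 exchange, which the post leaves open. The config text is copied from the post; the function names, the lists of compared keys and the handling of `conn %default` are this example's own choices.

```python
"""Cross-check two strongSwan ipsec.conf files for peer-to-peer mismatches.

Added example (not from the mailing-list post or from strongSwan). The parser
handles the flat ipsec.conf syntax used in the post: unindented
'config setup' / 'conn NAME' headers followed by indented key=value lines.
"""
import re
from typing import Dict, List

# Settings that must be identical on both peers for the conn to match.
SYMMETRIC_KEYS = ("keyexchange", "type", "ike", "esp", "pfs", "authby",
                  "ikelifetime", "keylife")
# Suffixes of left*/right* settings that must appear mirrored across peers.
MIRRORED_SUFFIXES = ("", "subnet", "protoport", "id")

# Constructed from the two ipsec.conf files in the post (cert paths omitted).
INITIATOR_CONF = """
config setup
  strictcrlpolicy=no
  plutostart=yes
  charonstart=yes
  charondebug="dmn 3, mgr 3, ike 3, chd 3, job 3, cfg 3, knl 3, net 3, enc 3"

conn conn3
   type=tunnel
   leftsubnet=10.10.10.0/24
   rightsubnet=10.10.10.0/24
   auto=start
   left=10.10.10.3
   right=10.10.10.5
   rightid="C=IN, ST=KAR, O=WIPRO, OU=NSN, CN=wipro.com, E=sdu@wipro.com"
   keyexchange=ikev2
   pfs=no
   ike=aes128-sha1-modp1024!
   esp=aes128-sha1!
   ikelifetime=86400s
   authby=pubkey
   keylife=86400
   leftprotoport=17/200
   rightprotoport=17/200
"""

RESPONDER_CONF = """
config setup
  strictcrlpolicy=no
  plutostart=yes
  charonstart=yes

conn conn1
   type=tunnel
   leftsubnet=10.10.10.0/24
   rightsubnet=10.10.10.0/24
   auto=add
   left=10.10.10.5
   right=10.10.10.3
   rightid="C=IN, ST=KAR, O=WIPRO, OU=NSN, CN=wipro.com, E=sdu@wipro.com"
   keyexchange=ikev1
   ike=aes128-sha1-modp1024!
   pfs=no
   ikelifetime=86400s
   esp=aes128-sha1!
   authby=pubkey
   keylife=86400
   leftprotoport=17/200
   rightprotoport=17/200
"""


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; 'config setup' is stored as 'setup'."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = re.match(r"^(config|conn|ca)\s+(\S+)\s*$", line)
        if header and not raw[0].isspace():
            kind, name = header.groups()
            current = "setup" if kind == "config" else f"{kind} {name}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        # Split on the FIRST '=' only: DN values such as rightid contain '='.
        key, _, value = line.strip().partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        sections[current][key.strip()] = value
    return sections


def effective_conn(sections: Dict[str, Dict[str, str]], name: str) -> Dict[str, str]:
    """Merge 'conn %default' (if present) under the named conn, as starter does."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections[f"conn {name}"])
    return merged


def compare_peers(init_conf: str, init_conn: str,
                  resp_conf: str, resp_conn: str) -> List[str]:
    """List the settings on which the two peers' conns disagree."""
    a = effective_conn(parse_ipsec_conf(init_conf), init_conn)
    b = effective_conn(parse_ipsec_conf(resp_conf), resp_conn)
    problems: List[str] = []
    for key in SYMMETRIC_KEYS:
        if key in a and key in b and a[key] != b[key]:
            problems.append(f"{key}: {init_conn} has {a[key]!r}, {resp_conn} has {b[key]!r}")
    for suffix in MIRRORED_SUFFIXES:
        # My 'left*' is the peer's 'right*' and vice versa; skip keys a side omits.
        for mine, theirs in (("left" + suffix, "right" + suffix), ("right" + suffix, "left" + suffix)):
            if mine in a and theirs in b and a[mine] != b[theirs]:
                problems.append(f"{mine} on {init_conn} ({a[mine]!r}) != {theirs} on {resp_conn} ({b[theirs]!r})")
    return problems


if __name__ == "__main__":
    for problem in compare_peers(INITIATOR_CONF, "conn3", RESPONDER_CONF, "conn1"):
        print("MISMATCH:", problem)
```

The check is deliberately conservative: a key is compared only when both peers set it, so settings one side leaves at the daemon default (such as leftid, which strongSwan takes from the certificate) are not reported as mismatches. Point it at the real files with `pathlib.Path("/etc/ipsec.conf").read_text()` on each host to use it outside this example.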





