[strongSwan] interop between FREES/WAN and racoon2;

Yatong Cui yacui at redhat.com
Fri Oct 22 11:28:10 CEST 2010


Hi all,

In recent days, I've tried to configure an IKEv2 connection between racoon2 and openswan/strongswan, but I keep running into trouble. I hope people experienced in the interop between racoon2 and FreeS/WAN derivatives can give me some advice on it.

I've made successful connections between two racoon2 hosts and between two FreeS/WAN-derived hosts (either openswan or strongswan), but neither the racoon2-to-openswan nor the racoon2-to-strongswan connection gets established.

============================================================================
|Here are the detailed configuration settings for strongswan and racoon2.  |
============================================================================

TOPO:

RACOON2<=====>ROUTER<========>STRONGSWAN


CONFIG:
-------------------------------------------------------------
RACOON2 SIDE:
TAR-EN1# cat racoon2.conf
include "/usr/local/etc/racoon2/vals.conf";
interface
{
        ike {
                2001:db8:1:1:20c:29ff:fe4d:489 port 500;
        };
        spmd {
                unix "/var/run/racoon2/spmif";
        };
        spmd_password "/usr/local/etc/racoon2/spmd.pwd";
};
resolver
{
        resolver off;
};
include "/usr/local/etc/racoon2/default.conf";
include "/usr/local/etc/racoon2/transport_ike.conf";
TAR-EN1# cat vals.conf
setval {
        PSKDIR          "/usr/local/etc/racoon2/psk";
        PRESHRD_KEY     "tahi.psk"; 
        MY_IPADDRESS    2001:db8:1:1:20c:29ff:fe4d:489; 
        PEERS_IPADDRESS 2001:db8:1:2:20c:29ff:fe45:b04e;
        IKESAUP_SCR     "/usr/local/etc/racoon2/hook/ikesa-up";
        IKESADOWN_SCR   "/usr/local/etc/racoon2/hook/ikesa-down";
        CHILDUP_SCR     "/usr/local/etc/racoon2/hook/child-up";
        CHILDOWN_SCR    "/usr/local/etc/racoon2/hook/child-down";
        IKESAREKEY_SCR  "/usr/local/etc/racoon2/hook/ikesa-rekey";
        CHILDREKEY_SCR  "/usr/local/etc/racoon2/hook/child-rekey";
        MIGRATION_SCR   "/usr/local/etc/racoon2/hook/migration";
};
TAR-EN1# cat default.conf
default
{
        remote {
                acceptable_kmp { ikev2; };
                ikev2 {
                        logmode normal;
                        kmp_sa_lifetime_time infinite;
                        kmp_sa_lifetime_byte infinite;
                        max_retry_to_send 3;
                        interval_to_send 10 sec;
                        times_per_send 1;
                        kmp_enc_alg { 3des_cbc; };
                        kmp_hash_alg { hmac_sha1; };
                        kmp_prf_alg  { hmac_sha1;};
                        kmp_dh_group { modp1024;};
                        kmp_auth_method { psk; };
                        random_pad_content on;
                        random_padlen on;
                        max_padlen 50 bytes;
                 };
        };

        policy {
                ipsec_mode transport;
                ipsec_level require;
        };

        ipsec {
                ipsec_sa_lifetime_time infinite;
                ipsec_sa_lifetime_byte infinite;
        };

        sa {
                esp_enc_alg {  3des_cbc; };
                esp_auth_alg { hmac_sha1; };
        };
};

ipsec ipsec_esp {
        ipsec_sa_lifetime_time 28800 sec;
        sa_index esp_01;
};

sa esp_01 {
        sa_protocol esp;
        esp_enc_alg { 3des_cbc; };
        esp_auth_alg { hmac_sha1; };
};
TAR-EN1# cat transport_ike.conf
remote ike_trans_remote {
        acceptable_kmp { ikev2; };
        ikev2 {
                my_id ipaddr 2001:db8:1:1:20c:29ff:fe4d:489;
                peers_id ipaddr 2001:db8:1:2:20c:29ff:fe45:b04e;
                peers_ipaddr 2001:db8:1:2:20c:29ff:fe45:b04e port 500;
                kmp_auth_method { psk; };
                pre_shared_key "/usr/local/etc/racoon2/psk/tahi.psk";
              };
        selector_index ike_trans_sel_in;
};

selector ike_trans_sel_out {
        direction outbound;
        src 2001:db8:1:1:20c:29ff:fe4d:489;
        dst 2001:db8:1:2:20c:29ff:fe45:b04e;
        upper_layer_protocol "any";
        policy_index ike_trans_policy;
};

selector ike_trans_sel_in {
        direction inbound;
        dst 2001:db8:1:1:20c:29ff:fe4d:489;
        src 2001:db8:1:2:20c:29ff:fe45:b04e;
        upper_layer_protocol "any";
        policy_index ike_trans_policy;
};

policy ike_trans_policy {
        action auto_ipsec;
        remote_index ike_trans_remote;
        ipsec_mode transport;
        ipsec_index { ipsec_esp; };
        ipsec_level require;
};
TAR-EN1# cat psk/tahi.psk 
IKETEST123!
------------------------------------------------------------
STRONGSWAN SIDE:
linux-9deg:~ # cat /etc/ipsec.conf 
config setup
        crlcheckinterval="180"
        strictcrlpolicy=no
        charonstart=yes

conn %default
        keyingtries=1
        ike=aes-sha1-modp1024
        esp=3des-sha1
        authby=secret
        keyexchange=ikev2
        rekey=yes

conn TAHI
        right=2001:db8:1:1:20c:29ff:fe4d:489
        left=2001:db8:1:2:20c:29ff:fe45:b04e
        rightid=2001:db8:1:1:20c:29ff:fe4d:489
        leftid=2001:db8:1:2:20c:29ff:fe45:b04e
        type=transport
        compress=no
        auto=add
linux-9deg:~ # cat /etc/ipsec.secrets 
: PSK "IKETEST123!"

----------------------------------------------------------------
The failure log from the strongswan side:

linux-9deg:~ # ipsec up TAHI
initiating IKE_SA TAHI[1] to 2001:db8:1:1:20c:29ff:fe4d:489
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 2001:db8:1:2:20c:29ff:fe45:b04e[500] to 2001:db8:1:1:20c:29ff:fe4d:489[500]
received packet: from 2001:db8:1:1:20c:29ff:fe4d:489[500] to 2001:db8:1:2:20c:29ff:fe45:b04e[500]
parsed IKE_SA_INIT response 0 [ SA KE No ]
authentication of '2001:db8:1:2:20c:29ff:fe45:b04e' (myself) with pre-shared key
establishing CHILD_SA TAHI
generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 2001:db8:1:2:20c:29ff:fe45:b04e[500] to 2001:db8:1:1:20c:29ff:fe4d:489[500]
received packet: from 2001:db8:1:1:20c:29ff:fe4d:489[500] to 2001:db8:1:2:20c:29ff:fe45:b04e[500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error

-------------------------------------------------------------------
Previously I tried the connection from openswan to racoon2, and the failure message was
"INVALID IN INFORMATION", yet the ID should be correct from a configuration perspective.
--------------------------------------------------------------------

I know this problem is probably due to a wrong or improper configuration somewhere on my side; I hope experienced users can help me point out the problem. Thanks a lot in advance.


Best Regards,
Frank
































