[strongSwan] interop between FREES/WAN and racoon2;
Andreas Steffen
andreas.steffen at strongswan.org
Fri Oct 22 11:42:41 CEST 2010
Hello,
according to your posted configuration files you are defining the
pre-shared key as
cat psk/tahi.psk
IKETEST123!
on racoon2 and as
: PSK "IKETEST123!"
on strongSwan. Could it be that tahi.psk appended a
newline character to the password so that the secrets
are not equal? Example:
echo 'IKETEST123!' > tahi.psk
results incorrectly in
od -a tahi.psk
0000000 I K E T E S T 1 2 3 ! nl
whereas
echo -n 'IKETEST123!' > tahi.psk
results correctly in
andi at koala:~$ od -a tahi.psk
0000000 I K E T E S T 1 2 3 !
Regards
Andreas
On 22.10.2010 11:28, Yatong Cui wrote:
> Hi all,
>
> In recent days, I've tried to configure an IKEv2 connection between racoon2 and openswan and strongswan, but encountered some troubles. I hope people experienced in the interop between racoon2 and FREES/WAN can give me some advice on it.
>
> I've made successful connections between 2 racoon2 hosts and between 2 FREES/WAN hosts (either openswan or strongswan). But neither the connection from racoon2 to openswan nor the one from racoon2 to strongswan is established.
>
> ============================================================================
> |Here is the details configuration info between the strongswan and racoon2.|
> ============================================================================
>
> TOPO:
>
> RACOON2<=====>ROUTER<========>STRONGSWAN
>
>
> CONFIG:
> -------------------------------------------------------------
> RACOON2 SIDE:
> TAR-EN1# cat racoon2.conf
> include "/usr/local/etc/racoon2/vals.conf";
> interface
> {
> ike {
> 2001:db8:1:1:20c:29ff:fe4d:489 port 500;
> };
> spmd {
> unix "/var/run/racoon2/spmif";
> };
> spmd_password "/usr/local/etc/racoon2/spmd.pwd";
> };
> resolver
> {
> resolver off;
> };
> include "/usr/local/etc/racoon2/default.conf";
> include "/usr/local/etc/racoon2/transport_ike.conf";
> TAR-EN1# cat vals.conf
> setval {
> PSKDIR "/usr/local/etc/racoon2/psk";
> PRESHRD_KEY "tahi.psk";
> MY_IPADDRESS 2001:db8:1:1:20c:29ff:fe4d:489;
> PEERS_IPADDRESS 2001:db8:1:2:20c:29ff:fe45:b04e;
> IKESAUP_SCR "/usr/local/etc/racoon2/hook/ikesa-up";
> IKESADOWN_SCR "/usr/local/etc/racoon2/hook/ikesa-down";
> CHILDUP_SCR "/usr/local/etc/racoon2/hook/child-up";
> CHILDOWN_SCR "/usr/local/etc/racoon2/hook/child-down";
> IKESAREKEY_SCR "/usr/local/etc/racoon2/hook/ikesa-rekey";
> CHILDREKEY_SCR "/usr/local/etc/racoon2/hook/child-rekey";
> MIGRATION_SCR "/usr/local/etc/racoon2/hook/migration";
> };
> TAR-EN1# cat default.conf
> default
> {
> remote {
> acceptable_kmp { ikev2; };
> ikev2 {
> logmode normal;
> kmp_sa_lifetime_time infinite;
> kmp_sa_lifetime_byte infinite;
> max_retry_to_send 3;
> interval_to_send 10 sec;
> times_per_send 1;
> kmp_enc_alg { 3des_cbc; };
> kmp_hash_alg { hmac_sha1; };
> kmp_prf_alg { hmac_sha1;};
> kmp_dh_group { modp1024;};
> kmp_auth_method { psk; };
> random_pad_content on;
> random_padlen on;
> max_padlen 50 bytes;
> };
> };
>
> policy {
> ipsec_mode transport;
> ipsec_level require;
> };
>
> ipsec {
> ipsec_sa_lifetime_time infinite;
> ipsec_sa_lifetime_byte infinite;
> };
>
> sa {
> esp_enc_alg { 3des_cbc; };
> esp_auth_alg { hmac_sha1; };
> };
> };
>
> ipsec ipsec_esp {
> ipsec_sa_lifetime_time 28800 sec;
> sa_index esp_01;
> };
>
> sa esp_01 {
> sa_protocol esp;
> esp_enc_alg { 3des_cbc; };
> esp_auth_alg { hmac_sha1; };
> };
> TAR-EN1# cat transport_ike.conf
> remote ike_trans_remote {
> acceptable_kmp { ikev2; };
> ikev2 {
> my_id ipaddr 2001:db8:1:1:20c:29ff:fe4d:489;
> peers_id ipaddr 2001:db8:1:2:20c:29ff:fe45:b04e;
> peers_ipaddr 2001:db8:1:2:20c:29ff:fe45:b04e port 500;
> kmp_auth_method { psk; };
> pre_shared_key "/usr/local/etc/racoon2/psk/tahi.psk";
> };
> selector_index ike_trans_sel_in;
> };
>
> selector ike_trans_sel_out {
> direction outbound;
> src 2001:db8:1:1:20c:29ff:fe4d:489;
> dst 2001:db8:1:2:20c:29ff:fe45:b04e;
> upper_layer_protocol "any";
> policy_index ike_trans_policy;
> };
>
> selector ike_trans_sel_in {
> direction inbound;
> dst 2001:db8:1:1:20c:29ff:fe4d:489;
> src 2001:db8:1:2:20c:29ff:fe45:b04e;
> upper_layer_protocol "any";
> policy_index ike_trans_policy;
> };
>
> policy ike_trans_policy {
> action auto_ipsec;
> remote_index ike_trans_remote;
> ipsec_mode transport;
> ipsec_index { ipsec_esp; };
> ipsec_level require;
> };
> TAR-EN1# cat psk/tahi.psk
> IKETEST123!
> ------------------------------------------------------------
> STRONGSWAN SIDE:
> linux-9deg:~ # cat /etc/ipsec.conf
> config setup
>         crlcheckinterval="180"
>         strictcrlpolicy=no
>         charonstart=yes
>
> conn %default
>         keyingtries=1
>         ike=aes-sha1-modp1024
>         esp=3des-sha1
>         authby=secret
>         keyexchange=ikev2
>         rekey=yes
>
> conn TAHI
>         right=2001:db8:1:1:20c:29ff:fe4d:489
>         left=2001:db8:1:2:20c:29ff:fe45:b04e
>         rightid=2001:db8:1:1:20c:29ff:fe4d:489
>         leftid=2001:db8:1:2:20c:29ff:fe45:b04e
>         type=transport
>         compress=no
>         auto=add
> linux-9deg:~ # cat /etc/ipsec.secrets
> : PSK "IKETEST123!"
>
> ----------------------------------------------------------------
> The FAIL LOG FROM the strongswan side:
>
> linux-9deg:~ # ipsec up TAHI
> initiating IKE_SA TAHI[1] to 2001:db8:1:1:20c:29ff:fe4d:489
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 2001:db8:1:2:20c:29ff:fe45:b04e[500] to 2001:db8:1:1:20c:29ff:fe4d:489[500]
> received packet: from 2001:db8:1:1:20c:29ff:fe4d:489[500] to 2001:db8:1:2:20c:29ff:fe45:b04e[500]
> parsed IKE_SA_INIT response 0 [ SA KE No ]
> authentication of '2001:db8:1:2:20c:29ff:fe45:b04e' (myself) with pre-shared key
> establishing CHILD_SA TAHI
> generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
> sending packet: from 2001:db8:1:2:20c:29ff:fe45:b04e[500] to 2001:db8:1:1:20c:29ff:fe4d:489[500]
> received packet: from 2001:db8:1:1:20c:29ff:fe4d:489[500] to 2001:db8:1:2:20c:29ff:fe45:b04e[500]
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
>
> -------------------------------------------------------------------
> Previously I've tried the connection from openswan to racoon2, and the fail message is
> "INVALID IN INFORMATION", yet the ID should be correct from the configuration perspective.
> --------------------------------------------------------------------
>
> I know this problem is probably due to my wrong or improper configuration somewhere; I hope experienced users can help me point out the problem. Thanks a lot in advance.
>
>
> Best Regards,
> Frank
>
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
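The trailing-newline check Andreas describes above, turned into a small POSIX sh script. This is an added example, not code from the thread or from the strongSwan or racoon2 projects; the file names under the temporary directory and the sample secret are constructed for the demo. It compares the key file racoon2 reads byte for byte with the literal secret strongSwan takes from ipsec.secrets, so a stray 0x0a at the end of the file shows up as a length mismatch instead of a bare AUTHENTICATION_FAILED. printf '%s' is used as the portable equivalent of echo -n.

```shell
#!/bin/sh
# Added example (not from the original thread): diagnose a racoon2 PSK file
# whose contents differ from the strongSwan secret only by a trailing newline.

# Hex dump of a file, one byte per pair, no offsets or line breaks.
file_hex() {
    od -An -tx1 -v "$1" | tr -d ' \n'
}

# Hex dump of a literal string (no newline appended).
string_hex() {
    printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n'
}

# Return 0 if the file's last byte is a newline (0x0a), 1 otherwise.
psk_has_trailing_newline() {
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Number of bytes racoon2 would use as the key (the whole file).
psk_length() {
    wc -c < "$1" | tr -d ' '
}

# Compare a key file with the secret from ipsec.secrets.
# Prints a diagnosis; returns 0 on a byte-exact match, 1 otherwise.
psk_matches_secret() {
    file=$1
    secret=$2
    if [ "$(file_hex "$file")" = "$(string_hex "$secret")" ]; then
        echo "OK: $file matches the strongSwan secret byte for byte"
        return 0
    fi
    if psk_has_trailing_newline "$file"; then
        echo "MISMATCH: $file ends with a newline;" \
             "racoon2 reads $(psk_length "$file") bytes, strongSwan uses ${#secret}"
    else
        echo "MISMATCH: $file content differs from the strongSwan secret"
    fi
    return 1
}

# Demo with constructed files (the secret is the one from the thread).
demo=$(mktemp -d)
echo 'IKETEST123!' > "$demo/tahi.psk"              # appends a newline: wrong
printf '%s' 'IKETEST123!' > "$demo/tahi.fixed.psk" # no trailing newline: right
psk_matches_secret "$demo/tahi.psk" 'IKETEST123!' || echo "(exit status 1)"
psk_matches_secret "$demo/tahi.fixed.psk" 'IKETEST123!'
rm -rf "$demo"
```

Run it as `sh psk_check.sh`; the first call reports the 12-byte file against the 11-byte secret, the second reports a match. The same `od -An -tx1` comparison works for any other secret file a daemon reads raw, since it compares the bytes the peer will actually hash rather than what a terminal displays.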