[strongSwan] IKEv2 tunnel establishment, initiator does not respond
Groebl, Laurence (Laurence)
laurence.groebl at alcatel-lucent.com
Fri Sep 17 17:07:08 CEST 2010
Hello,
I'm setting up an IKEv2 tunnel between a Juniper gateway and strongSwan with IKEv2.
Simple configuration: static IP addresses on both sides, pre-shared secret, tunnel mode (see strongSwan IPsec configuration file below).
The initiator (strongSwan) sends the first message and gets an answer, but then strongSwan does not answer anymore (see Wireshark trace below).
I noticed that in the answer of the responder there is a Certificate Request, even though pre-shared secrets are used; could that be the reason why it is not responding?
Best regards,
Laurence
--------------
Wireshark trace:
No. Time Source Destination Protocol Info
1 0.000000 192.168.30.51 192.168.30.254 ISAKMP IKE_SA_INIT
Frame 1 (386 bytes on wire, 386 bytes captured)
Ethernet II, Src: Belkin_d0:77:2c (00:17:3f:d0:77:2c), Dst: 80:71:1f:b7:b1:85 (80:71:1f:b7:b1:85)
Internet Protocol, Src: 192.168.30.51 (192.168.30.51), Dst: 192.168.30.254 (192.168.30.254)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 352
Checksum: 0x2d58 [correct]
Internet Security Association and Key Management Protocol
Initiator cookie: 593AD8AC6A5DB624
Responder cookie: 0000000000000000
Next payload: Security Association (33)
Version: 2.0
Exchange type: IKE_SA_INIT (34)
Flags: 0x08
Message ID: 0x00000000
Length: 344
Security Association payload
Next payload: Key Exchange (34)
0... .... = Not critical
Payload length: 88
Proposal payload # 1
Next payload: Proposal (2)
0... .... = Not critical
Payload length: 44
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 4
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 12
Transform type: Encryption Algorithm (ENCR) (1)
Transform ID: ENCR_AES_CBC (12)
Key Length (in bits) (14): Key-Length (128)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Integrity Algorithm (INTEG) (3)
Transform ID: AUTH_HMAC_SHA1_96 (2)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Pseudo-random Function (PRF) (2)
Transform ID: PRF_HMAC_SHA1 (2)
Transform payload
Next payload: NONE (0)
0... .... = Not critical
Payload length: 8
Transform type: Diffie-Hellman Group (D-H) (4)
Transform ID: Group 2 - 1024 Bit MODP (2)
Proposal payload # 2
Next payload: NONE (0)
0... .... = Not critical
Payload length: 40
Proposal number: 2
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 4
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Encryption Algorithm (ENCR) (1)
Transform ID: ENCR_3DES (3)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Integrity Algorithm (INTEG) (3)
Transform ID: AUTH_HMAC_SHA1_96 (2)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Pseudo-random Function (PRF) (2)
Transform ID: PRF_HMAC_SHA1 (2)
Transform payload
Next payload: NONE (0)
0... .... = Not critical
Payload length: 8
Transform type: Diffie-Hellman Group (D-H) (4)
Transform ID: Group 2 - 1024 Bit MODP (2)
Key Exchange payload
Next payload: Nonce (40)
0... .... = Not critical
Payload length: 136
DH Group #: 2
Key Exchange Data (128 bytes / 1024 bits)
Nonce payload
Next payload: Notification (41)
0... .... = Not critical
Payload length: 36
Nonce Data
Notification payload
Next payload: Notification (41)
0... .... = Not critical
Payload length: 28
Protocol ID: RESERVED (0)
SPI Size: 0
Message type: NAT_DETECTION_SOURCE_IP (16388)
Notification Data
Notification payload
Next payload: NONE (0)
0... .... = Not critical
Payload length: 28
Protocol ID: RESERVED (0)
SPI Size: 0
Message type: NAT_DETECTION_DESTINATION_IP (16389)
Notification Data
No. Time Source Destination Protocol Info
2 0.001877 192.168.30.254 192.168.30.51 ISAKMP IKE_SA_INIT
Frame 2 (295 bytes on wire, 295 bytes captured)
Ethernet II, Src: 80:71:1f:b7:b1:85 (80:71:1f:b7:b1:85), Dst: Belkin_d0:77:2c (00:17:3f:d0:77:2c)
Internet Protocol, Src: 192.168.30.254 (192.168.30.254), Dst: 192.168.30.51 (192.168.30.51)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 261
Checksum: 0xa6ee [correct]
Internet Security Association and Key Management Protocol
Initiator cookie: 593AD8AC6A5DB624
Responder cookie: 66094DB1161AFEE6
Next payload: Security Association (33)
Version: 2.0
Exchange type: IKE_SA_INIT (34)
Flags: 0x20
Message ID: 0x00000000
Length: 253
Security Association payload
Next payload: Key Exchange (34)
0... .... = Not critical
Payload length: 48
Proposal payload # 1
Next payload: NONE (0)
0... .... = Not critical
Payload length: 44
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 4
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 12
Transform type: Encryption Algorithm (ENCR) (1)
Transform ID: ENCR_AES_CBC (12)
RESERVED TO IANA (7424): <too big (128 bytes)>
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Pseudo-random Function (PRF) (2)
Transform ID: PRF_HMAC_SHA1 (2)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Integrity Algorithm (INTEG) (3)
Transform ID: AUTH_HMAC_SHA1_96 (2)
Transform payload
Next payload: NONE (0)
0... .... = Not critical
Payload length: 8
Transform type: Diffie-Hellman Group (D-H) (4)
Transform ID: Group 2 - 1024 Bit MODP (2)
Key Exchange payload
Next payload: Nonce (40)
0... .... = Not critical
Payload length: 136
DH Group #: 2
Key Exchange Data (128 bytes / 1024 bits)
Nonce payload
Next payload: Certificate Request (38)
0... .... = Not critical
Payload length: 36
Nonce Data
Certificate Request payload
Next payload: NONE (0)
0... .... = Not critical
Payload length: 5
Certificate type: 4 - X.509 Certificate - Signature
------------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    plutostart=no
    charondebug="ike 4, knl 4, cfg 4"

conn %default
    dpdaction=restart
    dpddelay=10s
    auth=esp
    forceencaps=no
    installpolicy=yes
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!
    ike=aes128-sha-modp1024,3des-sha-modp1024!
    ikelifetime=28800s
    keylife=28880s
    rekeymargin=5760s
    keyingtries=1
    leftauth=psk
    rightauth=psk
    keyexchange=ikev2
    mobike=no
    reauth=no

conn net-net
    left=192.168.30.51
    leftsourceip=192.168.30.20
    right=192.168.30.254
    auto=start
    type=tunnel
    rightsubnet=192.168.1.2/24
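Added example (not part of the post above, and not strongSwan or Wireshark code): a small Python 3 decoder for the IKEv2 fixed header and payload chain (RFC 5996), run against a constructed message that mirrors frame 2 of the trace. The SPIs, exchange type, flags and the four payload lengths (48, 136, 36, 5) are taken from the trace; the DH value, nonce and SA transform attribute bytes are filled in per the RFC rather than copied from the capture. The decoder tells request from response by the header flag bits (0x08 = Initiator, 0x20 = Response, which is why the two frames show those values) and decodes the CERTREQ payload: a 5-byte CERTREQ is the one-byte certificate encoding (4 = X.509 signature certificate) followed by zero CA key hashes. In IKE_SA_INIT the CERTREQ is an optional hint listing the responder's trusted CAs; the authentication method itself is only carried in the AUTH payload of IKE_AUTH, so the charon log at the debug level set above is where the missing third message should be explained.

```python
"""Decode the IKEv2 header and payload chain of one raw IKE message (RFC 5996)."""
import struct

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {
    33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
    40: "Nonce", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP",
}
FLAG_INITIATOR, FLAG_VERSION, FLAG_RESPONSE = 0x08, 0x10, 0x20
HEADER_LEN = 28  # two 8-byte SPIs + next payload, version, exchange, flags, message ID, length
CERT_ENCODINGS = {4: "X.509 Certificate - Signature"}


def parse_ike_message(data):
    """Return a summary dict for one IKEv2 message; raise ValueError on malformed input."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError("not IKEv2 (major version %d)" % (version >> 4))
    if length != len(data):
        raise ValueError("header length %d does not match %d bytes on the wire" % (length, len(data)))
    payloads, offset, ptype = [], HEADER_LEN, next_payload
    while ptype != 0:  # walk the chain: each generic header names the type of the next payload
        if offset + 4 > len(data):
            raise ValueError("payload chain runs past end of message")
        nxt, crit, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, offset))
        body = data[offset + 4:offset + plen]
        entry = {"type": PAYLOAD_TYPES.get(ptype, "UNKNOWN(%d)" % ptype),
                 "length": plen, "critical": bool(crit & 0x80)}
        if ptype == 34 and len(body) >= 4:   # KE: DH group number, reserved, key exchange data
            entry["dh_group"] = struct.unpack("!H", body[:2])[0]
        if ptype == 38 and body:             # CERTREQ: encoding byte, then 20-byte CA key hashes
            entry["cert_encoding"] = CERT_ENCODINGS.get(body[0], body[0])
            entry["ca_hashes"] = (len(body) - 1) // 20
        payloads.append(entry)
        offset += plen
        ptype = nxt
    return {"spi_i": spi_i.hex().upper(), "spi_r": spi_r.hex().upper(),
            "exchange": EXCHANGE_TYPES.get(exch, "UNKNOWN(%d)" % exch),
            "is_response": bool(flags & FLAG_RESPONSE),
            "from_initiator": bool(flags & FLAG_INITIATOR),
            "message_id": msg_id, "payloads": payloads}


def _payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def _transform(more, ttype, tid, attrs=b""):
    return struct.pack("!BBHBBH", 3 if more else 0, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def build_sample_ike_sa_init_response():
    """Constructed bytes mirroring frame 2 of the trace: SA, KE, Nonce and CERTREQ payloads."""
    key_len_attr = struct.pack("!HH", 0x800E, 128)        # Key Length = 128, TV-format attribute
    transforms = (_transform(True, 1, 12, key_len_attr)    # ENCR_AES_CBC (12 bytes)
                  + _transform(True, 2, 2)                 # PRF_HMAC_SHA1
                  + _transform(True, 3, 2)                 # AUTH_HMAC_SHA1_96
                  + _transform(False, 4, 2))               # DH group 2, 1024-bit MODP
    # proposal header: last, reserved, length, number 1, protocol ISAKMP (1), SPI size 0, 4 transforms
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transforms), 1, 1, 0, 4) + transforms
    sa = _payload(34, proposal)                                 # next: KE      -> 48 bytes
    ke = _payload(40, struct.pack("!HH", 2, 0) + bytes(128))    # next: Nonce   -> 136 bytes (dummy DH value)
    nonce = _payload(38, bytes(32))                             # next: CERTREQ -> 36 bytes (dummy nonce)
    certreq = _payload(0, bytes([4]))                           # X.509 signature, no CA hashes -> 5 bytes
    body = sa + ke + nonce + certreq
    header = struct.pack("!8s8sBBBBII",
                         bytes.fromhex("593AD8AC6A5DB624"), bytes.fromhex("66094DB1161AFEE6"),
                         33, 0x20, 34, FLAG_RESPONSE, 0, HEADER_LEN + len(body))
    return header + body


if __name__ == "__main__":
    summary = parse_ike_message(build_sample_ike_sa_init_response())
    print(summary["exchange"], "response" if summary["is_response"] else "request",
          "SPIi=%s SPIr=%s" % (summary["spi_i"], summary["spi_r"]))
    for p in summary["payloads"]:
        extra = {k: v for k, v in p.items() if k not in ("type", "length", "critical")}
        print("  %-8s len=%3d %s" % (p["type"], p["length"], extra))
```

To run it on a real capture, feed `parse_ike_message` the UDP payload of a port 500 datagram (for NAT-T on port 4500 skip the 4-byte non-ESP marker first); the length check against the wire rejects truncated or padded messages rather than walking past the end.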