[strongSwan] road warrior setup to Cisco 3000 with certificates

Andreas Steffen andreas.steffen at strongswan.org
Mon Aug 8 20:42:08 CEST 2011


Hello John,

it seems that the IKE message containing the certificate
is larger than the MTU and is getting fragmented and the
IP fragments get discarded somewhere on the way. Please
check your routers and firewalls.

Best regards

Andreas

On 08.08.2011 18:34, John Serink wrote:
> Hi All:
> 
> I have managed to convert my IIS produced certificate into a private key and cert that strongSwan can read. The ipsec listcerts command shows all the right stuff and there are no errors in the logs. My xauth details and key are loaded correctly:
> 
> Aug 08 23:41:42 [pluto] loading secrets from "/etc/ipsec.secrets"
> Aug 08 23:41:42 [pluto] |   file content is not binary ASN.1_
> Aug 08 23:41:42 [pluto] |   -----BEGIN RSA PRIVATE KEY-----_
> Aug 08 23:41:42 [pluto] |   -----END RSA PRIVATE KEY-----_
> Aug 08 23:41:42 [pluto] | L0 - RSAPrivateKey:_
> Aug 08 23:41:42 [pluto] | L1 - version:_
> Aug 08 23:41:42 [pluto] | L1 - modulus:_
> Aug 08 23:41:42 [pluto] | L1 - publicExponent:_
> Aug 08 23:41:42 [pluto] | L1 - privateExponent:_
> Aug 08 23:41:42 [pluto] | L1 - prime1:_
> Aug 08 23:41:42 [pluto] | L1 - prime2:_
> Aug 08 23:41:42 [pluto] | L1 - exponent1:_
> Aug 08 23:41:42 [pluto] | L1 - exponent2:_
> Aug 08 23:41:42 [pluto] | L1 - coefficient:_
> Aug 08 23:41:42 [pluto] | no events, waiting_
> Aug 08 23:41:42 [pluto] | started worker thread, ID: 2_
> Aug 08 23:41:42 [pluto] | started worker thread, ID: 4_
> Aug 08 23:41:42 [pluto] loaded private key from 'server.key'
> Aug 08 23:41:42 [pluto] loaded PSK secret for 203.125.87.10 %any 
> Aug 08 23:41:42 [pluto] loaded XAUTH secret for jserink 
> Aug 08 23:41:42 [pluto] |   file content is not binary ASN.1_
> Aug 08 23:41:42 [pluto] |   -----BEGIN CERTIFICATE-----_
> Aug 08 23:41:42 [pluto] |   -----END CERTIFICATE-----_
> Aug 08 23:41:42 [pluto] | L0 - x509:_
> Aug 08 23:41:42 [pluto] | => 1430 bytes @ 0x6c1160_
> 
> Here is the problem:
> 
> Aug 08 23:41:42 [pluto] "christchurch" #1: initiating Main Mode
> Aug 08 23:41:42 [pluto] "christchurch" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Aug 08 23:41:42 [pluto] "christchurch" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> Aug 08 23:41:42 [pluto] "christchurch" #1: enabling possible NAT-traversal with method RFC 3947
> Aug 08 23:41:42 [pluto] | size of DH secret exponent: 1023 bits_
> Aug 08 23:41:43 [pluto] "christchurch" #1: ignoring Vendor ID payload [Cisco-Unity]
> Aug 08 23:41:43 [pluto] "christchurch" #1: received Vendor ID payload [XAUTH]
> Aug 08 23:41:43 [pluto] "christchurch" #1: ignoring Vendor ID payload [158867397dfb61746cb65f98dacfb308]
> Aug 08 23:41:43 [pluto] "christchurch" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> Aug 08 23:41:43 [pluto] "christchurch" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
> Aug 08 23:41:43 [pluto] "christchurch" #1: we have a cert and are sending it 
> Aug 08 23:41:43 [pluto] "christchurch" #1: ignoring Delete SA payload: ISAKMP SA not established
> Aug 08 23:42:53 [pluto] "christchurch" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
> Aug 08 23:42:53 [pluto] "christchurch" #1: starting keying attempt 2 of at most 3
> Aug 08 23:42:53 [pluto] "christchurch" #2: initiating Main Mode to replace #1
> Aug 08 23:42:53 [pluto] "christchurch" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Aug 08 23:42:53 [pluto] "christchurch" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> Aug 08 23:42:53 [pluto] "christchurch" #2: enabling possible NAT-traversal with method RFC 3947
> Aug 08 23:42:53 [pluto] | size of DH secret exponent: 1023 bits_
> Aug 08 23:42:54 [pluto] "christchurch" #2: ignoring Vendor ID payload [Cisco-Unity]
> Aug 08 23:42:54 [pluto] "christchurch" #2: received Vendor ID payload [XAUTH]
> Aug 08 23:42:54 [pluto] "christchurch" #2: ignoring Vendor ID payload [840b1be9362ecc407091722bda4f36be]
> Aug 08 23:42:54 [pluto] "christchurch" #2: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> Aug 08 23:42:54 [pluto] "christchurch" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
> Aug 08 23:42:54 [pluto] "christchurch" #2: we have a cert and are sending it 
> Aug 08 23:42:54 [pluto] "christchurch" #2: ignoring Delete SA payload: ISAKMP SA not established
> Aug 08 23:44:04 [pluto] "christchurch" #2: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
> Aug 08 23:44:04 [pluto] "christchurch" #2: starting keying attempt 3 of at most 3
> Aug 08 23:44:04 [pluto] "christchurch" #3: initiating Main Mode to replace #2
> Aug 08 23:44:04 [pluto] "christchurch" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Aug 08 23:44:04 [pluto] "christchurch" #3: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> Aug 08 23:44:04 [pluto] "christchurch" #3: enabling possible NAT-traversal with method RFC 3947
> Aug 08 23:44:04 [pluto] | size of DH secret exponent: 1023 bits_
> Aug 08 23:44:04 [pluto] "christchurch" #3: ignoring Vendor ID payload [Cisco-Unity]
> Aug 08 23:44:04 [pluto] "christchurch" #3: received Vendor ID payload [XAUTH]
> Aug 08 23:44:04 [pluto] "christchurch" #3: ignoring Vendor ID payload [2c3ae4fef14c0b8e6faa7eb376a79007]
> Aug 08 23:44:04 [pluto] "christchurch" #3: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> Aug 08 23:44:04 [pluto] "christchurch" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
> Aug 08 23:44:04 [pluto] "christchurch" #3: we have a cert and are sending it 
> Aug 08 23:44:05 [pluto] "christchurch" #3: ignoring Delete SA payload: ISAKMP SA not established
> Aug 08 23:45:14 [pluto] "christchurch" #3: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
> 
> 
> So, I'm scratching my head here.
> 
> Anyone have any clues on this? I'm not able to see the logs on the Cisco 3000 as our IS supports only the Cisco VPN client on Windows officially. I have used the console-based one for Linux and it works, but it puts the entire machine inside the IPsec network, which is what I don't want. I only want traffic destined for the network on the VPN to go there and everything else out the default route.
> 
> Any ideas on how to get past this last error?
> 
> Cheers,
> John
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
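The diagnosis in this thread (certificate-carrying Main Mode message exceeds the path MTU, IP fragments dropped, initiator stuck retransmitting in STATE_MAIN_I3) can be checked from the pluto log alone. The following script is an added example and is not strongSwan code: it extracts the loaded certificate size and the failure pattern from a log excerpt constructed from the lines quoted above, estimates the on-the-wire size of the fifth Main Mode message, and reports whether IP fragmentation at a 1500-byte MTU is the likely cause. The size estimate is an approximation built from the ISAKMP header (28 bytes), generic payload headers (4 bytes), a NAT-T non-ESP marker, and assumed sizes for the ID payload (16 bytes), the RSA signature (128 bytes, i.e. a 1024-bit key) and cipher block padding (16 bytes); those assumptions, the function names and the `diagnose_fragmentation` heuristic are mine, not strongSwan's.

```python
"""Heuristic check for IKEv1 Main Mode failures caused by IP fragmentation.

Added example, not part of the strongSwan project. It reads a pluto log,
finds the size of the certificate that was loaded, checks for the
"sent cert, then timed out in STATE_MAIN_I3" pattern, and estimates
whether the certificate-carrying message would have exceeded the MTU.
"""
import math
import re

# Constructed log excerpt modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Aug 08 23:41:42 [pluto] | => 1430 bytes @ 0x6c1160
Aug 08 23:41:42 [pluto] "christchurch" #1: initiating Main Mode
Aug 08 23:41:43 [pluto] "christchurch" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Aug 08 23:41:43 [pluto] "christchurch" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Aug 08 23:41:43 [pluto] "christchurch" #1: we have a cert and are sending it
Aug 08 23:42:53 [pluto] "christchurch" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
"""

# Fixed protocol overheads (bytes).
IP_HDR = 20          # IPv4 header without options
UDP_HDR = 8
NAT_T_MARKER = 4     # non-ESP marker in front of ISAKMP on UDP/4500
ISAKMP_HDR = 28
GEN_PAYLOAD_HDR = 4  # generic ISAKMP payload header


def estimate_main_mode_msg5(cert_len, sig_len=128, id_len=16, nat_t=True, block=16):
    """Approximate wire size of Main Mode message 5 (ID + CERT + SIG).

    Assumptions (not taken from the thread): a 1024-bit RSA signature,
    a 16-byte identity and padding to a 16-byte cipher block.
    """
    id_payload = GEN_PAYLOAD_HDR + 4 + id_len        # ID type/protocol/port + data
    cert_payload = GEN_PAYLOAD_HDR + 1 + cert_len    # encoding byte + DER cert
    sig_payload = GEN_PAYLOAD_HDR + sig_len
    body = id_payload + cert_payload + sig_payload
    body += (-body) % block                          # encrypted payload is block padded
    marker = NAT_T_MARKER if nat_t else 0
    return IP_HDR + UDP_HDR + marker + ISAKMP_HDR + body


def ip_fragments_needed(total_len, mtu=1500):
    """Number of IPv4 fragments a datagram of total_len bytes needs at this MTU."""
    if total_len <= mtu:
        return 1
    per_fragment = ((mtu - IP_HDR) // 8) * 8         # fragment data is 8-byte aligned
    return math.ceil((total_len - IP_HDR) / per_fragment)


def diagnose_fragmentation(log, mtu=1500):
    """Return a dict describing whether the log matches the fragmentation pattern."""
    cert_match = re.search(r"=> (\d+) bytes @", log)
    cert_bytes = int(cert_match.group(1)) if cert_match else None
    sent_cert = "we have a cert and are sending it" in log
    stalled_i3 = re.search(r"max number of retransmissions \(\d+\) reached STATE_MAIN_I3", log) is not None
    nat_t = "i am NATed" in log
    peer_offers_frag = "Vendor ID payload [FRAGMENTATION" in log

    estimated = estimate_main_mode_msg5(cert_bytes, nat_t=nat_t) if cert_bytes else None
    fragments = ip_fragments_needed(estimated, mtu) if estimated else None
    likely = bool(sent_cert and stalled_i3 and estimated and estimated > mtu)
    return {
        "cert_bytes": cert_bytes,
        "estimated_bytes": estimated,
        "fragments_at_mtu": fragments,
        "peer_offers_ike_fragmentation": peer_offers_frag,
        "likely_ip_fragmentation": likely,
    }


if __name__ == "__main__":
    result = diagnose_fragmentation(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

For the quoted 1430-byte certificate the estimate lands well above 1500 bytes, so the message would be split into two IP fragments; a retransmission loop in STATE_MAIN_I3 right after "we have a cert and are sending it" is then consistent with a filter on the path dropping non-initial fragments, which is what the reply above asks the poster to check on the routers and firewalls.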



