[strongSwan] IKEv1 not working
Lm, Kavitha (NSN - IN/Bangalore)
kavitha.lm at nsn.com
Fri Aug 19 09:22:53 CEST 2011
Hi,
This is regarding an issue that we are facing with IKEv1.
We are able to set up an IPsec tunnel with IKEv2, but the same is failing
with IKEv1.
ipsec.conf file for IKEv2:

config setup
        # plutodebug=all
        strictcrlpolicy=no
        charonstart=yes
        plutostart=no
        charondebug=all

ca strongswan
        cacert=caCert.der
        auto=add

conn sample-with-ca-cert
        left=169.254.1.70
        leftsubnet=169.254.1.0/24
        leftcert=VC2Cert.der
        right=169.254.0.70
        rightsubnet=169.254.0.0/24
        rightid="C=CH, O=strongSwan, CN=169.254.0.70"
        keyexchange=ikev2
        auto=start

This configuration works fine for IKEv2 tunnels:
# ipsec status
Security Associations:
sample-with-ca-cert[1]: ESTABLISHED 18 seconds ago, 169.254.0.70[C=CH, O=strongSwan, CN=169.254.0.70]...169.254.1.70[C=CH, O=strongSwan, CN=169.254.1.70]
sample-with-ca-cert{1}: INSTALLED, TUNNEL, ESP SPIs: cb854b6d_i cd9ac880_o
sample-with-ca-cert{1}: 169.254.0.0/24 === 169.254.1.0/24

The instant we try this for IKEv1 (keyexchange=ikev1, charonstart=no,
plutostart=yes), it fails and the tunnel is not getting established.
# ipsec status
000 "sample-with-ca-cert": 169.254.1.0/24===169.254.1.70[C=CH, O=strongSwan, CN=169.254.1.70]...169.254.0.70[C=CH, O=strongSwan, CN=169.254.0.70]===169.254.0.0/24; unrouted; eroute owner: #0
000 "sample-with-ca-cert": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "sample-with-ca-cert" STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 8s
000 #1: pending Phase 2 for "sample-with-ca-cert" replacing #0
000

No logging was observed at all for IKEv1. Could you please let us know
how to solve this issue?
Please find some of the details of our environment below:
Server: Ubuntu - linux-2.6.35
strongSwan IKEv1 version:
# apt-cache policy strongswan-ikev1
strongswan-ikev1:
  Installed: 4.5.2-1.1
  Candidate: 4.5.2-1.1
  Version table:
 *** 4.5.2-1.1 0
        100 /var/lib/dpkg/status
We assume that IKEv1 is already installed from the above status.
Can you let us know of any other way to check if IKEv1 is supported?
Thanks & Regards,
Kavitha