[strongSwan] Cisco brings up the tunnel, but Linux not --- AH only

Andreas Steffen andreas.steffen at strongswan.org
Wed May 18 08:59:56 CEST 2011


Hi,

If you observe AH packets, this means that ESP is used for encryption
only (without the optional ESP MAC) and authentication is done on top of ESP
via AH. You can achieve the same with strongSwan as an initiator if
you set

   auth=ah

Best regards

Andreas

On 05/17/2011 05:31 PM, Zoltan wrote:
> Hi Everyone,
>
> The IPSEC traffic works fine between my strongSwan gateway
> (and my clients) and the Cisco gateway/clients on the other side.
> However, I cannot fully initiate it. It stops:
>
> 002 "vtest" #1: initiating Main Mode
> 104 "vtest" #1: STATE_MAIN_I1: initiate
> 106 "vtest" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "vtest" #1: ignoring Vendor ID payload [Cisco-Unity]
> 003 "vtest" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "vtest" #1: ignoring Vendor ID payload [b1d915cbf5b7575752babd9fbc1f897a]
> 003 "vtest" #1: received Vendor ID payload [XAUTH]
> 108 "vtest" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 002 "vtest" #1: Peer ID is ID_IPV4_ADDR: 'XXXa.b.c.dXXX'
> 002 "vtest" #1: ISAKMP SA established
> 004 "vtest" #1: STATE_MAIN_I4: ISAKMP SA established
> 002 "vtest" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
> 112 "vtest" #2: STATE_QUICK_I1: initiate
> 010 "vtest" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> ...
> 010 "vtest" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "vtest" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> 000 "vtest" #2: starting keying attempt 2 of at most 3, but releasing whack
>
> ===
> My config works fine if the other side's Cisco gateway (or its clients)
> initiates the traffic. My ipsec.conf is very simple (no NAT).
>
> What is strange for me is that on a router of our company I see
> only AH packets, but no ESP, when the tunnel works fine
> (after some UDP 500 IKE traffic, of course).
>
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>          # plutodebug=all
>          # crlcheckinterval=600
>          # strictcrlpolicy=yes
>          # cachecrls=yes
>          # nat_traversal=yes
>          charonstart=yes
>          plutostart=yes
>          charondebug=all
>          ##plutodebug="controlmore natt parsing private"
>          plutodebug=all
>
> conn vtest
>          auto=add
>          keyexchange=ikev1
>          authby=psk
>          ##auth=ah
>          #
>          left=M.N.O.125
>          leftsubnet=M.N.O.96/27
>          #
>          right=XXXa.b.c.dXXX
>          rightsubnet=10.14.140.0/24
>          #
>          ike=3des-md5-modp1024!
>          esp=3des-md5!
>          ikelifetime=86400
>          pfs=no
>
> Can you help me to understand what happens?
> (Omitting the strict !s from the config doesn't help.)
> Regards
> Zoltan
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
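The change Andreas describes, written out as the complete conn stanza from Zoltan's post with the commented-out line enabled. This is an added example, not part of either message; the addresses, subnets and algorithm strings are the placeholders from the original post, and the comment about the 4.x IKEv2 daemon reflects the ipsec.conf(5) man page of that release series, not anything stated in the thread.

```ini
# ipsec.conf fragment (added example, not from the original post).
# Assumes strongSwan 4.x with pluto handling IKEv1, as in the thread.
# ipsec.conf(5) of that series documents auth=ah for pluto only; the
# IKEv2 daemon charon of that era negotiates ESP only.
conn vtest
        auto=add
        keyexchange=ikev1
        authby=psk
        # The Cisco side encrypts with ESP (no ESP integrity check) and
        # authenticates the result with a separate AH header. Propose
        # the same layout as initiator instead of ESP-with-MAC, which is
        # what the Quick Mode proposal below was offering and the peer
        # silently dropped.
        auth=ah
        left=M.N.O.125
        leftsubnet=M.N.O.96/27
        right=XXXa.b.c.dXXX
        rightsubnet=10.14.140.0/24
        ike=3des-md5-modp1024!
        # Transform string unchanged from the original post; with auth=ah
        # the integrity part applies to AH rather than to ESP.
        esp=3des-md5!
        ikelifetime=86400
        pfs=no
```

To confirm the layout on the wire, capture both IPsec protocols on the outside interface: `tcpdump -ni <iface> 'ip proto 50 or ip proto 51'` (50 is ESP, 51 is AH); a working tunnel of this shape shows AH packets whose payload is ESP, and `ip xfrm state` lists one `proto ah` and one `proto esp` SA per direction. Two caveats worth keeping in mind: AH covers the outer IP header, so this combination cannot cross a NAT (the post states there is none), and if the AH SA ever fails to come up the fallback must not be ESP encryption without integrity, since encryption-only ESP gives no protection against ciphertext tampering. The 3DES/MD5 transforms are also legacy choices carried over from the Cisco side, not a recommendation.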