[strongSwan] IKEv2 StrongSwan to Cisco IOS 15.1 interop quirks: some 'attributes failed'
Richard Chan
rspchan at starhub.net.sg
Wed Oct 12 03:08:11 CEST 2011
Hi,
Much to my pleasant surprise I was able to set up a RW connection to a Cisco IOS 15.1 headend using IKEv2. Kudos to the StrongSwan team!
The StrongSwan RW successfully connects with split tunneling (two subnets behind IOS). It obtains a /32 address and installs the xfrm correctly. Everything works as expected. There are, however, some messages about attributes failing. Just wondering what these 'failed' messages mean.
(StrongSwan is behind a NAT device.)
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of 'XXXX' with RSA signature successful
IKE_SA roadw2[1] established between 192.168.2.139[XXXX]...1.2.3.4[YYYY]
scheduling reauthentication in 10105s
maximum IKE_SA lifetime 10645s
handling INTERNAL_IP4_NETMASK attribute failed
handling INTERNAL_IP4_SUBNET attribute failed
handling INTERNAL_IP4_SUBNET attribute failed
installing new virtual IP 192.168.87.35
conn roadw2
left=%defaultroute
leftsourceip=%config
leftcert=mycert.crt
right=1.2.3.4
rightsubnet=192.168.10.0/24,192.168.11.0/24
rightid="CN=IOS15"
rightca="CN=IOS-CA"
ike=aes256-sha1-modp1536
esp=aes256-sha1
auto=add
authby=pubkey
keyexchange=ikev2
While this is not an IOS list, I noticed that IOS installs an "all IP traffic to 192.168.87.35/32" selector, instead of narrowing its selectors to match StrongSwan's rightsubnets. So just in case there are some interop experts here:
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.87.35/255.255.255.255/0/0)
current_peer 1.2.3.4 port 4500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.2.3.5, remote crypto endpt.: 1.2.3.4
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
current outbound spi: 0xCAF25434(3404878900)
PFS (Y/N): N, DH group: none
(I am by no means an IOS 15.1 expert and it took some time to figure this out.)
The split tunnel networks are specified by an ACL.
Extended IP access list acl.ROADW
10 permit ip 192.168.10.0 0.255.255.255 any
20 permit ip 192.168.11.0 0.0.0.255 any
crypto ikev2 name-mangler MANGLER
dn organization-unit
crypto ikev2 authorization policy ROADW
pool pool.ROADW
netmask 255.255.255.0
subnet-acl 199
crypto ikev2 proposal AES256
encryption aes-cbc-256
integrity sha1
group 5
crypto ikev2 policy ROADW
proposal AES256
crypto ikev2 profile ROADW
match certificate CERTMAP
identity local dn
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint MYCA
aaa authorization group MYLOCAL name-mangler MANGLER
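Added example (editor's code, not from the original post or from the strongSwan or Cisco code bases): the "handling INTERNAL_IP4_NETMASK attribute failed" lines come from strongSwan's attribute manager, which logs that message for every configuration attribute in the peer's CFG_REPLY that no registered handler accepts; the virtual IP was still installed, so the reply itself was processed. The block below builds a CFG_REPLY from the values visible in the post (a constructed payload, not a capture), decodes it per RFC 5996 section 3.15, lists which attributes a client with a given handler set would leave unhandled, compares the pushed INTERNAL_IP4_SUBNET networks with the rightsubnet list, and converts IOS wildcard-mask ACL entries to prefixes so the two ACL lines quoted above can be checked against the subnets the client expects. The handled-type set passed to unhandled() is an assumption for illustration, not strongSwan's actual handler table.

```python
"""Decode an IKEv2 Configuration Payload (CP) and compare the subnets a
headend pushes with a road-warrior's own rightsubnet list.

Layout per RFC 5996 section 3.15: generic payload header (next payload,
critical bit/reserved, 16-bit length), one CFG type byte, three reserved
bytes, then attributes as 2-byte type (high bit reserved) + 2-byte length +
value.
"""
import ipaddress
import struct

# Attribute type codes from RFC 5996 section 3.15.1
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_NETMASK = 2
INTERNAL_IP4_DNS = 3
INTERNAL_IP4_SUBNET = 13
ATTR_NAMES = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
              3: "INTERNAL_IP4_DNS", 13: "INTERNAL_IP4_SUBNET"}
CFG_REPLY = 2


def build_cp(cfg_type, attrs):
    """Encode a CP from a list of (type, value-bytes) attributes."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", 0, 0, 8 + len(body))   # next payload = none
    return header + struct.pack("!B3x", cfg_type) + body


def parse_cp(data):
    """Return (cfg_type, [(type, value-bytes), ...]) for an encoded CP."""
    _, _, length = struct.unpack_from("!BBH", data, 0)
    cfg_type = data[4]
    off, attrs = 8, []
    while off < length:
        t, vlen = struct.unpack_from("!HH", data, off)
        t &= 0x7FFF                       # clear the reserved high bit
        off += 4
        attrs.append((t, data[off:off + vlen]))
        off += vlen
    return cfg_type, attrs


def decode_attr(t, value):
    """Turn an attribute value into an ipaddress object where one is defined."""
    if t in (INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS):
        return ipaddress.IPv4Address(value)
    if t == INTERNAL_IP4_SUBNET:
        # eight bytes: network address followed by its netmask
        mask = str(ipaddress.IPv4Address(value[4:]))
        return ipaddress.IPv4Network((value[:4], mask), strict=False)
    return value                          # unknown type: leave raw


def unhandled(attrs, handled_types):
    """Attribute names a client with handlers only for handled_types would
    reject; strongSwan logs 'handling <type> attribute failed' for each."""
    return [ATTR_NAMES.get(t, str(t)) for t, _ in attrs if t not in handled_types]


def pushed_subnets(attrs):
    """Networks the headend advertised via INTERNAL_IP4_SUBNET."""
    return {decode_attr(t, v) for t, v in attrs if t == INTERNAL_IP4_SUBNET}


def wildcard_to_network(addr, wildcard):
    """IOS ACL wildcard mask (0 bits must match) to an IPv4Network."""
    mask_int = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask_int))),
                                 strict=False)


def sample_reply():
    """Constructed CFG_REPLY using the addresses from the post (not a capture)."""
    a = ipaddress.IPv4Address
    return build_cp(CFG_REPLY, [
        (INTERNAL_IP4_ADDRESS, a("192.168.87.35").packed),
        (INTERNAL_IP4_NETMASK, a("255.255.255.0").packed),
        (INTERNAL_IP4_SUBNET, a("192.168.10.0").packed + a("255.255.255.0").packed),
        (INTERNAL_IP4_SUBNET, a("192.168.11.0").packed + a("255.255.255.0").packed),
    ])


if __name__ == "__main__":
    cfg_type, attrs = parse_cp(sample_reply())
    for t, v in attrs:
        print(ATTR_NAMES.get(t, t), decode_attr(t, v))
    # assumed handler set: address and DNS only (illustration, not strongSwan's table)
    print("unhandled:", unhandled(attrs, {INTERNAL_IP4_ADDRESS, INTERNAL_IP4_DNS}))
    rightsubnet = {ipaddress.ip_network("192.168.10.0/24"),
                   ipaddress.ip_network("192.168.11.0/24")}
    print("pushed == rightsubnet:", pushed_subnets(attrs) == rightsubnet)
    # the two ACL lines as quoted in the post
    for addr, wc in (("192.168.10.0", "0.255.255.255"), ("192.168.11.0", "0.0.0.255")):
        print(addr, wc, "->", wildcard_to_network(addr, wc))
```

Two things the output makes visible: the subnet attributes are address/netmask pairs that decode to exactly the rightsubnet list, so the "failed" lines are a client-side handler gap rather than a malformed payload; and the wildcard 0.255.255.255 on ACL entry 10 expands to 192.0.0.0/8, while 0.0.0.255 on entry 20 gives 192.168.11.0/24, which is worth reconciling with what the client is configured to expect.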