[strongSwan] Question on IKEv2

Chris Arnold carnold at electrichendrix.com
Tue Apr 3 05:11:25 CEST 2012


I uninstalled strongswan and started over again with strongswan. This time I followed this:
http://www.strongswan.org/uml/testre...psk/index.html
under the sun heading. This time I try to ping the remote network from the subnet behind the sonicwall; I get a whole different set of logs:
3 04/02/2012 22:17:06.096 Warning VPN IKE IKEv2 Received notify error payload strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; Invalid Syntax 
4 04/02/2012 22:17:06.096 Info VPN IKE IKEv2 Initiator: Received IKE_AUTH response strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 
5 04/02/2012 22:17:06.080 Info VPN IKE IKEv2 Initiator: Send IKE_AUTH request strongswan.public.ip, 4500 sonicwall.public.ip, 4500 VPN Policy: ELC VPN; 
6 04/02/2012 22:17:06.064 Info VPN IKE IKEv2 NAT device detected between negotiating peers strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; Peer gateway is behind a NAT device 
7 04/02/2012 22:17:05.912 Info VPN IKE IKEv2 Accept IKE SA Proposal strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 3DES; HMAC_SHA1_96; DH Group 2; IKEv2 InitSPI: 0x78c7c9e9e8ee7c4d; IKEv2 RespSPI: 0x358c22dd808e74fa 
8 04/02/2012 22:17:05.912 Info VPN IKE IKEv2 Initiator: Received IKE_SA_INT response strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 
9 04/02/2012 22:17:05.880 Info VPN IKE IKEv2 Initiator: Send IKE_SA_INIT request strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN;

According to log entry "3", it looks like strongswan is sending something with an "invalid syntax". Any ideas?

On the strongswan side:
added configuration 'teknerds'
03[NET] received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
03[ENC] received unknown vendor id: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96 :6f:00:01
03[IKE] sonicwall.public.ip is initiating an IKE_SA
03[IKE] local host is behind NAT, sending keep alives
03[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, E=user at corp.com"
03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
03[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
06[NET] received packet: from sonicwall.public.ip[4500] to 192.168.1.18[4500]
06[ENC] invalid X509 hash length (0) in certreq
06[ENC] CERTIFICATE_REQUEST verification failed
06[ENC] encrypted payload could not be decrypted and parsed
06[ENC] could not decrypt payloads
06[IKE] message parsing failed
06[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
06[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
06[IKE] IKE_AUTH request with message ID 1 processing failed

When it says this:
03[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, E=user at corp.com"
should I import the cert on the strongswan side into the sonicwall or do I need to generate a cert on the sonicwall?

At this point I would like to know if you have to use certs with ikev2 and strongswan?



----- Original Message -----
From: "Chris Arnold" <carnold at electrichendrix.com>
To: users at lists.strongswan.org
Sent: Monday, April 2, 2012 6:24:41 PM
Subject: Re: [strongSwan] Question on IKEv2


On Apr 2, 2012, at 5:47 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:

> Hi Chris,
> 
> why do you go six years back in time?
> 
Are you saying strongSwan 4.0 (the link I posted) is 6 yrs old?

> Just have a look at our
> configuration examples:
> 
> 
> 
> On 04/02/2012 10:34 PM, Chris Arnold wrote:
>> I have been trying to get a tunnel between strongSwan 4.4.x and a
>> sonicwall TZ180W to no avail. I have tried every combination known on
>> the sonicwall and every combination I know on the strongSwan side. My
>> last try was ikev2 and I think this might be the problem. This was
>> found on a strongSwan thread:
>> http://download.strongswan.org/CHANGES42.txt
>> 
>> strongswan-4.0.0 ----------------
>> 
>> - initial support of the IKEv2 protocol. Connections in ipsec.conf
>> designated by keyexchange=ikev2 are negotiated by the new IKEv2
>> charon keying daemon whereas those marked by keyexchange=ikev1 or the
>> default keyexchange=ike are handled by the IKEv1 pluto keying
>> daemon. Currently only a limited subset of functions are available
>> with IKEv2 (Default AES encryption, authentication based on locally 
>> imported X.509 certificates, unencrypted private RSA keys in PKCS#1
>> file format, limited functionality of the ipsec status command).
>> 
>> AES encryption, authentication based on locally imported X.509
>> certificates, unencrypted private RSA keys in PKCS#1 file format,
>> limited functionality of the ipsec status command, is this an AND/OR
>> list? Do you have to have certs to use ikev2 or can you do 1 of the
>> other auth in the list?
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
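The failure in the strongSwan log above starts at "invalid X509 hash length (0) in certreq": the CERTREQ payload that the sonicwall put inside its IKE_AUTH message carries an empty Certification Authority field, strongSwan rejects that payload, the enclosing encrypted payload therefore fails to parse, and the peer is answered with N(INVAL_SYN), which the sonicwall shows as "Invalid Syntax". The following script is an added example, not code from this thread or from strongSwan: it builds and checks CERTREQ payloads using the RFC 5996 section 3.7 layout (4-byte generic header, 1 byte of Cert Encoding, then the CA field, which for encoding 4 "X.509 Certificate - Signature" is a list of 20-byte SHA-1 hashes of trusted CAs' SubjectPublicKeyInfo). The rule that an empty or non-multiple-of-20 CA field is malformed, the `check_raw`/`build_certreq` helper names and the constructed SPKI stand-ins are this example's assumptions, chosen to reproduce the shape of the log line, not a reproduction of strongSwan's parser.

```python
"""Parse and sanity-check an IKEv2 Certificate Request (CERTREQ) payload.

Added example, not code from the thread or from strongSwan. Layout per RFC 5996
section 3.7: Next Payload (1), flags with critical bit 0x80 (1), Payload Length
(2), Cert Encoding (1), Certification Authority (variable). For encoding 4
("X.509 Certificate - Signature") the CA field is a concatenation of 20-byte
SHA-1 hashes of trusted CAs' SubjectPublicKeyInfo.
"""
import hashlib
import struct

HASH_SIZE_SHA1 = 20      # length of one CA key hash in the X.509 encoding
ENC_X509_SIGNATURE = 4   # Cert Encoding value for "X.509 Certificate - Signature"
HEADER_FMT = "!BBH"      # Next Payload, flags, Payload Length (network order)


def build_certreq(ca_spki_blobs, next_payload=0):
    """Build a CERTREQ payload from DER SubjectPublicKeyInfo blobs.

    An empty list yields a payload whose CA field is zero bytes long, i.e. the
    shape the thread's log complains about.
    """
    ca_field = b"".join(hashlib.sha1(spki).digest() for spki in ca_spki_blobs)
    body = bytes([ENC_X509_SIGNATURE]) + ca_field
    return struct.pack(HEADER_FMT, next_payload, 0, 4 + len(body)) + body


def parse_certreq(payload):
    """Split a raw CERTREQ payload into its fields, checking the length field."""
    if len(payload) < 5:
        raise ValueError("CERTREQ shorter than the 5-byte minimum")
    next_payload, flags, length = struct.unpack(HEADER_FMT, payload[:4])
    if length != len(payload):
        raise ValueError("Payload Length %d does not match %d bytes on the wire"
                         % (length, len(payload)))
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "encoding": payload[4],
        "ca_field": payload[5:],
    }


def verify_certreq(fields):
    """Return (ok, reason) for parsed CERTREQ fields.

    Only the X.509 signature encoding carries a fixed-size hash list, so only
    that encoding gets the length check. Treating an empty list as invalid is
    this example's rule (assumption), matching the log line in the thread.
    """
    if fields["encoding"] != ENC_X509_SIGNATURE:
        return True, "encoding %d: hash list not checked" % fields["encoding"]
    n = len(fields["ca_field"])
    if n == 0 or n % HASH_SIZE_SHA1:
        return False, "invalid X509 hash length (%d) in certreq" % n
    return True, "%d CA key hash(es)" % (n // HASH_SIZE_SHA1)


def ca_key_hashes(fields):
    """Hex SHA-1 hashes listed in an X.509 CERTREQ, in wire order."""
    data = fields["ca_field"]
    return [data[i:i + HASH_SIZE_SHA1].hex()
            for i in range(0, len(data), HASH_SIZE_SHA1)]


def check_raw(payload):
    """Convenience: parse then verify, mapping a wire blob to (ok, reason)."""
    return verify_certreq(parse_certreq(payload))


if __name__ == "__main__":
    # Constructed stand-ins for CA SubjectPublicKeyInfo blobs (not real DER).
    ca_a = b"constructed-spki-for-CA-A"
    ca_b = b"constructed-spki-for-CA-B"

    good = build_certreq([ca_a, ca_b])
    empty = build_certreq([])          # zero-length CA field, as in the log
    cut = good[:-3]                    # last hash cut short; fix length field
    cut = cut[:2] + struct.pack("!H", len(cut)) + cut[4:]

    for name, blob in (("good", good), ("empty", empty), ("truncated", cut)):
        ok, reason = check_raw(blob)
        print("%-9s %s -> %s" % (name, blob.hex(), reason))
```

Running it prints the three constructed payloads in hex with their verdicts; the "empty" case is the 5-byte payload `0000000504` and yields exactly the message seen in the strongSwan log. A payload captured from a real peer can be fed to `check_raw` the same way to tell a malformed CERTREQ from a trust-anchor mismatch before changing any configuration.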
