[strongSwan] No answer to first packet (IKE Phase 1)

Martin Werthmöller mw at lw-systems.de
Fri Dec 14 14:38:01 CET 2012


Hi Strongswan users,

we would like to set up an IPsec connection to a Telco Tec LiSS VPN Gateway.
We test the VPN connection with a Windows client (NCP). There, the
connection is established immediately.

When we run our strongSwan client, the connection establishment runs
into a timeout.

  010 "liss" #3: STATE_MAIN_I1: retransmission; will wait 20s for response
 
The pluto debug log shows no more information about this.
The Windows client and the strongSwan client use the same certificate
and connection settings (config file below).

We also captured the traffic of both connection establishments via
tcpdump. With our strongSwan client, the VPN gateway does not answer
the first UDP packet from pluto. We examined the first packets of both
clients.

Here we saw a difference in the Vendor ID (13) payloads of the two
packets.

** NCP client

Type Payload: Vendor ID (13) : Unknown Vendor ID
Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-00
Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE 
Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
Type Payload: Vendor ID (13) : Unknown Vendor ID
Type Payload: Vendor ID (13) : Unknown Vendor ID
Type Payload: Vendor ID (13) : Unknown Vendor ID
Type Payload: Vendor ID (13) : Microsoft L2TP/IPSec VPN Client


** strongSwan client

Type Payload: Vendor ID (13) : strongSwan
Type Payload: Vendor ID (13) : XAUTH
Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
Type Payload: Vendor ID (13) : RFC 3947 Negotiation of Traversal in the IKE
Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02
Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-00


Besides the differences in "Unknown Vendor ID" and the "L2TP Client",
the strongSwan packet contains the XAUTH "flag".

May this be the cause of the gateway timeouts?

How could we disable the XAUTH Vendor ID in the first packet?


Best regards,
Martin Werthmoeller

-- 
LWsystems GmbH & Co. KG  ++  http://www.lw-systems.de/impressum
Phone: +49 +5455 932132  ++  Fax: +49 +5455 932099

Your experts for Linux, Open Source and IT security.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

LWsystems GmbH & Co. KG
Headquarters: Tegelerweg 11, D-49186 Bad Iburg, Germany
Phone +49 (0)5455 932132
fax +49 (0)5455 932099
register of commerce: Amtsgericht Osnabrück, hra 110668
VAT no. DE23852211

Managing Directors:
Dipl.-Ing. Ansgar H. Licher, Bad Iburg, Germany
Dipl.-Ing. Martin Werthmöller, Ibbenbüren, Germany

For further company details please look at:
http://www.lw-systems.de/impressum

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
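To reproduce the comparison above on any capture, here is an added example (not from the original post and not strongSwan or pluto code) that walks the ISAKMP payload chain of an IKEv1 Main Mode first message and lists its Vendor ID payloads, naming the NAT-T, DPD and XAUTH ones. It assumes the standard VID values (MD5 of the draft/RFC name for NAT-T, the RFC 3706 DPD VID, the 8-byte XAUTH VID); the sample packet is constructed inline, not taken from the capture.

```python
import hashlib
import struct

# Vendor IDs this script can name. NAT-T VIDs are the MD5 of the draft/RFC name,
# the DPD VID is the RFC 3706 value (last two bytes = version 1.0), and XAUTH is
# the well-known 8-byte draft VID. Anything else is reported as unknown.
KNOWN_VIDS = {
    hashlib.md5(b"RFC 3947").digest(): "RFC 3947 NAT-T",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest(): "draft-ietf-ipsec-nat-t-ike-03",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02").digest(): "draft-ietf-ipsec-nat-t-ike-02",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest(): "draft-ietf-ipsec-nat-t-ike-02\\n",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-00").digest(): "draft-ietf-ipsec-nat-t-ike-00",
    bytes.fromhex("afcad71368a1f1c96b8696fc77570100"): "RFC 3706 DPD",
    bytes.fromhex("09002689dfd6b712"): "XAUTH",
}

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # icookie, rcookie, next, version, exch, flags, msgid, length
PAYLOAD_HDR = struct.Struct("!BBH")         # next payload, reserved, payload length
SA, VENDOR_ID = 1, 13

def vendor_ids(packet: bytes):
    """Return the Vendor ID payloads of an IKEv1 message, in order, named where known."""
    _, _, next_payload, _, _, _, _, length = ISAKMP_HDR.unpack_from(packet)
    if length != len(packet):
        raise ValueError("ISAKMP length field does not match packet size")
    found, offset = [], ISAKMP_HDR.size
    while next_payload != 0:                 # 0 = NONE terminates the chain
        ptype = next_payload
        next_payload, _, plen = PAYLOAD_HDR.unpack_from(packet, offset)
        if plen < PAYLOAD_HDR.size or offset + plen > len(packet):
            raise ValueError("malformed payload length at offset %d" % offset)
        if ptype == VENDOR_ID:
            vid = packet[offset + PAYLOAD_HDR.size:offset + plen]
            found.append(KNOWN_VIDS.get(vid, "Unknown Vendor ID (%s)" % vid.hex()))
        offset += plen
    return found

def build_packet(vids):
    """Constructed Main Mode first message: a dummy SA payload followed by the given VIDs."""
    chain = [(SA, b"\x00" * 8)] + [(VENDOR_ID, v) for v in vids]
    body = b""
    for i, (ptype, data) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(data)) + data
    hdr = ISAKMP_HDR.pack(b"\x01" * 8, b"\x00" * 8, SA, 0x10, 2, 0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body

# Constructed stand-in for an initiator packet carrying XAUTH, DPD, NAT-T and one unknown VID.
SAMPLE = build_packet([bytes.fromhex("09002689dfd6b712"),
                       bytes.fromhex("afcad71368a1f1c96b8696fc77570100"),
                       hashlib.md5(b"RFC 3947").digest(), b"\xaa" * 16])

if __name__ == "__main__":
    for name in vendor_ids(SAMPLE):
        print("Vendor ID (13):", name)
```

Feed it the UDP payload of the first packet from each client (e.g. extracted from the tcpdump capture) and diff the two lists to see exactly which Vendor IDs differ.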
