[strongSwan] No answer to first packet (IKE Phase 1)

Andreas Steffen andreas.steffen at strongswan.org
Sat Dec 15 09:43:17 CET 2012 

Hi Martin,

it might be that the gateway does not like strongSwan's authentication
or crypto proposals. Pluto 4.x e.g. does not support IKEv1 Aggressive
Mode.

Regards

Andreas

On 12/14/2012 02:38 PM, Martin Werthmöller wrote:
> Hi Strongswan users,
> 
> we like to setup a IPSec connection to a Telco Tec LiSS VPN Gateway.
> We test the VPN connection with a windows client (NCP). Here, the
> connection will be established immediately.
> 
> As we run our strongSwan client, the connection establishment runs
> into a timeout.
> 
>   010 "liss" #3: STATE_MAIN_I1: retransmission; will wait 20s for response
>  
> The pluto debug log shows no more information about this. 
> The Windows Client and the strongSwan client uses the same certificate
> an connection settings (configfile beneath).
> 
> We also capture the traffic of both connections establishments via
> tcpdump. With our strongSwan client, the VPN gateway will no answer to
> the first UDP packet from pluto. We examined the first packets of both
> clients.
> 
> Here we saw a difference at the Payload (Vendor ID (13) of both
> packets.
> 
> ** NCP client
> 
> Type Payload: Vendor ID (13) : Unknown Vendor ID
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-00
> Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE 
> Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
> Type Payload: Vendor ID (13) : Unknown Vendor ID
> Type Payload: Vendor ID (13) : Unknown Vendor ID
> Type Payload: Vendor ID (13) : Unknown Vendor ID
> Type Payload: Vendor ID (13) : Microsoft L2TP/IPSec VPN Client
> 
> 
> ** stronSwan client
> 
> Type Payload: Vendor ID (13) : strongSwan
> Type Payload: Vendor ID (13) : XAUTH
> Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
> Type Payload: Vendor ID (13) : RFC 3947 Negotiation of Traversal in the IKE
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-00
> 
> 
> Beside the differences in "Unknown Vendor ID" and the "L2TP Client"
> the strongSwan packet conatains the XAUTH "Flag".
> 
> May this be the problem of the gateway timeouts?
> 
> How could we disable the XAUT at the first packet?   
> 
> 
> Best regards,
> Martin Werthmoeller
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4468 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121215/68f0840e/attachment.bin>

More information about the Users mailing list