[strongSwan] [strongSwan 5.0.1] strongSwan is not sending a phase 2 Identification payload in IKEv1 for IPv6, which leads to negotiation failure
SaRaVanAn
saravanan.nagarajan87 at gmail.com
Tue Dec 18 07:26:00 CET 2012
Hi,
We are trying to establish a site-to-site tunnel with strongSwan 5.0.1 in IKEv1 for IPv6.
We are facing two issues on the strongSwan side.
Issue 1
=======
Transport mode
In response to the quick mode message of IKEv1, strongSwan is sending a quick mode message with no identification payload, which results in negotiation failure for transport mode.
I have attached a packet dump (IKEV1_TRANSPORT_MODE_IPv6) for your reference.
Key details (Cookie and Encryption)
____________
65B22AA74142F433
09A1EB7E70881F42C648C9EA20880F7A224DE5FFE8060D58
Issue 2
=======
Tunnel mode
Router1 is sending a quick mode message with identification data 2007:1234::4/ffff:ffff:ffff:ffff::, but in response to quick mode strongSwan is changing the identification data to 2007:1234::4/2007:1234::ffff:ffff:ffff:ffff, which results in negotiation failure (ID mismatch).
I have attached a packet dump (IKEV1_TUNNEL_MODE_IPv6) for your reference.
Key details (Cookie and Encryption)
____________
4ce3dbb94261df40
7B2D446BD93087DC1F17DC6C400AE5AD87436EDB61B840E3
Topology
========
Router1 ================= Router2 (strongSwan)
2007:1234::4              2007:1234::5
Please correct me if there is any problem in my configuration.
Configuration
=============
ipsec.conf
----------
config setup
    charondebug="ike 4, mgr 4, chd 4, net 4"
    strictcrlpolicy=no

conn %default
    ikelifetime=4h
    lifetime=5h
    margintime=2m
    rekeyfuzz=100%
    keyingtries=1

conn fqdn_vr
    auth=esp
    type=tunnel
    keyexchange=ikev1
    ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1536
    esp=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1536
    left=2001:1234::5
    leftid=cross@cass.com
    leftsubnet=2007:1234::5/64
    right=2001:1234::4
    rightsubnet=2007:1234::4/64
    rightid=dut@cass.com
    authby=secret
    auto=add

ipsec.secrets
-------------
cross@cass.com dut@cass.com : PSK "rahuldravid"
Transport mode conn
-------------------
    auth=esp
    type=transport
    keyexchange=ikev1
    ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1536
    esp=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1536
    left=2001:1234::5
    leftid=cross@cass.com
    right=2001:1234::4
    rightid=dut@cass.com
    authby=secret
    auto=add
Please help me with this; I need experts' input.
Regards,
Saravanan N
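A small check of what the two identification payloads in Issue 2 actually select, as an added example that is not part of this report or of strongSwan's code. It encodes the RFC 2407 ID_IPV6_ADDR_SUBNET (address + mask) and ID_IPV6_ADDR_RANGE (first + last address) formats, decodes both back to a canonical first/last address pair, and reports whether they describe the same traffic. It assumes Router1's value is a subnet-type ID and strongSwan's reply a range-type ID; that is an interpretation of the quoted strings, not something confirmed from the dump here.

```python
import ipaddress
import struct

# IPsec DOI identification types, RFC 2407 section 4.6.2.1
ID_IPV6_ADDR_SUBNET = 6   # data: 16-byte address followed by 16-byte mask
ID_IPV6_ADDR_RANGE = 8    # data: 16-byte first address, 16-byte last address
ALL_ONES_128 = (1 << 128) - 1


def build_id_data(id_type, first, second, protocol=0, port=0):
    """Build the body of an IKEv1 ID payload (after the generic payload
    header): ID type, protocol ID, port, then the 32 bytes of ID data."""
    data = ipaddress.IPv6Address(first).packed + ipaddress.IPv6Address(second).packed
    return struct.pack("!BBH", id_type, protocol, port) + data


def id_to_range(body):
    """Decode an ID payload body into the (first, last) address pair it
    covers, so a subnet-type ID and a range-type ID can be compared."""
    id_type, _proto, _port = struct.unpack("!BBH", body[:4])
    a = int.from_bytes(body[4:20], "big")
    b = int.from_bytes(body[20:36], "big")
    if id_type == ID_IPV6_ADDR_SUBNET:
        # Apply the mask; host bits in the address are cleared. A receiver
        # that keeps host bits would derive a different range (assumption).
        first = a & b
        last = first | (~b & ALL_ONES_128)
    elif id_type == ID_IPV6_ADDR_RANGE:
        first, last = a, b
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    return str(ipaddress.IPv6Address(first)), str(ipaddress.IPv6Address(last))


def ids_match(body_a, body_b):
    """True when both IDs select exactly the same address range."""
    return id_to_range(body_a) == id_to_range(body_b)


# Constructed from the two values quoted in the report (Issue 2).
ROUTER1_ID = build_id_data(ID_IPV6_ADDR_SUBNET,
                           "2007:1234::4", "ffff:ffff:ffff:ffff::")
STRONGSWAN_ID = build_id_data(ID_IPV6_ADDR_RANGE,
                              "2007:1234::4", "2007:1234::ffff:ffff:ffff:ffff")


def check_report():
    """Decode both IDs and say whether the responder's ID matches."""
    return id_to_range(ROUTER1_ID), id_to_range(STRONGSWAN_ID), ids_match(ROUTER1_ID, STRONGSWAN_ID)


if __name__ == "__main__":
    print(check_report())
```

Both decoded ranges end at 2007:1234::ffff:ffff:ffff:ffff, but the masked subnet starts at 2007:1234:: while the range starts at 2007:1234::4, so the two IDs do not select the same traffic, which is one concrete way to read the "ID mismatch" in the report.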
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IKEV1_TRANSPORT_MODE_IPv6.pcap
Type: application/octet-stream
Size: 9947 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121217/5b48bbc0/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IKEV1_TUNNEL_MODE_IPv6.pcap
Type: application/octet-stream
Size: 4376 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121217/5b48bbc0/attachment-0001.obj>