[strongSwan] [Strongswan] AH mode support in Strongswan for Ikev1

Andreas Steffen andreas.steffen at strongswan.org
Mon May 28 16:54:10 CEST 2012


Hello,

AH without ESP is not supported by strongSwan IKEv1 (which goes all
the way back to FreeS/WAN).

With auth=esp which is the default you opt for ESP encryption and ESP's
optional authentication mode.

With auth=ah you get ESP encryption without ESP's optional
authentication mode but you get AH on top of ESP instead.

If you don't want to encrypt your packets please use either
ESP NULL encryption

  http://www.strongswan.org/uml/testresults/ikev1/esp-alg-null

or AES-GMAC

  http://www.strongswan.org/uml/testresults/ikev1/esp-alg-aes-gmac

Regards

Andreas

On 28.05.2012 15:40, SaRaVanAn wrote:
> Hi Team,
>     I hope AH mode in strongSwan is supported for IKEv1. But I tried
> to form a tunnel using AH mode with IKEv1, and strongSwan was expecting
> an ESP proposal even though I configured auth=ah. If AH mode is supported
> for IKEv1, please correct me if there is any syntax error in the below
> configuration file which makes things not work.
> 
> *ipsec.conf*
> ____________
> # basic configuration
> ca vpnca
>          cacert=ca1Cert.pem
>          #crluri=crl.pem
>          auto=add
> 
> config setup
>           plutostart=yes
>           plutodebug=all
>           charonstart=yes
>           charondebug=all
>           nat_traversal=yes
>           crlcheckinterval=10m
>           strictcrlpolicy=no
> 
> conn %default
>         ikelifetime=1h
>         keylife=2h
>         keyingtries=1
> 
> conn fqdn_vr
>     auth=ah
>     type=transport
>     keyexchange=ikev1
>     left=172.31.114.227
>     right=%any
>     rightid=172.31.114.211
>     pfs=no
>     rekey=no
>     auto=add
> 
> *logs*
> _____
> May 28 18:48:07 uxcasxxx pluto[32284]: | ******parse ISAKMP IPsec DOI
> attribute:
> May 28 18:48:07 uxcasxxx pluto[32284]: |    af+type: ENCAPSULATION_MODE
> May 28 18:48:07 uxcasxxx pluto[32284]: |    length/value: 1
> May 28 18:48:07 uxcasxxx pluto[32284]: |    [1 is ENCAPSULATION_MODE_TUNNEL]
> May 28 18:48:07 uxcasxxx pluto[32284]: | ******parse ISAKMP IPsec DOI
> attribute:
> May 28 18:48:07 uxcasxxx pluto[32284]: |    af+type: AUTH_ALGORITHM
> May 28 18:48:07 uxcasxxx pluto[32284]: |    length/value: 2
> May 28 18:48:07 uxcasxxx pluto[32284]: |    [2 is HMAC_SHA1]
> *May 28 18:48:07 uxcasxxx pluto[32284]: | policy for "fqdn_vr" requires
> encryption but ESP not in Proposal from 172.31.114.211
> May 28 18:48:07 uxcasxxx pluto[32284]: "fqdn_vr"[1] 172.31.114.211 #2:
> no acceptable Proposal in IPsec SA
> May 28 18:48:07 uxcasxxx pluto[32284]: "fqdn_vr"[1] 172.31.114.211 #2:
> sending encrypted notification *NO_PROPOSAL_CHOSEN to 172.31.114.211:500
> <http://172.31.114.211:500>
> May 28 18:48:07 uxcasxxx pluto[32284]: | **emit ISAKMP Message:
> May 28 18:48:07 uxcasxxx pluto[32284]: |    initiator cookie:
> May 28 18:48:07 uxcasxxx pluto[32284]: |   39 e8 20 f0  36 bb c5 63
> May 28 18:48:07 uxcasxxx pluto[32284]: |    responder cookie:
> May 28 18:48:07 uxcasxxx pluto[32284]: |   1b 60 45 9a  ac b4 b9 d9
> May 28 18:48:07 uxcasxxx pluto[32284]: |    next payload type:
> ISAKMP_NEXT_HASH
> May 28 18:48:07 uxcasxxx pluto[32284]: |    ISAKMP version: ISAKMP
> Version 1.0
> May 28 18:48:07 uxcasxxx pluto[32284]: |    exchange type: ISAKMP_XCHG_INFO
> May 28 18:48:07 uxcasxxx pluto[32284]: |    flags: ISAKMP_FLAG_ENCRYPTION
> May 28 18:48:07 uxcasxxx pluto[32284]: |    message ID:  4a 6d 47 56
> May 28 18:48:07 uxcasxxx pluto[32284]: | ***emit ISAKMP Hash Payload:
> May 28 18:48:07 uxcasxxx pluto[32284]: |    next payload type: ISAKMP_NEXT_N
> May 28 18:48:07 uxcasxxx pluto[32284]: | emitting 20 zero bytes of HASH
> into ISAKMP Hash Payload
> May 28 18:48:07 uxcasxxx pluto[32284]: | emitting length of ISAKMP Hash
> Payload: 24
> May 28 18:48:07 uxcasxxx pluto[32284]: | ***emit ISAKMP Notification
> Payload:
> May 28 18:48:07 uxcasxxx pluto[32284]: |    next payload type:
> ISAKMP_NEXT_NONE
> May 28 18:48:07 uxcasxxx pluto[32284]: |    DOI: ISAKMP_DOI_IPSEC
> May 28 18:48:07 uxcasxxx pluto[32284]: |    protocol ID: 1
> May 28 18:48:07 uxcasxxx pluto[32284]: |    SPI size: 0
> May 28 18:48:07 uxcasxxx pluto[32284]: |    Notify Message Type:
> NO_PROPOSAL_CHOSEN
> May 28 18:48:07 uxcasxxx pluto[32284]: | emitting 0 raw bytes of spi
> into ISAKMP Notification Payload
> May 28 18:48:07 uxcasxxx pluto[32284]: | spi
> May 28 18:48:07 uxcasxxx pluto[32284]: | emitting length of ISAKMP
> Notification Payload: 12
> 
> 
> Regards,
> Saravanan N
================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
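A minimal conn for the integrity-only setup Andreas describes, added here as an example and not taken from the thread or from strongSwan's own test configurations; it reuses the addresses from Saravanan's conn and assumes the strongSwan 4.x pluto ipsec.conf syntax, with the proposal keyword names null-sha1 (ESP NULL encryption with HMAC-SHA1) and aes128gmac (AES-GMAC) taken as assumptions.

```ini
# Added example (not from the thread): authentication-only IKEv1 transport
# SA without AH, using ESP NULL encryption instead. Assumes strongSwan 4.x
# pluto ipsec.conf syntax and the proposal names null-sha1 / aes128gmac.
conn fqdn_vr
    # auth=esp is the default; auth=ah would stack AH on top of ESP
    # rather than negotiate AH alone
    auth=esp
    # NULL cipher + HMAC-SHA1: every packet is integrity-protected but
    # carried in cleartext, so there is no confidentiality at all.
    # The trailing "!" makes the proposal strict, so pluto only accepts
    # exactly this transform from the peer.
    esp=null-sha1!
    # Alternative with the same properties, using AES-GMAC:
    # esp=aes128gmac!
    type=transport
    keyexchange=ikev1
    left=172.31.114.227
    right=%any
    rightid=172.31.114.211
    pfs=no
    rekey=no
    auto=add
```

The peer has to offer the same ESP NULL (or AES-GMAC) transform; the quoted log shows it currently proposing only AH, which pluto rejects with NO_PROPOSAL_CHOSEN regardless of this side's settings.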
