[strongSwan] Attempted PSK IKEv2 VPN w/BB10 - fails negotiation

Karl Denninger karl at denninger.net
Fri Apr 19 16:07:11 CEST 2013


Gateway has an external IP address of 70.169.168.7, is FreeBSD 9.x with
IPSEC in the kernel.  Strongswan 5.0.1 from the ports compilation.  This
is my first (yeah, I know) attempt getting StrongSwan and IKEv2 set up;
I have a working L2TP configuration that other clients use but is not
IPSEC-specific (and did not require the kernel recompile.)  Firewall has
both UDP 500 and 4500 permitted both directions, and logging shows no
problems with the firewall or any packets blocked.

Configuration on the phone and intended use is PSK only on the
connection, no certificate validation for either end.

ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

conn %default
        keyingtries=1
        keyexchange=ikev2
        authby=secret

conn remote
        left=70.169.168.7
        leftsubnet=192.168.1.0/24
        right=%any
        rightsourceip=192.168.2.0/24
        auto=add

ipsec.secrets:

%any : PSK "mysecretisinhere"


Z-10 phone is set up for an IKEv2 generic gateway, the DNS hostname.
When attempting to connect I get this in /var/log/daemon:


Apr 19 09:01:26 NewFS charon: 12[NET] received packet: from
192.168.1.21[500] to 70.169.168.7[500]
Apr 19 09:01:26 NewFS charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 19 09:01:26 NewFS charon: 12[IKE] 192.168.1.21 is initiating an IKE_SA
Apr 19 09:01:26 NewFS charon: 12[ENC] generating IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Apr 19 09:01:26 NewFS charon: 12[NET] sending packet: from
70.169.168.7[500] to 192.168.1.21[500]
Apr 19 09:01:26 NewFS charon: 10[NET] received packet: from
192.168.1.21[4500] to 70.169.168.7[4500]
Apr 19 09:01:26 NewFS charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi
AUTH CP(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT) N(MOBIKE_SUP)
N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 19 09:01:26 NewFS charon: 10[CFG] looking for peer configs matching
70.169.168.7[%any]...192.168.1.21[107.97.114.108]
Apr 19 09:01:26 NewFS charon: 10[CFG] selected peer config 'remote'
Apr 19 09:01:26 NewFS charon: 10[IKE] authentication of '107.97.114.108'
with pre-shared key successful
Apr 19 09:01:26 NewFS charon: 10[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 19 09:01:26 NewFS charon: 10[IKE] peer supports MOBIKE
Apr 19 09:01:26 NewFS charon: 10[IKE] authentication of '70.169.168.7'
(myself) with pre-shared key
Apr 19 09:01:26 NewFS charon: 10[IKE] IKE_SA remote[9] established
between 70.169.168.7[70.169.168.7]...192.168.1.21[107.97.114.108]
Apr 19 09:01:26 NewFS charon: 10[IKE] scheduling reauthentication in 9799s
Apr 19 09:01:26 NewFS charon: 10[IKE] maximum IKE_SA lifetime 10339s
Apr 19 09:01:26 NewFS charon: 10[IKE] peer requested virtual IP %any
Apr 19 09:01:26 NewFS charon: 10[CFG] reassigning offline lease to
'107.97.114.108'
Apr 19 09:01:26 NewFS charon: 10[IKE] assigning virtual IP 192.168.2.2
to peer '107.97.114.108'
Apr 19 09:01:26 NewFS charon: 10[IKE] CHILD_SA remote{7} established
with SPIs c46a0659_i 394d837a_o and TS 192.168.1.0/24 === 192.168.2.2/32
Apr 19 09:01:26 NewFS charon: 10[ENC] generating IKE_AUTH response 1 [
IDr AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR)
N(ADD_4_ADDR) ]
Apr 19 09:01:26 NewFS charon: 10[NET] sending packet: from
70.169.168.7[4500] to 192.168.1.21[4500]
Apr 19 09:01:36 NewFS charon: 11[NET] received packet: from
192.168.1.21[4500] to 70.169.168.7[4500]
Apr 19 09:01:36 NewFS charon: 11[IKE] ignoring IKE_AUTH in established
IKE_SA state
Apr 19 09:01:46 NewFS charon: 13[NET] received packet: from
192.168.1.21[4500] to 70.169.168.7[4500]
Apr 19 09:01:46 NewFS charon: 13[IKE] ignoring IKE_AUTH in established
IKE_SA state

It doesn't matter if I am connected via WiFi on the local LAN (which
should work but is a degenerate case) or over the cellular network.  I
tried it on WiFi to eliminate the possibility that the carrier was
interfering with the passing of the IKE_AUTH response back to the phone.

It appears that the phone is never seeing the AUTH response.

If I'm reading this correctly the authentication against the PSK
succeeds, and I have this in the security associations on the host:

root at NewFS:/var/log # ipsec status
Security Associations (1 up, 0 connecting):
      remote[9]: ESTABLISHED 3 minutes ago,
70.169.168.7[70.169.168.7]...192.168.1.21[107.97.114.108]
      remote{7}:  INSTALLED, TUNNEL, ESP SPIs: c46a0659_i 394d837a_o
      remote{7}:   192.168.1.0/24 === 192.168.2.2/32

So it appears that we have a valid tunnel and connection, but the phone
never gets the authentication response and thus keeps trying to resubmit
the request.

Any ideas on where to start trying to get this thing operational?  Once
I have this working I'll worry about multi-client (e.g. PAM-based)
authentication -- right now I'm just trying to get ANY connection
operational.

Thanks in advance.

-- 
-- Karl Denninger
/The Market Ticker ®/ <http://market-ticker.org>
Cuda Systems LLC
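A small log triage script, added here as an example (not from the post, and not part of strongSwan), that reads charon lines like the ones quoted above and flags the pattern the post describes: the responder marks the IKE_SA established and sends its IKE_AUTH response, then keeps dropping retransmitted IKE_AUTH requests from the same peer. Because the "ignoring IKE_AUTH" line names no peer, the script attributes it through the charon thread id of the preceding "received packet" line on that thread; the embedded sample is condensed from the excerpt above, with wrapped lines joined.

```python
import re
from collections import defaultdict
# Constructed sample: charon lines condensed from the post's /var/log/daemon excerpt (wraps joined).
SAMPLE_LOG = """\
Apr 19 09:01:26 NewFS charon: 12[NET] received packet: from 192.168.1.21[500] to 70.169.168.7[500]
Apr 19 09:01:26 NewFS charon: 10[NET] received packet: from 192.168.1.21[4500] to 70.169.168.7[4500]
Apr 19 09:01:26 NewFS charon: 10[IKE] authentication of '107.97.114.108' with pre-shared key successful
Apr 19 09:01:26 NewFS charon: 10[IKE] IKE_SA remote[9] established between 70.169.168.7[70.169.168.7]...192.168.1.21[107.97.114.108]
Apr 19 09:01:26 NewFS charon: 10[NET] sending packet: from 70.169.168.7[4500] to 192.168.1.21[4500]
Apr 19 09:01:36 NewFS charon: 11[NET] received packet: from 192.168.1.21[4500] to 70.169.168.7[4500]
Apr 19 09:01:36 NewFS charon: 11[IKE] ignoring IKE_AUTH in established IKE_SA state
Apr 19 09:01:46 NewFS charon: 13[NET] received packet: from 192.168.1.21[4500] to 70.169.168.7[4500]
Apr 19 09:01:46 NewFS charon: 13[IKE] ignoring IKE_AUTH in established IKE_SA state
"""

# syslog prefix, then "<thread>[GROUP] message" as charon writes it
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: (?P<thr>\d+)\[\w+\] (?P<msg>.*)$")
RECV = re.compile(r"received packet: from (?P<peer>[\d.]+)\[(?P<port>\d+)\]")
ESTAB = re.compile(r"IKE_SA \S+\[\d+\] established between \S+\.\.\.(?P<peer>[\d.]+)\[")

def analyze(log_text):
    """Per peer: IKE_SA established?, UDP ports seen, timestamps of dropped IKE_AUTH retransmits."""
    peers = defaultdict(lambda: {"established": False, "ports": set(), "ignored_auth": []})
    last_peer_by_thread = {}  # the 'ignoring IKE_AUTH' line names no peer: attribute via thread id
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, thr, msg = m.group("ts"), m.group("thr"), m.group("msg")
        recv, estab = RECV.search(msg), ESTAB.search(msg)
        if recv:
            last_peer_by_thread[thr] = recv.group("peer")
            peers[recv.group("peer")]["ports"].add(int(recv.group("port")))
        elif estab:
            peers[estab.group("peer")]["established"] = True
        elif "ignoring IKE_AUTH in established IKE_SA state" in msg and thr in last_peer_by_thread:
            peers[last_peer_by_thread[thr]]["ignored_auth"].append(ts)
    return dict(peers)

def diagnose(peers):
    """Flag peers whose SA is up here yet keep resending IKE_AUTH: our response never got through."""
    findings = []
    for peer, info in sorted(peers.items()):
        n = len(info["ignored_auth"])
        if info["established"] and n:
            ports = "/".join(str(p) for p in sorted(info["ports"]))
            findings.append(f"{peer}: IKE_SA established here but {n} IKE_AUTH retransmit(s) dropped "
                            f"({info['ignored_auth'][0]} .. {info['ignored_auth'][-1]}); check that the "
                            f"IKE_AUTH response is reaching the initiator on UDP {ports}")
    return findings
```

Run it against the real daemon log with `diagnose(analyze(open("/var/log/daemon").read()))`; a finding for the phone's address confirms the responder side is fine and the problem lies on the return path or in the phone's handling of the response.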