[strongSwan] Strongswan responder QM fails, Windows 7 initiating

Noel Kuntze noel at familie-kuntze.de
Thu Jul 18 23:48:02 CEST 2013


Hello Steve,

I think the initiator and the responder don't share aes128-sha1. You
need to pick another cipher-hmac pair for esp. That's why they fail in
Quick Mode, when they try to establish a CHILD_SA.
You can take a look at the part when strongSwan and Windows 7 try to
negotiate a shared cipher and look for shared ones.

Regards,

Noel

On 18.07.2013 23:16, Steve DeLaney wrote:
>
> Hi, we are bringing up a VPN between strongswan and windows 7.
> We see a strange problem. When strongswan initiates to windows, the VPN is up OK.
> But when strongswan responds, the negotiation fails in Phase 2 quick mode.
> The main mode ECDSA cert auth is OK, but not quick mode.
>
> Can someone please comment and see if we are missing something?
>
> After a lot of trial and error, I ended up writing a windows netsh script to automate the firewall rule.
> It is included below in the hopes it will be helpful to others.
>
>
> In our configuration we are using ECDSA-P256 machine certificate
>
> The strongswan wiki is very helpful to get up to speed on how to configure Windows
> firewall from the MMC snap-in and netsh command line.
> wiki.strongswan.org/projects/strongswan/wiki/WindowsSuiteB
>
> However, the IKE main mode methods (mmsecmethods) used in that example include ECDHP256,
> but we don't use it. Instead, we use a standard DH group 2 Modp 1024.
>
> Strongswan configuration:
>
> ike=aes128-sha256-modp1024!
> esp=aes128-sha1!
>
> Windows rule:
> dhgroup2:aes128-sha256
> auth1=computercertecdsap256
> auth1ecdsap256ca=...
>
>
> Here is the netsh script that does the complete setup of the firewall rule.
> After the machine certificates are installed, this script is run and adds the rule from scratch.
>
>
> rem restart windows firewall:
> net stop mpssvc
> net start mpssvc
>
> rem configure global IPSec mainmode settings:
> netsh advfirewall set global mainmode mmsecmethods dhgroup2:aes128-sha256
> netsh advfirewall show global
>
>
> rem configure the suiteb firewall rule:
>
> netsh advfirewall consec del rule name=suiteb
>
> netsh advfirewall consec add rule name=suiteb ^
> description="SuiteB Configuration"       ^
> endpoint1=192.168.0.1                         ^
> endpoint2=192.168.0.100                       ^
> action=requireinrequireout                    ^
> qmsecmethods=esp:sha1-aes128                  ^
> auth1=computercertecdsap256                   ^
> auth1ecdsap256ca="O=\'XYZ Company\', OU=Operations, E=info at xyz.com, L=Anytown, S=CA, C=US, CN=\'XYZ Company\'"
>
>
> netsh advfirewall consec show rule name=suiteb
>
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

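Noel's advice amounts to intersecting the two peers' proposal lists, once for Main Mode (the strongSwan ike= line against the netsh mmsecmethods value) and once for Quick Mode (esp= against qmsecmethods). The script below normalises both spellings into (encryption, integrity, DH group) tuples and prints the intersection. It is an added example for this thread, not code from strongSwan, Microsoft or either poster: the name mappings (dhgroup2 to modp1024, Windows aesgcm128 to strongSwan aes128gcm16 on the assumption of a 16-byte ICV, Windows "none" to strongSwan "null") are assumptions written into the script, it covers IKEv1 ESP proposals only (no AH, no IKEv2 PRF tokens), and the inputs are the strings quoted in this thread plus one constructed mismatch.

```python
"""Cross-check IKEv1 proposals between a strongSwan ipsec.conf and a Windows
netsh advfirewall rule.  Added example, not strongSwan or Microsoft code.

Main Mode : strongSwan ike=  vs  netsh mmsecmethods (dhgroup:enc-integ)
Quick Mode: strongSwan esp=  vs  netsh qmsecmethods (esp:integ-enc)

Every proposal becomes an (enc, integ, dh) tuple in strongSwan spelling,
so the two sides can simply be intersected.
"""
import re

# Windows DH group names -> strongSwan names (assumed mapping; IKE groups 1, 2, 14, 19, 20).
WIN_DH = {
    "dhgroup1": "modp768",
    "dhgroup2": "modp1024",   # the group used in the thread's configuration
    "dhgroup14": "modp2048",
    "ecdhp256": "ecp256",
    "ecdhp384": "ecp384",
}

# Windows AEAD names -> strongSwan names.  Assumption: Windows AES-GCM uses a
# 16-byte ICV, which is strongSwan's aesNNNgcm16.
WIN_AEAD = {
    "aesgcm128": "aes128gcm16",
    "aesgcm192": "aes192gcm16",
    "aesgcm256": "aes256gcm16",
}

# Windows encryption spellings that differ from strongSwan's.
WIN_ENC = {"none": "null"}

_ENC = re.compile(r"^(aes(128|192|256)(gcm|ccm)?\d*|3des|des|null|camellia(128|192|256))$")
_INTEG = re.compile(r"^(md5|sha1|sha256|sha384|sha512|aesxcbc)$")
_DH = re.compile(r"^(modp\d+|ecp\d+)$")


def _classify(token):
    """Tell encryption, integrity and DH tokens apart in strongSwan syntax."""
    if _DH.match(token):
        return "dh"
    if _INTEG.match(token):
        return "integ"
    if _ENC.match(token):
        return "enc"
    raise ValueError("unknown algorithm token: %r" % token)


def parse_strongswan(value):
    """'aes128-sha256-modp1024,aes256-sha1!' -> {(enc, integ, dh)}.

    The trailing '!' only makes strongSwan strict; it adds no proposal.
    A component that is not present is None.
    """
    proposals = set()
    for prop in value.strip().rstrip("!").split(","):
        enc = integ = dh = None
        for token in prop.strip().lower().split("-"):
            kind = _classify(token)
            if kind == "enc":
                enc = token
            elif kind == "integ":
                integ = token
            else:
                dh = token
        proposals.add((enc, integ, dh))
    return proposals


def parse_win_mainmode(value):
    """'dhgroup2:aes128-sha256,dhgroup14:aes256-sha1' -> {(enc, integ, dh)}."""
    proposals = set()
    for prop in value.strip().lower().split(","):
        group, algs = prop.strip().split(":")
        enc, integ = algs.split("-")
        proposals.add((enc, integ, WIN_DH[group]))
    return proposals


def parse_win_quickmode(value):
    """'esp:sha1-aes128,esp:aesgcm128-aesgcm128+60min+100000kb' -> {(enc, integ, None)}.

    Windows lists integrity before encryption.  '+' joins an optional AH
    part and lifetimes to the ESP part; AH-only entries belong to
    strongSwan's ah= line, which this checker does not cover.
    """
    proposals = set()
    for prop in value.strip().lower().split(","):
        for part in prop.strip().split("+"):
            if not part.startswith("esp:"):
                continue              # 'ah:sha1', '60min', '100000kb'
            integ, enc = part[len("esp:"):].split("-")
            if integ in WIN_AEAD:     # esp:aesgcm128-aesgcm128 is one AEAD transform
                proposals.add((WIN_AEAD[integ], None, None))
            else:
                proposals.add((WIN_ENC.get(enc, enc), integ, None))
    return proposals


def shared_proposals(strongswan_value, windows_value, phase):
    """Proposals both peers offer for phase 'ike' (Main Mode) or 'esp' (Quick Mode)."""
    ours = parse_strongswan(strongswan_value)
    if phase == "ike":
        theirs = parse_win_mainmode(windows_value)
    elif phase == "esp":
        theirs = parse_win_quickmode(windows_value)
        # A DH group in esp= is PFS; Windows configures that separately (qmpfs=), so drop it here.
        ours = {(e, i, None) for e, i, _ in ours}
    else:
        raise ValueError("phase must be 'ike' or 'esp'")
    return ours & theirs


if __name__ == "__main__":
    # Inputs as quoted in the thread (constructed for this example).
    print("Main Mode :", shared_proposals("aes128-sha256-modp1024!", "dhgroup2:aes128-sha256", "ike"))
    print("Quick Mode:", shared_proposals("aes128-sha1!", "esp:sha1-aes128", "esp"))
    # A constructed mismatch: empty set, so Quick Mode cannot agree on a CHILD_SA.
    print("Mismatch  :", shared_proposals("aes256-sha256!", "esp:sha1-aes128", "esp"))
```

An empty set for Quick Mode is the situation Noel describes: Main Mode completes on the shared proposal, then the CHILD_SA fails because no ESP transform is common. Feed the script the strings the running systems actually use (the IKE daemon's log on the strongSwan side and the IPsec Quick Mode audit events on Windows show what each peer sent), not the ones retyped into an e-mail, since a stray typo is exactly the kind of difference it catches. Separately, DH group 2 (1024-bit MODP) and SHA-1 are below current strength recommendations, and a rule named "suiteb" that uses them is not a Suite B configuration; the wiki page the thread links shows the ECDH and AES-GCM combination that is.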
