[strongSwan] Setup client using main mode/draft-ietf-ipsec-nat-t-ike-02

Damien Benoist dams.benoist at gmail.com
Mon Jun 10 12:04:46 CEST 2013

>> initiating Main Mode IKE_SA tst[4] to x.x.x.x
>> generating ID_PROT request 0 [ SA V V V V ]
>> sending packet: from y.y.y.y[500] to x.x.x.x[500] (220 bytes)
>> received packet: from x.x.x.x[500] to y.y.y.y[500] (160 bytes)
>> parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
>> received NO_PROPOSAL_CHOSEN error notify

> Try to get a little more details about the SA payload when using the
> Windows client. That should give some hints if a different set of
> algorithms or authentication methods have to be used.

The dump of the request is big, I suppose the dump of the answer
is more relevant.
Here is the answer:

Internet Security Association and Key Management Protocol
    Initiator cookie: 6927dfd9c3003aff
    Responder cookie: 1a4ca7e98ddec257
    Next payload: Security Association (1)
    Version: 1.0
    Exchange type: Identity Protection (Main Mode) (2)
    Flags: 0x00
    Message ID: 0x00000000
    Length: 128
    Type Payload: Security Association (1)
        Next payload: Vendor ID (13)
        Payload length: 56
        Domain of interpretation: IPSEC (1)
        Situation: 00000001
        Type Payload: Proposal (2) # 1
            Next payload: NONE / No Next Payload  (0)
            Payload length: 44
            Proposal number: 1
            Protocol ID: ISAKMP (1)
            SPI Size: 0
            Proposal transforms: 1
            Type Payload: Transform (3) # 21
                Next payload: NONE / No Next Payload  (0)
                Payload length: 36
                Transform number: 21
                Transform ID: KEY_IKE (1)
                Transform IKE Attribute Type (t=1,l=2)
Encryption-Algorithm : 3DES-CBC
                Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
                Transform IKE Attribute Type (t=4,l=2)
Group-Description : Alternate 1024-bit MODP group
                Transform IKE Attribute Type (t=3,l=2)
Authentication-Method : XAUTHInitRSA
                Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
                Transform IKE Attribute Type (t=12,l=4) Life-Duration : 2147483
    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
        Next payload: Vendor ID (13)
        Payload length: 20
        Vendor ID: 90cb80913ebb696e086381b5ec427b1f
        Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
    Type Payload: Vendor ID (13) : Microsoft L2TP/IPSec VPN Client
        Next payload: NONE / No Next Payload  (0)
        Payload length: 24
        Vendor ID: 4048b7d56ebce88525e7de7f00d6c2d3c0000000
        Vendor ID: Microsoft L2TP/IPSec VPN Client

More information about the Users mailing list