[strongSwan] strongSwan-5.0.2 & IKEv1-PSK issue
Karthikeyan D
dkincoming at googlemail.com
Thu Jun 13 12:32:06 CEST 2013
Dear All,

I am facing a problem with strongSwan-5.0.2. I am using strongSwan to
terminate incoming IPSec tunnels and forward the traffic flowing inside the
tunnel to other servers. strongSwan runs in a centos-6.3 linux box that
sits behind a linux firewall. The IPSec clients are Cisco ASA firewall and
Cisco ISR router. Occasionally I use strongSwan in a linux client to test
the setup. I am using PSK authentication (shared secret).

I see the below error is thrown by charon daemon when the cisco devices
initiate the tunnel using IKEv1. I can see the charon daemon is not able to
decrypt the encrypted payload to extract the ID.

Jun 13 10:43:33 09[ENC] encrypted => 96 bytes @ 0x7f8930005030
Jun 13 10:43:33 09[ENC]    0: 60 8C DB 8A 8A 6E 49 5F 7F 45 62 4E B3 09 13 8F  `....nI_.EbN....
Jun 13 10:43:33 09[ENC]   16: B4 B2 7B E3 1A 97 CC 92 A9 0B F4 AF AA 2A 9E 8A  ..{..........*..
Jun 13 10:43:33 09[ENC]   32: 75 67 08 53 A9 51 1D 4E 08 A9 63 85 FF F5 AB 1A  ug.S.Q.N..c.....
Jun 13 10:43:33 09[ENC]   48: 9B 0E F4 E0 17 43 0C FF 6E 00 99 B8 CC 5A 0D 30  .....C..n....Z.0
Jun 13 10:43:33 09[ENC]   64: CA 11 D7 B2 C3 19 2D 93 CF 25 93 0A 78 36 51 21  ......-..%..x6Q!
Jun 13 10:43:33 09[ENC]   80: 2B 5C E2 C2 CA 22 8B 43 BD 46 4A FA 5A 75 52 90  +\...".C.FJ.ZuR.
Jun 13 10:43:33 09[ENC] plain => 96 bytes @ 0x7f8930005030
Jun 13 10:43:33 09[ENC]    0: 38 A4 9B D6 8C 89 3C A8 E4 52 95 A8 42 69 68 21  8.....<..R..Bih!
Jun 13 10:43:33 09[ENC]   16: E6 CB 40 50 3D 48 EC 9F E0 1B 7B 80 53 C5 4D 85  ..@P=H....{.S.M.
Jun 13 10:43:33 09[ENC]   32: B0 71 DA 15 08 C7 50 1E 69 B3 A2 40 B9 27 5D 13  .q....P.i..@.'].
Jun 13 10:43:33 09[ENC]   48: 70 4D 5F E2 21 DB 1A 1F FF 10 B7 11 15 E8 D7 BA  pM_.!...........
Jun 13 10:43:33 09[ENC]   64: A2 A1 69 CF DF D5 1E C4 EA C1 4C 73 20 E7 38 02  ..i.......Ls .8.
Jun 13 10:43:33 09[ENC]   80: 01 25 F3 D8 00 AE 2C 57 82 D1 82 EC E2 4D 3F A8  .%....,W.....M?.
Jun 13 10:43:33 09[ENC] invalid ID_V1 payload length, decryption failed?
Jun 13 10:43:33 09[ENC] could not decrypt payloads
Jun 13 10:43:33 09[IKE] message parsing failed

The same setup used to work before when I was using strongSwan-4.5.3. To
make sure my client configurations are correct I downgraded strongSwan to
4.5.3 on the VPN concentrator and it worked. When I upgraded strongSwan to
5.0.2 it is not working. Can you please throw some light on this issue?

The relevant section of the server side ipsec.conf is below.

conn PSK_IKEv1
    keyexchange=ikev1
    authby=secret
    auth=esp
    esp=aes128-sha1,3des-sha1,null-sha1
    leftupdown=/usr/local/etc/mark_updown
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftid=@my.vpn.net
    right=%any
    rightid=%any
    rightsubnet=0.0.0.0/0
    type=tunnel
    auto=add

I have also ensured that the client is sending the password correctly (i.e.,
the one that I have set in ipsec.secrets).

regards,
dk
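
Added example (not part of the original post and not strongSwan code): a decrypted IKEv1 body should begin with an ISAKMP generic payload header, but the first four bytes of the "plain" dump above (38 A4 9B D6) give a reserved byte of 0xA4 and a length of 0x9BD6 = 39894 inside a 96-byte body, which is the random-looking result of decrypting with a mismatched key. The function name, the strict reserved-byte check and the constructed comparison buffer are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ISAKMP generic payload header (RFC 2408): next payload (1 byte),
 * reserved (1 byte), payload length (2 bytes, big-endian, header included). */
enum { HDR_LEN = 4, PL_NONE = 0, PL_ID = 5, PL_HASH = 8 };

/* Walk the payload chain of a decrypted message body. Returns the number of
 * well-formed payloads, or -1 at the first header that cannot be valid.
 * Rejecting a non-zero reserved byte is this example's own choice. */
int walk_payloads(const uint8_t *buf, size_t len, uint8_t first_type)
{
    size_t off = 0;
    uint8_t type = first_type;
    int count = 0;

    while (type != PL_NONE) {
        if (len - off < HDR_LEN)
            return -1;                     /* no room for another header */
        uint8_t next = buf[off];
        uint8_t reserved = buf[off + 1];
        size_t plen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (reserved != 0 || plen < HDR_LEN || plen > len - off)
            return -1;                     /* implausible header */
        off += plen;
        type = next;
        count++;
    }
    return count;                          /* bytes after the chain are padding */
}

/* First four bytes of the "plain" dump in the post; the other 92 bytes are
 * left zero here because the walk already stops at offset 0. */
const uint8_t post_plain[96] = { 0x38, 0xA4, 0x9B, 0xD6 };

/* Constructed well-formed body: ID payload (IPv4 192.0.2.1), HASH payload
 * with an all-zero placeholder digest, then 12 bytes of padding. */
const uint8_t good_plain[48] = {
    PL_HASH, 0x00, 0x00, 0x0C, 0x01, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x02, 0x01,
    PL_NONE, 0x00, 0x00, 0x18,
};

int main(void)
{
    printf("post dump:   %d\n", walk_payloads(post_plain, sizeof post_plain, PL_ID));
    printf("constructed: %d\n", walk_payloads(good_plain, sizeof good_plain, PL_ID));
    return 0;
}
```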