[strongSwan] [StrongSwan] Win7 to Strongswan 5.0.x connection issue in IKEv1 transport mode

Mickael SABELLE mickael.sabelle at gmail.com
Mon Mar 25 16:27:36 CET 2013


I m currently using strongSwan to authenticate a Windows 7 client to access
my Linux Server. I use the Win7 "Windows Firewall with Advanced Security"
with the "Connection Security rules" features for the IPSEC connection
(Allow me to automaticaly authenticate the Win7 laptop when it try to
access the linux server without user action). This Win7 client seems to
only support IKEv1.
To have the minimum of network and server impact I authenticate the win7
using transport mode and null encryption.

I was previously in strongswan version 4.x.x and I have updated strongSwan
with the version 5.0.1.
Since the update I m not able anymore to connect my Win7 in transport mode
to the Linux server with strongswan 5.0.x.
The main mode phase is ok but the quick mode never finish and I have no
error message. I added in attachment files the Win7 configuration, the
Charon log and a pcap file from the win 7 side.

My strongSwan configuration is the following:
root at corellia:/etc# more ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
charondebug="ike 2, net 2"
       uniqueids = yes

conn %default

conn WIN7_Transport

#include /var/lib/strongswan/ipsec.conf.inc

I have the following ipsec status:
root at corellia:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.1, Linux 2.6.32-45-generic,
  uptime: 14 minutes, since Mar 22 17:49:35 2013
  malloc: sbrk 135168, mmap 0, used 104336, free 30832
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
scheduled: 16
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac
attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
         EFB:  IKEv1
         EFB:   local:  [] uses pre-shared key authentication
         EFB:   remote: [] uses pre-shared key authentication
         EFB:   child:  dynamic === dynamic TRANSPORT
Security Associations (1 up, 0 connecting):
         EFB[8]: ESTABLISHED 3 seconds ago,[]...[]
         EFB[8]: IKEv1 SPIs: c911ffdc4c6bf201_i 1b1a18a730dff768_r*,
pre-shared key reauthentication in 2 hours
         EFB[8]: IKE proposal:
         EFB[8]: Tasks passive: QUICK_MODE

- I made some additionnal test and it work in tunnel mode with a similar
configuration (except the type).
- I updated my StrongSwan with the 5.0.2 release and with this version
nothing work... (tunnel or transport).

I don't know if it is a bug in the IKEv1 implementation in the 5.0.x
release or an issue in my config and now I have no more idea and way
forward to get something that work.

thanks in advance for your help or idea to resolve my issue.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130325/1dedd98a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: charonlog.log
Type: application/octet-stream
Size: 193921 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130325/1dedd98a/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: WIN7_conf.png
Type: image/png
Size: 86301 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130325/1dedd98a/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: WIN7_to_Strongswan501_tun.pcapng
Type: application/octet-stream
Size: 6516 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130325/1dedd98a/attachment-0001.obj>

More information about the Users mailing list