[strongSwan] [StrongSwan] Win7 to Strongswan 5.0.x connection issue in IKEv1 transport mode

Mickael SABELLE mickael.sabelle at gmail.com
Tue Mar 26 18:02:46 CET 2013


> Hello,
>
> I'm currently using strongSwan to authenticate a Windows 7 client to
> access my Linux server. I use the Win7 "Windows Firewall with Advanced
> Security" with the "Connection Security rules" feature for the IPsec
> connection (it allows me to automatically authenticate the Win7 laptop when it
> tries to access the Linux server without user action). This Win7 client seems
> to only support IKEv1.
> To have the minimum network and server impact I authenticate the Win7
> using transport mode and null encryption.
>
> I was previously on strongSwan version 4.x.x and I have updated strongSwan
> to version 5.0.1.
> Since the update I'm no longer able to connect my Win7 in transport mode
> to the Linux server with strongSwan 5.0.x.
> The main mode phase is OK but the quick mode never finishes and I have no
> error message. I attached a pcap file captured on the Win7 side.
>


> My Win7 configuration returned by "netsh advfirewall consec>show rule
> name=WIN7_transport_103":
>

Rules Name:                             WIN7_transport_103
---------------------------------------------------------------------------------------------------------------
Enabled:                                    Yes
Profiles:                                      Domain,proviate,puvlic
Type:                                          Static
Mode:                                         Transport
Endpoint1:                                  192.168.1.2/32
Endpoint2:                                  192.168.1.103/32
Protocol:                                     Any
Action:                                        RequireInRequireOut
Auth1:                                         ComputerPSK
Auth1PSK:                                  toto
MainModeSecMethods:              DHGroup2-3DES-MD5,DHGroup2-AES128-MD5
QuickModeSecMethods:             ESP:MD5-None+60min+100000kb,......
OK.

My strongSwan configuration is the following:
> xxxxxxxxxxxxxxxxxxxx
> root at corellia:/etc# more ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>  charondebug="ike 2, net 2"
>        uniqueids = yes
>
> conn %default
>      auth=esp
>      mobike=no
>
> conn WIN7_Transport
>  authby=psk
>  esp=null-md5!
>  ike=aes128-md5-modp1024,3des-md5-modp1024
>  keyexchange=ikev1
>  type=transport
>  left=192.168.1.103
>  right=192.168.1.2
>  auto=start
>
> #include /var/lib/strongswan/ipsec.conf.inc
> xxxxxxxxxxxxxxxxxxxx
>
>
> I have the following ipsec status:
> xxxxxxxxxxxxxxxxxxxx
> root at corellia:/etc# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.0.1, Linux 2.6.32-45-generic,
> i686):
>   uptime: 14 minutes, since Mar 22 17:49:35 2013
>   malloc: sbrk 135168, mmap 0, used 104336, free 30832
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
> scheduled: 16
>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc
> cmac hmac attr kernel-netlink resolve socket-default stroke updown
> xauth-generic
> Listening IP addresses:
>   172.16.1.254
>   192.168.1.103
> Connections:
>          EFB:  192.168.1.103...192.168.1.2  IKEv1
>          EFB:   local:  [192.168.1.103] uses pre-shared key authentication
>          EFB:   remote: [192.168.1.2] uses pre-shared key authentication
>          EFB:   child:  dynamic === dynamic TRANSPORT
> Security Associations (1 up, 0 connecting):
>          EFB[8]: ESTABLISHED 3 seconds ago,
> 192.168.1.103[192.168.1.103]...192.168.1.2[192.168.1.2]
>          EFB[8]: IKEv1 SPIs: c911ffdc4c6bf201_i 1b1a18a730dff768_r*,
> pre-shared key reauthentication in 2 hours
>          EFB[8]: IKE proposal:
> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>          EFB[8]: Tasks passive: QUICK_MODE
> xxxxxxxxxxxxxxxxxxxx
>
>
> - I made some additional tests and it works in tunnel mode with a similar
> configuration (except the type).
> - I updated my strongSwan to the 5.0.2 release and with this version
> nothing works... (tunnel or transport).
>
> I don't know if it is a bug in the IKEv1 implementation in the 5.0.x
> release or an issue in my config, and now I have no more ideas or way
> forward to get something that works.
>
> Thanks in advance for your help or ideas to resolve my issue.
>
> Regards,
>
> Mickael
>
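When quick mode stalls without an error message, the first thing to rule out is a proposal mismatch between the two peers. The script below is an added example written for this post (it is not strongSwan or Microsoft code): it normalises the three spellings quoted in the message (the ike=/esp= lines of ipsec.conf, the netsh MainModeSecMethods/QuickModeSecMethods strings, and the IKE proposal line printed by ipsec statusall) into one vocabulary and reports where they do not overlap. Assumptions: the algorithm table covers only the names seen here plus a few common ones, netsh writes quick mode elements as ESP:<integrity>-<encryption> and AH:<integrity>, and since the QuickModeSecMethods line was cut off in the message only its first element is used. Run on the values from the message it finds matching phase 1 and phase 2 proposals; it also flags that the negotiated IKE SA in the statusall output (HMAC_SHA1, for a connection named EFB) is not in the ike= line of the ipsec.conf shown, which suggests the running daemon loaded a different configuration than the one posted.

```python
"""Cross-check IKEv1 proposals from a strongSwan ipsec.conf, a Windows
netsh consec rule and 'ipsec statusall'.  Added example; the ALG table is
an assumed normalisation, not taken from either product."""

# One vocabulary for all three spellings (strongSwan config, netsh, statusall).
ALG = {
    # encryption
    "aes128": "AES128", "aes_cbc_128": "AES128",
    "aes256": "AES256", "aes_cbc_256": "AES256",
    "3des": "3DES", "3des_cbc": "3DES",
    "null": "NULL", "none": "NULL",
    # integrity
    "md5": "MD5", "hmac_md5_96": "MD5",
    "sha1": "SHA1", "hmac_sha1_96": "SHA1",
    # DH groups
    "modp1024": "DH2", "modp_1024": "DH2", "dhgroup2": "DH2",
    "modp1536": "DH5", "modp_1536": "DH5", "dhgroup5": "DH5",
    "modp2048": "DH14", "modp_2048": "DH14", "dhgroup14": "DH14",
}

# Values as quoted in the message (the Windows QuickModeSecMethods list was
# cut off after its first element, so only that element is used here).
SS_IKE = "aes128-md5-modp1024,3des-md5-modp1024"
SS_ESP = "null-md5!"
WIN_MM = "DHGroup2-3DES-MD5,DHGroup2-AES128-MD5"
WIN_QM = "ESP:MD5-None+60min+100000kb"
NEGOTIATED = "AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"


def norm(token):
    key = token.lower()
    if key not in ALG:
        raise ValueError("unknown algorithm token: %s" % token)
    return ALG[key]


def strongswan_ike(spec):
    """'aes128-md5-modp1024,3des-md5-modp1024' -> {(enc, integ, dh), ...}"""
    out = set()
    for prop in spec.rstrip("!").split(","):
        enc, integ, dh = (norm(p) for p in prop.split("-"))
        out.add((enc, integ, dh))
    return out


def strongswan_esp(spec):
    """'null-md5!' -> {('ESP', enc, integ), ...}.  The trailing '!' only
    marks the list as strict; an optional third element (PFS group) is ignored."""
    out = set()
    for prop in spec.rstrip("!").split(","):
        enc, integ = (norm(p) for p in prop.split("-")[:2])
        out.add(("ESP", enc, integ))
    return out


def netsh_mainmode(spec):
    """'DHGroup2-3DES-MD5,...' -> {(enc, integ, dh), ...}"""
    out = set()
    for prop in spec.split(","):
        dh, enc, integ = (norm(p) for p in prop.split("-"))
        out.add((enc, integ, dh))
    return out


def netsh_quickmode(spec):
    """'ESP:MD5-None+60min+100000kb,...' -> {('ESP', enc, integ), ...}.
    Assumed netsh layout: ESP:<integrity>-<encryption> and AH:<integrity>.
    The lifetime elements (60min, 100000kb) are dropped, so a lifetime
    mismatch is not something this check can see."""
    out = set()
    for prop in spec.split(","):
        for elem in prop.split("+"):
            if elem.startswith("ESP:"):
                integ, enc = elem[4:].split("-")
                out.add(("ESP", norm(enc), norm(integ)))
            elif elem.startswith("AH:"):
                out.add(("AH", "NULL", norm(elem[3:])))
    return out


def statusall_ike(line):
    """'AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024' -> (enc, integ, dh)"""
    parts = [p for p in line.split("/") if not p.startswith("PRF_")]
    enc, integ, dh = (norm(p) for p in parts)
    return (enc, integ, dh)


def overlap(ss_ike=SS_IKE, ss_esp=SS_ESP, win_mm=WIN_MM, win_qm=WIN_QM):
    """Proposals both peers offer, per phase; an empty set means no match."""
    return {
        "phase1": strongswan_ike(ss_ike) & netsh_mainmode(win_mm),
        "phase2": strongswan_esp(ss_esp) & netsh_quickmode(win_qm),
    }


def findings(ss_ike=SS_IKE, ss_esp=SS_ESP, win_mm=WIN_MM, win_qm=WIN_QM,
             negotiated=NEGOTIATED):
    """Things to look at; an empty list means the three sources agree."""
    notes = []
    both = overlap(ss_ike, ss_esp, win_mm, win_qm)
    if not both["phase1"]:
        notes.append("no common main mode (phase 1) proposal")
    if not both["phase2"]:
        notes.append("no common quick mode (phase 2) proposal")
    got = statusall_ike(negotiated)
    if got not in strongswan_ike(ss_ike):
        notes.append("negotiated IKE SA %s is not in ike=%s: the running "
                     "daemon is not using this ike= line" % (got, ss_ike))
    return notes


if __name__ == "__main__":
    print(overlap())
    for note in findings():
        print("-", note)
```

The ESP check is deliberately limited to algorithms: the netsh rule also carries a 60min/100000kb lifetime, which strongSwan expresses separately (lifetime=/lifebytes=), so a lifetime disagreement has to be checked by hand or in the pcap.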
-------------- next part --------------
A non-text attachment was scrubbed...
Name: WIN7_to_Strongswan501_tun.pcapng
Type: application/octet-stream
Size: 6516 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130326/a45d40bd/attachment.obj>