[strongSwan] strongSwan - Juniper/Cisco IKEv1 interoperability

Andreas Steffen andreas.steffen at strongswan.org
Tue Nov 12 22:34:55 CET 2013


Hi Mihai,

in order to help you I need a strongSwan log showing the regular IKEv1 
negotiation and the additional packets sent by Juniper/Cisco which lead 
to the deletion of the SA.

I hope that you are using strongSwan 5.x, since we don't really support 
the old pluto daemon any more.

Regards

Andreas

On 11.11.2013 18:52, Mihai Maties wrote:
> Hi,
>
> What could be the reason for interoperability issues of strongSwan
> with Cisco/Juniper devices that cause tunnels instability in IKEv1? I
> keep seeing the same pattern with different devices and I find it
> unlikely to be the other peer's fault.
>
> Basically, what I see is:
>
> 1. IKE successfully established
> 2. CHILD SAs created and used for a few minutes (<5)
> 3. the remote peer then sends some IKE messages to us
> 4. strongSwan ignores the requests completely
> 5. the remote peer sends a DELETE for the already established IKE session
> 6. strongSwan complies and deletes both the IKE and IPsec SAs
> 7. goto 1
>
>
> Or a more detailed description of the issue:
>
> Main Mode OK:  strongSwan (Init cookie I_1) -> Juniper (Resp cookie R_1)
> Quick Mode OK: strongSwan (I_1) -> Juniper (R_1)
> ...
> ...a few minutes of ESP traffic flows, no other ISAKMP messages are
> exchanged. No DPD requests/answers from either end...
> ...
> Main Mode ??:  Juniper (I_X) -> strongSwan (R_X) (retransmitted a few times)
> Main Mode ??:  Juniper (I_X) -> strongSwan (R_X)
> Main Mode ??:  Juniper (I_X) -> strongSwan (R_X)
> Main Mode ??:  Juniper (I_X) -> strongSwan (R_X)
> Inf DELETE:    Juniper (I_1) -> strongSwan (R_1)
>
> Note the I_X/R_X cookies from the ignored packets. They are not the
> cookies for the active SAs, but maybe were used at some point in the
> past.
>
> As I said, since I encounter the same behavior with both
> Juniper/Cisco devices on the other end, it seems more likely to be an
> issue with strongSwan.
>
> Any ideas? I already tried changing uniqueids to all possible values,
> but without any luck.
>
>
> Best regards,
> Mihai
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
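The sequence Mihai describes in the quoted message (Main Mode packets carrying cookies that match no active SA, then a DELETE on the live SA) can be spotted directly in an ISAKMP packet capture. The following is an added example, not code from this thread or from strongSwan; the cookie values and the header-only datagrams are constructed, and the check looks only at the 28-byte ISAKMP header, so it cannot see the Delete payload inside an encrypted Informational exchange.

```python
import struct

# ISAKMP header (RFC 2408 section 3.1): I-cookie, R-cookie, next payload,
# version, exchange type, flags, message ID, total length (28 bytes).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCH_MAIN_MODE = 2        # Identity Protection exchange
EXCH_INFORMATIONAL = 5    # carries Delete / Notify payloads
FLAG_ENCRYPTED = 0x01
NO_COOKIE = b"\x00" * 8


def parse_header(pkt):
    """Return the header fields of one ISAKMP datagram, or None if truncated."""
    if len(pkt) < ISAKMP_HDR.size:
        return None
    icookie, rcookie, next_payload, _ver, exch, flags, _msgid, _length = \
        ISAKMP_HDR.unpack_from(pkt)
    return {"pair": (icookie, rcookie), "exchange": exch,
            "encrypted": bool(flags & FLAG_ENCRYPTED), "next_payload": next_payload}


def classify(packets, active_pair):
    """Walk inbound datagrams in arrival order and report the pattern from the
    thread: Main Mode packets whose cookie pair is neither the active SA nor a
    fresh start (R-cookie all zero), followed by an Informational on the active SA.
    Returns (stray_count, informational_on_active_after_stray)."""
    stray = 0
    delete_candidate = False
    for pkt in packets:
        h = parse_header(pkt)
        if h is None:
            continue
        if h["exchange"] == EXCH_MAIN_MODE:
            _icookie, rcookie = h["pair"]
            if h["pair"] != active_pair and rcookie != NO_COOKIE:
                stray += 1          # no local state for this pair: the packet is dropped
        elif h["exchange"] == EXCH_INFORMATIONAL and h["pair"] == active_pair and stray:
            # A Delete sits behind the HASH inside an encrypted Informational,
            # so from the header alone this is only a candidate for the DELETE.
            delete_candidate = True
    return stray, delete_candidate


def build(icookie, rcookie, exch, flags=0):
    """Constructed header-only datagram (no payloads) for the sample below."""
    return ISAKMP_HDR.pack(icookie, rcookie, 0, 0x10, exch, flags, 0, ISAKMP_HDR.size)


# Constructed sample reproducing the quoted sequence: active SA (I_1, R_1),
# four Main Mode packets with (I_X, R_X), then an Informational on (I_1, R_1).
I_1, R_1, I_X, R_X = b"I1" * 4, b"R1" * 4, b"IX" * 4, b"RX" * 4
SAMPLE = [build(I_X, R_X, EXCH_MAIN_MODE)] * 4 + \
         [build(I_1, R_1, EXCH_INFORMATIONAL, FLAG_ENCRYPTED)]

if __name__ == "__main__":
    print(classify(SAMPLE, (I_1, R_1)))   # (4, True)
```

A non-zero count paired with True is exactly the symptom worth correlating with the charon log Andreas asks for, since it shows the peer negotiating under cookies the local daemon has no state for.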
