[strongSwan] vpn clients (cisco/shrewsoft and other cisco unity clients) connectivity issues with Strongswan-v5.2.1
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Thu Dec 4 05:38:27 CET 2014
Can somebody please help me with some advice on how to go about solving
this issue I am seeing in v5.2.1? Please kindly help me.
My config on the server is as in the attachments:
#/etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
charondebug="ike 3, knl 3, cfg 3"
conn %default
ikelifetime=8h
keylife=3h
rekeymargin=9m
keyingtries=1
mobike=no
dpddelay=30s
dpdtimeout=120s
dpdaction=clear
conn ezvpnclient1
aggressive=yes
left=10.232.90.116
leftsubnet=192.168.2.0/24,172.16.0.0/16
leftid=@vpnsrv1.svt.com
leftauth=psk
modeconfig=push
right=%any
rightsourceip=192.168.219.0/24
rightauth=psk
rightauth2=xauth
keyexchange=ikev1
ike=aes256-sha1-modp1024
esp=aes128-sha1
auto=add
#/etc/ipsec.secrets - strongSwan IPsec secrets file
#: PSK "123456789"
@vpnsrv1.svt.com @remotclient.svt.com : PSK "123456"
@vpnsrv2.svt.com @genclient.svt.com : PSK "123456"
user1 : XAUTH "config1234"
user2 : XAUTH "config1234"
user3 : XAUTH "config1234"
testuser1 : XAUTH "4iChxLT3"
testuser2 : XAUTH "ryftzG4A"
# Section to specify arbitrary attributes that are assigned to a peer via
# configuration payload (CP).
attr {
# <attr> is an attribute name or an integer, values can be an IP address,
# subnet or arbitrary value.
# <attr> =
dns = 192.168.2.2, 192.168.2.3
nbns = 172.16.1.2, 172.16.1.3
# the attribute for local-lan networks to be excluded from tunneling on the client
split-exclude = 10.0.0.0/8, 172.31.1.0/24
# the attribute for backup-server ipaddresses
28681 = 10.232.90.122, 10.232.90.124
# the attribute for default-domain name for the connected client
28674 = svt.com
# the attribute for split-dns domain names for the connected client
28675 = svt.com fslintranet.com
# the attribute for unity banner name for the connected client
28672 = "Welcome ...You are Connected"
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
}
------------------
In charon.conf I have enabled the following:
cisco_unity = yes
i_dont_care_about_security_and_use_aggressive_mode_psk = yes
1. Quick Mode is failing when I use Shrew Soft VPN clients (and the server
is configured with Cisco Unity extensions in the attr.conf file).
- One observation from the logs is that once a virtual IP is assigned (say
x.1) to the client, subsequently a virtual IP assignment is done once
more, but the Quick Mode negotiation is tried with the selectors
mentioning the second IP, whereas the client seems to be still configured
with the first address assigned... something like that; hence it's
failing.
regards
-rajiv
PS: the attachment is zipped with WinRAR
-------------- next part --------------
A non-text attachment was scrubbed...
Name: client-server-logs.rar
Type: application/rar
Size: 16646 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141204/22f0d918/attachment-0001.rar>
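The symptom described in the post (a second virtual IP assigned on the same IKE_SA, with the Quick Mode selectors then carrying the second address) can be confirmed from charon's own log output rather than by eye. The following script is an added example, not part of the original post or of strongSwan: it groups "assigning virtual IP ... to peer" lines and "local === remote" traffic-selector lines by the "<conn|id>" IKE_SA tag that charon prints, and flags any SA that received more than one virtual IP or whose remote selector does not match the first address handed out. The function names (analyze, findings), the SAMPLE_LOG lines and the SPI values are constructed for illustration; the line formats follow charon's style but the sample is not taken from the attached logs.

```python
"""Spot virtual-IP reassignment and selector drift in charon (strongSwan) logs.

Added example; the regexes below key on charon's "<conn|ike_sa_id>" tag and on
its "assigning virtual IP <ip> to peer '<id>'" message, plus any
"<local_ts> === <remote_ts>" selector pair printed during Quick Mode.
"""
import re
from collections import defaultdict

SA_TAG_RE = re.compile(r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>")
ASSIGN_RE = re.compile(r"assigning virtual IP (?P<ip>[0-9.]+) to peer '(?P<peer>[^']+)'")
TS_RE = re.compile(r"(?P<local>[0-9./]+) === (?P<remote>[0-9./]+)")

# Constructed sample in charon's style (not the logs attached to the post):
# IKE_SA 3 gets two virtual IPs and negotiates Quick Mode with the second one,
# IKE_SA 4 is the healthy case with a single assignment.
SAMPLE_LOG = """\
08[CFG] <ezvpnclient1|3> assigning virtual IP 192.168.219.1 to peer 'user1'
11[CFG] <ezvpnclient1|3> assigning virtual IP 192.168.219.2 to peer 'user1'
11[CFG] <ezvpnclient1|3> no matching CHILD_SA config found for 192.168.2.0/24 === 192.168.219.2/32
05[CFG] <ezvpnclient1|4> assigning virtual IP 192.168.219.3 to peer 'user2'
05[IKE] <ezvpnclient1|4> CHILD_SA ezvpnclient1{2} established with SPIs 0a1b2c3d_i 4e5f6a7b_o and TS 192.168.2.0/24 === 192.168.219.3/32
""".splitlines()


def analyze(lines):
    """Group virtual-IP assignments and Quick Mode remote selectors per IKE_SA.

    Returns {sa_id: {"peer": str|None, "assigned": [ip, ...], "ts_remote": [cidr, ...]}}.
    """
    sas = defaultdict(lambda: {"peer": None, "assigned": [], "ts_remote": []})
    for line in lines:
        tag = SA_TAG_RE.search(line)
        if not tag:
            continue  # not an IKE_SA-scoped message
        sa = sas[tag.group("sa")]
        m = ASSIGN_RE.search(line)
        if m:
            sa["peer"] = m.group("peer")
            sa["assigned"].append(m.group("ip"))
            continue
        m = TS_RE.search(line)
        if m:
            sa["ts_remote"].append(m.group("remote"))
    return dict(sas)


def findings(lines):
    """One human-readable finding per anomaly, ordered by IKE_SA id."""
    out = []
    for sa_id, info in sorted(analyze(lines).items(), key=lambda kv: int(kv[0])):
        first = info["assigned"][0] if info["assigned"] else None
        if len(info["assigned"]) > 1:
            out.append(
                f"IKE_SA {sa_id} ({info['peer']}): virtual IP assigned "
                f"{len(info['assigned'])} times: {', '.join(info['assigned'])}"
            )
        for ts in info["ts_remote"]:
            host = ts.split("/")[0]
            if first and host != first:
                out.append(
                    f"IKE_SA {sa_id} ({info['peer']}): Quick Mode remote TS {ts} "
                    f"does not match first virtual IP {first}"
                )
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

Run it against real output with `findings(open("/var/log/charon.log").read().splitlines())`; because the IKE_SA tag is only present at charondebug "ike 1" or above and the selector pair at "cfg 2", the debug levels the post already uses ("ike 3, knl 3, cfg 3") are sufficient.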