[strongSwan] Strongswan 5.2.1 client problem - IKEv1 aggressive PSK+XAUTH with Virtual IP
MK
grroch at gmail.com
Fri Dec 19 16:21:05 CET 2014
Hello all,
I'm struggling with a problem with the strongSwan 5.2.1 client.
I have a high-end Juniper SRX as the VPN gateway, which is working fine and was
tested with another VPN client.
I'm using IKEv1 aggressive mode, PSK+XAUTH.
IKE phase 1 is connecting properly. The problem is in phase 2, with getting
a virtual IP from the VPN gateway.
Here are the logs I get:
    initiating Aggressive Mode IKE_SA test[1] to 192.168.yy.yy
    generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
    sending packet: from 192.168.xx.xx[500] to 192.168.yy.yy[500] (350 bytes)
    received packet: from 192.168.yy.yy[500] to 192.168.xx.xx[500] (409 bytes)
    parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D ]
    received DPD vendor ID
    received NAT-T (RFC 3947) vendor ID
    received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
    faking NAT situation to enforce UDP encapsulation
    generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
    sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (108 bytes)
    received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (76 bytes)
    parsed TRANSACTION request 4287602294 [ HASH CPRQ(X_USER X_PWD) ]
    generating TRANSACTION response 4287602294 [ HASH CPRP(X_USER X_PWD) ]
    sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (92 bytes)
    received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (76 bytes)
    parsed TRANSACTION request 4124377813 [ HASH CPS(X_STATUS) ]
    XAuth authentication of 'user' (myself) successful
    IKE_SA test[1] established between 192.168.xx.xx[HIDDED_ID1]...192.168.yy.yy[HIDDEN_ID2]
    scheduling reauthentication in 86220s
    maximum IKE_SA lifetime 86400s
    generating TRANSACTION response 4124377813 [ HASH CPA(X_STATUS) ]
    sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
    generating TRANSACTION request 2379419226 [ HASH CPRQ(ADDR DNS) ]
    sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
    received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (92 bytes)
    queueing TRANSACTION request as tasks still active
    received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (60 bytes)
    payload of type CONFIGURATION_V1 not occurred 1 times (0)
    message verification failed
    generating INFORMATIONAL_V1 request 1197204442 [ HASH N(PLD_MAL) ]
    sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
    TRANSACTION response with message ID 2379419226 processing failed
    connection 'test' not established after 4000ms, detaching
Configuration of ipsec.conf file:
    conn %default
        keyingtries=%forever
        mobike=no
        ikelifetime=86400
        keylife=86400
        rekeymargin=180s
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1-modp1024!
        authby=xauthpsk
        dpdaction=restart
        dpddelay=10
        dpdtimeout=30
        rekeyfuzz=0%
        auto=add
        keyexchange=ikev1
        rightid=HIDDEN_ID2
        right=192.168.yy.yy

    conn test
        aggressive=yes
        left=192.168.xx.xx
        leftid=HIDDEN_ID1
        leftauth=psk
        leftauth2=xauth
        leftsourceip=%config
        leftsubnet=10.aa.aa.aa/32
        rightsubnet=10.bb.bb.bb/32
        rightauth=psk
        xauth=client
        xauth_identity=user
Has anybody had a similar problem with IKEv1 aggressive PSK+XAUTH with
Virtual IP?
I'd be really grateful for some help or a hint.
Best Regards,
Marcin Kieliszczyk