[strongSwan] Strongswan 5.2.1 client problem - IKEv1 aggressive PSK+XAUTH with Virtual IP

MK grroch at gmail.com
Mon Dec 22 13:51:56 CET 2014


Thank you, Martin.
It helped: IPsec is now established, but only IKE Phase 1 is up. The logs
say that everything established successfully, but no Phase 2 is up.

root at enb-17:/etc# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.2.1 IPsec [starter]...
root at enb-17:/etc# ipsec up test
initiating Aggressive Mode IKE_SA test[1] to 192.168.yy.yy
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
sending packet: from 192.168.xx.xx[500] to 192.168.yy.yy[500] (350 bytes)
received packet: from 192.168.yy.yy[500] to 192.168.xx.xx[500] (409 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D ]
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
faking NAT situation to enforce UDP encapsulation
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (108 bytes)
received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (76 bytes)
parsed TRANSACTION request 4069442794 [ HASH CPRQ(X_USER X_PWD) ]
generating TRANSACTION response 4069442794 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (92 bytes)
received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (76 bytes)
parsed TRANSACTION request 666211454 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'user' (myself) successful
IKE_SA test[1] established between 192.168.xx.xx[HIDDEN_ID1]...192.168.yy.yy[HIDDEN_ID2]
scheduling reauthentication in 86220s
maximum IKE_SA lifetime 86400s
generating TRANSACTION response 666211454 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (92 bytes)
parsed TRANSACTION request 1168201470 [ HASH CPS(ADDR MASK SUBNET) ]
handling INTERNAL_IP4_NETMASK attribute failed
handling INTERNAL_IP4_SUBNET attribute failed
installing new virtual IP 10.20.zz.zz
generating TRANSACTION response 1168201470 [ HASH CPA(ADDR) ]
sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
generating QUICK_MODE request 1154954290 [ HASH SA No KE ID ID ]
sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (316 bytes)
received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (300 bytes)
parsed QUICK_MODE response 1154954290 [ HASH SA No KE ID ID ]
connection 'test' established successfully

root at enb-17:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.10.41-031041-generic, x86_64):
  uptime: 15 seconds, since Dec 22 13:43:47 2014
  malloc: sbrk 675840, mmap 0, used 535920, free 139920
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon test-vectors ldap pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-libipsec kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic tnc-tnccs dhcp led addrblock
Listening IP addresses:
  *
Connections:
        test:  192.168.xx.xx...192.168.yy.yy  IKEv1 Aggressive, dpddelay=10s
        test:   local:  [HIDDEN_ID1] uses pre-shared key authentication
        test:   local:  [HIDDEN_ID1] uses XAuth authentication: any with XAuth identity 'user'
        test:   remote: [HIDDEN_ID2] uses pre-shared key authentication
        test:   child:  10.xx.xxx.xx/32 === 10.yy.yy.yy/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
        test[1]: ESTABLISHED 8 seconds ago, 192.168.xx.xx[HIDDEN_ID1]...192.168.yy.yy[HIDDEN_ID2]
        test[1]: IKEv1 SPIs: b88fcca7af8ef6fb_i* ed25f627ba68ed81_r, pre-shared key+XAuth reauthentication in 23 hours
        test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
root at enb-17:/etc#


I'm wondering - should strongSwan aggressive mode PSK+XAuth work with
Juniper SRX devices?

Here's ipsec.conf:
conn %default
        keyingtries=%forever
        mobike=no
        ikelifetime=86400
        keylife=86400
        rekeymargin=180s
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1-modp1024!
        authby=xauthpsk
        dpdaction=restart
        dpddelay=10
        dpdtimeout=30
        rekeyfuzz=0%
        auto=add
        keyexchange=ikev1
        rightid=HIDDEN_ID2
        right=192.168.yy.yy
conn test
        aggressive=yes
        left=192.168.xx.xx
        leftid=HIDDEN_ID1
        leftauth=psk
        leftauth2=xauth
        leftsourceip=%config
        leftsubnet=10.aa.aa.aa/32
        rightsubnet=10.bb.bb.bb/32
        rightauth=psk
        xauth=client
        xauth_identity=user
        modeconfig=push

Best Regards,
Marcin


2014-12-19 16:35 GMT+01:00 Martin Willi <martin at strongswan.org>:

> Hi,
>
> > generating TRANSACTION response 4124377813 [ HASH CPA(X_STATUS) ]
> > sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
> > generating TRANSACTION request 2379419226 [ HASH CPRQ(ADDR DNS) ]
> > sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
> > received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (92 bytes)
> > queueing TRANSACTION request as tasks still active
> > received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (60 bytes)
> > payload of type CONFIGURATION_V1 not occurred
>
> Your gateway is initiating a TRANSACTION request after XAuth. Most
> likely it is configured to use push mode, while strongSwan performs a
> Mode Config pull.
>
> Try to switch to push mode in strongSwan by setting modeconfig=push in
> your connection definition.
>
> Regards
> Martin
>
>
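The thread hinges on reading charon's `ipsec up` output correctly: "IKE_SA test[1] established" marks the end of Phase 1 (the ISAKMP SA plus XAuth), while Phase 2 is only done once a QUICK_MODE response matching the sent request has been parsed and "connection 'test' established successfully" appears. The following script is an added example, not code from the thread or from the strongSwan project: it parses a constructed transcript trimmed from the output quoted above (same placeholder addresses and identities), reports which stage the negotiation reached, and flags the "handling INTERNAL_IP4_* attribute failed" warnings from the Mode Config exchange. The log line formats it matches are those shown in the thread; the function and field names are this example's own.

```python
"""Summarise an IKEv1 'ipsec up' transcript printed by strongSwan's charon.

Added example, not part of the mailing-list thread. It distinguishes a
completed Phase 1 (IKE_SA established) from a completed Phase 2 (Quick
Mode response parsed and the connection reported established), and
collects Mode Config attributes that charon could not handle.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: trimmed from the poster's `ipsec up test` output.
SAMPLE_LOG = """\
initiating Aggressive Mode IKE_SA test[1] to 192.168.yy.yy
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D ]
faking NAT situation to enforce UDP encapsulation
parsed TRANSACTION request 4069442794 [ HASH CPRQ(X_USER X_PWD) ]
XAuth authentication of 'user' (myself) successful
IKE_SA test[1] established between 192.168.xx.xx[HIDDEN_ID1]...192.168.yy.yy[HIDDEN_ID2]
parsed TRANSACTION request 1168201470 [ HASH CPS(ADDR MASK SUBNET) ]
handling INTERNAL_IP4_NETMASK attribute failed
handling INTERNAL_IP4_SUBNET attribute failed
installing new virtual IP 10.20.zz.zz
generating QUICK_MODE request 1154954290 [ HASH SA No KE ID ID ]
parsed QUICK_MODE response 1154954290 [ HASH SA No KE ID ID ]
connection 'test' established successfully
"""


@dataclass
class Negotiation:
    conn: Optional[str] = None
    ike_sa_established: bool = False       # Phase 1 (ISAKMP SA) complete
    xauth_ok: bool = False
    nat_t_forced: bool = False             # UDP encapsulation forced by charon
    virtual_ip: Optional[str] = None       # address installed from Mode Config
    failed_attributes: List[str] = field(default_factory=list)
    quick_mode_request_id: Optional[str] = None
    quick_mode_completed: bool = False     # Phase 2 response answered our request
    connection_established: bool = False


# One regex per charon message this example cares about (formats as in the thread).
_PATTERNS = {
    "initiating": re.compile(r"initiating .*IKE_SA (\w+)\[\d+\] to "),
    "ike_sa": re.compile(r"IKE_SA (\w+)\[\d+\] established between"),
    "xauth": re.compile(r"XAuth authentication of '[^']*' \(myself\) successful"),
    "nat": re.compile(r"faking NAT situation to enforce UDP encapsulation"),
    "attr_failed": re.compile(r"handling (\w+) attribute failed"),
    "vip": re.compile(r"installing new virtual IP (\S+)"),
    "qm_req": re.compile(r"generating QUICK_MODE request (\d+)"),
    "qm_resp": re.compile(r"parsed QUICK_MODE response (\d+)"),
    "conn_up": re.compile(r"connection '([^']+)' established successfully"),
}


def parse_negotiation(log: str) -> Negotiation:
    """Walk the transcript line by line and record what each message proves."""
    neg = Negotiation()
    for raw in log.splitlines():
        line = raw.strip()
        if (m := _PATTERNS["initiating"].search(line)):
            neg.conn = m.group(1)
        elif (m := _PATTERNS["ike_sa"].search(line)):
            neg.conn = neg.conn or m.group(1)
            neg.ike_sa_established = True
        elif _PATTERNS["xauth"].search(line):
            neg.xauth_ok = True
        elif _PATTERNS["nat"].search(line):
            neg.nat_t_forced = True
        elif (m := _PATTERNS["attr_failed"].search(line)):
            neg.failed_attributes.append(m.group(1))
        elif (m := _PATTERNS["vip"].search(line)):
            neg.virtual_ip = m.group(1)
        elif (m := _PATTERNS["qm_req"].search(line)):
            neg.quick_mode_request_id = m.group(1)
        elif (m := _PATTERNS["qm_resp"].search(line)):
            # Phase 2 counts only if the response carries our request's message ID.
            if m.group(1) == neg.quick_mode_request_id:
                neg.quick_mode_completed = True
        elif _PATTERNS["conn_up"].search(line):
            neg.connection_established = True
    return neg


def stage(neg: Negotiation) -> str:
    """Collapse the parsed state into the stage a reader actually wants to know."""
    if neg.quick_mode_completed and neg.connection_established:
        return "phase2-complete"
    if neg.ike_sa_established:
        return "phase1-only"
    return "not-established"


def report(neg: Negotiation) -> str:
    """Human-readable summary, including Mode Config attributes charon rejected."""
    lines = [f"connection {neg.conn or '?'}: {stage(neg)}",
             f"  xauth ok: {neg.xauth_ok}, NAT-T forced: {neg.nat_t_forced}",
             f"  virtual IP: {neg.virtual_ip or 'none'}"]
    if neg.failed_attributes:
        lines.append("  unhandled Mode Config attributes: " + ", ".join(neg.failed_attributes))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_negotiation(SAMPLE_LOG)))
```

Run on the constructed transcript it reports `phase2-complete`, which is what the full `ipsec up` output in the thread actually shows; cut the transcript off after the "IKE_SA ... established" line and it reports `phase1-only`, the situation the poster describes. In real use, feed it `ipsec up <conn>` output or the matching charon lines from syslog.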