[strongSwan] Strongswan 5.2.1 client problem - IKEv1 aggressive PSK+XAUTH with Virtual IP
Noel Kuntze
noel at familie-kuntze.de
Tue Dec 23 20:02:11 CET 2014
Hello MK,
Please enable CISCO UNITY and omit "leftsubnet". If you use virtual IPs, those should be
included in the traffic selector. "leftsubnet" defaults to "%dynamic". "%dynamic" is replaced dynamically by either the received virtual IP or
the value of "left". Also, please compile/download and install and load the UNITY plugin and enable it by setting the
"charon.cisco_unity" key in strongswan.conf to "yes". That will enable support for split tunneling in IKEv1.
I think you need a configuration similar to [1] and [2].
[1] http://www.strongswan.org/uml/testresults/ikev1/virtual-ip/index.html
[2] http://www.strongswan.org/uml/testresults/ikev1/rw-cert-unity/index.html
Kind regards/Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 22.12.2014 at 13:51, MK wrote:
> Thank you Martin.
> It helped, IPsec is now established, but only IKE Phase 1 is up. Logs are saying that everything was established successfully, but no Phase 2 is up.
>
> root@enb-17:/etc# ipsec restart
> Stopping strongSwan IPsec...
> Starting strongSwan 5.2.1 IPsec [starter]...
> root@enb-17:/etc# ipsec up test
> initiating Aggressive Mode IKE_SA test[1] to 192.168.yy.yy
> generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
> sending packet: from 192.168.xx.xx[500] to 192.168.yy.yy[500] (350 bytes)
> received packet: from 192.168.yy.yy[500] to 192.168.xx.xx[500] (409 bytes)
> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D ]
> received DPD vendor ID
> received NAT-T (RFC 3947) vendor ID
> received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
> faking NAT situation to enforce UDP encapsulation
> generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (108 bytes)
> received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (76 bytes)
> parsed TRANSACTION request 4069442794 [ HASH CPRQ(X_USER X_PWD) ]
> generating TRANSACTION response 4069442794 [ HASH CPRP(X_USER X_PWD) ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (92 bytes)
> received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (76 bytes)
> parsed TRANSACTION request 666211454 [ HASH CPS(X_STATUS) ]
> XAuth authentication of 'user' (myself) successful
> IKE_SA test[1] established between 192.168.xx.xx[HIDDEN_ID1]...192.168.yy.yy[HIDDEN_ID2]
> scheduling reauthentication in 86220s
> maximum IKE_SA lifetime 86400s
> generating TRANSACTION response 666211454 [ HASH CPA(X_STATUS) ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
> received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (92 bytes)
> parsed TRANSACTION request 1168201470 [ HASH CPS(ADDR MASK SUBNET) ]
> handling INTERNAL_IP4_NETMASK attribute failed
> handling INTERNAL_IP4_SUBNET attribute failed
> installing new virtual IP 10.20.zz.zz
> generating TRANSACTION response 1168201470 [ HASH CPA(ADDR) ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
> generating QUICK_MODE request 1154954290 [ HASH SA No KE ID ID ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (316 bytes)
> received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (300 bytes)
> parsed QUICK_MODE response 1154954290 [ HASH SA No KE ID ID ]
> connection 'test' established successfully
> root@enb-17:/etc# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.10.41-031041-generic, x86_64):
> uptime: 15 seconds, since Dec 22 13:43:47 2014
> malloc: sbrk 675840, mmap 0, used 535920, free 139920
> worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 9
> loaded plugins: charon test-vectors ldap pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-libipsec kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic tnc-tnccs dhcp led addrblock
> Listening IP addresses:
> *
> Connections:
> test: 192.168.xx.xx...192.168.yy.yy IKEv1 Aggressive, dpddelay=10s
> test: local: [HIDDEN_ID1] uses pre-shared key authentication
> test: local: [HIDDEN_ID1] uses XAuth authentication: any with XAuth identity 'user'
> test: remote: [HIDDEN_ID2] uses pre-shared key authentication
> test: child: 10.xx.xxx.xx/32 === 10.yy.yy.yy/32 TUNNEL, dpdaction=restart
> Security Associations (1 up, 0 connecting):
> test[1]: ESTABLISHED 8 seconds ago, 192.168.xx.xx[HIDDEN_ID1]...192.168.yy.yy[HIDDEN_ID2]
> test[1]: IKEv1 SPIs: b88fcca7af8ef6fb_i* ed25f627ba68ed81_r, pre-shared key+XAuth reauthentication in 23 hours
> test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> root@enb-17:/etc#
>
>
> I'm wondering: should strongSwan aggressive mode PSK+XAuth work with Juniper SRX devices?
>
> Here's ipsec.conf:
> conn %default
>     keyingtries=%forever
>     mobike=no
>     ikelifetime=86400
>     keylife=86400
>     rekeymargin=180s
>     ike=aes128-sha1-modp1024!
>     esp=aes128-sha1-modp1024!
>     authby=xauthpsk
>     dpdaction=restart
>     dpddelay=10
>     dpdtimeout=30
>     rekeyfuzz=0%
>     auto=add
>     keyexchange=ikev1
>     rightid=HIDDEN_ID2
>     right=192.168.yy.yy
>
> conn test
>     aggressive=yes
>     left=192.168.xx.xx
>     leftid=HIDDEN_ID1
>     leftauth=psk
>     leftauth2=xauth
>     leftsourceip=%config
>     leftsubnet=10.aa.aa.aa/32
>     rightsubnet=10.bb.bb.bb/32
>     rightauth=psk
>     xauth=client
>     xauth_identity=user
>     modeconfig=push
>
> Best Regards,
> Marcin
>
>
> 2014-12-19 16:35 GMT+01:00 Martin Willi <martin at strongswan.org>:
>
> Hi,
>
> > generating TRANSACTION response 4124377813 [ HASH CPA(X_STATUS) ]
> > sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
> > generating TRANSACTION request 2379419226 [ HASH CPRQ(ADDR DNS) ]
> > sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
> > received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (92 bytes)
> > queueing TRANSACTION request as tasks still active
> > received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (60 bytes)
> > payload of type CONFIGURATION_V1 not occurred
>
> Your gateway is initiating a TRANSACTION request after XAuth. Most
> likely it is configured to use push mode, while strongSwan performs a
> Mode Config pull.
>
> Try to switch to push mode in strongSwan by setting modeconfig=push in
> your connection definition.
>
> Regards
> Martin
>
>
>
>
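As an added example (not part of this thread, and not one of the strongSwan test configurations Noel links), here is MK's client configuration with Noel's two changes applied: "leftsubnet" dropped so the local selector falls back to %dynamic, i.e. the virtual IP, and Cisco Unity enabled. Two details in the quoted output motivate this: the "loaded plugins:" line of "ipsec statusall" does not list "unity", and the installed CHILD_SA's local selector is the static 10.xx.xxx.xx/32 from "leftsubnet" rather than the virtual IP 10.20.zz.zz that charon installed, so traffic sourced from the virtual IP never matches the policy. The addresses and identities below are placeholders, and "rightsubnet=0.0.0.0/0" is an assumption modelled on the rw-cert-unity setup in [2], where the unity plugin narrows the remote selector to the split-include subnets the gateway pushes; everything else is MK's own settings.

```ini
# /etc/ipsec.conf (client side; hypothetical addresses and IDs)
conn %default
    keyexchange=ikev1
    keyingtries=%forever
    mobike=no
    ikelifetime=86400
    keylife=86400
    rekeymargin=180s
    rekeyfuzz=0%
    # kept as MK had them because the gateway accepted them; prefer modp2048 if the SRX allows it
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1-modp1024!
    dpdaction=restart
    dpddelay=10
    dpdtimeout=30
    auto=add

conn test
    aggressive=yes
    left=%defaultroute
    leftid=@client.example.org          # placeholder for HIDDEN_ID1
    leftauth=psk
    leftauth2=xauth
    xauth=client
    xauth_identity=user
    leftsourceip=%config                # request a virtual IP via Mode Config
    # no leftsubnet: it defaults to %dynamic, which becomes the received virtual IP
    right=203.0.113.1                   # placeholder for the SRX address
    rightid=@gateway.example.org        # placeholder for HIDDEN_ID2
    rightauth=psk
    # assumption: propose everything and let the unity plugin narrow it to the
    # gateway's split-include subnets, as in the rw-cert-unity test
    rightsubnet=0.0.0.0/0
    modeconfig=push

# /etc/strongswan.conf
charon {
    # the unity plugin must be built (./configure --enable-unity) and loaded;
    # cisco_unity = yes makes charon send the Unity vendor ID and process the attributes
    cisco_unity = yes
}
```

After "ipsec restart", check that "ipsec statusall" now lists "unity" among the loaded plugins and that the "child:" line shows the virtual IP as a /32 on the left instead of the old static subnet. Two caveats: MK's gateway pushes INTERNAL_IP4_NETMASK and INTERNAL_IP4_SUBNET, which charon 5.2.1 logs as "handling ... attribute failed" and does not turn into selectors, so split tunneling only happens if the SRX also sends the Unity split-include attribute, otherwise the gateway has to accept the selector the client proposes. And aggressive mode with PSK transmits the PSK-derived hash before any encryption is in place, so the pre-shared key is exposed to offline guessing by anyone who can capture the exchange; use a long random PSK, and main mode or IKEv2 where the gateway permits it.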