[strongSwan] Strongswan 5.2.1 client problem - IKEv1 aggressive PSK+XAUTH with Virtual IP

Noel Kuntze noel at familie-kuntze.de
Tue Dec 23 20:02:11 CET 2014


Hello MK,

Please enable CISCO UNITY and omit "leftsubnet". If you use virtual IPs, those should be
included in the traffic selector. "leftsubnet" defaults to "%dynamic". "%dynamic" is replaced dynamically by either the received virtual IP or
the value of "left". Also, please compile/download, install and load the UNITY plugin and enable it by setting the
"charon.cisco_unity" key in strongswan.conf to "yes". That will enable support for split tunneling in IKEv1.
I think you need a configuration similar to [1] and [2].

[1] http://www.strongswan.org/uml/testresults/ikev1/virtual-ip/index.html
[2] http://www.strongswan.org/uml/testresults/ikev1/rw-cert-unity/index.html

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 22.12.2014 at 13:51, MK wrote:
> Thank you Martin.
> It helped. IPsec is now established, but only IKE Phase 1 is up. The logs say that everything was established successfully, but no Phase 2 is up.
>
> root@enb-17:/etc# ipsec restart
> Stopping strongSwan IPsec...
> Starting strongSwan 5.2.1 IPsec [starter]...
> root at enb-17:/etc# ipsec up test
> initiating Aggressive Mode IKE_SA test[1] to 192.168.yy.yy
> generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
> sending packet: from 192.168.xx.xx[500] to 192.168.yy.yy[500] (350 bytes)
> received packet: from 192.168.yy.yy[500] to 192.168.xx.xx[500] (409 bytes)
> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D ]
> received DPD vendor ID
> received NAT-T (RFC 3947) vendor ID
> received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
> faking NAT situation to enforce UDP encapsulation
> generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (108 bytes)
> received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (76 bytes)
> parsed TRANSACTION request 4069442794 [ HASH CPRQ(X_USER X_PWD) ]
> generating TRANSACTION response 4069442794 [ HASH CPRP(X_USER X_PWD) ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (92 bytes)
> received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (76 bytes)
> parsed TRANSACTION request 666211454 [ HASH CPS(X_STATUS) ]
> XAuth authentication of 'user' (myself) successful
> IKE_SA test[1] established between 192.168.xx.xx[HIDDEN_ID1]...192.168.yy.yy[HIDDEN_ID2]
> scheduling reauthentication in 86220s
> maximum IKE_SA lifetime 86400s
> generating TRANSACTION response 666211454 [ HASH CPA(X_STATUS) ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
> received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (92 bytes)
> parsed TRANSACTION request 1168201470 [ HASH CPS(ADDR MASK SUBNET) ]
> handling INTERNAL_IP4_NETMASK attribute failed
> handling INTERNAL_IP4_SUBNET attribute failed
> installing new virtual IP 10.20.zz.zz
> generating TRANSACTION response 1168201470 [ HASH CPA(ADDR) ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
> generating QUICK_MODE request 1154954290 [ HASH SA No KE ID ID ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (316 bytes)
> received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (300 bytes)
> parsed QUICK_MODE response 1154954290 [ HASH SA No KE ID ID ]
> connection 'test' established successfully
> root@enb-17:/etc# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.10.41-031041-generic, x86_64):
>   uptime: 15 seconds, since Dec 22 13:43:47 2014
>   malloc: sbrk 675840, mmap 0, used 535920, free 139920
>   worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 9
>   loaded plugins: charon test-vectors ldap pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-libipsec kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic tnc-tnccs dhcp led addrblock
> Listening IP addresses:
>   *
> Connections:
>     test:  192.168.xx.xx...192.168.yy.yy  IKEv1 Aggressive, dpddelay=10s
>     test:   local:  [HIDDEN_ID1] uses pre-shared key authentication
>     test:   local:  [HIDDEN_ID1] uses XAuth authentication: any with XAuth identity 'user'
>     test:   remote: [HIDDEN_ID2] uses pre-shared key authentication
>     test:   child:  10.xx.xxx.xx/32 === 10.yy.yy.yy/32 TUNNEL, dpdaction=restart
> Security Associations (1 up, 0 connecting):
>     test[1]: ESTABLISHED 8 seconds ago, 192.168.xx.xx[HIDDEN_ID1]...192.168.yy.yy[HIDDEN_ID2]
>     test[1]: IKEv1 SPIs: b88fcca7af8ef6fb_i* ed25f627ba68ed81_r, pre-shared key+XAuth reauthentication in 23 hours
>     test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> root@enb-17:/etc#
>
>
> I'm wondering: should strongSwan aggressive mode PSK+XAuth work with Juniper SRX devices?
>
> Here's ipsec.conf:
> conn %default
>         keyingtries=%forever
>         mobike=no
>         ikelifetime=86400
>         keylife=86400
>         rekeymargin=180s
>         ike=aes128-sha1-modp1024!
>         esp=aes128-sha1-modp1024!
>         authby=xauthpsk
>         dpdaction=restart
>         dpddelay=10
>         dpdtimeout=30
>         rekeyfuzz=0%
>         auto=add
>         keyexchange=ikev1
>         rightid=HIDDEN_ID2
>         right=192.168.yy.yy
> conn test
>         aggressive=yes
>         left=192.168.xx.xx
>         leftid=HIDDEN_ID1
>         leftauth=psk
>         leftauth2=xauth
>         leftsourceip=%config
>         leftsubnet=10.aa.aa.aa/32
>         rightsubnet=10.bb.bb.bb/32
>         rightauth=psk
>         xauth=client
>         xauth_identity=user
>         modeconfig=push
>
> Best Regards,
> Marcin
>
>
> 2014-12-19 16:35 GMT+01:00 Martin Willi <martin at strongswan.org>:
>
>     Hi,
>
>     > generating TRANSACTION response 4124377813 [ HASH CPA(X_STATUS) ]
>     > sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
>     > generating TRANSACTION request 2379419226 [ HASH CPRQ(ADDR DNS) ]
>     > sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
>     > received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (92 bytes)
>     > queueing TRANSACTION request as tasks still active
>     > received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (60 bytes)
>     > payload of type CONFIGURATION_V1 not occurred
>
>     Your gateway is initiating a TRANSACTION request after XAuth. Most
>     likely it is configured to use push mode, while strongSwan performs a
>     Mode Config pull.
>
>     Try to switch to push mode in strongSwan by setting modeconfig=push in
>     your connection definition.
>
>     Regards
>     Martin
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

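Noel's three suggestions put into configuration form, as an added example that is not part of the thread and not a strongSwan project file: strongswan.conf with charon.cisco_unity set and the unity plugin loaded, and the posted "conn test" with leftsubnet omitted so that %dynamic is replaced by the virtual IP assigned via Mode Config. The placeholders (192.168.xx.xx, HIDDEN_ID1, 10.bb.bb.bb/32, 10.20.zz.zz) are the original poster's; the "conn %default" block from the posted ipsec.conf (proposals, lifetimes, DPD, authby) is assumed unchanged and still applies. The plugin section uses strongswan.conf's charon.plugins.<name>.load convention; whether the unity plugin ships in your distribution's package or has to be built with --enable-unity is an assumption about the reader's setup, not something the thread states.

```conf
# /etc/strongswan.conf  (added example, not the original poster's file)
charon {
    # Send the Cisco Unity vendor ID in IKEv1 so the gateway can push
    # Unity attributes (split tunneling). Needs the unity plugin loaded.
    cisco_unity = yes

    plugins {
        unity {
            load = yes
        }
    }
}

# /etc/ipsec.conf, "conn test" as posted (problem case):
# a static leftsubnet overrides the %dynamic default, so the Quick Mode
# traffic selector is 10.aa.aa.aa/32 rather than the virtual IP.
conn test-as-posted
        aggressive=yes
        left=192.168.xx.xx
        leftid=HIDDEN_ID1
        leftauth=psk
        leftauth2=xauth
        leftsourceip=%config
        leftsubnet=10.aa.aa.aa/32
        rightsubnet=10.bb.bb.bb/32
        rightauth=psk
        xauth=client
        xauth_identity=user
        modeconfig=push

# Corrected: leftsubnet omitted. It then defaults to %dynamic, which the
# client replaces with the virtual IP received via Mode Config
# (10.20.zz.zz in the posted log), so the virtual IP ends up in the
# Phase 2 traffic selector. Everything else is kept as posted.
conn test
        aggressive=yes
        left=192.168.xx.xx
        leftid=HIDDEN_ID1
        leftauth=psk
        leftauth2=xauth
        leftsourceip=%config
        rightsubnet=10.bb.bb.bb/32
        rightauth=psk
        xauth=client
        xauth_identity=user
        modeconfig=push
```

Two checks after "ipsec restart": the "loaded plugins:" line of "ipsec statusall" should now include "unity", and the "child:" line for "test" should show the virtual IP on the left side (10.20.zz.zz/32 === 10.bb.bb.bb/32) instead of the fixed 10.xx.xxx.xx/32 seen in the posted output. Keep only one of the two conn blocks in a real file; the "as posted" block is there only to show the setting being removed. Whether rightsubnet can be widened and narrowed by the gateway's Unity split-include attributes depends on what that Juniper gateway sends, which the thread does not show, so it is left as posted here.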



