[strongSwan] strongswan and Win2003
Alexander Sbitnev
alexander.sbitnev at gmail.com
Fri Jun 13 15:25:10 CEST 2014
Hi there!
I've stumbled upon a problem while trying to create a connection
between strongSwan and Windows 2003 vanilla IKE.
Site-to-site with PSK auth. strongSwan version 5.1.1.
To me right now it looks like a bug on the Windows side, but my knowledge is
limited and there can be something I don't know.
So I will be happy with any comments on the situation. Is it known? Is
there something wrong in my config?
And at last, is it worth it to deal with Microsoft IKE? (I suppose
not, but still, some need to figure things out is killing me :)
The problem happens in the second phase of IKE, only in the case where the
win2003 peer acts as a responder.
In the second packet of QUICK mode (generated on Windows) there are two
ID_V1 payloads and only one of them is in address form.
The second one (representing the responding/win2003 side) is actually in FQDN form.
As a result, a "peer selected invalid traffic selectors" error occurs.
If the Windows side is acting as initiator, everything works fine.
Here are dumps of the decrypted payloads from QUICK mode packets generated on
win2003. The last 32 bytes are the two ID payloads:
1) win2003 initiator, first packet of QM:
13[ENC]   0: 01 00 00 18 60 67 F4 FE 02 25 FA AE 35 52 38 D5  ....`g...%..5R8.
13[ENC]  16: 11 83 3A E0 6A EA 50 DB 0A 00 00 34 00 00 00 01  ..:.j.P....4....
13[ENC]  32: 00 00 00 01 00 00 00 28 01 03 04 01 3E 4E 47 82  .......(....>NG.
13[ENC]  48: 00 00 00 1C 01 03 00 00 80 01 00 01 00 02 00 04  ................
13[ENC]  64: 00 00 07 08 80 04 F0 03 80 05 00 02 05 00 00 18  ................
13[ENC]  80: 41 61 7A 9B B7 40 3D E5 FA 6C 02 97 66 48 66 D9  Aaz..@=..l..fHf.
13[ENC]  96: 78 98 DC 89 05 00 00 10 04 00 00 00 C0 A8 FE 00  x...............
13[ENC] 112: FF FF FF 00 00 00 00 10 04 00 00 00 AC 10 01 00  ................
13[ENC] 128: FF FF FF 00 00 00 00 00                          ........
Both IDs are in address form.
2) win2003 responder, second packet of QM:
06[ENC]   0: 01 00 00 18 9B F4 3A B0 B5 08 11 09 0D 5D 75 A0  ......:......]u.
06[ENC]  16: FE 8D F9 BB 93 19 0B C1 0A 00 00 34 00 00 00 01  ...........4....
06[ENC]  32: 00 00 00 01 00 00 00 28 01 03 04 01 CE 94 11 DA  .......(........
06[ENC]  48: 00 00 00 1C 01 03 00 00 80 01 00 01 00 02 00 04  ................
06[ENC]  64: 00 00 04 B0 80 04 F0 03 80 05 00 02 05 00 00 18  ................
06[ENC]  80: 3E C4 53 86 66 7C DF C7 F3 D2 C5 8B 5C 0C A0 81  >.S.f|......\...
06[ENC]  96: 6F 4D 7D B4 05 00 00 10 04 00 00 00 AC 10 01 00  oM}.............
06[ENC] 112: FF FF FF 00 00 00 00 10 02 00 00 00 73 65 72 76  ............serv
06[ENC] 128: 32 30 30 33 00 00 00 00                          2003....
The second ID is in FQDN form, encoding "serv2003" as the ID.
Just in case, here is my config:
conn win2003
    esp=3des-sha1!
    ike=3des-sha1-modp2048!
    left=192.168.100.1
    leftsubnet=192.168.254.0/24
    right=192.168.100.8
    rightsubnet=172.16.1.0/24
    authby=secret
    auto=add
Approval handling log:
06[CFG] selecting proposal:
06[CFG] proposal matches
06[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
06[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
06[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
06[IKE] peer selected invalid traffic selectors: 172.16.1.0/24 for 172.16.1.0/24, 192.168.100.1/32 for 192.168.254.0/24
06[IKE] queueing INFORMATIONAL task
06[IKE] activating new tasks
06[IKE] activating INFORMATIONAL task
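As an added illustration (not part of the original post, and not strongSwan's own code), the following Python parser walks the ISAKMP Identification payload chain from the two dumps above (bytes copied from offset 100 onward) and applies a simplified version of the responder-side check: an ID can only become a traffic selector when it is in address form and lies inside a configured subnet. The check is a teaching simplification, not strongSwan's validation logic.

```python
import ipaddress
import struct

# ISAKMP Identification types (RFC 2407, section 4.6.2.1)
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 4: "ID_IPV4_ADDR_SUBNET"}
PAYLOAD_ID = 5  # "next payload" value announcing another Identification payload
# ID payload bytes copied from the two dumps in the post (offset 100 onward)
WIN_INITIATOR_IDS = bytes.fromhex(
    "05000010 04000000 C0A8FE00 FFFFFF00"  # 192.168.254.0 / 255.255.255.0
    "00000010 04000000 AC100100 FFFFFF00"  # 172.16.1.0 / 255.255.255.0
)
WIN_RESPONDER_IDS = bytes.fromhex(
    "05000010 04000000 AC100100 FFFFFF00"  # 172.16.1.0 / 255.255.255.0
    "00000010 02000000 73657276 32303033"  # ID_FQDN "serv2003"
    "00000000"                             # padding after the last payload
)

def parse_id_chain(data):
    """Walk a chain of ISAKMP ID payloads; return [(type name, decoded value)]."""
    ids, off = [], 0
    while off + 8 <= len(data):
        # generic payload header: next payload, reserved, total length
        next_pl, _res, length = struct.unpack("!BBH", data[off:off + 4])
        # ID payload header: ID type, protocol ID, port
        id_type, _proto, _port = struct.unpack("!BBH", data[off + 4:off + 8])
        id_data = data[off + 8:off + length]
        if id_type == 1:
            value = str(ipaddress.IPv4Address(id_data[:4]))
        elif id_type == 4:  # address followed by a netmask
            addr = ipaddress.IPv4Address(id_data[:4])
            mask = ipaddress.IPv4Address(id_data[4:8])
            value = str(ipaddress.IPv4Network("%s/%s" % (addr, mask)))
        elif id_type == 2:
            value = id_data.decode("ascii")
        else:
            value = id_data.hex()
        ids.append((ID_TYPES.get(id_type, "type_%d" % id_type), value))
        if next_pl != PAYLOAD_ID:
            break
        off += length
    return ids

def check_quick_mode_ids(data, configured_subnets):
    """Return IDs that cannot act as traffic selectors inside the configured subnets."""
    nets = [ipaddress.IPv4Network(s) for s in configured_subnets]
    problems = []
    for id_type, value in parse_id_chain(data):
        # only address-form IDs yield a selector; an FQDN never can
        usable = id_type in ("ID_IPV4_ADDR", "ID_IPV4_ADDR_SUBNET")
        if not usable or not any(ipaddress.IPv4Network(value).subnet_of(n) for n in nets):
            problems.append((id_type, value))
    return problems
```

Running `check_quick_mode_ids` over the responder dump with the leftsubnet/rightsubnet from the config returns only the FQDN entry, which is the payload the "peer selected invalid traffic selectors" line is complaining about.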