[strongSwan] strongswan and Win2003

Alexander Sbitnev alexander.sbitnev at gmail.com
Fri Jun 13 15:25:10 CEST 2014 

   Hi there!
   I've stumble upon a problem while trying to create connection in 
between strongswan and windows 2003 vanilla IKE.
Site-to-site with PSK auth. Strongswan version 5.1.1.
To me right now it looks like a bug on windows side, but my knowledge is 
limited and there can be something I don't know.
So I will be happy with any comments on the situation. Is it known? Is 
it something wrong in my config?
And at last, is it worth it to deal with Microsoft IKE? (I suppose it 
not, but still some need to figure things out killing me :)

Problem happening on the second phase of IKE, only in the case if 
win2003 peer act as a responder.
In the second packet of QUICK mode (generated on windows) there is two 
ID_V1 payloads and only one of them in address form.
Second one (represent responding/win2003 side) is actually in FQDN form. 
As a result "peer selected invalid traffic selectors" error occurring.
If windows side is acting as initiator everything works fine.

Here is dumps of decrypted payloads from QUICK mode packets generated on 
win2003. Last 32 bytes is two ID payloads:
1) win2003 initiator, first packet of QM:
13[ENC]    0: 01 00 00 18 60 67 F4 FE 02 25 FA AE 35 52 38 D5 
....`g...%..5R8.
13[ENC]   16: 11 83 3A E0 6A EA 50 DB 0A 00 00 34 00 00 00 01 
..:.j.P....4....
13[ENC]   32: 00 00 00 01 00 00 00 28 01 03 04 01 3E 4E 47 82 
.......(....>NG.
13[ENC]   48: 00 00 00 1C 01 03 00 00 80 01 00 01 00 02 00 04 
................
13[ENC]   64: 00 00 07 08 80 04 F0 03 80 05 00 02 05 00 00 18 
................
13[ENC]   80: 41 61 7A 9B B7 40 3D E5 FA 6C 02 97 66 48 66 D9 
Aaz..@=..l..fHf.
13[ENC]   96: 78 98 DC 89 05 00 00 10 04 00 00 00 C0 A8 FE 00 
x...............
13[ENC]  112: FF FF FF 00 00 00 00 10 04 00 00 00 AC 10 01 00 
................
13[ENC]  128: FF FF FF 00 00 00 00 00 ........

both IDs are in address form

2) win2003 responder, second packet of QM:
06[ENC]    0: 01 00 00 18 9B F4 3A B0 B5 08 11 09 0D 5D 75 A0 
......:......]u.
06[ENC]   16: FE 8D F9 BB 93 19 0B C1 0A 00 00 34 00 00 00 01 
...........4....
06[ENC]   32: 00 00 00 01 00 00 00 28 01 03 04 01 CE 94 11 DA 
.......(........
06[ENC]   48: 00 00 00 1C 01 03 00 00 80 01 00 01 00 02 00 04 
................
06[ENC]   64: 00 00 04 B0 80 04 F0 03 80 05 00 02 05 00 00 18 
................
06[ENC]   80: 3E C4 53 86 66 7C DF C7 F3 D2 C5 8B 5C 0C A0 81 
 >.S.f|......\...
06[ENC]   96: 6F 4D 7D B4 05 00 00 10 04 00 00 00 AC 10 01 00 
oM}.............
06[ENC]  112: FF FF FF 00 00 00 00 10 02 00 00 00 73 65 72 76 
............serv
06[ENC]  128: 32 30 30 33 00 00 00 00 2003....

second ID is in form of FQDN encoding "serv2003" as id


Just in case here is my config:
conn win2003
  esp=3des-sha1!
  ike=3des-sha1-modp2048!
  left=192.168.100.1
  leftsubnet=192.168.254.0/24
  right=192.168.100.8
  rightsubnet=172.16.1.0/24
  authby=secret
  auto=add

Approval handling log:
06[CFG] selecting proposal:
06[CFG]   proposal matches
06[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
06[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
06[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
06[IKE] peer selected invalid traffic selectors: 172.16.1.0/24 for 
172.16.1.0/24, 192.168.100.1/32 for 192.168.254.0/24
06[IKE] queueing INFORMATIONAL task
06[IKE] activating new tasks
06[IKE]   activating INFORMATIONAL task

More information about the Users mailing list