[strongSwan] Fw: cisco vpn client failed to connect to my strongswan vpn server
tefeng.em at gmail.com
Sun Jun 22 16:59:47 CEST 2014
I got it working just after disabling “leftauth=pubkey” in the “conn cisco” section, although it works with 4.6.4.
Many thanks!
Regards!
Quine
2012-6-22
From: tefeng.em at gmail.com
Sent: Sunday, June 22, 2014 00:07
To: users at lists.strongswan.org
Subject: cisco vpn client failed to connect to my strongswan vpn server
Dear All,
I’ve installed strongSwan 4.6.4 (both pluto and charon enabled) on my server (Debian 6.0.8) and it works well with Cisco VPN client 5.0.07.0410 on WinXP (also with iOS, Android and Win7). Recently I upgraded to 5.1.3 and it still works with iOS, Android and Win7, but not with the Cisco VPN client.
The build configuration follows:
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-unity --enable-openssl --enable-md4 --enable-xauth-eap --enable-xauth-pam --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-sim-pcsc --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls --enable-tools
/etc/ipsec.conf:
config setup
    #nat_traversal=yes
    uniqueids=yes
    charondebug="ike 2, mgr 2, net 2, enc 2" # this line doesn’t work?
    crlcheckinterval=10m
    strictcrlpolicy=no

ca vpnca
    cacert=caCert.pem
    crluri=crl.pem
    auto=add

conn %default
    auto=add
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any

conn ios
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    #leftfirewall=yes
    rightsubnet=10.11.0.0/24
    rightsourceip=10.11.0.0/24
    #dpddelay=30s
    #dpdtimeout=120s
    #dpdaction=clear

conn win7&android
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CH, O=strongSwan, CN=x.x.x.x"
    rightsourceip=10.11.1.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

conn cisco
    keyexchange=ikev1
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CH, O=strongSwan, CN=x.x.x.x"
    rightsourceip=10.11.2.0/24
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    #type=tunnel
    authby=xauthrsasig
    xauth=server
    #pfs=no
When I try to connect to the server with the Cisco VPN client, it returns the error “412: The remote peer is no longer responding” and the following logs:
1 23:47:53.418 06/20/14 Sev=Info/4 CERT/0x63600015
Cert (cn=client,o=strongSwan,c=CH) verification succeeded.
2 23:47:53.433 06/20/14 Sev=Info/4 CM/0x63100002
Begin connection process
3 23:47:53.449 06/20/14 Sev=Info/4 CM/0x63100004
Establish secure connection
4 23:47:53.449 06/20/14 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"
5 23:47:53.449 06/20/14 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
6 23:47:53.465 06/20/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
7 23:47:53.543 06/20/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Nat-T)) from x.x.x.x
8 23:47:53.543 06/20/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
9 23:47:53.574 06/20/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, NAT-D, NAT-D) from x.x.x.x
10 23:47:53.605 06/20/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to x.x.x.x
11 23:47:53.621 06/20/14 Sev=Info/4 IKE/0x63000084
Out of Order Packet Processing - Queuing a packet (Informational) received out of order
12 23:47:58.887 06/20/14 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
13 23:47:58.887 06/20/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to x.x.x.x
14 23:48:03.887 06/20/14 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
15 23:48:03.887 06/20/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to x.x.x.x
16 23:48:08.887 06/20/14 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
17 23:48:08.887 06/20/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to x.x.x.x
18 23:48:13.887 06/20/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=8B242615179718BE R_Cookie=1BD7EDD3CABC3E02) reason = DEL_REASON_PEER_NOT_RESPONDING
19 23:48:13.887 06/20/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.x
20 23:48:14.402 06/20/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=8B242615179718BE R_Cookie=1BD7EDD3CABC3E02) reason = DEL_REASON_PEER_NOT_RESPONDING
21 23:48:14.402 06/20/14 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
22 23:48:14.418 06/20/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
/var/log/auth.log:
...
Jun 21 11:50:45 debian6 charon: 14[ENC] parsed ID_PROT request 0 [ ID CERT CERTREQ SIG N(INITIAL_CONTACT) ]
Jun 21 11:50:45 debian6 charon: 14[IKE] received cert request for 'C=CH, O=strongSwan, CN=strongSwan CA'
Jun 21 11:50:45 debian6 charon: 14[IKE] received end entity cert "C=CH, O=strongSwan, CN=client"
Jun 21 11:50:45 debian6 charon: 14[IKE] no peer config found
Jun 21 11:50:45 debian6 charon: 14[IKE] queueing INFORMATIONAL task
Jun 21 11:50:45 debian6 charon: 14[IKE] activating new tasks
Jun 21 11:50:45 debian6 charon: 14[IKE] activating INFORMATIONAL task
Jun 21 11:50:45 debian6 charon: 14[ENC] added payload of type NOTIFY_V1 to message
Jun 21 11:50:45 debian6 charon: 14[ENC] added payload of type NOTIFY_V1 to message
Jun 21 11:50:45 debian6 charon: 14[ENC] generating INFORMATIONAL_V1 request 2841545593 [ HASH N(AUTH_FAILED) ]
Jun 21 11:50:45 debian6 charon: 14[ENC] insert payload HASH_V1 into encrypted payload
Jun 21 11:50:45 debian6 charon: 14[ENC] insert payload NOTIFY_V1 into encrypted payload
Jun 21 11:50:45 debian6 charon: 14[ENC] generating payload of type HEADER
Jun 21 11:50:45 debian6 charon: 14[ENC] generating rule 0 IKE_SPI
Jun 21 11:50:45 debian6 charon: 14[ENC] generating rule 1 IKE_SPI
...
Any recommendations would be really appreciated. Thanks in advance.
B. Regards!
Quine
2014-6-21
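Added example, not from this thread or from the strongSwan project: a small Python checker that parses an ipsec.conf and flags conn sections which set the legacy authby= keyword together with leftauth=/rightauth=, the combination the poster removed from "conn cisco" to get the Cisco client connecting. The sample configuration is constructed after the posted one, and treating that mix as the thing to flag is an assumption drawn from the poster's fix, not a documented strongSwan rule.

```python
# Constructed sample modelled on the posted ipsec.conf (not the poster's file):
# "cisco" mixes legacy authby= with leftauth=, "ios" uses authby= alone.
SAMPLE_IPSEC_CONF = """\
conn %default
    auto=add
    left=%defaultroute
    right=%any
conn ios
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
conn cisco
    keyexchange=ikev1
    leftauth=pubkey          # conflicts with authby= below
    authby=xauthrsasig
    xauth=server
"""

def parse_ipsec_conf(text):
    """Parse ipsec.conf into {'conn cisco': {key: value}, ...}; a non-indented
    line opens a section, indented key=value lines belong to it, '#' comments
    are dropped, and 'also='/'include' are not expanded."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header such as 'conn cisco'
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def find_mixed_auth(sections):
    """Return conns that set authby= together with leftauth=/rightauth=,
    after merging in values inherited from 'conn %default'."""
    defaults = sections.get("conn %default", {})
    hits = []
    for name, params in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        merged = {**defaults, **params}
        if "authby" in merged and ("leftauth" in merged or "rightauth" in merged):
            hits.append(name[len("conn "):])
    return hits
```

Run find_mixed_auth(parse_ipsec_conf(open("/etc/ipsec.conf").read())) against a real file to list the conns that need one of the two keywords dropped.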