[strongSwan] Windows7 AH Mode Fail

Takamitsu Kato kato at intelligent-design.co.jp
Wed Mar 5 05:42:53 CET 2014


Hi, All.

I tried to connect strongSwan and Windows 7 using AH mode with IKEv1, but I couldn't.
It failed with MD5 set, and it also failed with SHA1.
Is there any way to troubleshoot it?


(1) setting AH:MD5
-------------------------------------------------------------------
ipsec.conf:

config setup
      charondebug="dmn 4, mgr 4, ike 4, chd 4, job 4, cfg 4, knl 4, net 4, enc 4, lib 4"

conn %default
      mobike=no
      reauth=no
      keyingtries=1

conn rule01
      keyexchange=ikev1
      ikelifetime=480m
      lifetime=60m
      lifebytes=100000000
      rekeymargin=3m
      type=transport
      authby=secret
      ike=aes128-sha1-modp1024!
      ah=md5!
      left=192.168.15.111
      right=192.168.15.222
      auto=route

strongswan.log:

00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.9.5-301.fc19.i686.PAE, i686)

...

02[ENC] parsed QUICK_MODE response 873019481 [ HASH SA No ID ID ]
02[IKE] Hash(2) => 20 bytes @ 0x973c4c8
02[IKE]    0: C2 B3 61 B7 EC 99 AE 58 31 CC B3 FC 47 AB FA C1  ..a....X1...G...
02[IKE]   16: B2 79 FE 8F                                      .y..
02[ENC] HASH received => 20 bytes @ 0x9723a78
02[ENC]    0: C2 B3 61 B7 EC 99 AE 58 31 CC B3 FC 47 AB FA C1  ..a....X1...G...
02[ENC]   16: B2 79 FE 8F                                      .y..
02[ENC] HASH expected => 20 bytes @ 0x973c4c8
02[ENC]    0: C2 B3 61 B7 EC 99 AE 58 31 CC B3 FC 47 AB FA C1  ..a....X1...G...
02[ENC]   16: B2 79 FE 8F                                      .y..
02[IKE] next IV for MID 873019481 => 16 bytes @ 0x973ad38
02[IKE]    0: 46 3A 0B 82 98 B7 98 71 0F C4 01 AD 34 6D 1F D6  F:.....q....4m..
02[CFG] selecting proposal:
02[CFG]   no acceptable INTEGRITY_ALGORITHM found
02[CFG] received proposals: AH:UNDEFINED/NO_EXT_SEQ
02[CFG] configured proposals: AH:HMAC_MD5_96/NO_EXT_SEQ
02[IKE] no matching proposal found
02[IKE] queueing INFORMATIONAL task
02[KNL] deleting SAD entry with SPI cd4c67df  (mark 0/0x00000000)
02[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0xb6c91c60
02[KNL]    0: 28 00 00 00 11 00 05 00 CC 00 00 00 DB 07 00 00  (...............
02[KNL]   16: C0 A8 0F 28 00 00 00 00 00 00 00 00 00 00 00 00  ...(............
02[KNL]   32: CD 4C 67 DF 02 00 33 00                          .Lg...3.
08[JOB] watcher got notification, rebuilding
08[JOB]   watching 9 for reading
08[JOB]   watching 15 for reading
08[JOB]   watching 16 for reading
08[JOB] watcher going to select()
02[KNL] deleted SAD entry with SPI cd4c67df (mark 0/0x00000000)
02[IKE] activating new tasks
02[IKE]   activating INFORMATIONAL task
02[ENC] added payload of type NOTIFY_V1 to message
02[ENC] added payload of type NOTIFY_V1 to message
02[IKE] Hash => 20 bytes @ 0x973c4c8
02[IKE]    0: 88 2A 6D E0 1F FB B2 41 90 49 C7 EA E5 84 C7 2E  .*m....A.I......
02[IKE]   16: D1 75 61 C0                                      .ua.
02[ENC] generating INFORMATIONAL_V1 request 3556845952 [ HASH N(NO_PROP) ]

-------------------------------------------------------------------

(2) setting AH:SHA1
-------------------------------------------------------------------
ipsec.conf:

config setup
      charondebug="dmn 4, mgr 4, ike 4, chd 4, job 4, cfg 4, knl 4, net 4, enc 4, lib 4"

conn %default
      mobike=no
      reauth=no
      keyingtries=1

conn rule01
      keyexchange=ikev1
      ikelifetime=480m
      lifetime=60m
      lifebytes=100000000
      rekeymargin=3m
      type=transport
      authby=secret
      ike=aes128-sha1-modp1024!
      ah=sha1!
      left=192.168.15.111
      right=192.168.15.222
      auto=route

strongswan.log:

00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.9.5-301.fc19.i686.PAE, i686)

...

02[ENC] parsed QUICK_MODE response 2607223528 [ HASH SA No ID ID ]
02[IKE] Hash(2) => 20 bytes @ 0x97cb4c8
02[IKE]    0: 19 77 92 48 30 51 59 95 45 BC 35 74 49 12 69 25  .w.H0QY.E.5tI.i%
02[IKE]   16: 55 FC 85 7B                                      U..{
02[ENC] HASH received => 20 bytes @ 0x97b2a78
02[ENC]    0: 19 77 92 48 30 51 59 95 45 BC 35 74 49 12 69 25  .w.H0QY.E.5tI.i%
02[ENC]   16: 55 FC 85 7B                                      U..{
02[ENC] HASH expected => 20 bytes @ 0x97cb4c8
02[ENC]    0: 19 77 92 48 30 51 59 95 45 BC 35 74 49 12 69 25  .w.H0QY.E.5tI.i%
02[ENC]   16: 55 FC 85 7B                                      U..{
02[IKE] next IV for MID 2607223528 => 16 bytes @ 0x97c9d38
02[IKE]    0: 1F E4 0C C4 24 90 29 46 05 A0 16 85 C3 C4 B3 BA  ....$.)F........
02[CFG] selecting proposal:
02[CFG]   no acceptable INTEGRITY_ALGORITHM found
02[CFG] received proposals: AH:HMAC_MD5_96/NO_EXT_SEQ
02[CFG] configured proposals: AH:HMAC_SHA1_96/NO_EXT_SEQ
02[IKE] no matching proposal found
02[IKE] queueing INFORMATIONAL task
02[KNL] deleting SAD entry with SPI c1b13a7a  (mark 0/0x00000000)
02[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0xb6c02c60
02[KNL]    0: 28 00 00 00 11 00 05 00 CC 00 00 00 DC 08 00 00  (...............
02[KNL]   16: C0 A8 0F 28 00 00 00 00 00 00 00 00 00 00 00 00  ...(............
02[KNL]   32: C1 B1 3A 7A 02 00 33 00                          ..:z..3.
08[JOB] watcher got notification, rebuilding
08[JOB]   watching 9 for reading
08[JOB]   watching 15 for reading
08[JOB]   watching 16 for reading
08[JOB] watcher going to select()
02[KNL] deleted SAD entry with SPI c1b13a7a (mark 0/0x00000000)
02[IKE] activating new tasks
02[IKE]   activating INFORMATIONAL task
02[ENC] added payload of type NOTIFY_V1 to message
02[ENC] added payload of type NOTIFY_V1 to message
02[IKE] Hash => 20 bytes @ 0x97cb4c8
02[IKE]    0: 7B C7 5E 98 54 A3 EE C5 A6 9E 17 AB F1 EE 85 5B  {.^.T..........[
02[IKE]   16: 49 A9 A9 B0                                      I...
02[ENC] generating INFORMATIONAL_V1 request 3384682819 [ HASH N(NO_PROP) ]

-------------------------------------------------------------------

Best regards,
Takamitsu Kato
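
Added example, not part of the original post and not strongSwan code: a short Python script that pulls the "received proposals" / "configured proposals" pairs out of a charon log like the two quoted above and lists, per protocol, which algorithms only one side named. The sample log is constructed from lines in the post; the function names and the assumption that several proposals on one line are comma-separated belong to this example.

```python
import re

# Constructed sample: negotiation lines copied from the two runs in the post.
SAMPLE_LOG = """\
02[CFG]   no acceptable INTEGRITY_ALGORITHM found
02[CFG] received proposals: AH:UNDEFINED/NO_EXT_SEQ
02[CFG] configured proposals: AH:HMAC_MD5_96/NO_EXT_SEQ
02[IKE] no matching proposal found
02[CFG] received proposals: AH:HMAC_MD5_96/NO_EXT_SEQ
02[CFG] configured proposals: AH:HMAC_SHA1_96/NO_EXT_SEQ
02[IKE] no matching proposal found
"""

LINE = re.compile(r"^(\d+)\[(\w+)\]\s+(.*)$")   # thread, log group, message
PROPOSALS = re.compile(r"^(received|configured) proposals: (.*)$")

def parse_proposals(text):
    """'AH:A/B, ESP:C' -> [('AH', {'A', 'B'}), ('ESP', {'C'})]."""
    parsed = []
    for item in filter(None, (p.strip() for p in text.split(","))):
        proto, _, algs = item.partition(":")
        parsed.append((proto, set(algs.split("/"))))
    return parsed

def compare(received, configured):
    """Per protocol, list the algorithms that only one side named."""
    report = {}
    for proto in sorted({p for p, _ in received + configured}):
        peer = set().union(*(a for p, a in received if p == proto))
        ours = set().union(*(a for p, a in configured if p == proto))
        report[proto] = {"peer_only": sorted(peer - ours),
                         "local_only": sorted(ours - peer)}
    return report

def find_mismatches(log):
    """Return one report per 'no matching proposal found' event."""
    pending, reports = {}, []   # pending: thread id -> proposals seen so far
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue            # hexdump ASCII column or wrapped line
        thread, group, msg = m.groups()
        p = PROPOSALS.match(msg)
        if group == "CFG" and p:
            pending.setdefault(thread, {})[p.group(1)] = parse_proposals(p.group(2))
        elif group == "IKE" and msg == "no matching proposal found":
            seen = pending.pop(thread, {})
            reports.append(compare(seen.get("received", []), seen.get("configured", [])))
    return reports
```

On the sample, the first report shows the peer's integrity algorithm logged as UNDEFINED against a local HMAC_MD5_96, and the second shows HMAC_MD5_96 from the peer against a local HMAC_SHA1_96.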

