[strongSwan] Problems connecting with NAT-T, aggressive mode and PSK
Jakob Curdes
jc at info-systems.de
Mon May 26 12:24:01 CEST 2014
Hello, we are trying to connect to a Strongswan 5.1 box with an older
Sarian GPRS router (MR4110).
One thing for the record, this router ships without encryption, only
authentication.
But we are stuck elsewhere: we use aggressive mode with PSK for testing,
with the following config:

conn test
        keyexchange=ikev1
        authby=secret
        left=w.x.y.z
        leftsubnet=10.100.100.0/24
        right=%any
        rightsubnet=172.16.45.0/24
        rightid=@test_id
        auto=add
        ike=aes256-sha1-modp1024
        esp=null-sha1
and we see the following:
(some lines omitted)
May 26 12:06:47 router-cmsdmz charon: 02[NET] received packet: from a.b.c.d[500] to w.x.y.z[500]
May 26 12:06:47 router-cmsdmz charon: 13[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
May 26 12:06:47 router-cmsdmz charon: 13[CFG] looking for an ike config for w.x.y.z...a.b.c.d
May 26 12:06:47 router-cmsdmz charon: 13[CFG] ike config match: 1052 (w.x.y.z a.b.c.d IKEv1)
May 26 12:06:47 router-cmsdmz charon: 13[CFG] candidate: w.x.y.z...%any, prio 1052
May 26 12:06:47 router-cmsdmz charon: 13[CFG] found matching ike config: w.x.y.z...%any with prio 1052
May 26 12:06:47 router-cmsdmz charon: 13[IKE] received DPD vendor ID
May 26 12:06:47 router-cmsdmz charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 26 12:06:47 router-cmsdmz charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 26 12:06:47 router-cmsdmz charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
May 26 12:06:47 router-cmsdmz charon: 13[IKE] received Cisco Unity vendor ID
May 26 12:06:47 router-cmsdmz charon: 13[IKE] a.b.c.d is initiating a Aggressive Mode IKE_SA
May 26 12:06:47 router-cmsdmz charon: 13[CFG] selecting proposal:
May 26 12:06:47 router-cmsdmz charon: 13[CFG] proposal matches
May 26 12:06:47 router-cmsdmz charon: 13[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 26 12:06:47 router-cmsdmz charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 26 12:06:47 router-cmsdmz charon: 13[CFG] looking for pre-shared key peer configs matching w.x.y.z...a.b.c.d[test_id]
May 26 12:06:47 router-cmsdmz charon: 13[CFG] peer config match local: 1 (ID_ANY)
May 26 12:06:47 router-cmsdmz charon: 13[CFG] peer config match remote: 0 (ID_KEY_ID -> (...))
May 26 12:06:47 router-cmsdmz charon: 13[CFG] ike config match: 1052 (w.x.y.z a.b.c.d IKEv1)
May 26 12:06:47 router-cmsdmz charon: 13[IKE] no peer config found
May 26 12:06:47 router-cmsdmz charon: 13[IKE] queueing INFORMATIONAL task
May 26 12:06:47 router-cmsdmz charon: 13[IKE] activating new tasks
May 26 12:06:47 router-cmsdmz charon: 13[IKE] activating INFORMATIONAL task
May 26 12:06:47 router-cmsdmz charon: 13[ENC] generating INFORMATIONAL_V1 request 2881963356 [ N(AUTH_FAILED) ]
May 26 12:06:47 router-cmsdmz charon: 13[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
So the peer sends its ID and charon finds the matching config section,
but then decides it does not actually match?
What is wrong here? Sadly I cannot get the client to send a remote ID;
might that be the problem in a NAT-T situation?
Best regards,
Jakob Curdes
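The failing match in the log above, worked through as an added example that is not part of the original post and not strongSwan's own code. The decisive line is "peer config match remote: 0 (ID_KEY_ID -> (...))": the router sends its identity as an IKE ID of type ID_KEY_ID, while ipsec.conf parses "rightid=@test_id" as an FQDN identity (a leading "@" without "#" or a second "@" means ID_FQDN), and charon compares the ID type as well as the bytes, so "test_id" as FQDN never equals "test_id" as KEY_ID and no peer config is found. An identity of type KEY_ID is written in ipsec.conf as "@#" followed by the hex encoding of its bytes (later releases also accept a "keyid:" prefix; check the ipsec.conf man page of the version in use). The script below parses the charon lines quoted in the post (mail-wrapped lines rejoined, the poster's address placeholders kept), extracts the sent ID type, and derives the matching rightid form. It assumes the KEY_ID the router sends is exactly the ASCII bytes "test_id", which is how charon printed it. Two caveats the post's own configuration carries: IKEv1 aggressive mode with PSK exposes the responder's PSK-derived hash in the clear, so anyone capturing the exchange can run an offline dictionary attack on the PSK, and "esp=null-sha1" authenticates but does not encrypt the tunnelled traffic, as the poster already notes for this router.

```python
import re

# charon lines copied from the post (mail-wrapped lines rejoined);
# a.b.c.d / w.x.y.z are the placeholders the poster used
CHARON_LOG = """\
May 26 12:06:47 router-cmsdmz charon: 13[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
May 26 12:06:47 router-cmsdmz charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
May 26 12:06:47 router-cmsdmz charon: 13[IKE] a.b.c.d is initiating a Aggressive Mode IKE_SA
May 26 12:06:47 router-cmsdmz charon: 13[CFG] looking for pre-shared key peer configs matching w.x.y.z...a.b.c.d[test_id]
May 26 12:06:47 router-cmsdmz charon: 13[CFG] peer config match local: 1 (ID_ANY)
May 26 12:06:47 router-cmsdmz charon: 13[CFG] peer config match remote: 0 (ID_KEY_ID -> (...))
May 26 12:06:47 router-cmsdmz charon: 13[IKE] no peer config found
May 26 12:06:47 router-cmsdmz charon: 13[ENC] generating INFORMATIONAL_V1 request 2881963356 [ N(AUTH_FAILED) ]
"""


def ipsec_conf_id_type(value):
    """IKE ID type strongSwan derives from a left/rightid value.

    Only the common ipsec.conf forms are modelled here; other strings are
    handed to the DN parser by strongSwan, which this subset approximates.
    """
    if value == "%any":
        return "ID_ANY"
    if value.startswith("@#"):
        return "ID_KEY_ID"        # '@#' + hex bytes: opaque KEY_ID
    if value.startswith("@@"):
        return "ID_RFC822_ADDR"   # '@@user@host': USER_FQDN / RFC822 form
    if value.startswith("@"):
        return "ID_FQDN"          # '@test_id' in the post is an FQDN, not a KEY_ID
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value):
        return "ID_IPV4_ADDR"
    if "@" in value:
        return "ID_RFC822_ADDR"
    return "ID_DER_ASN1_DN"


def keyid_form(ascii_id):
    """ipsec.conf spelling of an identity as a KEY_ID: '@#' + hex of its bytes."""
    return "@#" + ascii_id.encode("ascii").hex()


def diagnose(log):
    """Pull the facts relevant to a failed IKEv1 PSK peer-config match from charon output."""
    facts = {
        "aggressive": "initiating a Aggressive Mode IKE_SA" in log,
        "nat_t_vendor_id": "NAT-T (RFC 3947) vendor ID" in log,
        "peer_id": None,          # identity string charon printed for the peer
        "sent_id_type": None,     # ID type the peer actually sent
        "remote_match": None,     # 0 means the configured rightid did not match
        "auth_failed": "N(AUTH_FAILED)" in log,
    }
    m = re.search(r"peer configs matching \S+\.\.\.\S+\[([^\]]+)\]", log)
    if m:
        facts["peer_id"] = m.group(1)
    m = re.search(r"peer config match remote: (\d+) \((ID_\w+)", log)
    if m:
        facts["remote_match"] = int(m.group(1))
        facts["sent_id_type"] = m.group(2)
    return facts


def explain_mismatch(configured_rightid, facts):
    """Return (type of the configured rightid, rightid form that would match, or None).

    A suggestion is only made when the types differ and the peer sent a KEY_ID
    whose bytes charon printed as text (assumption: the ID is plain ASCII).
    """
    cfg_type = ipsec_conf_id_type(configured_rightid)
    if facts["remote_match"] != 0 or cfg_type == facts["sent_id_type"]:
        return cfg_type, None
    if facts["sent_id_type"] == "ID_KEY_ID" and facts["peer_id"]:
        return cfg_type, keyid_form(facts["peer_id"])
    return cfg_type, None


if __name__ == "__main__":
    facts = diagnose(CHARON_LOG)
    for key, val in facts.items():
        print(f"{key:>16}: {val}")
    cfg_type, suggestion = explain_mismatch("@test_id", facts)
    print(f"configured rightid=@test_id is {cfg_type}, peer sent {facts['sent_id_type']}")
    if suggestion:
        print(f"rightid form that matches the sent type: rightid={suggestion}")
```

With the post's log, the script reports the configured "@test_id" as ID_FQDN against a sent ID_KEY_ID and proposes "rightid=@#746573745f6964", the hex of "test_id". Whatever form is chosen, the matching ipsec.secrets entry must select the same PSK for that identity, and the KEY_ID value should be confirmed in a packet capture of the aggressive-mode first message, where it travels unencrypted.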