[strongSwan] auth fails with "no peer config found...cisco-vpn-client to strongswan-v5.0.4-server (with cisco unity plugin enabled)

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Wed Nov 19 07:16:48 CET 2014


Hi

This is a kind request for help... I am unable to bring up this tunnel from a
cisco-vpn-client-v5.0 to a strongswan-v5.0.4 server (on an OpenWRT
presently... but also tried with a Linux-Fedora14 server)

The intention is to use first-level PSK auth (for group authentication
simulation) and then xauth (user/passwd) in the second level of
authentication

I have tried many combinations (for PSK auth) including finally using -
: PSK "123456789"

Nothing seems to be working with PSK (if I use RSA certificates for first-level
auth... then everything works as expected)

The sample error/failure and the configurations used on the
strongswan-v5.0.4 server are as below:

======================================

root at OpenWrt:/etc# ipsec start --nofork
Starting weakSwan 5.0.4 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 3.2.54, armv7l)
00[LIB] openssl FIPS mode(0) unavailable
00[CFG] attr-sql plugin: database URI not set
00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned
NULL
00[CFG] sql plugin: database URI not set
00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
00[LIB] plugin 'eap-sim' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-eap-sim.so: cannot open shared object
file: No such file or directory
00[LIB] plugin 'eap-sim-file' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-eap-sim-file.so: cannot open shared
object file: No such file or directory
00[LIB] plugin 'eap-aka' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-eap-aka.so: cannot open shared object
file: No such file or directory
00[LIB] plugin 'eap-simaka-sql' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-eap-simaka-sql.so: cannot open shared
object file: No such file or directory
00[LIB] plugin 'eap-simaka-pseudonym' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-eap-simaka-pseudonym.so: cannot open
shared object file: No such file or directory
00[LIB] plugin 'eap-gtc' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so: cannot open shared object
file: No such file or directory
00[LIB] plugin 'eap-dynamic' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so: cannot open shared
object file: No such file or directory
00[CFG] loaded 0 RADIUS server configurations
00[LIB] plugin 'eap-tls' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-eap-tls.so: cannot open shared object
file: No such file or directory
00[LIB] plugin 'eap-peap' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-eap-peap.so: cannot open shared object
file: No such file or directory
00[LIB] plugin 'xauth-noauth' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-xauth-noauth.so: cannot open shared
object file: No such file or directory
00[LIB] plugin 'error-notify' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-error-notify.so: cannot open shared
object file: No such file or directory
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for 1.1.1.30 @clientgrp1
00[CFG]   loaded EAP secret for ezclientuser1
00[CFG]   loaded EAP secret for testuser1
00[CFG]   loaded EAP secret for testuser2
00[DMN] loaded plugins: charon curl ldap mysql sqlite pkcs11 des blowfish
sha1 md4 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey
pem openssl gcrypt fips-prf gmp xcbc hmac ctr ccm
 gcm attr kernel-pfkey kernel-netlink resolve socket-default farp stroke
updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap
dhcp whitelist unity
00[JOB] spawning 16 worker threads
charon (3822) started after 100 ms
12[CFG] received stroke: add connection 'ezvpnclient1'
12[CFG] adding virtual IP address pool 192.168.50.0/24
12[CFG] added configuration 'ezvpnclient1'
13[NET] received packet: from 172.29.1.2[1293] to 1.1.1.30[500] (870 bytes)
13[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
13[IKE] received XAuth vendor ID
13[IKE] received DPD vendor ID
13[IKE] received FRAGMENTATION vendor ID
13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
13[IKE] received Cisco Unity vendor ID
13[IKE] 172.29.1.2 is initiating a Aggressive Mode IKE_SA
13[CFG] looking for XAuthInitPSK peer configs matching
1.1.1.30...172.29.1.2[clientgrp1]
13[IKE] no peer config found
13[ENC] generating INFORMATIONAL_V1 request 2263060300 [ N(AUTH_FAILED) ]
13[NET] sending packet: from 1.1.1.30[500] to 172.29.1.2[1293] (56 bytes)

=====================

root at OpenWrt:/etc# cat ipsec.conf
#/etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no

conn %default
        ikelifetime=60m
        keylife=30m
        rekeymargin=3m
        keyingtries=1
        mobike=no

conn ezvpnclient1
        left=1.1.1.30
        leftid=1.1.1.30
        leftsubnet=192.168.2.0/24,192.168.200.0/24,192.168.175.0/24,172.16.0.0/16,10.1.1.0/24
        leftauth=psk
        modeconfig=push
        rightsourceip=192.168.50.0/24
        rightauth=psk
        rightauth2=xauth
        keyexchange=ikev1
        ike=aes256-sha1-modp2048
        esp=aes128-sha1
        auto=add
root at OpenWrt:/etc#

==========================

root at OpenWrt:/etc# cat ipsec.secrets
#/etc/ipsec.secrets - strongSwan IPsec secrets file
1.1.1.30 @clientgrp1 : PSK "123456789"
#1.1.1.30 %any : PSK "123456789"
#@clientgrp1 %any : PSK "123456789"
#@dutfsl @clientgrp1 : PSK "123456789"
ezclientuser1 : XAUTH "config123"
testuser1 : XAUTH "4iChxLT3"
testuser2 : XAUTH "ryftzG4A"
#: PSK "123456789"
#: RSA peer22Key.pem
root at OpenWrt:/etc#

===========================

root at OpenWrt:/etc# cat strongswan.conf
# strongswan.conf - strongSwan configuration file

charon {

        # number of worker threads in charon
        threads = 16
        cisco_unity = yes
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes

        # send strongswan vendor ID?
        ##send_vendor_id = yes

        plugins {

                sql {
                        # loglevel to log into sql database
                        loglevel = -1

                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                }
                attr {
                      dns = 172.16.0.23, 172.16.0.24
                      nbns = 172.16.1.2, 172.16.1.3
                      split-exclude = 10.65.36.0/22
                      28672 = "Welcome to Cisco from Strongswan..You are Connected!!"
                      28675 = test1.com test2.com
                }
        }

        # ...
}

pluto {

}

libstrongswan {

        #  set to no, the DH exponent size is optimized
        #  dh_exponent_ansi_x9_42 = no
}
=============================================================

I tried adding/removing leftid... rightid... with ipaddress, with fqdn, with
just about any other options I could think of for id... but it just
fails... finally I am just lost at this time and need some expert advice

Can you please please help... I need the PSK based auth to work to be
compatible with the existing cisco clients which are not ready for
change... certificates will take some time for us as the pki infrastructure
has to be in place...


thank you so much
with regards
- rajiv kulkarni
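An added example, not the poster's configuration and not strongSwan's own code: a small Python lint that parses the ipsec.conf syntax (section headers at column 0, indented key=value lines, `conn %default` merged into every conn) and reports settings that prevent a responder from matching a conn against an incoming Aggressive Mode IKE_SA like the one in the log above. It encodes two documented IKEv1 constraints: a conn is only considered for Aggressive Mode when it carries `aggressive=yes` (the ipsec.conf option defaults to `no`), and outside XAuth/hybrid setups `leftauth` and `rightauth` must name the same phase 1 method. The embedded configuration is a constructed copy of the posted conn, reflowed onto single lines; the strongswan.conf knob `charon.i_dont_care_about_security_and_use_aggressive_mode_psk`, which the poster already set, is outside this lint's scope.

```python
"""Lint strongSwan ipsec.conf conns for IKEv1 Aggressive Mode readiness.

Added example for this thread: not the poster's configuration and not
strongSwan code. Parses ipsec.conf (section header at column 0, indented
key=value lines, 'conn %default' merged into every conn) and reports
settings that stop a responder from matching a conn against an incoming
Aggressive Mode IKE_SA.
"""
import re
from typing import Dict, List

# Constructed copy of the conn from the post, reflowed onto single lines.
SAMPLE_CONF = """\
config setup
        strictcrlpolicy=no

conn %default
        ikelifetime=60m
        keylife=30m
        rekeymargin=3m
        keyingtries=1
        mobike=no

conn ezvpnclient1
        left=1.1.1.30
        leftid=1.1.1.30
        leftsubnet=192.168.2.0/24,192.168.200.0/24,172.16.0.0/16
        leftauth=psk
        modeconfig=push
        rightsourceip=192.168.50.0/24
        rightauth=psk
        rightauth2=xauth
        keyexchange=ikev1
        ike=aes256-sha1-modp2048
        esp=aes128-sha1
        auto=add
"""

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} with 'conn %default' merged in."""
    sections: Dict[tuple, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments
        if not line.strip():
            continue
        header = SECTION_RE.match(line)          # only matches at column 0
        if header:
            current = (header.group(1), header.group(2))
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue                             # stray line, ignore
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()

    defaults = sections.get(("conn", "%default"), {})
    conns: Dict[str, Dict[str, str]] = {}
    for (kind, name), values in sections.items():
        if kind == "conn" and name != "%default":
            conns[name] = {**defaults, **values}
    return conns


def check_aggressive_mode(conns: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Findings per conn that an IKEv1 Aggressive Mode responder would not match."""
    findings: Dict[str, List[str]] = {}
    for name, c in conns.items():
        if c.get("keyexchange", "ike") not in ("ike", "ikev1"):
            continue                             # IKEv2-only conn, not applicable
        problems = []
        # ipsec.conf 'aggressive' defaults to no; charon skips such conns for
        # an incoming Aggressive Mode request.
        if c.get("aggressive", "no") != "yes":
            problems.append(
                "aggressive=yes missing (default no): charon does not match this "
                "conn for an Aggressive Mode request")
        # IKEv1 phase 1 negotiates a single auth method for both peers; only the
        # hybrid variants (one side xauth) are asymmetric. leftauth/rightauth
        # default to pubkey when unset.
        left, right = c.get("leftauth", "pubkey"), c.get("rightauth", "pubkey")
        if "xauth" not in (left, right) and left != right:
            problems.append(
                f"leftauth={left} vs rightauth={right}: IKEv1 phase 1 needs the "
                "same method on both sides unless one side is xauth (hybrid)")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for conn, problems in check_aggressive_mode(parse_ipsec_conf(SAMPLE_CONF)).items():
        for p in problems:
            print(f"conn {conn}: {p}")
```

Run against the constructed copy of the posted conn, the lint reports only the missing `aggressive=yes`; appending that one line to the conn makes it pass, while an `leftauth=pubkey`/`rightauth=psk` pair is flagged and a `leftauth=pubkey`/`rightauth=xauth` hybrid conn is accepted.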