[strongSwan] auth fails with "no peer config found...cisco-vpn-client to strongswan-v5.0.4-server (with cisco unity plugin enabled)

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Sun Nov 30 10:23:46 CET 2014


Hi

Yes!!! That was a stupid mistake on my part. Thanks for the pointer. I
configured as below (ipsec.conf and ipsec.secrets) to make it work
correctly (as far as the IKE tunnel coming up without any issues; the
quick mode tunnel is another issue which I will post separately for your
kind help)
==============================================
ipsec.secrets on the server

#/etc/ipsec.secrets - strongSwan IPsec secrets file
#: PSK "123456789"
@vpnsrv1.svt.com clientgrp1 : PSK "123456789"
#@vpnsrv1.svt.com @remotclient.svt.com : PSK "123456"
@vpnsrv2.svt.com @genclient.svt.com : PSK "123456"
user1 : XAUTH "config1234"
user2 : XAUTH "config1234"
user3 : XAUTH "config1234"
testuser1 : XAUTH "4iChxLT3"
testuser2 : XAUTH "ryftzG4A"

------------------------------------
ipsec.conf on the server
--------------------------------
#/etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    strictcrlpolicy=no
    charondebug="ike 3, knl 3, cfg 3"

conn %default
    ikelifetime=8h
    keylife=3h
    rekeymargin=9m
    keyingtries=1
    mobike=no
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=clear

conn ezvpnclient1
    aggressive=yes
    left=10.232.90.116
    leftsubnet=192.168.2.0/24,172.16.0.0/16
    leftid=@vpnsrv1.svt.com
    leftauth=psk
    modeconfig=push
    right=%any
    rightsourceip=192.168.219.0/24
    rightauth=psk
    rightauth2=xauth
    keyexchange=ikev1
    ike=aes256-sha1-modp1024
    esp=aes128-sha1
    auto=add

conn otherclients1
    left=10.232.90.116
    leftsubnet=0.0.0.0/0
    leftid=@vpnsrv2.svt.com
    leftauth=psk
    modeconfig=push
    right=%any
    rightsourceip=192.168.220.0/24
    rightauth=psk
    rightauth2=xauth
    keyexchange=ikev1
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    auto=add

- all other configs hold true as mentioned in my previous post

============================================

The addition of "leftid=@vpnsrv1.svt.com" and the mention of "clientgrp1"
without the @ prefix solved the "no peer config found" error when used with
Cisco clients (using group-id authentication info).

>>Please note that Aggressive Mode PSK authentication is discouraged
>>because of its security issues

Yes, I agree with you completely that aggressive mode is not to be used if
it can be helped. But I have to deploy a setup with a strongSwan VPN server
(on Ubuntu/Fedora, whichever works effectively) for a number of VPN
clients to connect to at the corp office. These clients are spread across
Cisco VPN Client v5.x, Cisco AnyConnect IPsec VPN Client, ShrewSoft VPN
clients, some GreenBow clients and some branches with Cisco branch routers
running EzVPN Remote Client. Now a major part of these clients use
aggressive mode with PSK and XAuth. So I am kind of stuck with no options in
the short term to migrate to main-mode-only access.

thanks for your time and help

regards
rajiv


On Wed, Nov 19, 2014 at 3:11 PM, Martin Willi <martin at strongswan.org> wrote:

> Hi,
>
> > Nothing seems to be working with PSK (if i use RSA certificates for first
> > level auth ...then everything works as expected)
>
> > 13[NET] received packet: from 172.29.1.2[1293] to 1.1.1.30[500] (870
> bytes)
> > 13[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
> > 13[IKE] received XAuth vendor ID
> > 13[IKE] received DPD vendor ID
> > 13[IKE] received FRAGMENTATION vendor ID
> > 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> > 13[IKE] received Cisco Unity vendor ID
> > 13[IKE] 172.29.1.2 is initiating a Aggressive Mode IKE_SA
> > 13[CFG] looking for XAuthInitPSK peer configs matching
> 1.1.1.30...172.29.1.2[clientgrp1]
> > 13[IKE] no peer config found
>
> Your client uses Aggressive Mode when using PSK authentication. You'll
> have to configure that in your configuration as well, using
>
>   aggressive=yes.
>
> Please note that Aggressive Mode PSK authentication is discouraged
> because of its security issues, and is disabled by default in strongSwan
> as responder. You'll have to enable "weakSwan" mode by setting the
> i_dont_care_about_security_and_use_aggressive_mode_psk option, refer to
> [1] for details. You should do that only if you actually do not care
> about security, or if you really understand the implications.
>
> Regards
> Martin
>
> [1]https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
>
>
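The two problems discussed in this thread, a PSK secret whose selectors do not match the IDs the responder looks up (the "no peer config found" symptom) and Aggressive Mode PSK being enabled without the operator noticing, are both things a config audit can catch before the tunnel is ever tested. The script below is an added example, not code from strongSwan or from the original post. It parses a reduced ipsec.conf (with `conn %default` inheritance) and the PSK lines of an ipsec.secrets, then reports for each conn whether it relies on IKEv1 Aggressive Mode with PSK and whether a secret selects the configured `leftid`. The sample configuration embedded in it is constructed from the one in the post; the selector-matching rule it applies (a PSK line matches when both the local ID and the peer ID appear in its selector list, or when the line has no selectors at all) is a simplification of strongSwan's real lookup and is an assumption of this example.

```python
"""Audit a strongSwan ipsec.conf / ipsec.secrets pair for IKEv1 PSK setups.

Constructed example, not part of the strongSwan project. It models only the
handful of ipsec.conf / ipsec.secrets rules needed here; real strongSwan
parsing is richer (include directives, more ID syntaxes, other secret types).
"""
import re

# Constructed sample, reduced from the configuration quoted in the post.
SAMPLE_CONF = """\
config setup
    strictcrlpolicy=no

conn %default
    ikelifetime=8h
    keyexchange=ikev1

conn ezvpnclient1
    aggressive=yes
    leftid=@vpnsrv1.svt.com
    leftauth=psk
    right=%any
    rightauth=psk
    rightauth2=xauth

conn certclients
    leftid=@vpnsrv1.svt.com
    leftauth=pubkey
    rightauth=pubkey
"""

# Constructed sample secrets (values are placeholders, not real credentials).
SAMPLE_SECRETS = """\
@vpnsrv1.svt.com clientgrp1 : PSK "123456789"
user1 : XAUTH "config1234"
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header: 'conn NAME' / 'config setup'
            kind, _, name = line.partition(' ')
            current = (kind, name.strip())
            sections[current] = {}
        elif current is not None:            # indented 'key=value' belongs to current section
            key, _, value = line.strip().partition('=')
            sections[current][key.strip()] = value.strip()
    defaults = sections.get(('conn', '%default'), {})
    conns = {}
    for (kind, name), opts in sections.items():
        if kind == 'conn' and name != '%default':
            merged = dict(defaults)          # %default values are overridden per conn
            merged.update(opts)
            conns[name] = merged
    return conns


def parse_psk_secrets(text):
    """Return a list of (selectors, secret) for every PSK line in ipsec.secrets."""
    out = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = re.match(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"\s*$', line)
        if m:
            out.append((m.group(1).split(), m.group(2)))
    return out


def psk_for_pair(psks, local_id, peer_id):
    """Simplified selector match (assumption of this example): a line matches when it
    lists both IDs verbatim, or when it has no selectors at all. '@clientgrp1' and
    'clientgrp1' are different IDs, which is the mismatch the post ran into."""
    for selectors, secret in psks:
        if not selectors or (local_id in selectors and peer_id in selectors):
            return secret
    return None


def audit(conf_text, secrets_text):
    """Return {conn_name: [finding, ...]}; an empty list means nothing to report."""
    conns = parse_ipsec_conf(conf_text)
    psks = parse_psk_secrets(secrets_text)
    findings = {}
    for name, o in conns.items():
        notes = []
        uses_psk = 'psk' in (o.get('leftauth', ''), o.get('rightauth', '')) \
            or o.get('authby') == 'secret'
        # keyexchange=ike (the default) still accepts IKEv1 as responder, so treat it as IKEv1-capable
        ikev1 = o.get('keyexchange', 'ike') in ('ike', 'ikev1')
        if ikev1 and uses_psk and o.get('aggressive') == 'yes':
            notes.append('Aggressive Mode PSK: disabled by default as responder; requires '
                         'charon.i_dont_care_about_security_and_use_aggressive_mode_psk')
        if uses_psk:
            leftid = o.get('leftid')
            if not leftid or not any(leftid in sel for sel, _ in psks):
                notes.append('no PSK line in ipsec.secrets selects leftid %r' % leftid)
        findings[name] = notes
    return findings


if __name__ == '__main__':
    for conn, notes in audit(SAMPLE_CONF, SAMPLE_SECRETS).items():
        print(conn, '->', notes or 'ok')
```

Run it as-is to see the constructed sample audited; point `audit()` at the contents of a real `/etc/ipsec.conf` and `/etc/ipsec.secrets` to check a deployment. The `psk_for_pair` check mirrors the lookup in Martin's log line (`1.1.1.30...172.29.1.2[clientgrp1]`): the responder needs a secret selected by its own ID and by exactly the ID the client sends, so a selector written as `@clientgrp1` would not serve a client identifying as `clientgrp1`.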