[strongSwan] vpn clients (cisco/shrewsoft and other cisco unity clients) connectivity issues with Strongswan-v5.2.1

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Sun Nov 30 11:26:34 CET 2014

Some history on what I am trying to do:

I have to deploy a setup with a Strongswan_VPN_Server (v5.2.1 on
Ubuntu/Fedora, whichever works effectively) for a number of VPN clients to
connect to at the corp office. These clients are spread across
Cisco-VPN-Client-v5.x (legacy), Cisco_AnyConnect_Ipsec_VPN Client,
ShrewSoft_VPN Clients, some GreenBow Clients (legacy, using v4.6x) and
some branches with Cisco_BranchRouters running EzVPN_Remote_Client (you know,
the RV2xx/3xx series, which also have openswan for the ipsec I guess). Now a
major part of these clients use aggressive mode with PSK and XAuth.

Now the issue I am facing:

My configs are as attached (presently used on v5.2.1; there was some change
in v5.0.4 with respect to the strongswan.conf usage, which has changed for
the good in v5.2.1).

Now I started with strongswan-v5.0.4 and a cisco-v5.0-vpnclient and a
shrewsoft-2.2-professional-edition client. I had enabled the Cisco Unity
plugin too.

I could very quickly see that some of the issues with Cisco Unity
extensions (and/or the access from the specific VPN clients used) were
fixed in v5.1.2 onwards (issue no. 445, etc.).

Therefore I moved to v5.1.2 to validate and I found that I could not
connect either with Cisco or ShrewSoft clients on strongswan-v5.1.2, using
the same configs. Both the clients were getting disconnected abruptly in
phase 1 itself. I think I have some of those logs (with the v5.1.2
strongswan server) and I will attach them if I can come across them; too
many logs to manage presently, especially when things don't seem to be
working as expected. :-)

Anyways, finally I moved to v5.2.1 and the present issue is as below:

1. Quick mode is failing when I use ShrewSoft VPN clients (and the server
is configured with Cisco Unity extensions in the attr.conf file).
- One observation from the logs is that once a virtual IP is assigned (say
x.1) to the client, subsequently there is once more a virtual IP
assignment done, but the quick mode negotiation is tried with the
selectors mentioning the second IP, whereas the client seems to be still
configured with the first address assigned, something like that; hence
it is failing.

2. Although the cisco-v5.x-vpn client establishes the tunnel successfully
(both phase 1 and phase 2), it starts sending DPD keepalives just 10 seconds
after the tunnels are up and the strongswan VPN server unfortunately is
refusing to send the DPD acks; thus after some timeout period the Cisco
client disconnects the tunnel. I am unable to solve this issue with the Cisco
client. One crude method which seems to work is that I immediately start
sending some traffic from the host behind the server to the client IP
(virtual-ip-addr) and also from the client to the host behind the server.
This is preventing the tunnel from going down due to DPD. But I have other
issues with the backup-server IPs not getting recognized or accepted, and
the split-dns options not working as expected (the DNS queries to the
split-dns domains do not get forwarded through the tunnel at all to the DNS
server behind the VPN server).

3. Tried for completeness with the GreenBow (v4.65) client using another conn
entry in the ipsec.conf (as this client does not understand the Cisco Unity
extensions, except for DNS and WINS IP addresses). Here I need to try twice
(by tapping on open-tunnel) to establish a tunnel (the quick mode
one), although initially there are some error messages with wrong-id or
something like that. I have attached the logs (on the server side only).

4. I have observed some issues with the Cisco Unity attributes when we
mention them in attr.conf on the server:

- The backup-server IPs mentioned using the attribute "28681" do not seem
to be recognized by any of the clients (Cisco or ShrewSoft), although they are
correctly interpreted and loaded as such by the VPN server when we start
ipsec on the server (I am generally using for now the command "ipsec start").

- Unable to verify whether the split-dns options are working as expected,
because only the Cisco client is able to establish a semblance of a
successful tunnel and it is not forwarding the queries to the internal DNS
servers through the established VPN tunnel. ShrewSoft is not coming up due to
quick mode failures.

- Are the below list of Unity attributes (with their numbers defined)
supported in attr.conf with the Cisco Unity plugin enabled? I need to use them
with the Cisco branch routers (running as Cisco EzVPN remote clients) and
also with the Cisco AnyConnect and ShrewSoft clients.

#define     UNITY_BANNER   28672
#define     UNITY_SAVE_PASSWD   28673
#define     UNITY_DEF_DOMAIN   28674
#define     UNITY_SPLITDNS_NAME   28675
#define     UNITY_SPLIT_INCLUDE   28676
#define     UNITY_NATT_PORT   28677
#define     UNITY_LOCAL_LAN   28678
#define     UNITY_PFS   28679
#define     UNITY_FW_TYPE   28680
#define     UNITY_BACKUP_SERVERS   28681
#define     UNITY_DDNS_HOSTNAME   28682

Kindly please help. Thank you in advance for your valuable time and
advice/suggestions on how to solve the issues I am facing.

With regards
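As an added example (not code from the post or from strongSwan): a small Python encoder/decoder for the IKEv1 mode-config attribute encoding (RFC 2408 data attributes) in which the Cisco Unity numbers listed above travel. Decoding the attribute list from a packet capture is a more reliable way to confirm whether a server actually sent UNITY_BACKUP_SERVERS or UNITY_SPLITDNS_NAME than inferring it from client behaviour. The sample reply and its values are constructed for this example.

```python
import struct

# Cisco Unity mode-config attribute numbers, as listed in the post
UNITY_ATTRS = {
    28672: "UNITY_BANNER",        28673: "UNITY_SAVE_PASSWD",
    28674: "UNITY_DEF_DOMAIN",    28675: "UNITY_SPLITDNS_NAME",
    28676: "UNITY_SPLIT_INCLUDE", 28677: "UNITY_NATT_PORT",
    28678: "UNITY_LOCAL_LAN",     28679: "UNITY_PFS",
    28680: "UNITY_FW_TYPE",       28681: "UNITY_BACKUP_SERVERS",
    28682: "UNITY_DDNS_HOSTNAME",
}

def encode_attr(atype, value):
    """Encode one ISAKMP data attribute (RFC 2408 section 3.3).
    An int value uses the short TV form (AF bit set, 2-byte value);
    bytes use the TLV form (AF bit clear, 2-byte length, then value)."""
    if isinstance(value, int):
        return struct.pack("!HH", 0x8000 | atype, value)
    return struct.pack("!HH", atype, len(value)) + value

def decode_attrs(data):
    """Walk a mode-config attribute list and return (name, value) pairs.
    TV values come back as int, TLV values as bytes. Unknown attribute
    numbers are reported as 'attr_<n>' so nothing the peer sent is
    silently dropped; a truncated list raises ValueError rather than
    reading past the end of the buffer."""
    out, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        tl, second = struct.unpack_from("!HH", data, off)
        atype = tl & 0x7FFF
        if tl & 0x8000:                       # TV form: 'second' is the value
            value, off = second, off + 4
        else:                                 # TLV form: 'second' is the length
            end = off + 4 + second
            if end > len(data):
                raise ValueError("attribute %d runs past buffer end" % atype)
            value, off = data[off + 4:end], end
        out.append((UNITY_ATTRS.get(atype, "attr_%d" % atype), value))
    return out

# Constructed sample reply (made-up values) carrying some of the attributes
# the post asks about, plus one number outside the list above.
SAMPLE_REPLY = (
    encode_attr(28674, b"corp.example")          # UNITY_DEF_DOMAIN
    + encode_attr(28681, b"10.0.0.2 10.0.0.3")   # UNITY_BACKUP_SERVERS
    + encode_attr(28679, 1)                      # UNITY_PFS, TV form
    + encode_attr(28683, b"\x01")                # not in the post's list
)
```

Running `decode_attrs(SAMPLE_REPLY)` lists each attribute by its Unity name; feeding it the attribute bytes of a captured mode-config payload shows exactly which attributes a server offered.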