[strongSwan] Incorrect Phase II for Cisco IOS Transport VPN
Miroslav Svoboda
goodmirek at goodmirek.cz
Mon Apr 20 02:34:22 CEST 2015
Hi John,
I think it is not possible to use transport mode with a local (left) address
from a private range, not routable over the internet, unless the peer is in the
same private network.
I suggest trying a change to "left=%any", "rightsubnet=0.0.0.0/0",
"leftsourceip=%config". You should not specify "leftsubnet"; it has the same
effect as "leftsubnet=%dynamic". Also delete "type=transport" or change it
to tunnel.
If that does not help, could you please increase the loglevel as described here
<https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration>
and provide the log?
The lines emphasized in bold below are especially important; they are produced
with the following settings in strongswan.d/charon-logging.conf:
enc = 1
job = 1
cfg = 2
ike = 4
mgr = 4
knl = 2
Also attach the output of the "ipsec statusall" command.
The log should look like this, even though this one is from a VPN server to
which roadwarriors are connecting:
2015-04-18 21:40:28 10[IKE] <roadwarrior|1> IKE_SA roadwarrior[1] state
change: CONNECTING => ESTABLISHED
2015-04-18 21:40:28 10[IKE] <roadwarrior|1> scheduling reauthentication in
9746s
2015-04-18 21:40:28 10[IKE] <roadwarrior|1> maximum IKE_SA lifetime 10286s
2015-04-18 21:40:28 10[IKE] <roadwarrior|1> sending end entity cert "C=CZ,
O=Aloha, CN=swan.aloha.com"
2015-04-18 21:40:28 10[IKE] <roadwarrior|1> peer requested virtual IP %any
2015-04-18 21:40:28 10[CFG] <roadwarrior|1> assigning new lease to 'C=CZ,
O=Aloha, CN=GoodBoy'
2015-04-18 21:40:28 10[IKE] <roadwarrior|1> assigning virtual IP
192.168.55.1 to peer 'C=CZ, O=Aloha, CN=GoodBoy'
2015-04-18 21:40:28 10[IKE] <roadwarrior|1> peer requested virtual IP %any6
2015-04-18 21:40:28 10[IKE] <roadwarrior|1> no virtual IP found for %any6
requested by 'C=CZ, O=Aloha, CN=GoodBoy'
2015-04-18 21:40:28 10[IKE] <roadwarrior|1> building INTERNAL_IP4_DNS
attribute
2015-04-18 21:40:28 10[IKE] <roadwarrior|1> building INTERNAL_IP4_DNS
attribute
*2015-04-18 21:40:28 10[CFG] <roadwarrior|1> looking for a child config for
0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0*
*2015-04-18 21:40:28 10[CFG] <roadwarrior|1> proposing traffic selectors
for us:*
*2015-04-18 21:40:28 10[CFG] <roadwarrior|1> 0.0.0.0/0*
*2015-04-18 21:40:28 10[CFG] <roadwarrior|1> proposing traffic selectors
for other:*
*2015-04-18 21:40:28 10[CFG] <roadwarrior|1> 192.168.55.1/32*
2015-04-18 21:40:28 10[CFG] <roadwarrior|1> candidate "roadwarrior" with
prio 10+2
2015-04-18 21:40:28 10[CFG] <roadwarrior|1> found matching child config
"roadwarrior" with prio 12
2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting proposal:
2015-04-18 21:40:28 10[CFG] <roadwarrior|1> no acceptable
ENCRYPTION_ALGORITHM found
2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting proposal:
2015-04-18 21:40:28 10[CFG] <roadwarrior|1> no acceptable
INTEGRITY_ALGORITHM found
2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting proposal:
2015-04-18 21:40:28 10[CFG] <roadwarrior|1> no acceptable
ENCRYPTION_ALGORITHM found
2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting proposal:
2015-04-18 21:40:28 10[CFG] <roadwarrior|1> proposal matches
2015-04-18 21:40:28 10[CFG] <roadwarrior|1> received proposals:
ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ
@
2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selected proposal:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
2015-04-18 21:40:28 10[KNL] <roadwarrior|1> got SPI cff90361
*2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting traffic selectors
for us:*
*2015-04-18 21:40:28 10[CFG] <roadwarrior|1> config: 0.0.0.0/0, received:
0.0.0.0/0 => match: 0.0.0.0/0*
*2015-04-18 21:40:28 10[CFG] <roadwarrior|1> config: 0.0.0.0/0, received:
::/0 => no match*
*2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting traffic selectors
for other:*
*2015-04-18 21:40:28 10[CFG] <roadwarrior|1> config: 192.168.55.1/32,
received: 0.0.0.0/0 => match: 192.168.55.1/32*
*2015-04-18 21:40:28 10[CFG] <roadwarrior|1> config: 192.168.55.1/32,
received: ::/0 => no match*
2015-04-18 21:40:28 10[KNL] <roadwarrior|1> adding SAD entry with SPI
cff90361 and reqid {1} (mark 0/0x00000000)
2015-04-18 21:40:28 10[KNL] <roadwarrior|1> using encryption algorithm
AES_CBC with key size 128
2015-04-18 21:40:28 10[KNL] <roadwarrior|1> using integrity algorithm
HMAC_SHA1_96 with key size 160
2015-04-18 21:40:28 10[KNL] <roadwarrior|1> using replay window of 32
packets
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> adding SAD entry with SPI
a2210fbc and reqid {1} (mark 0/0x00000000)
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using encryption algorithm
AES_CBC with key size 128
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using integrity algorithm
HMAC_SHA1_96 with key size 160
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using replay window of 32
packets
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> adding policy 0.0.0.0/0 ===
192.168.55.1/32 out (mark 0/0x00000000)
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> adding policy 192.168.55.1/32
=== 0.0.0.0/0 in (mark 0/0x00000000)
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> adding policy 192.168.55.1/32
=== 0.0.0.0/0 fwd (mark 0/0x00000000)
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting a local address in
traffic selector 0.0.0.0/0
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using host %any
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using 10.20.30.1 as nexthop to
reach 176.74.128.37/32
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> 10.20.30.40 is on interface eth0
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> installing route:
192.168.55.1/32 via 10.20.30.1 src %any dev eth0
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting iface index for eth0
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy 0.0.0.0/0 ===
192.168.55.1/32 out (mark 0/0x00000000) already exists, increasing refcount
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy 0.0.0.0/0 ===
192.168.55.1/32 out (mark 0/0x00000000)
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy 192.168.55.1/32 ===
0.0.0.0/0 in (mark 0/0x00000000) already exists, increasing refcount
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy 192.168.55.1/32
=== 0.0.0.0/0 in (mark 0/0x00000000)
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy 192.168.55.1/32 ===
0.0.0.0/0 fwd (mark 0/0x00000000) already exists, increasing refcount
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy 192.168.55.1/32
=== 0.0.0.0/0 fwd (mark 0/0x00000000)
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting a local address in
traffic selector 0.0.0.0/0
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using host %any
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using 10.20.30.1 as nexthop to
reach 176.74.128.37/32
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> 10.20.30.40 is on interface eth0
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> installing route:
192.168.55.1/32 via 10.20.30.1 src %any dev eth0
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting iface index for eth0
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy 0.0.0.0/0 ===
192.168.55.1/32 out (mark 0/0x00000000) already exists, increasing refcount
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy 0.0.0.0/0 ===
192.168.55.1/32 out (mark 0/0x00000000)
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy 192.168.55.1/32 ===
0.0.0.0/0 in (mark 0/0x00000000) already exists, increasing refcount
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy 192.168.55.1/32
=== 0.0.0.0/0 in (mark 0/0x00000000)
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy 192.168.55.1/32 ===
0.0.0.0/0 fwd (mark 0/0x00000000) already exists, increasing refcount
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy 192.168.55.1/32
=== 0.0.0.0/0 fwd (mark 0/0x00000000)
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting a local address in
traffic selector 0.0.0.0/0
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using host %any
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using 10.20.30.1 as nexthop to
reach 176.74.128.37/32
2015-04-18 21:40:29 10[KNL] <roadwarrior|1> 10.20.30.40 is on interface eth0
2015-04-18 21:40:29 10[IKE] <roadwarrior|1> CHILD_SA roadwarrior{1}
established with SPIs cff90361_i a2210fbc_o and TS 0.0.0.0/0 ===
192.168.55.1/32
2015-04-18 21:40:29 10[ENC] <roadwarrior|1> generating IKE_AUTH response 1
[ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
N(NO_ADD_ADDR) ]
2015-04-18 21:40:29 10[NET] <roadwarrior|1> sending packet: from
10.20.30.40[4500] to 176.74.128.37[37370] (1612 bytes)
2015-04-18 21:40:29 10[MGR] <roadwarrior|1> checkin IKE_SA roadwarrior[1]
2015-04-18 21:40:29 10[MGR] <roadwarrior|1> check-in of IKE_SA successful.
Regards,
Miroslav
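The reply above asks the poster to look at the CFG lines for traffic-selector proposal and selection and at the "no acceptable ... found" proposal lines. As an added example (not code from the thread or from the strongSwan project), here is a small Python parser that summarizes a charon log section produced with the logging settings above: which traffic selectors each side proposed, which were selected, which ESP algorithm proposals were rejected, and whether a CHILD_SA was established. The line layout it assumes (`date time thread[GROUP] <conn|id> message`) is taken from the log lines shown in this post; the sample input is the same log, joined back onto single lines, with the mailing-list `*` emphasis markers left in to show they are stripped. The "stalled" sample is a constructed truncation of that log, used only to show what the checker reports when negotiation never completes.

```python
"""Summarize CHILD_SA negotiation from strongSwan charon log lines (cfg=2, ike=4)."""
import re
from typing import Optional

# Assumed line layout, taken from the log in the post:
#   "<date> <time> <thread>[<GROUP>] <<conn>|<ike_sa_id>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$"
)
TS_MATCH_RE = re.compile(
    r"^config: (?P<cfg>\S+), received: (?P<rcv>\S+) => (?:match: (?P<match>\S+)|no match)$"
)
ESTABLISHED_RE = re.compile(
    r"^CHILD_SA (?P<name>\S+) established with SPIs (?P<spi_i>\S+) (?P<spi_o>\S+) and TS (?P<ts>.+)$"
)
PREFIX_RE = re.compile(r"^[0-9a-fA-F.:]+/\d+$")  # a bare traffic selector line


def parse_line(line: str) -> Optional[dict]:
    """Split one charon log line into its fields; mailing-list '*' emphasis is stripped."""
    m = LINE_RE.match(line.strip().strip("*").strip())
    return m.groupdict() if m else None


def summarize_child_sa(lines) -> dict:
    """Walk the log and record what was proposed, selected, rejected and established."""
    s = {"child_config_lookup": None, "proposed_us": [], "proposed_other": [],
         "selected_us": [], "selected_other": [], "unmatched": [],
         "rejected_proposals": [], "selected_proposal": None, "established_ts": None}
    section = None  # which TS list the following bare lines belong to
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg, group = rec["msg"].strip(), rec["group"]
        if group == "IKE":
            m = ESTABLISHED_RE.match(msg)
            if m:
                s["established_ts"] = m.group("ts")
            continue
        if group != "CFG":
            continue
        ts_m = TS_MATCH_RE.match(msg)
        if msg.startswith("looking for a child config for "):
            s["child_config_lookup"] = msg[len("looking for a child config for "):]
        elif msg == "proposing traffic selectors for us:":
            section = "proposed_us"
        elif msg == "proposing traffic selectors for other:":
            section = "proposed_other"
        elif msg == "selecting traffic selectors for us:":
            section = "selected_us"
        elif msg == "selecting traffic selectors for other:":
            section = "selected_other"
        elif ts_m and section in ("selected_us", "selected_other"):
            if ts_m.group("match"):
                s[section].append(ts_m.group("match"))
            else:  # received TS that matched nothing in config (e.g. ::/0 vs IPv4-only config)
                s["unmatched"].append((section, ts_m.group("cfg"), ts_m.group("rcv")))
        elif PREFIX_RE.match(msg) and section in ("proposed_us", "proposed_other"):
            s[section].append(msg)
        elif msg.startswith("no acceptable ") and msg.endswith(" found"):
            s["rejected_proposals"].append(msg[len("no acceptable "):-len(" found")])
        elif msg.startswith("selected proposal: "):
            s["selected_proposal"] = msg[len("selected proposal: "):]
            section = None
    return s


def check_negotiation(s: dict) -> list:
    """Human-readable findings; an empty list means the CHILD_SA negotiation completed."""
    findings = []
    if not s["established_ts"]:
        findings.append("no 'CHILD_SA ... established' line seen")
    for side in ("us", "other"):
        if s[f"proposed_{side}"] and not s[f"selected_{side}"]:
            findings.append(f"no traffic selector agreed for {side}; proposed {s['proposed_' + side]}")
    if s["rejected_proposals"] and not s["selected_proposal"]:
        findings.append("all ESP proposals rejected: " + ", ".join(sorted(set(s["rejected_proposals"]))))
    return findings


# Sample input: the log from the post, joined onto single lines (emphasis markers kept).
P = "2015-04-18 21:40:28 10[CFG] <roadwarrior|1> "
SAMPLE_OK = [
    "*" + P + "looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0*",
    "*" + P + "proposing traffic selectors for us:*", "*" + P + "0.0.0.0/0*",
    "*" + P + "proposing traffic selectors for other:*", "*" + P + "192.168.55.1/32*",
    P + 'candidate "roadwarrior" with prio 10+2',
    P + "selecting proposal:", P + "no acceptable ENCRYPTION_ALGORITHM found",
    P + "selecting proposal:", P + "no acceptable INTEGRITY_ALGORITHM found",
    P + "selecting proposal:", P + "no acceptable ENCRYPTION_ALGORITHM found",
    P + "selecting proposal:", P + "proposal matches",
    P + "selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ",
    "2015-04-18 21:40:28 10[KNL] <roadwarrior|1> got SPI cff90361",
    "*" + P + "selecting traffic selectors for us:*",
    "*" + P + "config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0*",
    "*" + P + "config: 0.0.0.0/0, received: ::/0 => no match*",
    "*" + P + "selecting traffic selectors for other:*",
    "*" + P + "config: 192.168.55.1/32, received: 0.0.0.0/0 => match: 192.168.55.1/32*",
    "*" + P + "config: 192.168.55.1/32, received: ::/0 => no match*",
    "2015-04-18 21:40:29 10[IKE] <roadwarrior|1> CHILD_SA roadwarrior{1} established "
    "with SPIs cff90361_i a2210fbc_o and TS 0.0.0.0/0 === 192.168.55.1/32",
]
# Constructed failure case: the same log cut off before any proposal matched.
SAMPLE_STALLED = SAMPLE_OK[:12]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("stalled", SAMPLE_STALLED)):
        print(name, summarize_child_sa(sample), check_negotiation(summarize_child_sa(sample)))
```

Feed it the relevant section of your own charon log (one log record per line, as charon writes it) and compare the "proposed"/"selected" traffic selectors with what the Cisco side expects; a difference between the two, or an empty "selected" list, is the first thing to look at when the peer reports that the proxy identities are not acceptable.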
On Saturday, April 18, 2015 at 2:57:02 PM UTC+2, John Marrett wrote:
>
> I'm trying to build a GRE tunnel / transport based IPsec VPN between a
> Cisco IOS router and a device running strongSwan on OpenWrt. I successfully
> negotiate phase 1 but then fail to negotiate phase 2.
>
> The Cisco device indicates proxy identities are not supported, which would
> suggest that the IPSec session is being negotiated with the wrong IP
> addresses. Here are the log messages from the Cisco device:
>
> .Apr 18 08:26:03.870: ISAKMP:(13414):Checking IPSec proposal 0
> .Apr 18 08:26:03.870: ISAKMP: transform 1, ESP_AES
> .Apr 18 08:26:03.870: ISAKMP: attributes in transform:
> .Apr 18 08:26:03.870: ISAKMP: key length is 128
> .Apr 18 08:26:03.870: ISAKMP: authenticator is HMAC-SHA512
> .Apr 18 08:26:03.870: ISAKMP: encaps is 2 (Transport)
> .Apr 18 08:26:03.870: ISAKMP: SA life type in seconds
> .Apr 18 08:26:03.870: ISAKMP: SA life duration (basic) of 3600
> .Apr 18 08:26:03.870: ISAKMP:(13414):atts are acceptable.
> .Apr 18 08:26:03.870: IPSEC(ipsec_process_proposal): proxy identities not
> supported
> .Apr 18 08:26:03.870: ISAKMP:(13414): IPSec policy invalidated proposal
> with error 32
> .Apr 18 08:26:03.870: ISAKMP:(13414): phase 2 SA policy not acceptable!
> (local x.x.x.x remote 10.2.0.29)
>
> And here is the configuration for strongswan. I had originally omitted the
> subnet definitions but I added them to ensure that the correct subnets were
> specified.
>
> conn host-host
>     left=10.2.0.29
>     leftid=10.2.0.29
>     leftsubnet=10.2.0.29/32
>     right=x.x.x.x
>     rightid=x.x.x.x
>     rightsubnet=x.x.x.x/32
>     type=transport
>     auto=start
>     keyexchange=ikev1
>     ike=aes128-sha256-modp4096!
>     esp=aes128-sha512!
>     authby=secret
>
> I am running strongSwan 5.2.2 on OpenWrt. The Cisco router is running a
> dev special release of 15.3(3)M3.2.
>
> Thank you in advance for your help,
>
> -JohnF
>