[strongSwan] Problem connecting to a Cisco Unity gateway

Bas van Dijk v.dijk.bas at gmail.com
Tue Feb 10 16:48:59 CET 2015


Hello,

Apologies in advance for the rather long message but I'm new to
strongSwan and want to include as much information as I think is
relevant to my problem.

I'm having some problems using strongSwan-5.2.2 to establish a
connection to a host on the subnet 10.180.0.0/16 which is behind the
gateway 213.163.70.4. The IP address of my machine is 192.168.42.162
and I'm using NAT to access the internet. My public IP address is:
83.161.66.130. I don't control the 213.163.70.4 gateway and I have
been told it uses the following settings:

Target address: 213.163.70.4
Source address: 83.161.66.130
IKE SA: Phase 1
Encryption: AES-128 with SHA-1
Diffie-hellman: Group 2
SA lifetime: 86400 seconds
IKE negotiation mode: Main (non aggressive)
Pre-shared key: XXXX (censored)
IPsec proposal: Phase 2
Encryption: AES-128 with SHA-1
IPsec type: ESP
IPsec tunnel lifetime: 3600 seconds

I set my ipsec.secrets (censored) to:
213.163.70.4 %any : PSK 0xXXXX

ipsec.conf:
conn data-display
  aggressive=no
  authby=secret
  auto=add
  esp=aes128-sha1
  fragmentation=yes
  ike=des-sha1-modp1024
  ikelifetime=24h
  keyexchange=ikev1
  left=%any
  leftfirewall=yes
  leftid=83.161.66.130
  lifetime=1h
  right=213.163.70.4
  rightsubnet=10.180.0.0/16

I noticed from the strongSwan logs that the gateway is a Cisco Unity
device so I configured strongSwan with --enable-unity. I'm not sure
that is required.

When I start strongSwan using "sudo systemctl start strongswan" I get
the following log (I'm using logging level 2):

http://pastebin.com/pC1WYegL

I'm a bit confused why I get the "no netkey IPsec stack detected"
warning since all required[1] kernel options are enabled (either built
in or as modules). In particular:

cat /proc/config.gz | gunzip | grep CONFIG_NET_KEY=
CONFIG_NET_KEY=m

Since it's a warning I ignore it for a moment and try to start up the
"data-display" connection using "sudo ipsec up data-display". I get
the following output:

initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (220 bytes)
received packet: from 213.163.70.4[500] to 192.168.42.162[500] (128 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (244 bytes)
received packet: from 213.163.70.4[500] to 192.168.42.162[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: c5:dd:ab:2d:d0:7e:27:16:a3:59:1d:ba:91:49:75:8d
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (84 bytes)
received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA data-display[1] established between
192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
scheduling reauthentication in 85593s
maximum IKE_SA lifetime 86133s
generating QUICK_MODE request 3299461263 [ HASH SA No ID ID ]
sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (204 bytes)
received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 1571124148 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 3331205321 [ HASH D ]
received DELETE for IKE_SA data-display[1]
deleting IKE_SA data-display[1] between
192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
establishing connection 'data-display' failed

The following is posted to syslog:

http://pastebin.com/1Vj1rXaq

So I can see that an IKE_SA is established between me and the gateway.
However, after that something goes wrong.

Can somebody explain what is going wrong and point me in the right direction?

Also note that I'm using NixOS running in VirtualBox. My virtual NIC
is bridged to my physical NIC.

Let me know if any more information is desired.

Cheers,

Bas

[1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
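The post above shows the two places a practitioner checks when an IKEv1 tunnel fails after Main Mode: how far the exchange got in the `ipsec up` output, and whether the `ike=`/`esp=` proposals in ipsec.conf agree with what the gateway operator stated. The script below is an added example, not part of Bas's post and not strongSwan's own tooling; `parse_ipsec_up`, `compare_proposal` and `diagnose` are names chosen here, `PHASE1_STATED`/`PHASE2_STATED` are the operator-stated settings from the post expressed as strongSwan proposal tokens, and the embedded log is an excerpt of the `ipsec up data-display` output quoted in the post. The proposal parser is deliberately minimal (first proposal only, `modp`/`ecp`/`curve` DH tokens) and is an assumption about the proposal syntax, not a complete strongSwan grammar.

```python
import re

# Settings the gateway operator stated for this tunnel (from the post above), written as
# strongSwan proposal fields: AES-128, SHA-1, Diffie-Hellman group 2 (modp1024). Assumed mapping.
PHASE1_STATED = {"enc": "aes128", "integ": "sha1", "dh": "modp1024"}
PHASE2_STATED = {"enc": "aes128", "integ": "sha1"}

# Excerpt of the 'ipsec up data-display' output quoted in the post (not a constructed log)
SAMPLE_LOG = """\
initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
received Cisco Unity vendor ID
received XAuth vendor ID
local host is behind NAT, sending keep alives
IKE_SA data-display[1] established between
192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
generating QUICK_MODE request 3299461263 [ HASH SA No ID ID ]
received NO_PROPOSAL_CHOSEN error notify
received DELETE for IKE_SA data-display[1]
establishing connection 'data-display' failed
"""


def parse_proposal(proposal):
    """Split one strongSwan proposal such as 'des-sha1-modp1024' into enc/integ/dh fields.
    Minimal parser (assumption): only the first comma-separated proposal is considered."""
    parts = proposal.split(",")[0].split("-")
    fields = {"enc": parts[0], "integ": parts[1] if len(parts) > 1 else None, "dh": None}
    for token in parts[2:]:
        if token.startswith(("modp", "ecp", "curve")):
            fields["dh"] = token
    return fields


def compare_proposal(configured, stated):
    """Return [(field, configured_value, stated_value), ...] for every field that differs."""
    got = parse_proposal(configured)
    return [(f, got.get(f), want) for f, want in stated.items() if got.get(f) != want]


def parse_ipsec_up(log):
    """Walk 'ipsec up <conn>' output and record how far the IKEv1 exchange got."""
    state = {"ike_sa_established": False, "quick_mode_sent": False, "behind_nat": False,
             "vendor_ids": [], "error_notify": None, "failed_conn": None}
    for line in log.splitlines():
        line = line.strip()
        if re.match(r"IKE_SA \S+ established between", line):
            state["ike_sa_established"] = True
        elif line.startswith("generating QUICK_MODE request"):
            state["quick_mode_sent"] = True
        elif line.startswith("local host is behind NAT"):
            state["behind_nat"] = True
        elif (m := re.match(r"received (.+?) vendor ID", line)):
            state["vendor_ids"].append(m.group(1))
        elif (m := re.match(r"received (\w+) error notify", line)):
            state["error_notify"] = m.group(1)
        elif (m := re.match(r"establishing connection '(.+)' failed", line)):
            state["failed_conn"] = m.group(1)
    # No IKE_SA at all means Phase 1 failed; an IKE_SA followed by a rejected
    # Quick Mode request means the failure is in Phase 2.
    if not state["ike_sa_established"]:
        state["failed_phase"] = 1
    elif state["quick_mode_sent"] and state["error_notify"]:
        state["failed_phase"] = 2
    else:
        state["failed_phase"] = None
    return state


def diagnose(log, ike, esp):
    """Combine the log walk with the proposal comparison and return readable findings."""
    st = parse_ipsec_up(log)
    findings = []
    if st["failed_phase"] == 2:
        findings.append("Phase 1 (Main Mode) completed; gateway rejected Quick Mode with %s"
                        % st["error_notify"])
    elif st["failed_phase"] == 1:
        findings.append("Phase 1 (Main Mode) did not complete")
    for field, got, want in compare_proposal(ike, PHASE1_STATED):
        findings.append("ike= %s is '%s' but the stated Phase 1 setting is '%s'" % (field, got, want))
    for field, got, want in compare_proposal(esp, PHASE2_STATED):
        findings.append("esp= %s is '%s' but the stated Phase 2 setting is '%s'" % (field, got, want))
    if st["behind_nat"]:
        findings.append("initiator detected behind NAT; NAT-T is in use")
    return findings


if __name__ == "__main__":
    # ike= and esp= values are the ones from the ipsec.conf in the post
    for finding in diagnose(SAMPLE_LOG, "des-sha1-modp1024", "aes128-sha1"):
        print("-", finding)
```

Run against the post's own values, the script reports that Main Mode completed and Quick Mode was rejected with NO_PROPOSAL_CHOSEN, that `esp=aes128-sha1` matches the stated Phase 2 settings, and that `ike=des-sha1-modp1024` differs from the stated AES-128 Phase 1 setting in its encryption field (the gateway accepted it anyway, so it is not the Quick Mode failure). Note that a NO_PROPOSAL_CHOSEN in Quick Mode can also come from the traffic selectors carried in the two ID payloads, not only from the transform, so the subnets on both sides are the next thing to compare once the algorithms agree.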
