[strongSwan] Problem connecting to a Cisco Unity gateway

Noel Kuntze noel at familie-kuntze.de
Fri Feb 13 19:17:58 CET 2015



Hello Bas,

That usually means that the two peers could not decide on a common cipher proposal.
It is likely that the CISCO peer has PFS disabled. The normal cipher proposal for phase two
on strongSwan is all PFS by default. Try this: esp=aes128-sha1! or esp=aes128-sha!
That will set the proposal for phase two to only propose AES-cbc-128 and SHA1 in combination
without PFS.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 13.02.2015 um 16:48 schrieb Bas van Dijk:
> I solved the "no netkey IPsec stack detected" errors. It turned out
> that the NixOS strongSwan configuration used a modprobe which couldn't
> find the right kernel modules. I fixed that and now it starts up
> without that error. See the log at: http://pastebin.com/ufutkmdC
>
> However, my original problem remains. With the following ipsec.conf:
>
> conn data-display
>   aggressive=no
>   auto=add
>   fragmentation=yes
>   ike=des-sha1-modp1024
>   ikelifetime=24h
>   keyexchange=ikev1
>   left=%any
>   leftauth=psk
>   leftfirewall=yes
>   leftid=83.161.66.130
>   lifetime=1h
>   right=213.163.70.4
>   rightauth=psk
>   rightsubnet=10.180.0.0/16
>
> I get the following error:
>
> $ sudo ipsec up data-display
> initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
> generating ID_PROT request 0 [ SA V V V V V ]
> sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (220 bytes)
> received packet: from 213.163.70.4[500] to 192.168.42.178[500] (128 bytes)
> parsed ID_PROT response 0 [ SA V V ]
> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> received FRAGMENTATION vendor ID
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (244 bytes)
> received packet: from 213.163.70.4[500] to 192.168.42.178[500] (304 bytes)
> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> received Cisco Unity vendor ID
> received XAuth vendor ID
> received unknown vendor ID: 4a:1c:a1:c6:1d:26:60:b5:3f:0b:02:29:da:eb:0e:5a
> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> local host is behind NAT, sending keep alives
> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (84 bytes)
> received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
> parsed ID_PROT response 0 [ ID HASH V ]
> received DPD vendor ID
> IKE_SA data-display[1] established between
> 192.168.42.178[83.161.66.130]...213.163.70.4[213.163.70.4]
> scheduling reauthentication in 85668s
> maximum IKE_SA lifetime 86208s
> generating QUICK_MODE request 384749459 [ HASH SA No ID ID ]
> sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (228 bytes)
> received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
> parsed INFORMATIONAL_V1 request 1953095225 [ HASH N(NO_PROP) ]
> received NO_PROPOSAL_CHOSEN error notify
> establishing connection 'data-display' failed
>
> What does NO_PROPOSAL_CHOSEN mean?
>
> Thanks,
>
> Bas
>
> On 10 February 2015 at 16:48, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
>> Hello,
>>
>> Apologies in advance for the rather long message but I'm new to
>> strongSwan and want to include as much information as I think is
>> relevant to my problem.
>>
>> I'm having some problems using strongSwan-5.2.2 to establish a
>> connection to a host on the subnet 10.180.0.0/16 which is behind the
>> gateway 213.163.70.4. The IP address of my machine is 192.168.42.162
>> and I'm using NAT to access the internet. My public IP address is:
>> 83.161.66.130. I don't control the 213.163.70.4 gateway and I have
>> been told it uses the following settings:
>>
>> Target address: 213.163.70.4
>> Source address: 83.161.66.130
>> IKE SA: Phase 1
>> Encryption: AES-128 with SHA-1
>> Diffie-hellman: Group 2
>> SA lifetime: 86400 seconds
>> IKE negotiation mode: Main (non aggressive)
>> Pre-shared key: XXXX (censored)
>> IPsec proposal: Phase 2
>> Encryption: AES-128 with SHA-1
>> IPsec type: ESP
>> IPsec tunnel lifetime: 3600 seconds
>>
>> I set my ipsec.secrets (censored) to:
>> 213.163.70.4 %any : PSK 0xXXXX
>>
>> ipsec.conf:
>> conn data-display
>>   aggressive=no
>>   authby=secret
>>   auto=add
>>   esp=aes128-sha1
>>   fragmentation=yes
>>   ike=des-sha1-modp1024
>>   ikelifetime=24h
>>   keyexchange=ikev1
>>   left=%any
>>   leftfirewall=yes
>>   leftid=83.161.66.130
>>   lifetime=1h
>>   right=213.163.70.4
>>   rightsubnet=10.180.0.0/16
>>
>> I noticed from the strongSwan logs that the gateway is a Cisco Unity
>> device so I configured strongSwan with --enable-unity. I'm not sure
>> that is required.
>>
>> When I start strongSwan using "sudo systemctl start strongswan" I get
>> the following log (I'm using logging level 2):
>>
>> http://pastebin.com/pC1WYegL
>>
>> I'm a bit confused why I get the "no netkey IPsec stack detected"
>> warning since all required[1] kernel options are enabled (either built
>> in or as modules). In particular:
>>
>> cat /proc/config.gz | gunzip | grep CONFIG_NET_KEY=
>> CONFIG_NET_KEY=m
>>
>> Since it's a warning I ignore it for a moment and try to start up the
>> "data-display" connection using "sudo ipsec up data-display". I get
>> the following output:
>>
>> initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
>> generating ID_PROT request 0 [ SA V V V V V ]
>> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (220 bytes)
>> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (128 bytes)
>> parsed ID_PROT response 0 [ SA V V ]
>> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> received FRAGMENTATION vendor ID
>> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (244 bytes)
>> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (304 bytes)
>> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
>> received Cisco Unity vendor ID
>> received XAuth vendor ID
>> received unknown vendor ID: c5:dd:ab:2d:d0:7e:27:16:a3:59:1d:ba:91:49:75:8d
>> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
>> local host is behind NAT, sending keep alives
>> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
>> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (84 bytes)
>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>> parsed ID_PROT response 0 [ ID HASH V ]
>> received DPD vendor ID
>> IKE_SA data-display[1] established between
>> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
>> scheduling reauthentication in 85593s
>> maximum IKE_SA lifetime 86133s
>> generating QUICK_MODE request 3299461263 [ HASH SA No ID ID ]
>> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (204 bytes)
>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>> parsed INFORMATIONAL_V1 request 1571124148 [ HASH N(NO_PROP) ]
>> received NO_PROPOSAL_CHOSEN error notify
>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>> parsed INFORMATIONAL_V1 request 3331205321 [ HASH D ]
>> received DELETE for IKE_SA data-display[1]
>> deleting IKE_SA data-display[1] between
>> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
>> establishing connection 'data-display' failed
>>
>> The following is posted to syslog:
>>
>> http://pastebin.com/1Vj1rXaq
>>
>> So I can see that an IKE_SA is established between me and the gateway.
>> However, after that something goes wrong.
>>
>> Can somebody explain what is going wrong and point me in the right direction?
>>
>> Also note that I'm using NixOS running in VirtualBox. My virtual NIC
>> is bridged to my physical NIC.
>>
>> Let me know if any more information is desired.
>>
>> Cheers,
>>
>> Bas
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

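Added example, not part of this thread and not strongSwan's own code: a small Python model of strongSwan-style `ike=`/`esp=` proposal strings and of the phase-2 selection that Noel describes. It parses the `aes128-sha1-modp1024` / `aes128-sha1!` grammar (comma-separated proposals, dash-separated algorithms, trailing `!` for strict mode), lets a responder pick the first offered proposal it accepts, and returns `None` where the initiator would log NO_PROPOSAL_CHOSEN. Assumptions are labelled in the code: selection is simplified to an exact match on cipher, integrity and DH group; the responder's accept list (`aes128-sha1`, no DH group, i.e. no PFS) is constructed from Bas's description of the gateway's phase-2 settings; the `initiator_defaults` argument stands in for whatever proposals your build appends when `!` is absent; and the `WEAK` set is a constructed audit policy, which also flags the single-DES and 1024-bit MODP group in the quoted `ike=` line.

```python
"""Model strongSwan-style proposal strings and phase-2 proposal selection
to show why one side insisting on PFS ends in NO_PROPOSAL_CHOSEN.
Added example; not code from the strongSwan project or the mailing list."""
import re

ENCRYPTION = {"null", "des", "3des", "aes128", "aes192", "aes256"}
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512"}
ALIASES = {"sha": "sha1"}          # strongSwan accepts 'sha' for sha1
DH_GROUP = re.compile(r"(modp|ecp)\d+$")

# Constructed audit policy: algorithms a defender should refuse to offer.
WEAK = {"null", "des", "md5", "modp768", "modp1024"}


def parse_proposals(spec):
    """Parse 'aes128-sha1-modp1024,aes256-sha256!' into
    ([{"enc": ..., "integ": ..., "dh": ...}, ...], strict).
    dh is None when a proposal carries no DH group, i.e. no PFS."""
    strict = spec.endswith("!")
    if strict:
        spec = spec[:-1]
    proposals = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        prop = {"enc": None, "integ": None, "dh": None}
        for tok in item.split("-"):
            tok = ALIASES.get(tok, tok)
            if tok in ENCRYPTION:
                prop["enc"] = tok
            elif tok in INTEGRITY:
                prop["integ"] = tok
            elif DH_GROUP.match(tok):
                prop["dh"] = tok
            else:
                raise ValueError(f"unknown algorithm token {tok!r} in {item!r}")
        if prop["enc"] is None or prop["integ"] is None:
            raise ValueError(f"incomplete proposal {item!r}")
        proposals.append(prop)
    return proposals, strict


def negotiate(initiator_spec, responder_spec, initiator_defaults=""):
    """Return the proposal the responder picks, or None (what the initiator
    sees as NO_PROPOSAL_CHOSEN). Simplification: a proposal is accepted only
    on an exact match of cipher, integrity and DH group. Without a trailing
    '!' strongSwan appends its default proposals; initiator_defaults is a
    constructed stand-in for that list (pass what your build really uses)."""
    offered, strict = parse_proposals(initiator_spec)
    if not strict and initiator_defaults:
        offered += parse_proposals(initiator_defaults)[0]
    accepted, _ = parse_proposals(responder_spec)
    for prop in offered:           # initiator preference order
        if prop in accepted:       # dict equality: enc, integ and dh all equal
            return prop
    return None


def audit(spec):
    """Return the sorted list of weak algorithms a proposal string offers."""
    proposals, _ = parse_proposals(spec)
    found = set()
    for prop in proposals:
        found.update(v for v in prop.values() if v in WEAK)
    return sorted(found)


if __name__ == "__main__":
    # Constructed responder: the gateway side accepts AES-128/SHA-1 with no
    # DH group in phase 2 (no PFS), as described in the thread.
    cisco = "aes128-sha1"
    print(negotiate("aes128-sha1-modp1024!", cisco))   # None -> NO_PROPOSAL_CHOSEN
    print(negotiate("aes128-sha1!", cisco))            # {'enc': 'aes128', 'integ': 'sha1', 'dh': None}
    print(audit("des-sha1-modp1024"))                  # ['des', 'modp1024']
```

Run it as a script to see the PFS mismatch fail and the strict `aes128-sha1!` proposal succeed; `audit()` is the check to run over your own `ike=`/`esp=` lines before copying a working-but-weak proposal into production.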