[strongSwan] Problem connecting to a Cisco Unity gateway

Bas van Dijk v.dijk.bas at gmail.com
Fri Feb 13 21:17:23 CET 2015


Hi Noel,

Thanks for your reply.

I did already try esp=aes128-sha1! which didn't help. I will try
esp=aes128-sha! when I'm back at the office.

Cheers,

Bas

On 13 February 2015 at 19:17, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Bas,
>
> That usually means that the two peers could not decide on a common cipher proposal.
> It is likely that the CISCO peer has PFS disabled. The normal cipher proposal for phase two
> on strongSwan is all PFS by default. Try this: esp=aes128-sha1! or esp=aes128-sha!
> That will set the proposal for phase two to only propose AES-cbc-128 and SHA1 in combination
> without PFS.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 13.02.2015 um 16:48 schrieb Bas van Dijk:
>> I solved the "no netkey IPsec stack detected" errors. It turned out
>> that the NixOS strongSwan configuration used a modprobe which couldn't
>> find the right kernel modules. I fixed that and now it starts up
>> without that error. See the log at: http://pastebin.com/ufutkmdC
>>
>> However, my original problem remains. With the following ipsec.conf:
>>
>> conn data-display
>>   aggressive=no
>>   auto=add
>>   fragmentation=yes
>>   ike=des-sha1-modp1024
>>   ikelifetime=24h
>>   keyexchange=ikev1
>>   left=%any
>>   leftauth=psk
>>   leftfirewall=yes
>>   leftid=83.161.66.130
>>   lifetime=1h
>>   right=213.163.70.4
>>   rightauth=psk
>>   rightsubnet=10.180.0.0/16
>>
>> I get the following error:
>>
>> $ sudo ipsec up data-display
>> initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
>> generating ID_PROT request 0 [ SA V V V V V ]
>> sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (220 bytes)
>> received packet: from 213.163.70.4[500] to 192.168.42.178[500] (128 bytes)
>> parsed ID_PROT response 0 [ SA V V ]
>> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> received FRAGMENTATION vendor ID
>> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (244 bytes)
>> received packet: from 213.163.70.4[500] to 192.168.42.178[500] (304 bytes)
>> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
>> received Cisco Unity vendor ID
>> received XAuth vendor ID
>> received unknown vendor ID: 4a:1c:a1:c6:1d:26:60:b5:3f:0b:02:29:da:eb:0e:5a
>> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
>> local host is behind NAT, sending keep alives
>> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
>> sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (84 bytes)
>> received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
>> parsed ID_PROT response 0 [ ID HASH V ]
>> received DPD vendor ID
>> IKE_SA data-display[1] established between
>> 192.168.42.178[83.161.66.130]...213.163.70.4[213.163.70.4]
>> scheduling reauthentication in 85668s
>> maximum IKE_SA lifetime 86208s
>> generating QUICK_MODE request 384749459 [ HASH SA No ID ID ]
>> sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (228 bytes)
>> received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
>> parsed INFORMATIONAL_V1 request 1953095225 [ HASH N(NO_PROP) ]
>> received NO_PROPOSAL_CHOSEN error notify
>> establishing connection 'data-display' failed
>>
>> What does NO_PROPOSAL_CHOSEN mean?
>>
>> Thanks,
>>
>> Bas
>>
>> On 10 February 2015 at 16:48, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
>>> Hello,
>>>
>>> Apologies in advance for the rather long message but I'm new to
>>> strongSwan and want to include as much information as I think is
>>> relevant to my problem.
>>>
>>> I'm having some problems using strongSwan-5.2.2 to establish a
>>> connection to a host on the subnet 10.180.0.0/16 which is behind the
>>> gateway 213.163.70.4. The IP address of my machine is 192.168.42.162
>>> and I'm using NAT to access the internet. My public IP address is:
>>> 83.161.66.130. I don't control the 213.163.70.4 gateway and I have
>>> been told it uses the following settings:
>>>
>>> Target address: 213.163.70.4
>>> Source address: 83.161.66.130
>>> IKE SA: Phase 1
>>> Encryption: AES-128 with SHA-1
>>> Diffie-hellman: Group 2
>>> SA lifetime: 86400 seconds
>>> IKE negotiation mode: Main (non aggressive)
>>> Pre-shared key: XXXX (censored)
>>> IPsec proposal: Phase 2
>>> Encryption: AES-128 with SHA-1
>>> IPsec type: ESP
>>> IPsec tunnel lifetime: 3600 seconds
>>>
>>> I set my ipsec.secrets (censored) to:
>>> 213.163.70.4 %any : PSK 0xXXXX
>>>
>>> ipsec.conf:
>>> conn data-display
>>>   aggressive=no
>>>   authby=secret
>>>   auto=add
>>>   esp=aes128-sha1
>>>   fragmentation=yes
>>>   ike=des-sha1-modp1024
>>>   ikelifetime=24h
>>>   keyexchange=ikev1
>>>   left=%any
>>>   leftfirewall=yes
>>>   leftid=83.161.66.130
>>>   lifetime=1h
>>>   right=213.163.70.4
>>>   rightsubnet=10.180.0.0/16
>>>
>>> I noticed from the strongSwan logs that the gateway is a Cisco Unity
>>> device so I configured strongSwan with --enable-unity. I'm not sure
>>> that is required.
>>>
>>> When I start strongSwan using "sudo systemctl start strongswan" I get
>>> the following log (I'm using logging level 2):
>>>
>>> http://pastebin.com/pC1WYegL
>>>
>>> I'm a bit confused why I get the "no netkey IPsec stack detected"
>>> warning since all required[1] kernel options are enabled (either built
>>> in or as modules). In particular:
>>>
>>> cat /proc/config.gz | gunzip | grep CONFIG_NET_KEY=
>>> CONFIG_NET_KEY=m
>>>
>>> Since it's a warning I ignore it for a moment and try to start up the
>>> "data-display" connection using "sudo ipsec up data-display". I get
>>> the following output:
>>>
>>> initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
>>> generating ID_PROT request 0 [ SA V V V V V ]
>>> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (220 bytes)
>>> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (128 bytes)
>>> parsed ID_PROT response 0 [ SA V V ]
>>> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>> received FRAGMENTATION vendor ID
>>> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
>>> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (244 bytes)
>>> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (304 bytes)
>>> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
>>> received Cisco Unity vendor ID
>>> received XAuth vendor ID
>>> received unknown vendor ID: c5:dd:ab:2d:d0:7e:27:16:a3:59:1d:ba:91:49:75:8d
>>> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
>>> local host is behind NAT, sending keep alives
>>> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
>>> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (84 bytes)
>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>>> parsed ID_PROT response 0 [ ID HASH V ]
>>> received DPD vendor ID
>>> IKE_SA data-display[1] established between
>>> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
>>> scheduling reauthentication in 85593s
>>> maximum IKE_SA lifetime 86133s
>>> generating QUICK_MODE request 3299461263 [ HASH SA No ID ID ]
>>> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (204 bytes)
>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>>> parsed INFORMATIONAL_V1 request 1571124148 [ HASH N(NO_PROP) ]
>>> received NO_PROPOSAL_CHOSEN error notify
>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>>> parsed INFORMATIONAL_V1 request 3331205321 [ HASH D ]
>>> received DELETE for IKE_SA data-display[1]
>>> deleting IKE_SA data-display[1] between
>>> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
>>> establishing connection 'data-display' failed
>>>
>>> The following is posted to syslog:
>>>
>>> http://pastebin.com/1Vj1rXaq
>>>
>>> So I can see that an IKE_SA is established between me and the gateway.
>>> However, after that something goes wrong.
>>>
>>> Can somebody explain what is going wrong and point me in the right direction?
>>>
>>> Also note that I'm using NixOS running in VirtualBox. My virtual NIC
>>> is bridged to my physical NIC.
>>>
>>> Let me know if any more information is desired.
>>>
>>> Cheers,
>>>
>>> Bas
>>>
>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
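As an added example (not code from the thread or from strongSwan), the following Python helper does the two things Noel's diagnosis implies: it checks whether NO_PROPOSAL_CHOSEN arrived after the IKE_SA was already established, which points at the phase 2 (ESP) proposal rather than phase 1, and it turns the gateway operator's stated parameters into strict `ike=`/`esp=` lines, with a DH group appended to `esp=` only when the peer uses PFS. The abridged log is constructed from the shape of the `ipsec up` output quoted above, and the algorithm and DH-group name tables are an assumed subset.

```python
"""Added helpers: locate the NO_PROPOSAL_CHOSEN phase in `ipsec up` output
and derive strict strongSwan ike=/esp= lines from a gateway's stated settings."""
import re

# Constructed sample, abridged from the shape of the `ipsec up` output in the thread.
SAMPLE_LOG = """\
initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
generating ID_PROT request 0 [ SA V V V V V ]
parsed ID_PROT response 0 [ SA V V ]
IKE_SA data-display[1] established between 192.168.42.178[83.161.66.130]...213.163.70.4[213.163.70.4]
generating QUICK_MODE request 384749459 [ HASH SA No ID ID ]
parsed INFORMATIONAL_V1 request 1953095225 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'data-display' failed
"""

def classify_no_proposal(log):
    """Return 'phase1', 'phase2' or None (no NO_PROPOSAL_CHOSEN in the log)."""
    ike_up = False         # an IKE_SA (phase 1) was established
    in_quick_mode = False  # the last request we sent was a Quick Mode (phase 2) exchange
    for line in log.splitlines():
        if re.search(r"IKE_SA \S+ established", line):
            ike_up = True
        elif line.startswith("generating QUICK_MODE request"):
            in_quick_mode = True
        elif line.startswith("generating ID_PROT request"):
            in_quick_mode = False
        elif "NO_PROPOSAL_CHOSEN" in line or "N(NO_PROP)" in line:
            # Rejected after phase 1 completed and during Quick Mode: the ESP proposal is the mismatch.
            return "phase2" if ike_up and in_quick_mode else "phase1"
    return None

# Small name tables (assumed subset) mapping operator wording to strongSwan keywords.
ALG = {"AES-128": "aes128", "AES-256": "aes256", "3DES": "3des", "DES": "des",
       "SHA-1": "sha1", "SHA-256": "sha256"}
DH = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}

def proposals_from_gateway(enc1, hash1, dh_group, enc2, hash2, pfs_group=None):
    """Strict ('!') ike= and esp= values matching what the gateway operator stated."""
    ike = f"{ALG[enc1]}-{ALG[hash1]}-{DH[dh_group]}!"
    esp = f"{ALG[enc2]}-{ALG[hash2]}"
    if pfs_group is not None:  # append a DH group only when the peer really does PFS
        esp += f"-{DH[pfs_group]}"
    return ike, esp + "!"

if __name__ == "__main__":
    print(classify_no_proposal(SAMPLE_LOG))  # phase2
    # The thread's gateway: AES-128/SHA-1 with DH group 2 for IKE, AES-128/SHA-1 without PFS for ESP.
    print(proposals_from_gateway("AES-128", "SHA-1", 2, "AES-128", "SHA-1"))
```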