[strongSwan] Problem connecting to a Cisco Unity gateway

Noel Kuntze noel at familie-kuntze.de
Fri Feb 13 21:43:50 CET 2015



Hello Bas,

You might also want to enable the CISCO unity extension in strongswan by setting charon.cisco_unity = yes
in strongswan.conf and restart the daemon. For that to work, you also need to have the unity plugin loaded.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 13.02.2015 at 21:17, Bas van Dijk wrote:
> Hi Noel,
>
> Thanks for your reply.
>
> I did already try esp=aes128-sha1! which didn't help. I will try
> esp=aes128-sha! when I'm back at the office.
>
> Cheers,
>
> Bas
>
> On 13 February 2015 at 19:17, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
>> Hello Bas,
>>
>> That usually means that the two peers could not decide on a common cipher proposal.
>> It is likely that the CISCO peer has PFS disabled. The normal cipher proposal for phase two
>> on strongSwan is all PFS by default. Try this: esp=aes128-sha1! or esp=aes128-sha!
>> That will set the proposal for phase two to only propose AES-cbc-128 and SHA1 in combination
>> without PFS.
>>
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 13.02.2015 at 16:48, Bas van Dijk wrote:
> >>> I solved the "no netkey IPsec stack detected" errors. It turned out
> >>> that the NixOS strongSwan configuration used a modprobe which couldn't
> >>> find the right kernel modules. I fixed that and now it starts up
> >>> without that error. See the log at: http://pastebin.com/ufutkmdC
> >>>
> >>> However, my original problem remains. With the following ipsec.conf:
> >>>
> >>> conn data-display
> >>>   aggressive=no
> >>>   auto=add
> >>>   fragmentation=yes
> >>>   ike=des-sha1-modp1024
> >>>   ikelifetime=24h
> >>>   keyexchange=ikev1
> >>>   left=%any
> >>>   leftauth=psk
> >>>   leftfirewall=yes
> >>>   leftid=83.161.66.130
> >>>   lifetime=1h
> >>>   right=213.163.70.4
> >>>   rightauth=psk
> >>>   rightsubnet=10.180.0.0/16
> >>>
> >>> I get the following error:
> >>>
> >>> $ sudo ipsec up data-display
> >>> initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
> >>> generating ID_PROT request 0 [ SA V V V V V ]
> >>> sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (220 bytes)
> >>> received packet: from 213.163.70.4[500] to 192.168.42.178[500] (128 bytes)
> >>> parsed ID_PROT response 0 [ SA V V ]
> >>> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> >>> received FRAGMENTATION vendor ID
> >>> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> >>> sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (244 bytes)
> >>> received packet: from 213.163.70.4[500] to 192.168.42.178[500] (304 bytes)
> >>> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> >>> received Cisco Unity vendor ID
> >>> received XAuth vendor ID
> >>> received unknown vendor ID: 4a:1c:a1:c6:1d:26:60:b5:3f:0b:02:29:da:eb:0e:5a
> >>> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> >>> local host is behind NAT, sending keep alives
> >>> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> >>> sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (84 bytes)
> >>> received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
> >>> parsed ID_PROT response 0 [ ID HASH V ]
> >>> received DPD vendor ID
> >>> IKE_SA data-display[1] established between
> >>> 192.168.42.178[83.161.66.130]...213.163.70.4[213.163.70.4]
> >>> scheduling reauthentication in 85668s
> >>> maximum IKE_SA lifetime 86208s
> >>> generating QUICK_MODE request 384749459 [ HASH SA No ID ID ]
> >>> sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (228 bytes)
> >>> received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
> >>> parsed INFORMATIONAL_V1 request 1953095225 [ HASH N(NO_PROP) ]
> >>> received NO_PROPOSAL_CHOSEN error notify
> >>> establishing connection 'data-display' failed
> >>>
> >>> What does NO_PROPOSAL_CHOSEN mean?
> >>>
> >>> Thanks,
> >>>
> >>> Bas
> >>>
> >>> On 10 February 2015 at 16:48, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
> >>>> Hello,
> >>>>
> >>>> Apologies in advance for the rather long message but I'm new to
> >>>> strongSwan and want to include as much information as I think is
> >>>> relevant to my problem.
> >>>>
> >>>> I'm having some problems using strongSwan-5.2.2 to establish a
> >>>> connection to a host on the subnet 10.180.0.0/16 which is behind the
> >>>> gateway 213.163.70.4. The IP address of my machine is 192.168.42.162
> >>>> and I'm using NAT to access the internet. My public IP address is:
> >>>> 83.161.66.130. I don't control the 213.163.70.4 gateway and I have
> >>>> been told it uses the following settings:
> >>>>
> >>>> Target address: 213.163.70.4
> >>>> Source address: 83.161.66.130
> >>>> IKE SA: Phase 1
> >>>> Encryption: AES-128 with SHA-1
> >>>> Diffie-Hellman: Group 2
> >>>> SA lifetime: 86400 seconds
> >>>> IKE negotiation mode: Main (non aggressive)
> >>>> Pre-shared key: XXXX (censored)
> >>>> IPsec proposal: Phase 2
> >>>> Encryption: AES-128 with SHA-1
> >>>> IPsec type: ESP
> >>>> IPsec tunnel lifetime: 3600 seconds
> >>>>
> >>>> I set my ipsec.secrets (censored) to:
> >>>> 213.163.70.4 %any : PSK 0xXXXX
> >>>>
> >>>> ipsec.conf:
> >>>> conn data-display
> >>>>   aggressive=no
> >>>>   authby=secret
> >>>>   auto=add
> >>>>   esp=aes128-sha1
> >>>>   fragmentation=yes
> >>>>   ike=des-sha1-modp1024
> >>>>   ikelifetime=24h
> >>>>   keyexchange=ikev1
> >>>>   left=%any
> >>>>   leftfirewall=yes
> >>>>   leftid=83.161.66.130
> >>>>   lifetime=1h
> >>>>   right=213.163.70.4
> >>>>   rightsubnet=10.180.0.0/16
> >>>>
> >>>> I noticed from the strongSwan logs that the gateway is a Cisco Unity
> >>>> device so I configured strongSwan with --enable-unity. I'm not sure
> >>>> that is required.
> >>>>
> >>>> When I start strongSwan using "sudo systemctl start strongswan" I get
> >>>> the following log (I'm using logging level 2):
> >>>>
> >>>> http://pastebin.com/pC1WYegL
> >>>>
> >>>> I'm a bit confused why I get the "no netkey IPsec stack detected"
> >>>> warning since all required[1] kernel options are enabled (either built
> >>>> in or as modules). In particular:
> >>>>
> >>>> cat /proc/config.gz | gunzip | grep CONFIG_NET_KEY=
> >>>> CONFIG_NET_KEY=m
> >>>>
> >>>> Since it's a warning I ignore it for a moment and try to start up the
> >>>> "data-display" connection using "sudo ipsec up data-display". I get
> >>>> the following output:
> >>>>
> >>>> initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
> >>>> generating ID_PROT request 0 [ SA V V V V V ]
> >>>> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (220 bytes)
> >>>> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (128 bytes)
> >>>> parsed ID_PROT response 0 [ SA V V ]
> >>>> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> >>>> received FRAGMENTATION vendor ID
> >>>> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> >>>> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (244 bytes)
> >>>> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (304 bytes)
> >>>> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> >>>> received Cisco Unity vendor ID
> >>>> received XAuth vendor ID
> >>>> received unknown vendor ID: c5:dd:ab:2d:d0:7e:27:16:a3:59:1d:ba:91:49:75:8d
> >>>> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> >>>> local host is behind NAT, sending keep alives
> >>>> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> >>>> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (84 bytes)
> >>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
> >>>> parsed ID_PROT response 0 [ ID HASH V ]
> >>>> received DPD vendor ID
> >>>> IKE_SA data-display[1] established between
> >>>> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
> >>>> scheduling reauthentication in 85593s
> >>>> maximum IKE_SA lifetime 86133s
> >>>> generating QUICK_MODE request 3299461263 [ HASH SA No ID ID ]
> >>>> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (204 bytes)
> >>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
> >>>> parsed INFORMATIONAL_V1 request 1571124148 [ HASH N(NO_PROP) ]
> >>>> received NO_PROPOSAL_CHOSEN error notify
> >>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
> >>>> parsed INFORMATIONAL_V1 request 3331205321 [ HASH D ]
> >>>> received DELETE for IKE_SA data-display[1]
> >>>> deleting IKE_SA data-display[1] between
> >>>> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
> >>>> establishing connection 'data-display' failed
> >>>>
> >>>> The following is posted to syslog:
> >>>>
> >>>> http://pastebin.com/1Vj1rXaq
> >>>>
> >>>> So I can see that an IKE_SA is established between me and the gateway.
> >>>> However, after that something goes wrong.
> >>>>
> >>>> Can somebody explain what is going wrong and point me in the right direction?
> >>>>
> >>>> Also note that I'm using NixOS running in VirtualBox. My virtual NIC
> >>>> is bridged to my physical NIC.
> >>>>
> >>>> Let me know if any more information is desired.
> >>>>
> >>>> Cheers,
> >>>>
> >>>> Bas
> >>>>
> >>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.strongswan.org
> >>> https://lists.strongswan.org/mailman/listinfo/users
>
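As an added illustration (not code from the thread or from the strongSwan project): a small Python helper that reads the kind of `ipsec up` output Bas posted, tells a Phase 1 from a Phase 2 NO_PROPOSAL_CHOSEN by whether a Quick Mode request had already been sent, and flags an esp= value that requests PFS (contains a DH group) or lacks the `!` strict flag Noel recommends. The sample log is a constructed excerpt of the thread's output, the DH-group token list and the hint wording are my assumptions, and the settings named (esp=, charon.cisco_unity, the unity plugin) are the ones discussed above.

```python
import re

# Constructed sample: a few lines of the `ipsec up data-display` output posted in the thread.
SAMPLE_LOG = """\
generating ID_PROT request 0 [ SA V V V V V ]
received Cisco Unity vendor ID
generating QUICK_MODE request 384749459 [ HASH SA No ID ID ]
parsed INFORMATIONAL_V1 request 1953095225 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
"""

# A DH-group token inside an esp= proposal means PFS is requested for that IPsec SA.
DH_TOKEN = re.compile(r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve25519|curve448|x25519|x448)$")

def diagnose_no_proposal(log: str) -> str:
    """Return 'phase2' if NO_PROPOSAL_CHOSEN follows a Quick Mode request, else 'phase1', or 'none'."""
    quick_mode_sent = False
    for line in log.splitlines():
        if "generating QUICK_MODE request" in line:
            quick_mode_sent = True
        if "NO_PROPOSAL_CHOSEN" in line:
            return "phase2" if quick_mode_sent else "phase1"
    return "none"

def parse_esp(value: str) -> dict:
    """Parse an esp= value like 'aes128-sha1-modp1024,aes128-sha1!'. The trailing '!'
    is strongSwan's strict flag: only the listed proposals are sent, no defaults."""
    value = value.strip()
    strict = value.endswith("!")
    proposals = []
    for prop in value.rstrip("!").split(","):
        tokens = prop.strip().split("-")
        proposals.append({"proposal": prop.strip(),
                          "pfs": any(DH_TOKEN.match(t) for t in tokens)})
    return {"strict": strict, "proposals": proposals}

def findings(log: str, esp_value: str) -> list:
    """Turn both checks into the hints given in the thread (wording is mine)."""
    out, phase = [], diagnose_no_proposal(log)
    if phase == "phase1":
        out.append("ike= rejected: compare the Phase 1 cipher, hash and DH group with the peer")
    elif phase == "phase2":
        esp = parse_esp(esp_value)
        if any(p["pfs"] for p in esp["proposals"]):
            out.append("esp= requests PFS; a peer with PFS disabled will send NO_PROPOSAL_CHOSEN")
        if not esp["strict"]:
            out.append("esp= has no '!' strict flag, so strongSwan also offers its defaults")
    if "Cisco Unity vendor ID" in log:
        out.append("peer is Cisco Unity: set charon.cisco_unity = yes and load the unity plugin")
    return out
```

Run `findings(SAMPLE_LOG, "aes128-sha1-modp1024")` to see all three hints; with `"aes128-sha1!"` only the Cisco Unity hint remains.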
