[strongSwan] Problem connecting to a Cisco Unity gateway

Bas van Dijk v.dijk.bas at gmail.com
Mon Feb 16 08:59:55 CET 2015


Hi Noel,

Thanks for your help so far.

When setting:

  esp=aes128-sha!

I get the following:

$ sudo ipsec up data-display
...
IKE_SA data-display[1] established between
192.168.42.213[83.161.66.130]...213.163.70.4[213.163.70.4]
scheduling reauthentication in 85738s
maximum IKE_SA lifetime 86278s
generating QUICK_MODE request 693888767 [ HASH SA No ID ID ]
sending packet: from 192.168.42.213[4500] to 213.163.70.4[4500] (172 bytes)
received packet: from 213.163.70.4[4500] to 192.168.42.213[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 3364452724 [ HASH D ]
received DELETE for IKE_SA data-display[1]
deleting IKE_SA data-display[1] between
192.168.42.213[83.161.66.130]...213.163.70.4[213.163.70.4]
establishing connection 'data-display' failed

So with that esp setting the gateway sends me a DELETE instead of a
NO_PROPOSAL_CHOSEN.

I also enabled:

charon {
  cisco_unity = yes
  ...
}

but that didn't change anything.

Bas

On 13 February 2015 at 20:43, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Bas,
>
> You might also want to enable the CISCO unity extension in strongswan by setting charon.cisco_unity = yes
> in strongswan.conf and restart the daemon. For that to work, you also need to have the unity plugin loaded.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 13.02.2015 at 21:17, Bas van Dijk wrote:
>> Hi Noel,
>>
>> Thanks for your reply.
>>
>> I did already try esp=aes128-sha1! which didn't help. I will try
>> esp=aes128-sha! when I'm back at the office.
>>
>> Cheers,
>>
>> Bas
>>
>> On 13 February 2015 at 19:17, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>
>> Hello Bas,
>>
>> That usually means that the two peers could not decide on a common cipher proposal.
>> It is likely that the CISCO peer has PFS disabled. The normal cipher proposal for phase two
>> on strongSwan is all PFS by default. Try this: esp=aes128-sha1! or esp=aes128-sha!
>> That will set the proposal for phase two to only propose AES-cbc-128 and SHA1 in combination
>> without PFS.
>>
>> Kind regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 13.02.2015 at 16:48, Bas van Dijk wrote:
>> >>> I solved the "no netkey IPsec stack detected" errors. It turned out
>> >>> that the NixOS strongSwan configuration used a modprobe which couldn't
>> >>> find the right kernel modules. I fixed that and now it starts up
>> >>> without that error. See the log at: http://pastebin.com/ufutkmdC
>> >>>
>> >>> However, my original problem remains. With the following ipsec.conf:
>> >>>
>> >>> conn data-display
>> >>>   aggressive=no
>> >>>   auto=add
>> >>>   fragmentation=yes
>> >>>   ike=des-sha1-modp1024
>> >>>   ikelifetime=24h
>> >>>   keyexchange=ikev1
>> >>>   left=%any
>> >>>   leftauth=psk
>> >>>   leftfirewall=yes
>> >>>   leftid=83.161.66.130
>> >>>   lifetime=1h
>> >>>   right=213.163.70.4
>> >>>   rightauth=psk
>> >>>   rightsubnet=10.180.0.0/16
>> >>>
>> >>> I get the following error:
>> >>>
>> >>> $ sudo ipsec up data-display
>> >>> initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
>> >>> generating ID_PROT request 0 [ SA V V V V V ]
>> >>> sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (220 bytes)
>> >>> received packet: from 213.163.70.4[500] to 192.168.42.178[500] (128 bytes)
>> >>> parsed ID_PROT response 0 [ SA V V ]
>> >>> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> >>> received FRAGMENTATION vendor ID
>> >>> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> >>> sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (244 bytes)
>> >>> received packet: from 213.163.70.4[500] to 192.168.42.178[500] (304 bytes)
>> >>> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
>> >>> received Cisco Unity vendor ID
>> >>> received XAuth vendor ID
>> >>> received unknown vendor ID: 4a:1c:a1:c6:1d:26:60:b5:3f:0b:02:29:da:eb:0e:5a
>> >>> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
>> >>> local host is behind NAT, sending keep alives
>> >>> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
>> >>> sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (84 bytes)
>> >>> received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
>> >>> parsed ID_PROT response 0 [ ID HASH V ]
>> >>> received DPD vendor ID
>> >>> IKE_SA data-display[1] established between
>> >>> 192.168.42.178[83.161.66.130]...213.163.70.4[213.163.70.4]
>> >>> scheduling reauthentication in 85668s
>> >>> maximum IKE_SA lifetime 86208s
>> >>> generating QUICK_MODE request 384749459 [ HASH SA No ID ID ]
>> >>> sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (228 bytes)
>> >>> received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
>> >>> parsed INFORMATIONAL_V1 request 1953095225 [ HASH N(NO_PROP) ]
>> >>> received NO_PROPOSAL_CHOSEN error notify
>> >>> establishing connection 'data-display' failed
>> >>>
>> >>> What does NO_PROPOSAL_CHOSEN mean?
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Bas
>> >>>
>> >>> On 10 February 2015 at 16:48, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
>> >>>> Hello,
>> >>>>
>> >>>> Apologies in advance for the rather long message but I'm new to
>> >>>> strongSwan and want to include as much information as I think is
>> >>>> relevant to my problem.
>> >>>>
>> >>>> I'm having some problems using strongSwan-5.2.2 to establish a
>> >>>> connection to a host on the subnet 10.180.0.0/16 which is behind the
>> >>>> gateway 213.163.70.4. The IP address of my machine is 192.168.42.162
>> >>>> and I'm using NAT to access the internet. My public IP address is:
>> >>>> 83.161.66.130. I don't control the 213.163.70.4 gateway and I have
>> >>>> been told it uses the following settings:
>> >>>>
>> >>>> Target address: 213.163.70.4
>> >>>> Source address: 83.161.66.130
>> >>>> IKE SA: Phase 1
>> >>>> Encryption: AES-128 with SHA-1
>> >>>> Diffie-hellman: Group 2
>> >>>> SA lifetime: 86400 seconds
>> >>>> IKE negotiation mode: Main (non aggressive)
>> >>>> Pre-shared key: XXXX (censored)
>> >>>> IPsec proposal: Phase 2
>> >>>> Encryption: AES-128 with SHA-1
>> >>>> IPsec type: ESP
>> >>>> IPsec tunnel lifetime: 3600 seconds
>> >>>>
>> >>>> I set my ipsec.secrets (censored) to:
>> >>>> 213.163.70.4 %any : PSK 0xXXXX
>> >>>>
>> >>>> ipsec.conf:
>> >>>> conn data-display
>> >>>>   aggressive=no
>> >>>>   authby=secret
>> >>>>   auto=add
>> >>>>   esp=aes128-sha1
>> >>>>   fragmentation=yes
>> >>>>   ike=des-sha1-modp1024
>> >>>>   ikelifetime=24h
>> >>>>   keyexchange=ikev1
>> >>>>   left=%any
>> >>>>   leftfirewall=yes
>> >>>>   leftid=83.161.66.130
>> >>>>   lifetime=1h
>> >>>>   right=213.163.70.4
>> >>>>   rightsubnet=10.180.0.0/16
>> >>>>
>> >>>> I noticed from the strongSwan logs that the gateway is a Cisco Unity
>> >>>> device so I configured strongSwan with --enable-unity. I'm not sure
>> >>>> that is required.
>> >>>>
>> >>>> When I start strongSwan using "sudo systemctl start strongswan" I get
>> >>>> the following log (I'm using logging level 2):
>> >>>>
>> >>>> http://pastebin.com/pC1WYegL
>> >>>>
>> >>>> I'm a bit confused why I get the "no netkey IPsec stack detected"
>> >>>> warning since all required[1] kernel options are enabled (either build
>> >>>> in or as modules). In particular:
>> >>>>
>> >>>> cat /proc/config.gz | gunzip | grep CONFIG_NET_KEY=
>> >>>> CONFIG_NET_KEY=m
>> >>>>
>> >>>> Since it's a warning I ignore it for a moment and try to start up the
>> >>>> "data-display" connection using "sudo ipsec up data-display". I get
>> >>>> the following output:
>> >>>>
>> >>>> initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
>> >>>> generating ID_PROT request 0 [ SA V V V V V ]
>> >>>> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (220 bytes)
>> >>>> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (128 bytes)
>> >>>> parsed ID_PROT response 0 [ SA V V ]
>> >>>> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> >>>> received FRAGMENTATION vendor ID
>> >>>> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> >>>> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (244 bytes)
>> >>>> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (304 bytes)
>> >>>> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
>> >>>> received Cisco Unity vendor ID
>> >>>> received XAuth vendor ID
>> >>>> received unknown vendor ID: c5:dd:ab:2d:d0:7e:27:16:a3:59:1d:ba:91:49:75:8d
>> >>>> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
>> >>>> local host is behind NAT, sending keep alives
>> >>>> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
>> >>>> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (84 bytes)
>> >>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>> >>>> parsed ID_PROT response 0 [ ID HASH V ]
>> >>>> received DPD vendor ID
>> >>>> IKE_SA data-display[1] established between
>> >>>> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
>> >>>> scheduling reauthentication in 85593s
>> >>>> maximum IKE_SA lifetime 86133s
>> >>>> generating QUICK_MODE request 3299461263 [ HASH SA No ID ID ]
>> >>>> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (204 bytes)
>> >>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>> >>>> parsed INFORMATIONAL_V1 request 1571124148 [ HASH N(NO_PROP) ]
>> >>>> received NO_PROPOSAL_CHOSEN error notify
>> >>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>> >>>> parsed INFORMATIONAL_V1 request 3331205321 [ HASH D ]
>> >>>> received DELETE for IKE_SA data-display[1]
>> >>>> deleting IKE_SA data-display[1] between
>> >>>> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
>> >>>> establishing connection 'data-display' failed
>> >>>>
>> >>>> The following is posted to syslog:
>> >>>>
>> >>>> http://pastebin.com/1Vj1rXaq
>> >>>>
>> >>>> So I can see that an IKE_SA is established between me and the gateway.
>> >>>> However, after that something goes wrong.
>> >>>>
>> >>>> Can somebody explain what is going wrong and point me in the right direction?
>> >>>>
>> >>>> Also note that I'm using NixOS running in VirtualBox. My virtual NIC
>> >>>> is bridged to my physical NIC.
>> >>>>
>> >>>> Let me know if any more information is desired.
>> >>>>
>> >>>> Cheers,
>> >>>>
>> >>>> Bas
>> >>>>
>> >>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>> >>> _______________________________________________
>> >>> Users mailing list
>> >>> Users at lists.strongswan.org
>> >>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJU3mIDAAoJEDg5KY9j7GZYmLgQAJ12BBk1e/OA4mhSo3toTUW9
> LKIRKxL9ueLVreQImvrTYS7oUZSAKgqW1udybGbdBRXesh1IRJ7a2EaO8nfGZv0T
> 6bzYhLa4NRdaqUsUHpkTzy6S7VfML4x8pDqqwtW7qIt7QzdZXnulqj+FlLwiuKsj
> QaKldMrFRTIZ/aMnTU1agBeRSixcc/nlB9ZymA07a8yPCWPP363ua64PCg3OBjeU
> MpXxQY9xmgihu9q4FmNPjUu/peI0g3kQLgtIGO90/WnE8JvjrcLjuaPFAbI9/Adq
> XhOxoIrSVgDiyBTzZvhd2kNmZMj9/ZcxVcLeinn9nuJJ8dRNFr+EG92GnwbM+Hve
> O/wZy/8xeDFuj4PcL/8Awk27WenwYbUCxeMYlQ/1iUZTqMTXWKKoCpWst+quRrmT
> An31s+tOrB3btd1Pe7z0xzwwblmvv3gCdLhVwidNXvmUAflx9PNvWknkqfDGDwVh
> dTndrgA105Kaew7qwwNgDYzqgICZj9hV0cPCqiaveqAgsSFeje6+Bi48TnpoV5GW
> tmfcJNRjDET6P56lKyofIrArCZ6tP0rmFV3TQVwoE+BbcjsMaRKheOSvBQYt6pu5
> W5guVZ8HFNQqKK81YB1WnD15Wa3bNSDzRkb67FNLe5mFXfaEmzXvOsSxDQ2WDDd1
> cR/x0bgJq5jAhZeLl02k
> =4Z6l
> -----END PGP SIGNATURE-----
>

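The thread above turns on two things: whether any phase-2 proposal strongSwan sends can match what the gateway operator said the Cisco side accepts (AES-128/SHA-1, ESP, no PFS group listed), and reading the `ipsec up` output to see at which step the peer gave up. Below is an added example that does both; it is not strongSwan code and not part of the mailing-list posts. It models the ipsec.conf proposal syntax (`enc-integ[-dhgroup][-esn]`, comma-separated, trailing `!` = send only these proposals) and treats `sha` as an alias of `sha1`, as Noel's two suggested `esp=` values imply. `PEER_ESP` and `PEER_IKE` are the operator-quoted parameters from Bas's first mail; the two sample logs are trimmed copies of the thread's own output. A match here is necessary, not sufficient: the operator's list may be incomplete (phase 1 in the thread completed with `des-sha1-modp1024`, which the stated parameters do not cover).

```python
"""Pre-flight check of strongSwan esp=/ike= proposal strings against a peer's
stated parameters, plus a classifier for 'ipsec up' output.  Added example
for this thread; not strongSwan code."""

# DH group keywords as ipsec.conf spells them (group numbers for reference).
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5,
             "modp2048": 14, "modp3072": 15, "modp4096": 16}
INTEG_ALIASES = {"sha": "sha1"}   # assumption: 'sha' is accepted as 'sha1'

# Parameters quoted by the gateway operator in the original mail.
PEER_IKE = {"enc": "aes128", "integ": "sha1", "dh": "modp1024"}  # "Group 2"
PEER_ESP = {"enc": "aes128", "integ": "sha1", "dh": None}        # no PFS listed


def parse_proposals(spec):
    """Split an ipsec.conf esp=/ike= value into proposals and a strict flag."""
    strict = spec.endswith("!")   # '!' = send only these, no default proposals appended
    if strict:
        spec = spec[:-1]
    proposals = []
    for item in spec.split(","):
        tokens = item.strip().split("-")
        prop = {"enc": tokens[0], "integ": None, "dh": None, "esn": None}
        for tok in tokens[1:]:
            if tok in DH_GROUPS:
                prop["dh"] = tok
            elif tok in ("esn", "noesn"):
                prop["esn"] = tok
            else:
                prop["integ"] = INTEG_ALIASES.get(tok, tok)
        proposals.append(prop)
    return proposals, strict


def matching_proposals(spec, peer=PEER_ESP):
    """Proposals in spec whose cipher, integrity and DH group equal the peer's."""
    proposals, _ = parse_proposals(spec)
    key = (peer["enc"], peer["integ"], peer["dh"])
    return [p for p in proposals if (p["enc"], p["integ"], p["dh"]) == key]


def pfs_mismatch(spec, peer=PEER_ESP):
    """True when every proposal carries a DH (PFS) group but the peer lists none.
    In IKEv1 Quick Mode that alone is enough for NO_PROPOSAL_CHOSEN."""
    proposals, _ = parse_proposals(spec)
    return peer["dh"] is None and all(p["dh"] for p in proposals)


def classify_ipsec_up(output):
    """(stage, reason) for a failed 'ipsec up', from charon's log lines.
    A NO_PROPOSAL_CHOSEN notify is reported in preference to the DELETE that
    usually follows it, since the notify is the cause."""
    lines = output.splitlines()
    phase1_up = any("IKE_SA" in l and " established between" in l for l in lines)
    quick_mode = any("generating QUICK_MODE request" in l for l in lines)
    if any("CHILD_SA" in l and "established" in l for l in lines):
        return ("up", None)
    if any("received NO_PROPOSAL_CHOSEN error notify" in l for l in lines):
        reason = "NO_PROPOSAL_CHOSEN"
    elif any("received DELETE for IKE_SA" in l for l in lines):
        reason = "DELETE"
    elif any("establishing connection" in l and "failed" in l for l in lines):
        reason = "failed"
    else:
        return ("unknown", None)
    stage = "quick_mode" if quick_mode else ("main_mode" if not phase1_up else "after_phase1")
    return (stage, reason)


# Constructed from the thread's own output (trimmed).
LOG_NO_PROP = """\
IKE_SA data-display[1] established between 192.168.42.178[83.161.66.130]...213.163.70.4[213.163.70.4]
generating QUICK_MODE request 384749459 [ HASH SA No ID ID ]
parsed INFORMATIONAL_V1 request 1953095225 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'data-display' failed
"""
LOG_DELETE = """\
IKE_SA data-display[1] established between 192.168.42.213[83.161.66.130]...213.163.70.4[213.163.70.4]
generating QUICK_MODE request 693888767 [ HASH SA No ID ID ]
parsed INFORMATIONAL_V1 request 3364452724 [ HASH D ]
received DELETE for IKE_SA data-display[1]
establishing connection 'data-display' failed
"""

if __name__ == "__main__":
    for spec in ("aes128-sha1-modp1024", "aes128-sha1", "aes128-sha1!", "aes128-sha!"):
        print("esp=%-22s matches=%d pfs_mismatch=%s"
              % (spec, len(matching_proposals(spec)), pfs_mismatch(spec)))
    # The posted ike= line does not match the stated phase-1 parameters, yet
    # phase 1 completed in the thread: the operator's list is not exhaustive.
    print("ike=des-sha1-modp1024 matches=%d" % len(matching_proposals("des-sha1-modp1024", PEER_IKE)))
    for name, log in (("NO_PROP run", LOG_NO_PROP), ("DELETE run", LOG_DELETE)):
        print(name, classify_ipsec_up(log))
```

Run it as-is to see that `esp=aes128-sha1-modp1024` is the only value of the four that cannot match the stated phase-2 parameters (PFS group versus none), that both failed runs from the thread are classified as Quick Mode failures, and that the posted `ike=` line falls outside the operator's stated phase-1 parameters. Because the second run ends in a bare DELETE rather than a notify, the classifier can only say that the peer tore the IKE_SA down after the Quick Mode request; the reason has to come from the gateway's side.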