[strongSwan] but none allows XAuthInitPSK authentication using Aggressive Mode
Tom Hu
pleasetalktome at gmail.com
Thu Jul 16 02:08:15 CEST 2015
Hi all,
I used strongSwan as the GW and the Cisco VPN client on Windows 7 to test interoperability using a pre-shared key.
I got the error "but none allows XAuthInitPSK authentication using Aggressive Mode".
The strongSwan config is:
conn %default
    ikelifetime=60m
    rekeymargin=3m
    keyingtries=1
    mobike=no
    keyexchange=ikev1
include /etc/ipsec.cert.conf
conn cert
    type=tunnel
    auto=add
    esp=aes128-sha1!
    ike=aes128-sha1-modp1024!
    left=192.168.11.55
    right=%any
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    rightdns=10.3.0.1
    leftsubnet=10.3.1.0/24
    rightsourceip=10.3.0.0/28
Cisco VPN Client (not AnyConnect), using "group authentication".
strongswan.conf:
charon {
    cisco_unity = yes
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    plugins {
        attr {
            UNITY_SPLIT_INCLUDE=28676
            INTERNAL_IP4_ADDRESS=1
            INTERNAL_IP4_NETMASK=2
            INTERNAL_IP4_DNS=3
            UNITY_LOCAL_LAN=28678
        }
    }
}
When I forced Main Mode by commenting out i_dont_care_about_security_and_use_aggressive_mode_psk = yes, the client still sends AG mode.
The swan log is:
17:36:03 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-220.17.1.142.bos_dove_72.x86_64.VPN-APP-S5_SN_DOVE, x86_64)
17:36:03 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
17:36:03 00[CFG] loaded ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1" from '/etc/ipsec.d/cacerts/ca.pem'
17:36:03 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
17:36:03 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such file or directory
17:36:03 00[CFG] reading directory failed
17:36:03 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
17:36:03 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No such file or directory
17:36:03 00[CFG] reading directory failed
17:36:03 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
17:36:03 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such file or directory
17:36:03 00[CFG] reading directory failed
17:36:03 00[CFG] loading crls from '/etc/ipsec.d/crls'
17:36:03 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such file or directory
17:36:03 00[CFG] reading directory failed
17:36:03 00[CFG] loading secrets from '/etc/ipsec.secrets'
17:36:03 00[CFG] loaded IKE secret for %any
17:36:03 00[CFG] loaded 1 RADIUS server configuration
17:36:03 00[LIB] loaded plugins: charon aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce xauth-pam x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-identity eap-radius updown
17:36:03 00[LIB] unable to load 12 plugin features (12 due to unmet dependencies)
17:36:03 00[JOB] spawning 16 worker threads
17:36:03 05[CFG] received stroke: add connection 'cert'
17:36:03 05[CFG] adding virtual IP address pool 10.3.0.0/28
17:36:03 05[CFG] added configuration 'cert'
17:36:28 07[NET] received packet: from 192.168.11.10[53029] to 192.168.11.55[500] (865 bytes)
17:36:28 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
17:36:28 07[IKE] received XAuth vendor ID
17:36:28 07[IKE] received DPD vendor ID
17:36:28 07[IKE] received FRAGMENTATION vendor ID
17:36:28 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
17:36:28 07[IKE] received Cisco Unity vendor ID
17:36:28 07[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
17:36:28 07[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
17:36:28 07[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
17:36:28 07[ENC] generating INFORMATIONAL_V1 request 1035333975 [ N(AUTH_FAILED) ]
17:36:28 07[NET] sending packet: from 192.168.11.55[500] to 192.168.11.10[53029] (56 bytes)
17:36:33 08[NET] received packet: from 192.168.11.10[53029] to 192.168.11.55[500] (865 bytes)
17:36:33 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
17:36:33 08[IKE] received XAuth vendor ID
17:36:33 08[IKE] received DPD vendor ID
17:36:33 08[IKE] received FRAGMENTATION vendor ID
17:36:33 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
17:36:33 08[IKE] received Cisco Unity vendor ID
17:36:33 08[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
17:36:33 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
17:36:33 08[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
17:36:33 08[ENC] generating INFORMATIONAL_V1 request 3136248912 [ N(AUTH_FAILED) ]
17:36:33 08[NET] sending packet: from 192.168.11.55[500] to 192.168.11.10[53029] (56 bytes)
repeat.......
The client log is:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 09:07:02.435 07/15/15 Sev=Info/4 CM/0x63100002
Begin connection process
2 09:07:02.461 07/15/15 Sev=Info/4 CM/0x63100004
Establish secure connection
3 09:07:02.461 07/15/15 Sev=Info/4 CM/0x63100024
Attempt connection with server "192.168.11.55"
4 09:07:02.465 07/15/15 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 192.168.11.55.
5 09:07:02.471 07/15/15 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
6 09:07:02.479 07/15/15 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.168.11.55
7 09:07:02.481 07/15/15 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 09:07:02.481 07/15/15 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 09:07:02.484 07/15/15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.11.55
10 09:07:02.484 07/15/15 Sev=Warning/2 IKE/0xE300009B
Discarding incoming packet: Message is NOT encrypted (PacketReceiver:422)
11 09:07:02.484 07/15/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (Dropped) from 192.168.11.55
12 09:07:07.658 07/15/15 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
13 09:07:07.658 07/15/15 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 192.168.11.55
repeat
I commented out a line in the strongSwan source file as a temporary workaround, because I first received the error "payload type %N was not encrypted" on the first packet.
diff -u -N opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
--- opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2014-12-09
02:58:17.000000000 -0800
+++ opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2015-07-10
11:50:55.000000000 -0700
@@ -2487,7 +2487,7 @@
{
DBG1(DBG_ENC, "payload type %N was not encrypted",
payload_type_names, type);
- status = FAILED;
+ //status = FAILED;
break;
}
}
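Review bot: commenting out `status = FAILED;` in this hunk turns a hard failure into a no-op: the `break` still leaves the loop, but the function no longer reports the error, so a message carrying a payload that should have been encrypted is accepted as if it were valid, and the "payload type %N was not encrypted" line becomes a log entry with no effect. That check is what stops a peer from delivering cleartext where the protocol requires encryption, so it should be restored rather than relaxed. The workaround also does not move the exchange forward: the client log above shows the client discarding the server's unencrypted INFORMATIONAL ("Message is NOT encrypted") and retransmitting. The charon log names the actual cause, a matching conn that does not allow XAuthInitPSK in Aggressive Mode; that is a property of the conn definition (strongSwan's per-conn `aggressive` setting in ipsec.conf), not something to be fixed in message.c.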
I have no idea why I got this error.
Any input would be very much appreciated.
Tom
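The post's charon log shows the responder's decision ("found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode") without saying which setting drives it. The following is an added example, not code from the post or from the strongSwan project: a small linter that parses an ipsec.conf / strongswan.conf pair like the one above and reproduces that decision. It assumes strongSwan 5.x behaviour as I know it: an IKEv1 Aggressive Mode initiator is only matched against conn sections with `aggressive=yes`, and Aggressive Mode with PSK additionally requires the `charon.i_dont_care_about_security_and_use_aggressive_mode_psk` switch. The config samples are constructed from the post (trimmed to the relevant keys), and the `explain_log` helper ties the log line back to the same finding.

```python
# Added example (not code from the original post or from strongSwan).
# Lints an ipsec.conf / strongswan.conf pair for IKEv1 PSK conns and
# reproduces the Aggressive Mode matching decision seen in the charon log.
# Assumption (strongSwan 5.x): Aggressive Mode initiators only match conns
# with aggressive=yes, and Aggressive Mode + PSK also needs the charon
# i_dont_care_about_security_and_use_aggressive_mode_psk switch.
import re

# Constructed sample: the post's config, trimmed to the keys that matter here.
IPSEC_CONF = """\
conn %default
    ikelifetime=60m
    keyexchange=ikev1

conn cert
    left=192.168.11.55
    right=%any
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.3.0.0/28
"""

STRONGSWAN_CONF = """\
charon {
    cisco_unity = yes
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
}
"""

# Constructed sample: the decisive lines from the post's charon log.
LOG_SAMPLE = [
    "17:36:28 07[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA",
    "17:36:28 07[IKE] found 1 matching config, but none allows XAuthInitPSK "
    "authentication using Aggressive Mode",
    "17:36:28 07[ENC] generating INFORMATIONAL_V1 request 1035333975 [ N(AUTH_FAILED) ]",
]

NONE_ALLOWS = re.compile(
    r"found (\d+) matching configs?, but none allows (\S+) authentication using (\w+) Mode")


def parse_ipsec_conf(text):
    """Parse 'conn NAME' sections into dicts; 'conn %default' values are
    merged into every other conn. 'include' lines are not followed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # section header or include
            parts = line.split()
            current = parts[1] if parts[0] == 'conn' and len(parts) == 2 else None
            if current:
                sections[current] = {}
            continue
        if current and '=' in line:
            key, value = line.strip().split('=', 1)
            sections[current][key.strip()] = value.strip()
    default = sections.pop('%default', {})
    return {name: {**default, **c} for name, c in sections.items()}


def aggressive_psk_enabled(strongswan_text):
    """True when charon.i_dont_care_about_security_and_use_aggressive_mode_psk = yes."""
    m = re.search(r'i_dont_care_about_security_and_use_aggressive_mode_psk\s*=\s*(\w+)',
                  strongswan_text)
    return bool(m) and m.group(1).lower() == 'yes'


def lint(ipsec_text, strongswan_text):
    """Return (conn, code, message) findings for IKEv1 conns that use PSK."""
    findings = []
    switch_on = aggressive_psk_enabled(strongswan_text)
    for name, c in parse_ipsec_conf(ipsec_text).items():
        if c.get('keyexchange', 'ike') == 'ikev2':
            continue                           # Aggressive Mode is IKEv1-only
        if 'psk' not in (c.get('leftauth'), c.get('rightauth')):
            continue
        if c.get('aggressive', 'no') != 'yes':
            findings.append((name, 'AGGRESSIVE_NOT_ALLOWED',
                f"conn {name}: Aggressive Mode initiators are rejected with "
                f"'found N matching config, but none allows ... Aggressive Mode'; "
                f"add aggressive=yes only if such clients must be served"))
        elif not switch_on:
            findings.append((name, 'AGGRESSIVE_PSK_SWITCH_OFF',
                f"conn {name}: aggressive=yes with PSK, but charon's "
                f"i_dont_care_about_security_and_use_aggressive_mode_psk is not set"))
        else:
            findings.append((name, 'AGGRESSIVE_PSK_WEAK',
                f"conn {name}: Aggressive Mode PSK enabled; identities and the "
                f"PSK-based hash are exchanged before encryption starts, so prefer "
                f"Main Mode or certificate/EAP authentication where the client allows"))
    return findings


def explain_log(lines):
    """Extract (matching count, auth method, mode) from charon rejection lines."""
    out = []
    for line in lines:
        m = NONE_ALLOWS.search(line)
        if m:
            out.append({'matching': int(m.group(1)), 'auth': m.group(2), 'mode': m.group(3)})
    return out


if __name__ == '__main__':
    for conn, code, msg in lint(IPSEC_CONF, STRONGSWAN_CONF):
        print(code, '-', msg)
    print(explain_log(LOG_SAMPLE))
```

Run against the post's config, the linter reports AGGRESSIVE_NOT_ALLOWED for conn cert, which is exactly the state the charon log describes; adding `aggressive=yes` to the conn moves the finding to AGGRESSIVE_PSK_WEAK (with the charon switch on) or AGGRESSIVE_PSK_SWITCH_OFF (with it commented out), so the two knobs and their consequences can be checked before touching the daemon.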