[strongSwan] but none allows XAuthInitPSK authentication using Aggressive Mode

Randy Wyatt rwwyatt01 at gmail.com
Thu Jul 16 02:13:43 CEST 2015


I think the behavior is right, but someone more qualified than me would
have to comment.

Strongswan didn't find a proposal to match because it doesn't support
aggressive mode.  What is the problem here?

On Wed, Jul 15, 2015 at 5:08 PM, Tom Hu <pleasetalktome at gmail.com> wrote:

> Hi ALL
>
> I used strongswan as GW and the Cisco VPN client on Windows 7 to test
> interoperability using a pre-shared key.
> I got the error "but none allows XAuthInitPSK authentication using
> Aggressive Mode"
>
> the config of strongswan
>
> conn %default
>  ikelifetime=60m
>  rekeymargin=3m
>  keyingtries=1
>  mobike=no
>  keyexchange=ikev1
>
> include /etc/ipsec.cert.conf
>
>
> conn cert
>  type=tunnel
>  auto=add
>  esp=aes128-sha1!
>  ike=aes128-sha1-modp1024!
>  left=192.168.11.55
>  right=%any
>  leftauth=psk
>  rightauth=psk
>  rightauth2=xauth
>  rightdns=10.3.0.1
>  leftsubnet=10.3.1.0/24
>  rightsourceip=10.3.0.0/28
>
>
>
> cisco vpn Client (not anyconnect) - using "group authentication"
>
> strongswan.conf
> charon {
>     cisco_unity = yes
>     i_dont_care_about_security_and_use_aggressive_mode_psk = yes
>     plugins {
>         attr {
>             UNITY_SPLIT_INCLUDE=28676
>             INTERNAL_IP4_ADDRESS=1
>             INTERNAL_IP4_NETMASK=2
>             INTERNAL_IP4_DNS=3
>             UNITY_LOCAL_LAN=28678
>         }
>     }
> }
>
> When I forced main mode by commenting out
> i_dont_care_about_security_and_use_aggressive_mode_psk = yes, the client
> still sends AG mode.
>
> log of swan is
>
> 17:36:03 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-220.17.1.142.bos_dove_72.x86_64.VPN-APP-S5_SN_DOVE, x86_64)
> 17:36:03 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 17:36:03 00[CFG]   loaded ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1" from '/etc/ipsec.d/cacerts/ca.pem'
> 17:36:03 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such
> file or directory
> 17:36:03 00[CFG]   reading directory failed
> 17:36:03 00[CFG] loading ocsp signer certificates from
> '/etc/ipsec.d/ocspcerts'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No
> such file or directory
> 17:36:03 00[CFG]   reading directory failed
> 17:36:03 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such
> file or directory
> 17:36:03 00[CFG]   reading directory failed
> 17:36:03 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such
> file or directory
> 17:36:03 00[CFG]   reading directory failed
> 17:36:03 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 17:36:03 00[CFG]   loaded IKE secret for %any
> 17:36:03 00[CFG] loaded 1 RADIUS server configuration
> 17:36:03 00[LIB] loaded plugins: charon aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce xauth-pam x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-identity eap-radius updown
> 17:36:03 00[LIB] unable to load 12 plugin features (12 due to unmet
> dependencies)
> 17:36:03 00[JOB] spawning 16 worker threads
> 17:36:03 05[CFG] received stroke: add connection 'cert'
> 17:36:03 05[CFG] adding virtual IP address pool 10.3.0.0/28
> 17:36:03 05[CFG] added configuration 'cert'
> 17:36:28 07[NET] received packet: from 192.168.11.10[53029] to
> 192.168.11.55[500] (865 bytes)
> 17:36:28 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
> 17:36:28 07[IKE] received XAuth vendor ID
> 17:36:28 07[IKE] received DPD vendor ID
> 17:36:28 07[IKE] received FRAGMENTATION vendor ID
> 17:36:28 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 17:36:28 07[IKE] received Cisco Unity vendor ID
> 17:36:28 07[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
> 17:36:28 07[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
> 17:36:28 07[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
> 17:36:28 07[ENC] generating INFORMATIONAL_V1 request 1035333975 [
> N(AUTH_FAILED) ]
> 17:36:28 07[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.10[53029] (56 bytes)
> 17:36:33 08[NET] received packet: from 192.168.11.10[53029] to
> 192.168.11.55[500] (865 bytes)
> 17:36:33 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
> 17:36:33 08[IKE] received XAuth vendor ID
> 17:36:33 08[IKE] received DPD vendor ID
> 17:36:33 08[IKE] received FRAGMENTATION vendor ID
> 17:36:33 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 17:36:33 08[IKE] received Cisco Unity vendor ID
> 17:36:33 08[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
> 17:36:33 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
> 17:36:33 08[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
> 17:36:33 08[ENC] generating INFORMATIONAL_V1 request 3136248912 [
> N(AUTH_FAILED) ]
> 17:36:33 08[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.10[53029] (56 bytes)
> repeat.......
>
>
> the client log is
>
> Cisco Systems VPN Client Version 5.0.07.0440
> Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
> Client Type(s): Windows, WinNT
> Running on: 6.1.7600
> Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
>
> 1      09:07:02.435  07/15/15  Sev=Info/4 CM/0x63100002
> Begin connection process
>
> 2      09:07:02.461  07/15/15  Sev=Info/4 CM/0x63100004
> Establish secure connection
>
> 3      09:07:02.461  07/15/15  Sev=Info/4 CM/0x63100024
> Attempt connection with server "192.168.11.55"
>
> 4      09:07:02.465  07/15/15  Sev=Info/6 IKE/0x6300003B
> Attempting to establish a connection with 192.168.11.55.
>
> 5      09:07:02.471  07/15/15  Sev=Info/4 IKE/0x63000001
> Starting IKE Phase 1 Negotiation
>
> 6      09:07:02.479  07/15/15  Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.168.11.55
>
> 7      09:07:02.481  07/15/15  Sev=Info/4 IPSEC/0x63700008
> IPSec driver successfully started
>
> 8      09:07:02.481  07/15/15  Sev=Info/4 IPSEC/0x63700014
> Deleted all keys
>
> 9      09:07:02.484  07/15/15  Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 10     09:07:02.484  07/15/15  Sev=Warning/2 IKE/0xE300009B
> Discarding incoming packet: Message is NOT encrypted (PacketReceiver:422)
>
> 11     09:07:02.484  07/15/15  Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK INFO (Dropped) from 192.168.11.55
>
> 12     09:07:07.658  07/15/15  Sev=Info/4 IKE/0x63000021
> Retransmitting last packet!
>
> 13     09:07:07.658  07/15/15  Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK AG (Retransmission) to 192.168.11.55
>
> repeat
>
> As a temporary workaround I commented out a line in the strongswan source
> file, because I received the error "payload type %N was not encrypted" on
> the first packet.
>
> diff -u -N opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
> opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
> --- opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2014-12-09
> 02:58:17.000000000 -0800
> +++ opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2015-07-10
> 11:50:55.000000000 -0700
> @@ -2487,7 +2487,7 @@
>   {
>   DBG1(DBG_ENC, "payload type %N was not encrypted",
>   payload_type_names, type);
> - status = FAILED;
> + //status = FAILED;
>   break;
>   }
>   }
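Review bot: commenting out `status = FAILED;` turns a rejection into a mere warning: after `DBG1(DBG_ENC, "payload type %N was not encrypted", ...)` the loop still `break`s, but the function no longer reports failure, so a payload that the rule set requires to be encrypted is accepted although it arrived in the clear. That disables a security check rather than fixing the mismatch; the charon log in the same mail names the actual cause (the one matching peer config does not allow XAuthInitPSK in Aggressive Mode), so `status = FAILED;` should be restored and the problem addressed in the connection configuration instead.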
>
> I have no idea why I got this error.
> Any input would be very much appreciated.
>
> Tom
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
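The charon log quoted above is the pattern this thread turns on: a peer starts an IKEv1 Aggressive Mode IKE_SA offering XAuthInitPSK, charon finds a config but none that permits that auth class in Aggressive Mode, and replies with N(AUTH_FAILED). As an added example (not code from the thread or from strongSwan), the script below parses charon log lines of that shape and reports per peer how many Aggressive Mode attempts were made and how many were rejected; the sample log is constructed from the lines quoted above, and the peer addresses and the `admin` identity are taken from them.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the charon log quoted in the thread (not the real file).
SAMPLE_LOG = """\
17:36:28 07[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
17:36:28 07[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
17:36:28 07[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
17:36:28 07[ENC] generating INFORMATIONAL_V1 request 1035333975 [ N(AUTH_FAILED) ]
17:36:33 08[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
17:36:33 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
17:36:33 08[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
17:36:33 08[ENC] generating INFORMATIONAL_V1 request 3136248912 [ N(AUTH_FAILED) ]
17:40:01 09[IKE] 192.168.11.20 is initiating a Main Mode IKE_SA
"""

# charon line: "HH:MM:SS <worker>[GROUP] message"; the worker id ties one exchange's lines together.
LINE = re.compile(r"^\d\d:\d\d:\d\d (?P<thread>\d+)\[\w+\] (?P<msg>.*)$")
INITIATING = re.compile(r"^(?P<peer>[\d.]+) is initiating an? (?P<mode>Aggressive|Main) Mode IKE_SA")
LOOKING = re.compile(r"^looking for (?P<auth>\w+) peer configs matching "
                     r"[\d.]+?\.\.\.[\d.]+\[(?P<ident>[^\]]*)\]")
REJECTED = re.compile(r"^found \d+ matching config, but none allows")

def summarize(log_text):
    """Per peer IP: Aggressive/Main Mode IKE_SAs started, rejections for a disallowed auth class, auth classes and identities offered."""
    stats = defaultdict(lambda: {"aggressive": 0, "main": 0, "rejected": 0,
                                 "auth_failed_sent": 0, "auth": set(), "identities": set()})
    current = {}  # worker thread id -> peer IP that worker is currently handling
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        hit = INITIATING.match(msg)
        if hit:
            current[thread] = hit["peer"]
            stats[hit["peer"]][hit["mode"].lower()] += 1
            continue
        peer = current.get(thread)
        if peer is None:
            continue  # start-up lines and the like carry no peer context
        hit = LOOKING.match(msg)
        if hit:
            stats[peer]["auth"].add(hit["auth"])
            stats[peer]["identities"].add(hit["ident"])
        elif REJECTED.match(msg):
            stats[peer]["rejected"] += 1
        elif "N(AUTH_FAILED)" in msg:
            stats[peer]["auth_failed_sent"] += 1
    return dict(stats)
```

Run it over a real charon log to see at a glance which peers keep retrying Aggressive Mode with PSK, which is exactly the case the i_dont_care_about_security_and_use_aggressive_mode_psk option exists to gate.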


