[strongSwan] but none allows XAuthInitPSK authentication using Aggressive Mode

Randy Wyatt rwwyatt01 at gmail.com
Thu Jul 16 04:12:02 CEST 2015


Just to clarify, the client and server modes have to agree. In your
case, the client is sending Aggressive Mode, but the server doesn't support
it. I actually use NCP-e for IKEv1, and there is a setting for Aggressive
versus Main Mode.

Aggressive Mode should only be used when no other solution exists.



On Wed, Jul 15, 2015 at 7:05 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:

> You commented the line i_dont_care_about_security_and_use_aggressive_mode_psk
> = yes out of strongswan.conf so aggressive mode is no longer supported.
>
> The line i_dont_care_about_security_and_use_aggressive_mode_psk = yes
> must *not* be commented out.
>
> The client is expecting aggressive mode, but you disabled it on the server.
>
> Does this clarify things?
>
> On Wed, Jul 15, 2015 at 7:02 PM, Tom Hu <pleasetalktome at gmail.com> wrote:
>
>> Randy
>>
>> Thanks for replying
>>
>> I do not understand "strongSwan didn't find a proposal to match because
>> it doesn't support aggressive mode".
>> BTW: does strongSwan not support AG mode? Is that true? I did a test with
>> certificates; it uses MM mode.
>>
>> The problem is that I got the error "but none allows XAuthInitPSK
>> authentication using Aggressive Mode"
>>
>> and communication stops.
>>
>>
>> Thanks
>>
>> Tom
>>
>> On Wed, Jul 15, 2015 at 5:13 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>>
>>> I think the behavior is right, but someone more qualified than me would
>>> have to comment.
>>>
>>> Strongswan didn't find a proposal to match because it doesn't support
>>> aggressive mode.  What is the problem here?
>>>
>>> On Wed, Jul 15, 2015 at 5:08 PM, Tom Hu <pleasetalktome at gmail.com>
>>> wrote:
>>>
>>>> Hi ALL
>>>>
>>>> I used strongSwan as GW and the Cisco VPN client on Windows 7 to test
>>>> interoperability using a pre-shared key. I got the error "but none
>>>> allows XAuthInitPSK authentication using Aggressive Mode".
>>>>
>>>> The config of strongSwan:
>>>>
>>>> conn %default
>>>>  ikelifetime=60m
>>>>  rekeymargin=3m
>>>>  keyingtries=1
>>>>  mobike=no
>>>>  keyexchange=ikev1
>>>>
>>>> include /etc/ipsec.cert.conf
>>>>
>>>>
>>>> conn cert
>>>>  type=tunnel
>>>>  auto=add
>>>>  esp=aes128-sha1!
>>>>  ike=aes128-sha1-modp1024!
>>>>  left=192.168.11.55
>>>>  right=%any
>>>>  leftauth=psk
>>>>  rightauth=psk
>>>>  rightauth2=xauth
>>>>  rightdns=10.3.0.1
>>>>  leftsubnet=10.3.1.0/24
>>>>  rightsourceip=10.3.0.0/28
>>>>
>>>>
>>>>
>>>> Cisco VPN Client (not AnyConnect), using "group authentication"
>>>>
>>>> strongswan.conf
>>>> charon {
>>>>     cisco_unity = yes
>>>>     i_dont_care_about_security_and_use_aggressive_mode_psk = yes
>>>>     plugins {
>>>>         attr {
>>>>             UNITY_SPLIT_INCLUDE=28676
>>>>             INTERNAL_IP4_ADDRESS=1
>>>>             INTERNAL_IP4_NETMASK=2
>>>>             INTERNAL_IP4_DNS=3
>>>>             UNITY_LOCAL_LAN=28678
>>>>         }
>>>>     }
>>>> }
>>>>
>>>> When I forced Main Mode by commenting out
>>>> i_dont_care_about_security_and_use_aggressive_mode_psk = yes, the client
>>>> still sends AG mode.
>>>>
>>>> The log of strongSwan is:
>>>>
>>>> 17:36:03 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-220.17.1.142.bos_dove_72.x86_64.VPN-APP-S5_SN_DOVE, x86_64)
>>>> 17:36:03 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>>>> 17:36:03 00[CFG]   loaded ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1" from '/etc/ipsec.d/cacerts/ca.pem'
>>>> 17:36:03 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No
>>>> such file or directory
>>>> 17:36:03 00[CFG]   reading directory failed
>>>> 17:36:03 00[CFG] loading ocsp signer certificates from
>>>> '/etc/ipsec.d/ocspcerts'
>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No
>>>> such file or directory
>>>> 17:36:03 00[CFG]   reading directory failed
>>>> 17:36:03 00[CFG] loading attribute certificates from
>>>> '/etc/ipsec.d/acerts'
>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No
>>>> such file or directory
>>>> 17:36:03 00[CFG]   reading directory failed
>>>> 17:36:03 00[CFG] loading crls from '/etc/ipsec.d/crls'
>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such
>>>> file or directory
>>>> 17:36:03 00[CFG]   reading directory failed
>>>> 17:36:03 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>>> 17:36:03 00[CFG]   loaded IKE secret for %any
>>>> 17:36:03 00[CFG] loaded 1 RADIUS server configuration
>>>> 17:36:03 00[LIB] loaded plugins: charon aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce xauth-pam x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-identity eap-radius updown
>>>> 17:36:03 00[LIB] unable to load 12 plugin features (12 due to unmet
>>>> dependencies)
>>>> 17:36:03 00[JOB] spawning 16 worker threads
>>>> 17:36:03 05[CFG] received stroke: add connection 'cert'
>>>> 17:36:03 05[CFG] adding virtual IP address pool 10.3.0.0/28
>>>> 17:36:03 05[CFG] added configuration 'cert'
>>>> 17:36:28 07[NET] received packet: from 192.168.11.10[53029] to
>>>> 192.168.11.55[500] (865 bytes)
>>>> 17:36:28 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
>>>> 17:36:28 07[IKE] received XAuth vendor ID
>>>> 17:36:28 07[IKE] received DPD vendor ID
>>>> 17:36:28 07[IKE] received FRAGMENTATION vendor ID
>>>> 17:36:28 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>>> 17:36:28 07[IKE] received Cisco Unity vendor ID
>>>> 17:36:28 07[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
>>>> 17:36:28 07[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
>>>> 17:36:28 07[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
>>>> 17:36:28 07[ENC] generating INFORMATIONAL_V1 request 1035333975 [
>>>> N(AUTH_FAILED) ]
>>>> 17:36:28 07[NET] sending packet: from 192.168.11.55[500] to
>>>> 192.168.11.10[53029] (56 bytes)
>>>> 17:36:33 08[NET] received packet: from 192.168.11.10[53029] to
>>>> 192.168.11.55[500] (865 bytes)
>>>> 17:36:33 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
>>>> 17:36:33 08[IKE] received XAuth vendor ID
>>>> 17:36:33 08[IKE] received DPD vendor ID
>>>> 17:36:33 08[IKE] received FRAGMENTATION vendor ID
>>>> 17:36:33 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>>> 17:36:33 08[IKE] received Cisco Unity vendor ID
>>>> 17:36:33 08[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
>>>> 17:36:33 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
>>>> 17:36:33 08[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
>>>> 17:36:33 08[ENC] generating INFORMATIONAL_V1 request 3136248912 [
>>>> N(AUTH_FAILED) ]
>>>> 17:36:33 08[NET] sending packet: from 192.168.11.55[500] to
>>>> 192.168.11.10[53029] (56 bytes)
>>>> repeat.......
>>>>
>>>>
>>>> The client log is:
>>>>
>>>> Cisco Systems VPN Client Version 5.0.07.0440
>>>> Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
>>>> Client Type(s): Windows, WinNT
>>>> Running on: 6.1.7600
>>>> Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
>>>>
>>>> 1      09:07:02.435  07/15/15  Sev=Info/4 CM/0x63100002
>>>> Begin connection process
>>>>
>>>> 2      09:07:02.461  07/15/15  Sev=Info/4 CM/0x63100004
>>>> Establish secure connection
>>>>
>>>> 3      09:07:02.461  07/15/15  Sev=Info/4 CM/0x63100024
>>>> Attempt connection with server "192.168.11.55"
>>>>
>>>> 4      09:07:02.465  07/15/15  Sev=Info/6 IKE/0x6300003B
>>>> Attempting to establish a connection with 192.168.11.55.
>>>>
>>>> 5      09:07:02.471  07/15/15  Sev=Info/4 IKE/0x63000001
>>>> Starting IKE Phase 1 Negotiation
>>>>
>>>> 6      09:07:02.479  07/15/15  Sev=Info/4 IKE/0x63000013
>>>> SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.168.11.55
>>>>
>>>> 7      09:07:02.481  07/15/15  Sev=Info/4 IPSEC/0x63700008
>>>> IPSec driver successfully started
>>>>
>>>> 8      09:07:02.481  07/15/15  Sev=Info/4 IPSEC/0x63700014
>>>> Deleted all keys
>>>>
>>>> 9      09:07:02.484  07/15/15  Sev=Info/5 IKE/0x6300002F
>>>> Received ISAKMP packet: peer = 192.168.11.55
>>>>
>>>> 10     09:07:02.484  07/15/15  Sev=Warning/2 IKE/0xE300009B
>>>> Discarding incoming packet: Message is NOT encrypted
>>>> (PacketReceiver:422)
>>>>
>>>> 11     09:07:02.484  07/15/15  Sev=Info/4 IKE/0x63000014
>>>> RECEIVING <<< ISAKMP OAK INFO (Dropped) from 192.168.11.55
>>>>
>>>> 12     09:07:07.658  07/15/15  Sev=Info/4 IKE/0x63000021
>>>> Retransmitting last packet!
>>>>
>>>> 13     09:07:07.658  07/15/15  Sev=Info/4 IKE/0x63000013
>>>> SENDING >>> ISAKMP OAK AG (Retransmission) to 192.168.11.55
>>>>
>>>> repeat
>>>>
>>>> I did comment out a line in a strongSwan source file as a temporary
>>>> workaround, because I received the error "payload type %N was not
>>>> encrypted" on the first packet.
>>>>
>>>> diff -u -N opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
>>>> opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
>>>> --- opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2014-12-09
>>>> 02:58:17.000000000 -0800
>>>> +++ opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2015-07-10
>>>> 11:50:55.000000000 -0700
>>>> @@ -2487,7 +2487,7 @@
>>>>   {
>>>>   DBG1(DBG_ENC, "payload type %N was not encrypted",
>>>>   payload_type_names, type);
>>>> - status = FAILED;
>>>> + //status = FAILED;
>>>>   break;
>>>>   }
>>>>   }
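Review bot: commenting out `status = FAILED;` turns the "payload type %N was not encrypted" check into a log line only. The `break` still leaves the loop, but the message is now accepted even though a payload the message rules require to be encrypted arrived in cleartext, so an on-path party can inject cleartext payloads where charon would previously have rejected the message. It also hides rather than fixes the real mismatch in this thread (the client sends Aggressive Mode, the server configuration disables it). Revert the hunk and fix the configuration instead.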
>>>>
>>>> I have no idea why I got this error.
>>>> Any input would be very much appreciated.
>>>>
>>>> Tom
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
>>>
>>>
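The negotiation the thread describes, as an added example that is not part of the original posts or of strongSwan's or Cisco's code: a minimal parser for the cleartext ISAKMP header and payload chain (RFC 2408 layout), a lookup of the charon setting from strongswan.conf that ignores `#`-commented lines, the responder's accept/reject decision for XAuthInitPSK over Aggressive Mode versus Main Mode, and the client-side drop of the unencrypted INFORMATIONAL seen in the Cisco log. The packets, payload bodies and config text are constructed for the example; the function names are mine and are not strongSwan APIs.

```python
"""Added example (not strongSwan or Cisco code): the IKEv1 exchange from the
thread, reduced to the bytes and settings that decide it.  Packet bytes and
config text are constructed; only the ISAKMP layout (RFC 2408) is real."""
import re
import struct
from typing import Dict, List, Optional, Tuple

# RFC 2408 exchange types: 2 = Identity Protection (Main Mode), 4 = Aggressive,
# 5 = Informational.  Payload types below are the ones that appear in the logs.
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 10: "Nonce", 11: "N", 13: "VID"}
FLAG_ENCRYPTION = 0x01          # header flags bit 0: payloads are encrypted
AG_PSK_SETTING = "i_dont_care_about_security_and_use_aggressive_mode_psk"


def parse_isakmp(data: bytes) -> Dict:
    """Parse the 28-byte ISAKMP header and walk the generic payload chain."""
    if len(data) < 28:
        raise ValueError("short ISAKMP header")
    _ic, _rc, next_pl, _ver, exch, flags, _msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError("length field does not match packet")
    if flags & FLAG_ENCRYPTION:
        # Ciphertext follows; the chain cannot be walked without phase-1 keys.
        return {"exchange": exch, "encrypted": True, "payloads": []}
    payloads: List[str] = []
    off = 28
    while next_pl != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _res, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        payloads.append(PAYLOAD.get(next_pl, "type%d" % next_pl))
        next_pl, off = nxt, off + plen
    return {"exchange": exch, "encrypted": False, "payloads": payloads}


def build_isakmp(exch: int, payloads: List[Tuple[int, bytes]], flags: int = 0) -> bytes:
    """Assemble a cleartext ISAKMP message from (type, body) pairs (test data only)."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10, exch,
                      flags, 0, 28 + len(body))
    return hdr + body


def charon_setting(conf: str, key: str) -> Optional[str]:
    """Value of `key` inside charon { } in strongswan.conf; '#' comments are
    ignored, which is exactly how the thread disabled the setting."""
    section: List[str] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\w+)\s*\{$", line)
        if m:
            section.append(m.group(1))
        elif line == "}":
            section.pop()
        else:
            k, _, v = line.partition("=")
            if section == ["charon"] and k.strip() == key:
                return v.strip()
    return None


def responder_decision(pkt: bytes, conf: str, auth: str = "XAuthInitPSK") -> str:
    """Mirror the log line 'found 1 matching config, but none allows
    XAuthInitPSK authentication using Aggressive Mode'."""
    msg = parse_isakmp(pkt)
    if msg["exchange"] == 4 and auth == "XAuthInitPSK":
        if charon_setting(conf, AG_PSK_SETTING) != "yes":
            return "AUTH_FAILED: no config allows %s using Aggressive Mode" % auth
    return "proceed"


def client_accepts(pkt: bytes) -> bool:
    """The Cisco client drops any INFORMATIONAL whose encryption flag is clear.
    Before phase 1 completes the responder can only send cleartext, so its
    AUTH_FAILED notify is discarded and the client just retransmits."""
    msg = parse_isakmp(pkt)
    return not (msg["exchange"] == 5 and not msg["encrypted"])


# Constructed traffic: AG first message [ SA KE No ID V ], an MM first message,
# and the cleartext N(AUTH_FAILED) the server answered with.  Bodies are dummies.
AG_FIRST = build_isakmp(4, [(1, b"\x00" * 8), (4, b"\x00" * 128), (10, b"\x00" * 20),
                            (5, b"\x0b" + b"admin"), (13, b"X" * 16)])
MM_FIRST = build_isakmp(2, [(1, b"\x00" * 8), (13, b"X" * 16)])
INFO_AUTH_FAILED = build_isakmp(5, [(11, b"\x00" * 8)])

CONF_AG_ENABLED = ("charon {\n  cisco_unity = yes\n  %s = yes\n"
                   "  plugins {\n    attr {\n      INTERNAL_IP4_DNS=3\n    }\n  }\n}\n" % AG_PSK_SETTING)
CONF_AG_DISABLED = CONF_AG_ENABLED.replace("\n  %s" % AG_PSK_SETTING, "\n  # %s" % AG_PSK_SETTING)

if __name__ == "__main__":
    for name, pkt in (("AG", AG_FIRST), ("MM", MM_FIRST)):
        print(name, parse_isakmp(pkt)["payloads"], "->", responder_decision(pkt, CONF_AG_DISABLED))
    print("client accepts cleartext INFORMATIONAL:", client_accepts(INFO_AUTH_FAILED))
```

Run it with the setting commented out and the AG packet is refused while the MM packet proceeds, which is the server-side half of the thread; `client_accepts` shows why the refusal never surfaces on the Windows side and the client keeps retransmitting its Aggressive Mode request.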