[strongSwan] but none allows XAuthInitPSK authentication using Aggressive Mode

Randy Wyatt rwwyatt01 at gmail.com
Thu Jul 16 04:23:20 CEST 2015


You specifically said
when I forced to main mode by comment out
i_dont_care_about_security_and_use_aggressive_mode_psk
= yes, the client still send AG mode

log of swan is

17:36:03 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-

The log provided matches what you stated.  Cisco doesn't even recommend
their own ipsec client. This comes directly from Cisco support. It kept
bluescreening on Windows 7 64 for me.

Please copy the entire mailing list in the response.

Regards,
Randy

On Wed, Jul 15, 2015 at 7:19 PM, Tom Hu <pleasetalktome at gmail.com> wrote:

> Randy
>
> my attached log did not comment out i_dont_care_about_security_and_use_aggressive_mode_psk
> = yes
>
> If I commented it out, the client kept trying AG mode and never gave up
>
> hmm, I did not have a way to disable AG mode and enable MM in the cisco
> vpn client config.
>
> Thanks
>
> Tom
>
> On Wed, Jul 15, 2015 at 7:05 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>
>> You commented the line i_dont_care_about_security_and_use_aggressive_mode_psk
>> = yes out of strongswan.conf so aggressive mode is no longer supported.
>>
>> The line i_dont_care_about_security_and_use_aggressive_mode_psk = yes
>> must *not* be commented out.
>>
>> The client is expecting aggressive mode, but you disabled it on the
>> server.
>>
>> Does this clarify things?
>>
>> On Wed, Jul 15, 2015 at 7:02 PM, Tom Hu <pleasetalktome at gmail.com> wrote:
>>
>>> Randy
>>>
>>> Thanks for replying
>>>
>>> I do not understand that "Strongswan didn't find a proposal to match
>>> because it doesn't support aggressive mode".
>>> BTW: Does strongSwan not support AG mode? Is it true? I did a test with
>>> cert; it uses MM mode.
>>>
>>> The problem is that I got the error "but none allows XAuthInitPSK
>>> authentication using Aggressive Mode"
>>>
>>> and communication stops.
>>>
>>>
>>> Thanks
>>>
>>> Tom
>>>
>>> On Wed, Jul 15, 2015 at 5:13 PM, Randy Wyatt <rwwyatt01 at gmail.com>
>>> wrote:
>>>
>>>> I think the behavior is right, but someone more qualified than me would
>>>> have to comment.
>>>>
>>>> Strongswan didn't find a proposal to match because it doesn't support
>>>> aggressive mode.  What is the problem here?
>>>>
>>>> On Wed, Jul 15, 2015 at 5:08 PM, Tom Hu <pleasetalktome at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi ALL
>>>>>
>>>>> I used strongSwan as the GW and the Cisco VPN client on Windows 7 to test
>>>>> interoperability using a preshared key, and got the error "but none
>>>>> allows XAuthInitPSK authentication using Aggressive Mode"
>>>>>
>>>>> the config of strongswan
>>>>>
>>>>> conn %default
>>>>>  ikelifetime=60m
>>>>>  rekeymargin=3m
>>>>>  keyingtries=1
>>>>>  mobike=no
>>>>>  keyexchange=ikev1
>>>>>
>>>>> include /etc/ipsec.cert.conf
>>>>>
>>>>>
>>>>> conn cert
>>>>>  type=tunnel
>>>>>  auto=add
>>>>>  esp=aes128-sha1!
>>>>>  ike=aes128-sha1-modp1024!
>>>>>  left=192.168.11.55
>>>>>  right=%any
>>>>>  leftauth=psk
>>>>>  rightauth=psk
>>>>>  rightauth2=xauth
>>>>>  rightdns=10.3.0.1
>>>>>  leftsubnet=10.3.1.0/24
>>>>>  rightsourceip=10.3.0.0/28
>>>>>
>>>>>
>>>>>
>>>>> Cisco VPN Client (not AnyConnect), using "group authentication"
>>>>>
>>>>> strongswan.conf
>>>>> charon {
>>>>>  cisco_unity = yes
>>>>> i_dont_care_about_security_and_use_aggressive_mode_psk = yes
>>>>> plugins {
>>>>>          attr {
>>>>>                 UNITY_SPLIT_INCLUDE=28676
>>>>>                 INTERNAL_IP4_ADDRESS=1
>>>>>                 INTERNAL_IP4_NETMASK=2
>>>>>                 INTERNAL_IP4_DNS=3
>>>>>                 UNITY_LOCAL_LAN=28678
>>>>>               }
>>>>>         }
>>>>> }
>>>>>
>>>>> When I forced main mode by commenting out
>>>>> i_dont_care_about_security_and_use_aggressive_mode_psk = yes, the client
>>>>> still sends AG mode.
>>>>>
>>>>> log of swan is
>>>>>
>>>>> 17:36:03 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-220.17.1.142.bos_dove_72.x86_64.VPN-APP-S5_SN_DOVE, x86_64)
>>>>> 17:36:03 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>>>>> 17:36:03 00[CFG]   loaded ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1" from '/etc/ipsec.d/cacerts/ca.pem'
>>>>> 17:36:03 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No
>>>>> such file or directory
>>>>> 17:36:03 00[CFG]   reading directory failed
>>>>> 17:36:03 00[CFG] loading ocsp signer certificates from
>>>>> '/etc/ipsec.d/ocspcerts'
>>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No
>>>>> such file or directory
>>>>> 17:36:03 00[CFG]   reading directory failed
>>>>> 17:36:03 00[CFG] loading attribute certificates from
>>>>> '/etc/ipsec.d/acerts'
>>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No
>>>>> such file or directory
>>>>> 17:36:03 00[CFG]   reading directory failed
>>>>> 17:36:03 00[CFG] loading crls from '/etc/ipsec.d/crls'
>>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such
>>>>> file or directory
>>>>> 17:36:03 00[CFG]   reading directory failed
>>>>> 17:36:03 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>>>> 17:36:03 00[CFG]   loaded IKE secret for %any
>>>>> 17:36:03 00[CFG] loaded 1 RADIUS server configuration
>>>>> 17:36:03 00[LIB] loaded plugins: charon aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce xauth-pam x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-identity eap-radius updown
>>>>> 17:36:03 00[LIB] unable to load 12 plugin features (12 due to unmet
>>>>> dependencies)
>>>>> 17:36:03 00[JOB] spawning 16 worker threads
>>>>> 17:36:03 05[CFG] received stroke: add connection 'cert'
>>>>> 17:36:03 05[CFG] adding virtual IP address pool 10.3.0.0/28
>>>>> 17:36:03 05[CFG] added configuration 'cert'
>>>>> 17:36:28 07[NET] received packet: from 192.168.11.10[53029] to
>>>>> 192.168.11.55[500] (865 bytes)
>>>>> 17:36:28 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
>>>>> 17:36:28 07[IKE] received XAuth vendor ID
>>>>> 17:36:28 07[IKE] received DPD vendor ID
>>>>> 17:36:28 07[IKE] received FRAGMENTATION vendor ID
>>>>> 17:36:28 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>>>> 17:36:28 07[IKE] received Cisco Unity vendor ID
>>>>> 17:36:28 07[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
>>>>> 17:36:28 07[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
>>>>> 17:36:28 07[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
>>>>> 17:36:28 07[ENC] generating INFORMATIONAL_V1 request 1035333975 [
>>>>> N(AUTH_FAILED) ]
>>>>> 17:36:28 07[NET] sending packet: from 192.168.11.55[500] to
>>>>> 192.168.11.10[53029] (56 bytes)
>>>>> 17:36:33 08[NET] received packet: from 192.168.11.10[53029] to
>>>>> 192.168.11.55[500] (865 bytes)
>>>>> 17:36:33 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
>>>>> 17:36:33 08[IKE] received XAuth vendor ID
>>>>> 17:36:33 08[IKE] received DPD vendor ID
>>>>> 17:36:33 08[IKE] received FRAGMENTATION vendor ID
>>>>> 17:36:33 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>>>> 17:36:33 08[IKE] received Cisco Unity vendor ID
>>>>> 17:36:33 08[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
>>>>> 17:36:33 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
>>>>> 17:36:33 08[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
>>>>> 17:36:33 08[ENC] generating INFORMATIONAL_V1 request 3136248912 [
>>>>> N(AUTH_FAILED) ]
>>>>> 17:36:33 08[NET] sending packet: from 192.168.11.55[500] to
>>>>> 192.168.11.10[53029] (56 bytes)
>>>>> repeat.......
>>>>>
>>>>>
>>>>> the client log is
>>>>>
>>>>> Cisco Systems VPN Client Version 5.0.07.0440
>>>>> Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
>>>>> Client Type(s): Windows, WinNT
>>>>> Running on: 6.1.7600
>>>>> Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
>>>>>
>>>>> 1      09:07:02.435  07/15/15  Sev=Info/4 CM/0x63100002
>>>>> Begin connection process
>>>>>
>>>>> 2      09:07:02.461  07/15/15  Sev=Info/4 CM/0x63100004
>>>>> Establish secure connection
>>>>>
>>>>> 3      09:07:02.461  07/15/15  Sev=Info/4 CM/0x63100024
>>>>> Attempt connection with server "192.168.11.55"
>>>>>
>>>>> 4      09:07:02.465  07/15/15  Sev=Info/6 IKE/0x6300003B
>>>>> Attempting to establish a connection with 192.168.11.55.
>>>>>
>>>>> 5      09:07:02.471  07/15/15  Sev=Info/4 IKE/0x63000001
>>>>> Starting IKE Phase 1 Negotiation
>>>>>
>>>>> 6      09:07:02.479  07/15/15  Sev=Info/4 IKE/0x63000013
>>>>> SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.168.11.55
>>>>>
>>>>> 7      09:07:02.481  07/15/15  Sev=Info/4 IPSEC/0x63700008
>>>>> IPSec driver successfully started
>>>>>
>>>>> 8      09:07:02.481  07/15/15  Sev=Info/4 IPSEC/0x63700014
>>>>> Deleted all keys
>>>>>
>>>>> 9      09:07:02.484  07/15/15  Sev=Info/5 IKE/0x6300002F
>>>>> Received ISAKMP packet: peer = 192.168.11.55
>>>>>
>>>>> 10     09:07:02.484  07/15/15  Sev=Warning/2 IKE/0xE300009B
>>>>> Discarding incoming packet: Message is NOT encrypted
>>>>> (PacketReceiver:422)
>>>>>
>>>>> 11     09:07:02.484  07/15/15  Sev=Info/4 IKE/0x63000014
>>>>> RECEIVING <<< ISAKMP OAK INFO (Dropped) from 192.168.11.55
>>>>>
>>>>> 12     09:07:07.658  07/15/15  Sev=Info/4 IKE/0x63000021
>>>>> Retransmitting last packet!
>>>>>
>>>>> 13     09:07:07.658  07/15/15  Sev=Info/4 IKE/0x63000013
>>>>> SENDING >>> ISAKMP OAK AG (Retransmission) to 192.168.11.55
>>>>>
>>>>> repeat
>>>>>
>>>>> As a temporary workaround I commented out a line in the strongSwan
>>>>> source, because I received the error "payload type %N was not encrypted"
>>>>> on the first packet.
>>>>>
>>>>> diff -u -N
>>>>> opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
>>>>> opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
>>>>> --- opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2014-12-09
>>>>> 02:58:17.000000000 -0800
>>>>> +++ opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2015-07-10
>>>>> 11:50:55.000000000 -0700
>>>>> @@ -2487,7 +2487,7 @@
>>>>>   {
>>>>>   DBG1(DBG_ENC, "payload type %N was not encrypted",
>>>>>   payload_type_names, type);
>>>>> - status = FAILED;
>>>>> + //status = FAILED;
>>>>>   break;
>>>>>   }
>>>>>   }
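Review bot: Commenting out `status = FAILED;` turns the "payload type %N was not encrypted" branch into log-and-continue: the `break` still leaves the loop, but `status` keeps whatever value it had before, so a message carrying a payload that the IKE rules require to be encrypted is now accepted as if it were valid. That removes a protocol integrity check rather than fixing the cause, and the daemon log further up in the same message shows the exchange never gets past the Aggressive Mode config mismatch anyway, so this edit does not get the connection any closer to working. Keep the original `status = FAILED;` and treat the unencrypted first packet as a symptom to diagnose (which payload arrived in the clear, and in which exchange) instead of a condition to silence.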
>>>>>
>>>>> I have no idea why I got this error.
>>>>> Any input is very much appreciated.
>>>>>
>>>>> Tom
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.strongswan.org
>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>>
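An added example, not from the thread or from the strongSwan project: in strongSwan, permission to answer an IKEv1 Aggressive Mode initiator is a per-conn setting (`aggressive=yes` in ipsec.conf), while the `charon.i_dont_care_about_security_and_use_aggressive_mode_psk` switch in strongswan.conf only allows such PSK conns to be loaded at all. My reading of the log line "found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode" is that the conn was matched by address but carried no `aggressive=yes`; the addresses, pool and algorithms below are the ones from Tom's config, the conn name `cisco-psk-xauth` is my own.

```ini
# ipsec.conf (added example): Tom's conn with the per-conn Aggressive Mode
# permission added. Aggressive Mode with a group PSK lets anyone who can send
# the first packet obtain material for an offline guess at the PSK, which is
# why strongSwan gates it behind the strongswan.conf switch further down;
# prefer certificate authentication (main mode) wherever the client allows it.
conn %default
    ikelifetime=60m
    rekeymargin=3m
    keyingtries=1
    mobike=no
    keyexchange=ikev1

# conn name is an assumption; everything else mirrors the thread's 'cert' conn
conn cisco-psk-xauth
    type=tunnel
    auto=add
    # per-conn permission that the log line says no matching config had
    aggressive=yes
    esp=aes128-sha1!
    ike=aes128-sha1-modp1024!
    left=192.168.11.55
    right=%any
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    rightdns=10.3.0.1
    leftsubnet=10.3.1.0/24
    rightsourceip=10.3.0.0/28

# strongswan.conf (added example): still required in addition, otherwise a
# PSK conn with aggressive=yes is refused when the configuration is loaded.
charon {
    cisco_unity = yes
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
}
```

After changing either file, reload with `ipsec reload` (ipsec.conf) or restart charon (strongswan.conf) and check the daemon log for the conn being added before retrying the client.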