[strongSwan] but none allows XAuthInitPSK authentication using Aggressive Mode
Noel Kuntze
noel at familie-kuntze.de
Thu Jul 16 04:27:11 CEST 2015
Hello,
In addition to the setting in strongswan.conf, you need to enable aggressive mode
in the conn by using aggressive=yes.
And /please/ read the man pages for the config files and look on the website if you try to do things.
Also, using aggressive mode is a /very/ bad idea.
Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
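The two conditions named in this reply (the strongswan.conf knob and aggressive=yes in the conn itself) as a small configuration lint. This is an added example, not strongSwan's own code or its config parser; it assumes a deliberately simplified reader for ipsec.conf and strongswan.conf, and the sample configs embedded in it are constructed, modelled on the conn quoted later in this thread.

```python
import re

# Constructed sample, modelled on the ipsec.conf conn quoted in the thread
# (the one that logged "found 1 matching config, but none allows
# XAuthInitPSK authentication using Aggressive Mode").
IPSEC_CONF = """\
conn %default
    ikelifetime=60m
    keyexchange=ikev1

conn cert
    type=tunnel
    auto=add
    left=192.168.11.55
    right=%any
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
"""

# Constructed sample of the strongswan.conf section quoted in the thread.
STRONGSWAN_CONF = """\
charon {
    cisco_unity = yes
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
}
"""

AGGRESSIVE_KNOB = "i_dont_care_about_security_and_use_aggressive_mode_psk"


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader (not strongSwan's parser): returns
    {conn_name: {key: value}} with 'conn %default' folded into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^conn\s+(\S+)$", line)
        if match:
            current = sections.setdefault(match.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **params} for name, params in sections.items()}


def aggressive_psk_allowed_globally(strongswan_conf):
    """True if the charon.i_dont_care_about_security_and_use_aggressive_mode_psk
    knob is set to yes (naive regex search, no section awareness)."""
    match = re.search(AGGRESSIVE_KNOB + r"\s*=\s*(\w+)", strongswan_conf)
    return bool(match) and match.group(1).lower() == "yes"


def lint_xauth_psk(ipsec_conf, strongswan_conf):
    """Return (conn, level, message) tuples for IKEv1 conns that accept
    XAuth-over-PSK initiators, checking both conditions the thread names:
    the global knob and aggressive=yes in the conn."""
    findings = []
    global_ok = aggressive_psk_allowed_globally(strongswan_conf)
    for name, p in parse_ipsec_conf(ipsec_conf).items():
        if p.get("keyexchange", "ike") not in ("ike", "ikev1"):
            continue  # IKEv2-only conn, aggressive mode does not apply
        if not (p.get("rightauth") == "psk" and p.get("rightauth2") == "xauth"):
            continue  # not an XAuthInitPSK responder config
        if not global_ok:
            findings.append((name, "error",
                             f"strongswan.conf lacks charon.{AGGRESSIVE_KNOB} = yes; "
                             "aggressive-mode PSK clients will be answered with AUTH_FAILED"))
        if p.get("aggressive", "no").lower() != "yes":
            findings.append((name, "error",
                             "conn has no aggressive=yes; an aggressive-mode client will log "
                             "'none allows XAuthInitPSK authentication using Aggressive Mode'"))
        elif global_ok:
            findings.append((name, "warning",
                             "aggressive mode with PSK is enabled; prefer main mode or certificates"))
    return findings


if __name__ == "__main__":
    for conn, level, msg in lint_xauth_psk(IPSEC_CONF, STRONGSWAN_CONF):
        print(f"{level}: {conn}: {msg}")
```

Run against the constructed sample, the lint reports exactly the mismatch from the charon log: the global knob is on, but conn cert has no aggressive=yes. Adding that line turns the error into a warning, which keeps the reviewer's point visible that aggressive mode with PSK is being allowed at all.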
On 16.07.2015 at 04:23, Randy Wyatt wrote:
> You specifically said
> when I forced to main mode by comment out i_dont_care_about_security_and_use_aggressive_mode_psk = yes, the client still send AG mode
>
> log of swan is
>
> 17:36:03 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-
>
> The log provided matches what you stated. Cisco doesn't even recommend their own ipsec client. This comes directly from Cisco support. It kept bluescreening on Windows 7 64 for me.
>
> Please copy the entire mailing list in the response.
>
> Regards,
> Randy
>
> On Wed, Jul 15, 2015 at 7:19 PM, Tom Hu <pleasetalktome at gmail.com> wrote:
>
> Randy
>
> my attached log did not comment out i_dont_care_about_security_and_use_aggressive_mode_psk = yes "
>
> If I commented out it, the client kept trying AG mode and never giving up
>
> hmm, I did not have a way to disable AG mode and enable MM in the cisco vpn client config.
>
> Thanks
>
> Tom
>
> On Wed, Jul 15, 2015 at 7:05 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>
> You commented the line i_dont_care_about_security_and_use_aggressive_mode_psk = yes out of strongswan.conf so aggressive mode is no longer supported.
>
> The line i_dont_care_about_security_and_use_aggressive_mode_psk = yes must *not* be commented out.
>
> The client is expecting aggressive mode, but you disabled it on the server.
>
> Does this clarify things?
>
> On Wed, Jul 15, 2015 at 7:02 PM, Tom Hu <pleasetalktome at gmail.com> wrote:
>
> Randy
>
> Thanks for replying
>
> I do not understand that "Strongswan didn't find a proposal to match because it doesn't support aggressive mode"
> BTW: Does strongswan not support AG mode? is it true? I did test of cert, it uses MM mode
>
> the problem is got error "but none allows XAuthInitPSK authentication using Aggressive Mode"
>
> and communication is stopped
>
>
> Thanks
>
> Tom
>
> On Wed, Jul 15, 2015 at 5:13 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>
> I think the behavior is right, but someone more qualified than me would have to comment.
>
> Strongswan didn't find a proposal to match because it doesn't support aggressive mode. What is the problem here?
>
> On Wed, Jul 15, 2015 at 5:08 PM, Tom Hu <pleasetalktome at gmail.com> wrote:
>
> Hi ALL
>
> I used strongswan as GW and cisco vpn as client on Windows 7 to test interoperability using a pre-shared key.
> got the error "but none allows XAuthInitPSK authentication using Aggressive Mode"
>
> the config of strongswan
>
> conn %default
>     ikelifetime=60m
>     rekeymargin=3m
>     keyingtries=1
>     mobike=no
>     keyexchange=ikev1
>
> include /etc/ipsec.cert.conf
>
> conn cert
>     type=tunnel
>     auto=add
>     esp=aes128-sha1!
>     ike=aes128-sha1-modp1024!
>     left=192.168.11.55
>     right=%any
>     leftauth=psk
>     rightauth=psk
>     rightauth2=xauth
>     rightdns=10.3.0.1
>     leftsubnet=10.3.1.0/24
>     rightsourceip=10.3.0.0/28
>
> cisco vpn Client (not anyconnect) - using "group authentication"
>
> strongswan.conf
> charon {
>     cisco_unity = yes
>     i_dont_care_about_security_and_use_aggressive_mode_psk = yes
>     plugins {
>         attr {
>             UNITY_SPLIT_INCLUDE=28676
>             INTERNAL_IP4_ADDRESS=1
>             INTERNAL_IP4_NETMASK=2
>             INTERNAL_IP4_DNS=3
>             UNITY_LOCAL_LAN=28678
>         }
>     }
> }
>
> when I forced to main mode by comment out i_dont_care_about_security_and_use_aggressive_mode_psk = yes, the client still send AG mode
>
> log of swan is
>
> 17:36:03 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-220.17.1.142.bos_dove_72.x86_64.VPN-APP-S5_SN_DOVE, x86_64)
> 17:36:03 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 17:36:03 00[CFG] loaded ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1" from '/etc/ipsec.d/cacerts/ca.pem'
> 17:36:03 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such file or directory
> 17:36:03 00[CFG] reading directory failed
> 17:36:03 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No such file or directory
> 17:36:03 00[CFG] reading directory failed
> 17:36:03 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such file or directory
> 17:36:03 00[CFG] reading directory failed
> 17:36:03 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such file or directory
> 17:36:03 00[CFG] reading directory failed
> 17:36:03 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 17:36:03 00[CFG] loaded IKE secret for %any
> 17:36:03 00[CFG] loaded 1 RADIUS server configuration
> 17:36:03 00[LIB] loaded plugins: charon aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce xauth-pam x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-identity eap-radius updown
> 17:36:03 00[LIB] unable to load 12 plugin features (12 due to unmet dependencies)
> 17:36:03 00[JOB] spawning 16 worker threads
> 17:36:03 05[CFG] received stroke: add connection 'cert'
> 17:36:03 05[CFG] adding virtual IP address pool 10.3.0.0/28
> 17:36:03 05[CFG] added configuration 'cert'
> 17:36:28 07[NET] received packet: from 192.168.11.10[53029] to 192.168.11.55[500] (865 bytes)
> 17:36:28 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
> 17:36:28 07[IKE] received XAuth vendor ID
> 17:36:28 07[IKE] received DPD vendor ID
> 17:36:28 07[IKE] received FRAGMENTATION vendor ID
> 17:36:28 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 17:36:28 07[IKE] received Cisco Unity vendor ID
> 17:36:28 07[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
> 17:36:28 07[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
> 17:36:28 07[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
> 17:36:28 07[ENC] generating INFORMATIONAL_V1 request 1035333975 [ N(AUTH_FAILED) ]
> 17:36:28 07[NET] sending packet: from 192.168.11.55[500] to 192.168.11.10[53029] (56 bytes)
> 17:36:33 08[NET] received packet: from 192.168.11.10[53029] to 192.168.11.55[500] (865 bytes)
> 17:36:33 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
> 17:36:33 08[IKE] received XAuth vendor ID
> 17:36:33 08[IKE] received DPD vendor ID
> 17:36:33 08[IKE] received FRAGMENTATION vendor ID
> 17:36:33 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 17:36:33 08[IKE] received Cisco Unity vendor ID
> 17:36:33 08[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
> 17:36:33 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
> 17:36:33 08[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
> 17:36:33 08[ENC] generating INFORMATIONAL_V1 request 3136248912 [ N(AUTH_FAILED) ]
> 17:36:33 08[NET] sending packet: from 192.168.11.55[500] to 192.168.11.10[53029] (56 bytes)
> repeat.......
>
>
> the client log is
>
> Cisco Systems VPN Client Version 5.0.07.0440
> Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
> Client Type(s): Windows, WinNT
> Running on: 6.1.7600
> Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
>
> 1 09:07:02.435 07/15/15 Sev=Info/4 CM/0x63100002
> Begin connection process
>
> 2 09:07:02.461 07/15/15 Sev=Info/4 CM/0x63100004
> Establish secure connection
>
> 3 09:07:02.461 07/15/15 Sev=Info/4 CM/0x63100024
> Attempt connection with server "192.168.11.55"
>
> 4 09:07:02.465 07/15/15 Sev=Info/6 IKE/0x6300003B
> Attempting to establish a connection with 192.168.11.55.
>
> 5 09:07:02.471 07/15/15 Sev=Info/4 IKE/0x63000001
> Starting IKE Phase 1 Negotiation
>
> 6 09:07:02.479 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.168.11.55
>
> 7 09:07:02.481 07/15/15 Sev=Info/4 IPSEC/0x63700008
> IPSec driver successfully started
>
> 8 09:07:02.481 07/15/15 Sev=Info/4 IPSEC/0x63700014
> Deleted all keys
>
> 9 09:07:02.484 07/15/15 Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 10 09:07:02.484 07/15/15 Sev=Warning/2 IKE/0xE300009B
> Discarding incoming packet: Message is NOT encrypted (PacketReceiver:422)
>
> 11 09:07:02.484 07/15/15 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK INFO (Dropped) from 192.168.11.55
>
> 12 09:07:07.658 07/15/15 Sev=Info/4 IKE/0x63000021
> Retransmitting last packet!
>
> 13 09:07:07.658 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK AG (Retransmission) to 192.168.11.55
>
> repeat
>
> As a temporary workaround, I commented out a line in the strongswan source file,
> because the first packet produced the error "payload type %N was not encrypted".
>
> diff -u -N opensource/strongswan-5.2.2/src/libcharon/encoding/message.c opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
> --- opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2014-12-09 02:58:17.000000000 -0800
> +++ opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2015-07-10 11:50:55.000000000 -0700
> @@ -2487,7 +2487,7 @@
> {
> DBG1(DBG_ENC, "payload type %N was not encrypted",
> payload_type_names, type);
> - status = FAILED;
> + //status = FAILED;
> break;
> }
> }
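Review bot: commenting out `status = FAILED;` in this hunk turns a hard rejection into a silent accept: the `DBG1` line still logs "payload type %N was not encrypted", but the `break` now leaves the prior status in place, so a payload the protocol requires to be encrypted is processed as if it were valid. That removes an integrity check instead of addressing why it fires; the charon log in this same mail points at the actual cause (`found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode`), which is a configuration mismatch rather than a parsing bug. Suggest reverting this change and fixing the config instead (the reply above names `aggressive=yes` in the conn together with the strongswan.conf setting).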
>
> I have no idea why I got this error.
> Any input would be very much appreciated.
>
> Tom
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users