[strongSwan] IPsec - between TL-ER6120 and OpenWRT with strongSwan [beginner]

tomek_byd at tlen.pl tomek_byd at tlen.pl
Mon Jul 20 13:58:16 CEST 2015


Hello!

After the change from IKEv1 to IKEv2 I have errors as shown below. In
the TP-Link settings I don't see the possibility to change IKEv1/v2. I
don't know what is even set in the TP-Link. A sample panel is visible on
http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
What is best to change 3DES to?

root at SomeWRT:~# ipsec up somename
no files found matching '/etc/strongswan.d/*.conf'
initiating Main Mode IKE_SA somename[1] to A.A.A.A
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'somename' failed

2015-07-19 22:32 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
>
>
> Hello Tomek,
>
> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very slow.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 19.07.2015 at 13:34, tomek_byd wrote:
>> I don't know how to write the correct config file for the connection. My config is a conglomeration of many examples from the Internet. So far I haven't had any contact with IPsec. I have control of both the TL-ER6120 and OpenWRT, so I can make changes on both devices. I see the error "IDr payload missing" but the parameter "leftid" is set in the config file.
>>
>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <-> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>>
>> TL-ER6120 configuration:
>> IKE Proposal: MD5, 3DES, DH2
>> IKE Policy:
>>   Exchange Mode: main,
>>   Local ID Type: FQDN,
>>   Local ID: A.A.A.A
>>   Remote ID Type: FQDN
>>   Remote ID: B.B.B.B
>>   Pre-shared Key: XXXXXX
>>   SA Lifetime: 28800
>>   DPD: Disable
>> IPsec Proposal: ESP, MD5, 3DES
>> IPsec Policy:
>>   Mode: LAN-to-LAN
>>   Local Subnet: 192.168.1.0/24
>>   Remote Subnet: 192.168.2.0/24
>>   WAN: WAN1
>>   Remote Gateway: B.B.B.B
>>   Policy Mode: IKE
>>   PFS: DH2
>>   SA Lifetime: 28800
>>
>> OpenWRT configuration:
>> /etc/ipsec.conf:
>> config setup
>>     # strictcrlpolicy = no
>>     # uniqueids = no
>> conn somename
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ikev2
>>     type=tunnel
>>     authby=secret
>>     ike=3des-md5-modp1024!
>>     esp=3des-md5!
>>     rekey=no
>>     left=B.B.B.B
>>     leftid=B.B.B.B
>>     leftsubnet=192.168.2.0/24
>>     leftauth=psk
>>     right=A.A.A.A
>>     rightid=A.A.A.A
>>     rightsubnet=192.168.1.0/24
>>     rightauth=psk
>>     dpdaction=none
>>     auto=add
>>     mobike=no
>> /etc/ipsec.secrets
>> A.A.A.A : PSK "XXXXXX"
>> B.B.B.B : PSK "XXXXXX"
>>
>> Output:
>> root at SomeWRT:~# ipsec up somename
>> no files found matching '/etc/strongswan.d/*.conf'
>> initiating IKE_SA somename[1] to A.A.A.A
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
>> local host is behind NAT, sending keep alives
>> remote host is behind NAT
>> authentication of 'B.B.B.B' (myself) with pre-shared key
>> establishing CHILD_SA somename
>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
>> IDr payload missing
>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
>> establishing connection 'somename' failed
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
>
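An added example, not the poster's config and not endorsed by the thread: an /etc/ipsec.conf for the OpenWRT side rewritten around what the TL-ER6120 panel quoted above declares (IKEv1 main mode, MD5/3DES/DH2, PFS DH2, 28800 s lifetimes, FQDN-typed IDs). It assumes the router really sends its IP literal as an FQDN identity; strongSwan's @ prefix is what tells it to expect an FQDN rather than an IPv4 address ID.

```conf
# Added example (not the poster's file): OpenWRT/strongSwan side of the
# tunnel, aligned with the TL-ER6120 settings quoted in the thread.
config setup
    # strictcrlpolicy=no
    # uniqueids=no

conn somename
    # The TL-ER6120 panel only offers "Exchange Mode: main" (IKEv1),
    # so do not negotiate IKEv2 against it.
    keyexchange=ikev1
    aggressive=no
    type=tunnel
    authby=secret
    # Phase 1 proposal matching "IKE Proposal: MD5, 3DES, DH2"
    # (DH group 2 = modp1024). 3DES and MD5 are weak and slow; keep them
    # only as long as the router offers nothing stronger.
    ike=3des-md5-modp1024!
    # Phase 2 proposal matching "IPsec Proposal: ESP, MD5, 3DES" plus
    # "PFS: DH2", which strongSwan expresses as a DH group in esp=.
    esp=3des-md5-modp1024!
    # Both router SA lifetimes are 28800 s = 8h.
    ikelifetime=8h
    lifetime=8h
    rekeymargin=3m
    keyingtries=1
    rekey=no
    left=B.B.B.B
    # Router "Local/Remote ID Type: FQDN": it sends and expects FQDN
    # identities. A bare A.A.A.A is parsed by strongSwan as an IPv4
    # address ID; the @ prefix marks the value as an FQDN instead
    # (assumption: the router sends the IP literal as an FQDN).
    leftid=@B.B.B.B
    leftsubnet=192.168.2.0/24
    leftauth=psk
    right=A.A.A.A
    rightid=@A.A.A.A
    rightsubnet=192.168.1.0/24
    rightauth=psk
    # "DPD: Disable" on the router side
    dpdaction=none
    auto=add
```

The NO_PROP notify in the Main Mode attempt at the top arrives in reply to the very first message, so the router rejected the Phase 1 SA payload before any identities were exchanged; the ike= algorithms, DH group and ikelifetime are therefore the first things to compare against the router panel.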

