[strongSwan] xauth forced in site-to-site

Alexandre DEPREZ alex at madrouter.com
Fri Jun 5 19:48:48 CEST 2015


Here's everything I got

Jun  5 18:44:32 x pluto[23543]: "tunnel-1" #686575: initiating Main Mode to
replace #686529
Jun  5 18:44:32 x pluto[23543]: "tunnel-1" #686575: ignoring Vendor ID
payload [FRAGMENTATION c0000000]
Jun  5 18:44:42 x pluto[23543]: "tunnel-1" #686575: Informational Exchange
message must be encrypted
Jun  5 18:45:02 x pluto[23543]: "tunnel-1" #686575: Informational Exchange
message must be encrypted
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686575: max number of
retransmissions (2) reached STATE_MAIN_I2
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686575: starting keying attempt
49 of an unlimited number
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686617: initiating Main Mode to
replace #686575
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686617: ignoring Vendor ID
payload [FRAGMENTATION c0000000]
Jun  5 18:45:52 x pluto[23543]: "tunnel-1" #686617: Informational Exchange
message must be encrypted
Jun  5 18:46:12 x pluto[23543]: "tunnel-1" #686617: Informational Exchange
message must be encrypted
Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686617: max number of
retransmissions (2) reached STATE_MAIN_I2
Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686617: starting keying attempt
50 of an unlimited number
Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686661: initiating Main Mode to
replace #686617
Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686661: ignoring Vendor ID
payload [FRAGMENTATION c0000000]
Jun  5 18:47:02 x pluto[23543]: "tunnel-1" #686661: Informational Exchange
message must be encrypted
Jun  5 18:47:22 x pluto[23543]: "tunnel-1" #686661: Informational Exchange
message must be encrypted


Continuously



On Fri, Jun 5, 2015 at 7:44 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:

> Can you post your logfile ?
>
> The difference in configurations is the wiki has authby=secret in the
> default connection whereas you have it in the individual connection.
>
> Regards,
> Randy
>
> On Fri, Jun 5, 2015 at 10:39 AM, Alexandre DEPREZ <alex at madrouter.com>
> wrote:
>
>> Yes, true, they are for openswan, my bad.
>>
>> I do not have a hand on the other side. Can't tell.
>>
>> On Fri, Jun 5, 2015 at 7:35 PM, Noel Kuntze <noel at familie-kuntze.de>
>> wrote:
>>
>>>
>>>
>>> Hello Alexandre,
>>>
>>> These options don't exist:
>>>         leftxauthclient=no
>>>         rightxauthserver=no
>>> You described using those in one of your last emails.
>>> What is the config on the other side?
>>>
>>> Mit freundlichen Grüßen/Kind Regards,
>>> Noel Kuntze
>>>
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>
>>> Am 05.06.2015 um 19:29 schrieb Alexandre DEPREZ:
>>> > Randy,
>>> >
>>> > I'll change if there is no other possibilities.
>>> >
>>> > As for the link you gave me, thank you for it. I did a lot of digging
>>> in the documentation I could read. So far, nothing seems to work.
>>> >
>>> >
>>> > Noel,
>>> >
>>> > version 2.0
>>> >
>>> > config setup
>>> >         charonstart=no
>>> >         interfaces="%none"
>>> >         nat_traversal=no
>>> >
>>> > conn clear
>>> >         auto=ignore
>>> >
>>> > conn clear-or-private
>>> >         auto=ignore
>>> >
>>> > conn private-or-clear
>>> >         auto=ignore
>>> >
>>> > conn private
>>> >         auto=ignore
>>> >
>>> > conn block
>>> >         auto=ignore
>>> >
>>> > conn packetdefault
>>> >         auto=ignore
>>> >
>>> > conn %default
>>> >         keyexchange=ikev1
>>> >
>>> > conn tunnel-1
>>> >         left=a.a.a.a
>>> >         right=b.b.b.b
>>> >         leftsubnet=10.252.243.128/28
>>> >         rightsubnet=172.23.149.0/24
>>> >         leftsourceip=a.a.a.a
>>> >         ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>>> >         ikelifetime=86400s
>>> >         dpddelay=15s
>>> >         dpdtimeout=30s
>>> >         dpdaction=restart
>>> >         esp=aes256-sha1!
>>> >         keylife=3600s
>>> >         rekeymargin=540s
>>> >         type=tunnel
>>> >         authby=secret
>>> >         pfs=no
>>> >         compress=no
>>> >         auto=start
>>> >         keyingtries=%forever
>>> >
>>> >
>>> > Also, I didn't get the imaginary configuration option part?
>>> >
>>> > Thanks
>>> >
>>> >
>>> >
>>> >
>>> > On Fri, Jun 5, 2015 at 7:20 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>> >
>>> >
>>> > Hello Alexandre,
>>> >
>>> > Please stop trying to use some imaginary configuration options and
>>> > stick to those on the man page of ipsec.conf.
>>> >
>>> > What is your complete ipsec.conf? Pay attention to conn %default, if
>>> > you have that, as it will bequeath its own options to _all_ other conns.
>>> >
>>> >
>>> >
>>> > Mit freundlichen Grüßen/Kind Regards,
>>> > Noel Kuntze
>>> >
>>> > GPG Key ID: 0x63EC6658
>>> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>> >
>>> > Am 05.06.2015 um 19:07 schrieb Alexandre DEPREZ:
>>> > > Hi Randy,
>>> >
>>> > > I forgot to mention, I'm using this version:
>>> >
>>> > > Linux strongSwan U4.5.2/K3.2.0-4-amd64
>>> >
>>> > > Here it is:
>>> >
>>> > > conn tunnel-1
>>> > >         left=a.a.a.a
>>> > >         right=b.b.b.b
>>> > >         leftsubnet=10.252.243.128/28
>>> > >         rightsubnet=172.23.149.0/24
>>> > >         leftsourceip=a.a.a.a
>>> > >         ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>>> > >         ikelifetime=86400s
>>> > >         dpddelay=15s
>>> > >         dpdtimeout=30s
>>> > >         dpdaction=restart
>>> > >         esp=aes256-sha1!
>>> > >         keylife=3600s
>>> > >         rekeymargin=540s
>>> > >         type=tunnel
>>> > >         authby=secret
>>> > >         pfs=no
>>> > >         compress=no
>>> > >         auto=start
>>> > >         keyingtries=%forever
>>> >
>>> > > I also tried to use
>>> >
>>> > >         leftxauthclient=no
>>> > >         rightxauthserver=no
>>> >
>>> > > No changes.
>>> >
>>> > > Thanks
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > > On Fri, Jun 5, 2015 at 7:02 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>>> >
>>> > >     Please send a sanitized version of your configuration.  xauth
>>> > >     should only be sent if you configured it to be sent.
>>> >
>>> > >     On Fri, Jun 5, 2015 at 9:09 AM, Alexandre DEPREZ <alex at madrouter.com> wrote:
>>> >
>>> > >         Hi,
>>> >
>>> > >         I'm using strongswan only for L2L VPN.
>>> >
>>> > >         It's been some time now that I can not be the initiator of the
>>> > >         VPN because strongswan is always sending an XAUTH option in the
>>> > >         phase 1 establishment.
>>> >
>>> > >         When the other side is not configured to receive remote
>>> > >         users it's working, but when it is, I'm receiving L2TP/IPsec or
>>> > >         some other remote access VPN protocols.
>>> >
>>> > >         I can not wait for the other side to send me traffic in order
>>> > >         to be the responder. I tried to recompile strongswan removing
>>> > >         xauth, but it's not working.
>>> >
>>> > >         Is there any configuration command I can use to force
>>> > >         strongswan not to send XAUTH?
>>> >
>>> > >         Thanks
>>> >
>>> > >         Alex
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > >         _______________________________________________
>>> > >         Users mailing list
>>> > >         Users at lists.strongswan.org
>>> > >         https://lists.strongswan.org/mailman/listinfo/users
>>> >
>>> >
>>> >
>>> >
>>> > >     --
>>> > >     Randy W. Wyatt
>>> > >     rwwyatt01 at gmail.com
>>> > >     Home: 858-309-5303
>>> > >     Cell: 858-598-4421
>>> > >     Fax: 858-408-7554
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>
>>
>
>
>
> --
> Randy W. Wyatt
> rwwyatt01 at gmail.com
> Home: 858-309-5303
> Cell: 858-598-4421
> Fax: 858-408-7554
>
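An added example (my own code, not from the thread or from strongSwan) that parses pluto log lines like the ones Alexandre posted and summarises, per connection, the failure pattern they show: each ISAKMP SA times out in STATE_MAIN_I2 after pluto drops two unencrypted Informational Exchanges, while the keying-attempt counter keeps climbing. The sample log is constructed from the lines above (syslog records joined back onto one line); the function and field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto lines in this thread (each syslog
# record joined back onto one line): conn name, ISAKMP SA number, message.
SAMPLE_LOG = """\
Jun  5 18:44:32 x pluto[23543]: "tunnel-1" #686575: initiating Main Mode to replace #686529
Jun  5 18:44:32 x pluto[23543]: "tunnel-1" #686575: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jun  5 18:44:42 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
Jun  5 18:45:02 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686575: max number of retransmissions (2) reached STATE_MAIN_I2
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686575: starting keying attempt 49 of an unlimited number
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686617: initiating Main Mode to replace #686575
Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686617: max number of retransmissions (2) reached STATE_MAIN_I2
Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686617: starting keying attempt 50 of an unlimited number
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
RETRANS_RE = re.compile(r"max number of retransmissions \(\d+\) reached (\S+)")
ATTEMPT_RE = re.compile(r"starting keying attempt (\d+) of")

def parse_pluto(text):
    """Group pluto messages by (conn, ISAKMP SA number), in log order."""
    sas = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            sas[(m["conn"], int(m["sa"]))].append(m["msg"])
    return sas

def diagnose(text):
    """Per conn: SAs that timed out, the state they died in (STATE_MAIN_I2 =
    initiator sent its KE/nonce message and never got the responder's), how
    many unencrypted Informational Exchanges pluto dropped, last attempt no."""
    report = {}
    for (conn, sa), msgs in parse_pluto(text).items():
        r = report.setdefault(conn, {"timed_out_sas": [], "state": None,
                                     "unencrypted_informational": 0, "last_attempt": 0})
        for msg in msgs:
            if msg.startswith("Informational Exchange message must be encrypted"):
                r["unencrypted_informational"] += 1
            m = RETRANS_RE.search(msg)
            if m:
                r["timed_out_sas"].append(sa)
                r["state"] = m.group(1)
            m = ATTEMPT_RE.search(msg)
            if m:
                r["last_attempt"] = max(r["last_attempt"], int(m.group(1)))
    return report
```

Run it over a real /var/log/auth.log excerpt to see at a glance which connections never get past Main Mode and whether the peer is answering with something pluto refuses to process.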
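An added example (my own code, not the project's) that does by script what Noel and Randy check by hand: it parses an ipsec.conf, merges conn %default into every other conn, flags keys that are not in a small allow-list (such as leftxauthclient and rightxauthserver, which Noel says do not exist), and reports whether the effective settings request XAUTH at all. The sample file is constructed from the thread's config; the allow-list is an assumption and deliberately not the full man page.

```python
# Constructed ipsec.conf modelled on the thread: a "conn %default" section and
# the two keys Noel said do not exist.
SAMPLE_CONF = """\
conn %default
        keyexchange=ikev1
        authby=secret

conn tunnel-1
        left=a.a.a.a
        right=b.b.b.b
        leftsubnet=10.252.243.128/28
        auto=start
        leftxauthclient=no
        rightxauthserver=no
"""

# Small allow-list: keys used in the thread's configs plus the XAUTH-related
# keys that do exist in ipsec.conf (assumption: deliberately not exhaustive).
KNOWN_KEYS = {"keyexchange", "left", "right", "leftsubnet", "rightsubnet", "ike",
              "esp", "ikelifetime", "keylife", "rekeymargin", "dpddelay", "dpdtimeout",
              "dpdaction", "type", "authby", "pfs", "compress", "auto", "keyingtries",
              "leftsourceip", "leftauth", "rightauth", "xauth"}

def parse_ipsec_conf(text):
    """Return {"conn tunnel-1": {key: value}, ...}; headers start in column 0."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def effective_conns(sections):
    """Merge "conn %default" under every other conn, as ipsec.conf semantics do."""
    default = sections.get("conn %default", {})
    return {name[5:]: {**default, **opts} for name, opts in sections.items()
            if name.startswith("conn ") and name != "conn %default"}

def audit(text):
    """Per conn: unknown keys, effective authby, and whether XAUTH is requested."""
    report = {}
    for name, opts in effective_conns(parse_ipsec_conf(text)).items():
        xauth = (opts.get("authby", "").startswith("xauth") or "xauth" in opts
                 or "xauth" in (opts.get("leftauth"), opts.get("rightauth")))
        report[name] = {"unknown": sorted(k for k in opts if k not in KNOWN_KEYS),
                        "authby": opts.get("authby"), "xauth_requested": xauth}
    return report
```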

