[strongSwan] xauth forced in site-to-site

Randy Wyatt rwwyatt01 at gmail.com
Fri Jun 5 20:32:25 CEST 2015


Increase your loglevel so we can see the initial messages of the
connection.  We need to see all the ISAKMP exchange messages.

On Fri, Jun 5, 2015 at 10:48 AM, Alexandre DEPREZ <alex at madrouter.com>
wrote:

> Here's everything I got
>
> Jun  5 18:44:32 x pluto[23543]: "tunnel-1" #686575: initiating Main Mode
> to replace #686529
> Jun  5 18:44:32 x pluto[23543]: "tunnel-1" #686575: ignoring Vendor ID
> payload [FRAGMENTATION c0000000]
> Jun  5 18:44:42 x pluto[23543]: "tunnel-1" #686575: Informational Exchange
> message must be encrypted
> Jun  5 18:45:02 x pluto[23543]: "tunnel-1" #686575: Informational Exchange
> message must be encrypted
> Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686575: max number of
> retransmissions (2) reached STATE_MAIN_I2
> Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686575: starting keying
> attempt 49 of an unlimited number
> Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686617: initiating Main Mode
> to replace #686575
> Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686617: ignoring Vendor ID
> payload [FRAGMENTATION c0000000]
> Jun  5 18:45:52 x pluto[23543]: "tunnel-1" #686617: Informational Exchange
> message must be encrypted
> Jun  5 18:46:12 x pluto[23543]: "tunnel-1" #686617: Informational Exchange
> message must be encrypted
> Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686617: max number of
> retransmissions (2) reached STATE_MAIN_I2
> Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686617: starting keying
> attempt 50 of an unlimited number
> Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686661: initiating Main Mode
> to replace #686617
> Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686661: ignoring Vendor ID
> payload [FRAGMENTATION c0000000]
> Jun  5 18:47:02 x pluto[23543]: "tunnel-1" #686661: Informational Exchange
> message must be encrypted
> Jun  5 18:47:22 x pluto[23543]: "tunnel-1" #686661: Informational Exchange
> message must be encrypted
>
>
> Continuously
>
>
>
> On Fri, Jun 5, 2015 at 7:44 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>
>> Can you post your logfile?
>>
>> The difference in configurations is the wiki has authby=secret in the
>> default connection whereas you have it in the individual connection.
>>
>> Regards,
>> Randy
>>
>> On Fri, Jun 5, 2015 at 10:39 AM, Alexandre DEPREZ <alex at madrouter.com>
>> wrote:
>>
>>> Yes, true, they are for Openswan, my bad.
>>>
>>> I do not have a hand on the other side. Can't tell.
>>>
>>> On Fri, Jun 5, 2015 at 7:35 PM, Noel Kuntze <noel at familie-kuntze.de>
>>> wrote:
>>>
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA256
>>>>
>>>> Hello Alexandre,
>>>>
>>>> These options don't exist:
>>>>         leftxauthclient=no
>>>>         rightxauthserver=no
>>>> You described using those in one of your last emails.
>>>> What is the config on the other side?
>>>>
>>>> Mit freundlichen Grüßen/Kind Regards,
>>>> Noel Kuntze
>>>>
>>>> GPG Key ID: 0x63EC6658
>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>
>>>> On 05.06.2015 at 19:29, Alexandre DEPREZ wrote:
>>>> > Randy,
>>>> >
>>>> > I'll change if there are no other possibilities.
>>>> >
>>>> > As for the link you gave me, thank you for it. I did a lot of digging
>>>> in the documentation I could read. So far, nothing seems to work.
>>>> >
>>>> >
>>>> > Noel,
>>>> >
>>>> > version 2.0
>>>> >
>>>> > config setup
>>>> >         charonstart=no
>>>> >         interfaces="%none"
>>>> >         nat_traversal=no
>>>> >
>>>> > conn clear
>>>> >         auto=ignore
>>>> >
>>>> > conn clear-or-private
>>>> >         auto=ignore
>>>> >
>>>> > conn private-or-clear
>>>> >         auto=ignore
>>>> >
>>>> > conn private
>>>> >         auto=ignore
>>>> >
>>>> > conn block
>>>> >         auto=ignore
>>>> >
>>>> > conn packetdefault
>>>> >         auto=ignore
>>>> >
>>>> > conn %default
>>>> >         keyexchange=ikev1
>>>> >
>>>> > conn tunnel-1
>>>> >         left=a.a.a.a
>>>> >         right=b.b.b.b
>>>> >         leftsubnet=10.252.243.128/28
>>>> >         rightsubnet=172.23.149.0/24
>>>> >         leftsourceip=a.a.a.a
>>>> >         ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>>>> >         ikelifetime=86400s
>>>> >         dpddelay=15s
>>>> >         dpdtimeout=30s
>>>> >         dpdaction=restart
>>>> >         esp=aes256-sha1!
>>>> >         keylife=3600s
>>>> >         rekeymargin=540s
>>>> >         type=tunnel
>>>> >         authby=secret
>>>> >         pfs=no
>>>> >         compress=no
>>>> >         auto=start
>>>> >         keyingtries=%forever
>>>> >
>>>> >
>>>> > Also, I didn't get the imaginary configuration option part?
>>>> >
>>>> > Thanks
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > On Fri, Jun 5, 2015 at 7:20 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>> >
>>>> >
>>>> > Hello Alexandre,
>>>> >
>>>> > Please stop trying to use some imaginary configuration options and
>>>> stick to those
>>>> > on the man page of ipsec.conf.
>>>> >
>>>> > What is your complete ipsec.conf? Pay attention to conn %default, if
>>>> you have that,
>>>> > as it will bequeath its own options to _all_ other conns.
>>>> >
>>>> >
>>>> >
>>>> > Mit freundlichen Grüßen/Kind Regards,
>>>> > Noel Kuntze
>>>> >
>>>> > GPG Key ID: 0x63EC6658
>>>> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>> >
>>>> > On 05.06.2015 at 19:07, Alexandre DEPREZ wrote:
>>>> > > Hi Randy,
>>>> >
>>>> > > I forgot to mention, i'm using this version:
>>>> >
>>>> > > Linux strongSwan U4.5.2/K3.2.0-4-amd64
>>>> >
>>>> > > Here it is:
>>>> >
>>>> > > conn tunnel-1
>>>> > >         left=a.a.a.a
>>>> > >         right=b.b.b.b
>>>> > >         leftsubnet=10.252.243.128/28
>>>> > >         rightsubnet=172.23.149.0/24
>>>> > >         leftsourceip=a.a.a.a
>>>> > >         ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>>>> > >         ikelifetime=86400s
>>>> > >         dpddelay=15s
>>>> > >         dpdtimeout=30s
>>>> > >         dpdaction=restart
>>>> > >         esp=aes256-sha1!
>>>> > >         keylife=3600s
>>>> > >         rekeymargin=540s
>>>> > >         type=tunnel
>>>> > >         authby=secret
>>>> > >         pfs=no
>>>> > >         compress=no
>>>> > >         auto=start
>>>> > >         keyingtries=%forever
>>>> >
>>>> > > I also tried to use
>>>> >
>>>> > >         leftxauthclient=no
>>>> > >         rightxauthserver=no
>>>> >
>>>> > > No changes.
>>>> >
>>>> > > Thanks
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > > On Fri, Jun 5, 2015 at 7:02 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>>>> >
>>>> > >     Please send a sanitized version of your configuration.  xauth
>>>> should only be sent if you configured it to be sent.
>>>> >
>>>> > >     On Fri, Jun 5, 2015 at 9:09 AM, Alexandre DEPREZ <alex at madrouter.com> wrote:
>>>> >
>>>> > >         Hi,
>>>> >
>>>> > >         I'm using strongswan only for L2L VPN.
>>>> >
>>>> > >         It's been some time now, I cannot be the initiator of the
>>>> VPN because strongSwan is always sending an XAUTH option in the phase 1
>>>> establishment.
>>>> >
>>>> > >         When the other side is not configured to receive remote
>>>> users, it's working, but when it is, I'm receiving L2TP/IPsec or some other
>>>> remote access VPN protocols.
>>>> >
>>>> > >         I cannot wait for the other side to send me traffic in
>>>> order to be the responder. I tried to recompile strongSwan removing xauth,
>>>> but it's not working.
>>>> >
>>>> > >         Is there any configuration command I can use to force
>>>> strongSwan not to send XAUTH?
>>>> >
>>>> > >         Thanks
>>>> >
>>>> > >         Alex
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > >         _______________________________________________
>>>> > >         Users mailing list
>>>> > >         Users at lists.strongswan.org
>>>> > >         https://lists.strongswan.org/mailman/listinfo/users
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > >     --
>>>> > >     Randy W. Wyatt
>>>> > >     rwwyatt01 at gmail.com
>>>> > >     Home: 858-309-5303
>>>> > >     Cell: 858-598-4421
>>>> > >     Fax: 858-408-7554
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>>
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v2
>>>>
>>>> iQIcBAEBCAAGBQJVcd3FAAoJEDg5KY9j7GZYL74P/j6DkBsYDrRHMnz/GXRf3Zp8
>>>> nh4lP69UwtikWftw0LZFtpXJCrARa/4R3bX7E7vEGnwW5Gt0aTtx4PJEPGffS+Oy
>>>> KfDdcivIZhVL8GAGb6USYbpygcvzb1syoGOHj+6GTOVgTykHJr4eLxtCnIpNBXcg
>>>> fJexVxkZX6ETI13zXXh9Ysis1B14BSustWAxODuSJf3BbTvjMB+1rdpWsKnx3xR4
>>>> sIVagIAdLeRoShFfCNj37JzfcwufKGqJ8OiyZrkIFR8Xv3JW1BaBMymTyWzy+aGj
>>>> WpBXlrLrXhYTftwYZ+CcjxmJMNUs+i+bP3dYZlZFKFyIxlG6WyhHYwd4s5IjzAaX
>>>> 6Sh6G7lpJLSSDcT+Wkvi06sLUvf+j8hT1cDyJUwVQkpcQGc6ibqZuAvDE+R+hGHG
>>>> 7l4qJri2HU6xOlUmNju+lbkGlQnKkdbqLwIC6WNXD1nvRWBnYgYsUVEzhfdliO2x
>>>> +OK8c/RSQAwDTiBi0BkZe1vP1uQ++w7/cB2ydEuHTPNbN37JDYByPop0oB9WRz92
>>>> 4VsfhJ2ZgVptAPi9AEnLWak7ziIJljdFykokpm0Ee4YFfZEEJm8kZjryzcULYTFW
>>>> fF9Zgnl6pKOYH5BIzEX0wbkcDkFImtXN3CqjTHmjZraC2RFxkL+DnsjlM8bs9jmu
>>>> 7n7QSIDcWhrXQdAOhVuV
>>>> =RpI6
>>>> -----END PGP SIGNATURE-----
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>
>


-- 
Randy W. Wyatt
rwwyatt01 at gmail.com
Home: 858-309-5303
Cell: 858-598-4421
Fax: 858-408-7554
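The log Alexandre posted shows the same pattern on every keying attempt: Main Mode starts, a Vendor ID arrives from the peer, two plaintext Informational exchanges are discarded, and the SA dies in STATE_MAIN_I2 before the next attempt begins. The script below is an added example (not code from the thread or from the strongSwan project) that parses such pluto lines per ISAKMP SA and turns them into the findings a reader would want before raising the loglevel as Randy asks. The sample log is a constructed, trimmed copy of the posted lines; the meaning given to the STATE_MAIN_I* names (the initiator's state is named after the message it has sent and is waiting to have answered) is pluto's own state naming, and the suggestion to use `plutodebug` is an assumption about how that reader would raise the debug level in a strongSwan 4.x `config setup`.

```python
"""Summarize a pluto (strongSwan 4.x IKEv1) log for a conn stuck in Main Mode.

Added example; not strongSwan code. Regexes match the message formats visible
in the posted log and nothing else.
"""
import re

# Constructed sample: the lines from the thread, trimmed to two keying attempts.
SAMPLE_LOG = """\
Jun  5 18:44:32 x pluto[23543]: "tunnel-1" #686575: initiating Main Mode to replace #686529
Jun  5 18:44:32 x pluto[23543]: "tunnel-1" #686575: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jun  5 18:44:42 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
Jun  5 18:45:02 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686575: max number of retransmissions (2) reached STATE_MAIN_I2
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686575: starting keying attempt 49 of an unlimited number
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686617: initiating Main Mode to replace #686575
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686617: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jun  5 18:45:52 x pluto[23543]: "tunnel-1" #686617: Informational Exchange message must be encrypted
Jun  5 18:46:12 x pluto[23543]: "tunnel-1" #686617: Informational Exchange message must be encrypted
Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686617: max number of retransmissions (2) reached STATE_MAIN_I2
Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686617: starting keying attempt 50 of an unlimited number
"""

# syslog prefix, then pluto's  "conn" #sa: message  layout
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)
VENDOR_RE = re.compile(r'ignoring Vendor ID payload \[(.+)\]')
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (STATE_\w+)')
ATTEMPT_RE = re.compile(r'starting keying attempt (\d+)')
PLAINTEXT_INFO = "Informational Exchange message must be encrypted"

# pluto names the initiator state after the Main Mode message it sent and is
# now waiting to have answered; MI2/MR2 is the KE/nonce exchange.
WAITING_FOR = {
    "STATE_MAIN_I1": "MR1, the responder's SA/proposal reply",
    "STATE_MAIN_I2": "MR2, the responder's KE/nonce reply",
    "STATE_MAIN_I3": "MR3, the responder's encrypted ID/HASH reply",
}


def parse(text):
    """One dict per pluto line; lines that do not fit the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def summarize(text):
    """Group events by ISAKMP SA number and count what happened to each SA."""
    per_sa = {}
    attempts = []
    for ev in parse(text):
        rec = per_sa.setdefault(ev["sa"], {
            "conn": ev["conn"], "vendor_ids": [], "plaintext_info": 0,
            "stuck_state": None, "retrans_limit": None,
        })
        msg = ev["msg"]
        if (m := VENDOR_RE.match(msg)):
            rec["vendor_ids"].append(m.group(1))        # peer answered MI1
        elif msg == PLAINTEXT_INFO:
            rec["plaintext_info"] += 1                  # peer notify, dropped
        elif (m := RETRANS_RE.match(msg)):
            rec["retrans_limit"] = int(m.group(1))
            rec["stuck_state"] = m.group(2)             # where the SA died
        elif (m := ATTEMPT_RE.match(msg)):
            attempts.append(int(m.group(1)))
    return per_sa, attempts


def diagnose(text):
    """Turn the per-SA summary into short findings; returns a list of strings."""
    per_sa, attempts = summarize(text)
    findings = []
    stuck = sorted({r["stuck_state"] for r in per_sa.values() if r["stuck_state"]})
    if len(stuck) == 1 and stuck[0] in WAITING_FOR:
        findings.append(f"every ISAKMP SA times out in {stuck[0]}, "
                        f"i.e. waiting for {WAITING_FOR[stuck[0]]}")
    if any(r["vendor_ids"] for r in per_sa.values()):
        findings.append("the peer did reply to MI1 (its Vendor ID payloads were "
                        "seen), so the SAs are not failing on reachability")
    dropped = sum(r["plaintext_info"] for r in per_sa.values())
    if dropped:
        findings.append(f"{dropped} unencrypted Informational exchanges from the "
                        "peer were discarded; their notify type is not logged at "
                        "this level (assumption: raise it with plutodebug)")
    if len(attempts) >= 2 and attempts == list(range(attempts[0], attempts[0] + len(attempts))):
        findings.append(f"keying attempts {attempts[0]}..{attempts[-1]} are consecutive: "
                        "the initiator is looping under keyingtries=%forever")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG):
        print("-", line)
```

Run against a full `/var/log/auth.log` excerpt, the per-SA view makes it obvious whether the failure point moves between attempts (which would point at the proposal or at fragmentation) or stays fixed at the same state, as it does here, where the next step is the higher loglevel Randy requested so the discarded Informational's contents become visible.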

