[strongSwan] xauth forced in site-to-site

Alexandre DEPREZ alex at madrouter.com
Wed Jun 10 12:33:09 CEST 2015


Hi,

Just to complete the thread: the IP of my strongSwan machine was going
through a NAT process on the way to the peer, so the source IP was changed and
was being understood as a remote client by the peer.

No bug so far.


On Fri, Jun 5, 2015 at 8:32 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:

> Increase your loglevel so we can see the initial messages of the
> connection.  We need to see all the ISAKMP exchange messages.
>
> On Fri, Jun 5, 2015 at 10:48 AM, Alexandre DEPREZ <alex at madrouter.com>
> wrote:
>
>> Here's everything I got
>>
>> Jun  5 18:44:32 x pluto[23543]: "tunnel-1" #686575: initiating Main Mode
>> to replace #686529
>> Jun  5 18:44:32 x pluto[23543]: "tunnel-1" #686575: ignoring Vendor ID
>> payload [FRAGMENTATION c0000000]
>> Jun  5 18:44:42 x pluto[23543]: "tunnel-1" #686575: Informational
>> Exchange message must be encrypted
>> Jun  5 18:45:02 x pluto[23543]: "tunnel-1" #686575: Informational
>> Exchange message must be encrypted
>> Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686575: max number of
>> retransmissions (2) reached STATE_MAIN_I2
>> Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686575: starting keying
>> attempt 49 of an unlimited number
>> Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686617: initiating Main Mode
>> to replace #686575
>> Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686617: ignoring Vendor ID
>> payload [FRAGMENTATION c0000000]
>> Jun  5 18:45:52 x pluto[23543]: "tunnel-1" #686617: Informational
>> Exchange message must be encrypted
>> Jun  5 18:46:12 x pluto[23543]: "tunnel-1" #686617: Informational
>> Exchange message must be encrypted
>> Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686617: max number of
>> retransmissions (2) reached STATE_MAIN_I2
>> Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686617: starting keying
>> attempt 50 of an unlimited number
>> Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686661: initiating Main Mode
>> to replace #686617
>> Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686661: ignoring Vendor ID
>> payload [FRAGMENTATION c0000000]
>> Jun  5 18:47:02 x pluto[23543]: "tunnel-1" #686661: Informational
>> Exchange message must be encrypted
>> Jun  5 18:47:22 x pluto[23543]: "tunnel-1" #686661: Informational
>> Exchange message must be encrypted
>>
>>
>> Continuously
>>
>>
>>
>> On Fri, Jun 5, 2015 at 7:44 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>>
>>> Can you post your logfile ?
>>>
>>> The difference in configurations is the wiki has authby=secret in the
>>> default connection whereas you have it in the individual connection.
>>>
>>> Regards,
>>> Randy
>>>
>>> On Fri, Jun 5, 2015 at 10:39 AM, Alexandre DEPREZ <alex at madrouter.com>
>>> wrote:
>>>
>>>> Yes, true, they are for Openswan, my bad.
>>>>
>>>> I don't have access to the other side. Can't tell.
>>>>
>>>> On Fri, Jun 5, 2015 at 7:35 PM, Noel Kuntze <noel at familie-kuntze.de>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> Hello Alexandre,
>>>>>
>>>>> These options don't exist:
>>>>>         leftxauthclient=no
>>>>>         rightxauthserver=no
>>>>> You described using those in one of your last emails.
>>>>> What is the config on the other side?
>>>>>
>>>>> Kind Regards,
>>>>> Noel Kuntze
>>>>>
>>>>> GPG Key ID: 0x63EC6658
>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>>
>>>>> On 05.06.2015 at 19:29, Alexandre DEPREZ wrote:
>>>>> > Randy,
>>>>> >
>>>>> > I'll change if there is no other possibilities.
>>>>> >
>>>>> > As for the link you gave me, thank you for it. I did a lot of
>>>>> digging in the documentation I could read. So far, nothing seems to work.
>>>>> >
>>>>> >
>>>>> > Noel,
>>>>> >
>>>>> > version 2.0
>>>>> >
>>>>> > config setup
>>>>> >         charonstart=no
>>>>> >         interfaces="%none"
>>>>> >         nat_traversal=no
>>>>> >
>>>>> > conn clear
>>>>> >         auto=ignore
>>>>> >
>>>>> > conn clear-or-private
>>>>> >         auto=ignore
>>>>> >
>>>>> > conn private-or-clear
>>>>> >         auto=ignore
>>>>> >
>>>>> > conn private
>>>>> >         auto=ignore
>>>>> >
>>>>> > conn block
>>>>> >         auto=ignore
>>>>> >
>>>>> > conn packetdefault
>>>>> >         auto=ignore
>>>>> >
>>>>> > conn %default
>>>>> >         keyexchange=ikev1
>>>>> >
>>>>> > conn tunnel-1
>>>>> >         left=a.a.a.a
>>>>> >         right=b.b.b.b
>>>>> >         leftsubnet=10.252.243.128/28
>>>>> >         rightsubnet=172.23.149.0/24
>>>>> >         leftsourceip=a.a.a.a
>>>>> >         ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>>>>> >         ikelifetime=86400s
>>>>> >         dpddelay=15s
>>>>> >         dpdtimeout=30s
>>>>> >         dpdaction=restart
>>>>> >         esp=aes256-sha1!
>>>>> >         keylife=3600s
>>>>> >         rekeymargin=540s
>>>>> >         type=tunnel
>>>>> >         authby=secret
>>>>> >         pfs=no
>>>>> >         compress=no
>>>>> >         auto=start
>>>>> >         keyingtries=%forever
>>>>> >
>>>>> >
>>>>> > Also, I didn't get the imaginary configuration option part?
>>>>> >
>>>>> > Thanks
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > On Fri, Jun 5, 2015 at 7:20 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>>> >
>>>>> >
>>>>> > Hello Alexandre,
>>>>> >
>>>>> > Please stop trying to use some imaginary configuration options and
>>>>> > stick to those on the man page of ipsec.conf.
>>>>> >
>>>>> > What is your complete ipsec.conf? Pay attention to conn %default, if
>>>>> > you have that, as it will bequeath its own options to _all_ other conns.
>>>>> >
>>>>> >
>>>>> >
>>>>> > Kind Regards,
>>>>> > Noel Kuntze
>>>>> >
>>>>> > GPG Key ID: 0x63EC6658
>>>>> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>> >
>>>>> > On 05.06.2015 at 19:07, Alexandre DEPREZ wrote:
>>>>> > > Hi Randy,
>>>>> >
>>>>> > > I forgot to mention, I'm using this version:
>>>>> >
>>>>> > > Linux strongSwan U4.5.2/K3.2.0-4-amd64
>>>>> >
>>>>> > > Here it is:
>>>>> >
>>>>> > > conn tunnel-1
>>>>> > >         left=a.a.a.a
>>>>> > >         right=b.b.b.b
>>>>> > >         leftsubnet=10.252.243.128/28
>>>>> > >         rightsubnet=172.23.149.0/24
>>>>> > >         leftsourceip=a.a.a.a
>>>>> > >         ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>>>>> > >         ikelifetime=86400s
>>>>> > >         dpddelay=15s
>>>>> > >         dpdtimeout=30s
>>>>> > >         dpdaction=restart
>>>>> > >         esp=aes256-sha1!
>>>>> > >         keylife=3600s
>>>>> > >         rekeymargin=540s
>>>>> > >         type=tunnel
>>>>> > >         authby=secret
>>>>> > >         pfs=no
>>>>> > >         compress=no
>>>>> > >         auto=start
>>>>> > >         keyingtries=%forever
>>>>> >
>>>>> > > I also tried to use
>>>>> >
>>>>> > >         leftxauthclient=no
>>>>> > >         rightxauthserver=no
>>>>> >
>>>>> > > No changes.
>>>>> >
>>>>> > > Thanks
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > > On Fri, Jun 5, 2015 at 7:02 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>>>>> >
>>>>> > >     Please send a sanitized version of your configuration. xauth
>>>>> > >     should only be sent if you configured it to be sent.
>>>>> >
>>>>> > >     On Fri, Jun 5, 2015 at 9:09 AM, Alexandre DEPREZ <alex at madrouter.com> wrote:
>>>>> >
>>>>> > >         Hi,
>>>>> >
>>>>> > >         I'm using strongswan only for L2L VPN.
>>>>> >
>>>>> > >         It's been some time now that I cannot be the initiator of
>>>>> > >         the VPN, because strongSwan is always sending an XAUTH option in
>>>>> > >         the phase 1 establishment.
>>>>> >
>>>>> > >         When the other side is not configured to accept remote
>>>>> > >         users, it's working, but when it is, I'm receiving L2TP/IPsec or
>>>>> > >         some other remote access VPN protocols.
>>>>> >
>>>>> > >         I cannot wait for the other side to send me traffic in
>>>>> > >         order to be the responder. I tried to recompile strongSwan
>>>>> > >         removing xauth, but it's not working.
>>>>> >
>>>>> > >         Is there any configuration command I can use to force
>>>>> > >         strongSwan not to send XAUTH?
>>>>> >
>>>>> > >         Thanks
>>>>> >
>>>>> > >         Alex
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > >         _______________________________________________
>>>>> > >         Users mailing list
>>>>> > >         Users at lists.strongswan.org
>>>>> > >         https://lists.strongswan.org/mailman/listinfo/users
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > >     --
>>>>> > >     Randy W. Wyatt
>>>>> > >     rwwyatt01 at gmail.com
>>>>> > >     Home: 858-309-5303
>>>>> > >     Cell: 858-598-4421
>>>>> > >     Fax: 858-408-7554
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
>
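The log in this thread shows the classic shape of a Main Mode initiator whose peer has matched it against the wrong connection: pluto reaches STATE_MAIN_I2 (MI2 sent, waiting for MR2), the responder answers each retransmit with a cleartext Informational that pluto discards, and the keying attempt is restarted forever. The script below is an added example, not code from the thread or from strongSwan; it parses the pluto lines Alexandre posted (re-joined onto single lines, as a constructed sample) and turns that pattern into a verdict. The function names, the thresholds and the verdict strings are assumptions of this example.

```python
"""Classify a pluto (strongSwan 4.x IKEv1 daemon) log in which an initiator
keeps restarting Main Mode. Added example; not from the thread or strongSwan.
Function names, thresholds and verdict strings are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# pluto line shape: <syslog ts> <host> pluto[<pid>]: "<conn>" #<state>: <msg>
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
RETRANS_RE = re.compile(r'max number of retransmissions \(\d+\) reached (STATE_\w+)')

# Constructed sample input: the log lines from the thread, one record per line.
SAMPLE_LOG = """\
Jun  5 18:44:32 x pluto[23543]: "tunnel-1" #686575: initiating Main Mode to replace #686529
Jun  5 18:44:32 x pluto[23543]: "tunnel-1" #686575: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jun  5 18:44:42 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
Jun  5 18:45:02 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686575: max number of retransmissions (2) reached STATE_MAIN_I2
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686575: starting keying attempt 49 of an unlimited number
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686617: initiating Main Mode to replace #686575
Jun  5 18:45:42 x pluto[23543]: "tunnel-1" #686617: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jun  5 18:45:52 x pluto[23543]: "tunnel-1" #686617: Informational Exchange message must be encrypted
Jun  5 18:46:12 x pluto[23543]: "tunnel-1" #686617: Informational Exchange message must be encrypted
Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686617: max number of retransmissions (2) reached STATE_MAIN_I2
Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686617: starting keying attempt 50 of an unlimited number
Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686661: initiating Main Mode to replace #686617
Jun  5 18:46:52 x pluto[23543]: "tunnel-1" #686661: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jun  5 18:47:02 x pluto[23543]: "tunnel-1" #686661: Informational Exchange message must be encrypted
Jun  5 18:47:22 x pluto[23543]: "tunnel-1" #686661: Informational Exchange message must be encrypted
"""


@dataclass
class IsakmpAttempt:
    conn: str
    initiated: bool = False             # "initiating Main Mode" seen for this state
    unencrypted_info: int = 0           # peer replied with a cleartext Informational
    exhausted_in: Optional[str] = None  # state in which retransmissions ran out


def parse_pluto_log(lines: Iterable[str]) -> Dict[int, IsakmpAttempt]:
    """Group pluto messages by ISAKMP state number (#NNN), one attempt each."""
    attempts: Dict[int, IsakmpAttempt] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a pluto state line (or a different daemon)
        a = attempts.setdefault(int(m['state']), IsakmpAttempt(conn=m['conn']))
        msg = m['msg']
        if msg.startswith('initiating Main Mode'):
            a.initiated = True
        elif msg.startswith('Informational Exchange message must be encrypted'):
            a.unencrypted_info += 1
        else:
            r = RETRANS_RE.match(msg)
            if r:
                a.exhausted_in = r.group(1)
    return attempts


def diagnose(attempts: Dict[int, IsakmpAttempt]) -> Dict[str, Dict[str, int]]:
    """Fold the per-state attempts into per-connection counters."""
    per_conn: Dict[str, Dict[str, int]] = {}
    for a in attempts.values():
        f = per_conn.setdefault(a.conn, {'attempts': 0, 'stuck_main_i2': 0,
                                         'unencrypted_info': 0})
        f['attempts'] += int(a.initiated)
        f['unencrypted_info'] += a.unencrypted_info
        f['stuck_main_i2'] += int(a.exhausted_in == 'STATE_MAIN_I2')
    return per_conn


def verdict(f: Dict[str, int]) -> str:
    # STATE_MAIN_I2 = MI2 (KE, nonce) sent, waiting for MR2. At this point the
    # responder has not seen the initiator's ID (it travels encrypted in MI3),
    # so it can only have selected a connection by the source address it sees
    # on the wire. A cleartext Informational instead of MR2, on every attempt,
    # therefore points at the responder matching a different conn for that
    # address (NAT on the path, peer config) rather than at a crypto mismatch.
    if f['stuck_main_i2'] >= 2 and f['unencrypted_info'] > 0:
        return 'phase1-rejected-before-auth'
    if f['stuck_main_i2'] >= 2:
        return 'phase1-timeout'
    return 'ok'


if __name__ == '__main__':
    for conn, f in diagnose(parse_pluto_log(SAMPLE_LOG.splitlines())).items():
        print(conn, f, verdict(f))
```

Run against a real file with `parse_pluto_log(open('/var/log/auth.log'))`; a `phase1-rejected-before-auth` verdict is the cue to check what source address the peer actually sees for you (a NAT in the path, as in this thread) before touching the proposal or XAUTH settings.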

