[strongSwan] Strongswan in AWS (NATed), connecting to Cisco 72xx, fails
Florin Andrei
florin at andrei.myip.org
Fri May 15 03:43:03 CEST 2015
Latest Strongswan on CentOS 7, in AWS. The cloud is doing NAT for us, so
our private IP on the Strongswan instance is not directly visible to the
outside. I'm trying to connect to a Cisco 72xx box.
Something seems to fail pretty early on. Are there any specific settings
I need to be aware of for this scenario?
See the config below. XXX.YYY.ZZZ.KKK is the private IP of my Strongswan
instance (different from its public IP). AAA.BBB.CCC.DDD is the address
of the Cisco appliance.
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=psk
        keyexchange=ikev1

conn us2them
        left=%any
        leftsubnet=our_stuff/27
        leftid=XXX.YYY.ZZZ.KKK
        right=AAA.BBB.CCC.DDD
        rightsubnet=their_stuff/16
        rightid=AAA.BBB.CCC.DDD
        auto=start
        ike = aes256-sha1-modp1536,aes256-sha1-modp1024,aes128-sha1-modp1536
        esp = aes256-sha1-modp1536,aes256-sha1-modp1024,aes128-sha1-modp1536
        ikelifetime = 24h
        lifetime = 1h
And logs:
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (308 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[ENC] invalid ID_V1 payload length, decryption failed?
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[ENC] could not decrypt payloads
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[IKE] message parsing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[ENC] generating INFORMATIONAL_V1 request 1961174309 [ HASH N(PLD_MAL) ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[IKE] ID_PROT request with message ID 0 processing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] sending retransmit 1 of request message ID 0, seq 3
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[NET] sending packet: from XXX.YYY.ZZZ.KKK[4500] to AAA.BBB.CCC.DDD[4500] (108 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[NET] received packet: from AAA.BBB.CCC.DDD[500] to XXX.YYY.ZZZ.KKK[500] (156 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[ENC] invalid NOTIFY_V1 payload length, decryption failed?
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[ENC] could not decrypt payloads
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[IKE] message parsing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[IKE] ignore malformed INFORMATIONAL request
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[IKE] INFORMATIONAL_V1 request with message ID 0 processing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] sending retransmit 2 of request message ID 0, seq 3
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[NET] sending packet: from XXX.YYY.ZZZ.KKK[4500] to AAA.BBB.CCC.DDD[4500] (108 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[ENC] invalid ID_V1 payload length, decryption failed?
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[ENC] could not decrypt payloads
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[IKE] message parsing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[ENC] generating INFORMATIONAL_V1 request 117938482 [ HASH N(PLD_MAL) ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[IKE] ID_PROT request with message ID 0 processing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[ENC] invalid ID_V1 payload length, decryption failed?
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[ENC] could not decrypt payloads
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[IKE] message parsing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[ENC] generating INFORMATIONAL_V1 request 2518869891 [ HASH N(PLD_MAL) ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[IKE] ID_PROT request with message ID 0 processing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[IKE] sending retransmit 3 of request message ID 0, seq 3
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[NET] sending packet: from XXX.YYY.ZZZ.KKK[4500] to AAA.BBB.CCC.DDD[4500] (108 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[NET] received packet: from AAA.BBB.CCC.DDD[500] to XXX.YYY.ZZZ.KKK[500] (372 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[JOB] deleting half open IKE_SA after timeout
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[ENC] parsed ID_PROT request 0 [ SA V V V ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] AAA.BBB.CCC.DDD is initiating a Main Mode IKE_SA
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[ENC] generating ID_PROT response 0 [ SA V V V ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (140 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[NET] received packet: from AAA.BBB.CCC.DDD[500] to XXX.YYY.ZZZ.KKK[500] (368 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[ENC] parsed ID_PROT request 0 [ KE No V V V V NAT-D NAT-D ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] received Cisco Unity vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] received DPD vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[ENC] received unknown vendor ID: 7d:1a:ad:38:e2:99:95:01:e9:7e:9d:14:d5:a3:ed:ad
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] received XAuth vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] local host is behind NAT, sending keep alives
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (308 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] invalid ID_V1 payload length, decryption failed?
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] could not decrypt payloads
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[IKE] message parsing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] generating INFORMATIONAL_V1 request 2298509626 [ HASH N(PLD_MAL) ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[IKE] ID_PROT request with message ID 0 processing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[ENC] invalid ID_V1 payload length, decryption failed?
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[ENC] could not decrypt payloads
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[IKE] message parsing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[ENC] generating INFORMATIONAL_V1 request 24529605 [ HASH N(PLD_MAL) ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[IKE] ID_PROT request with message ID 0 processing failed
--
Florin Andrei
http://florin.myip.org/
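The log above has a recognisable shape: NAT is detected, the Cisco peer floats to UDP/4500, and the very next message it sends (the main-mode ID payload, the first encrypted message of the exchange) cannot be decrypted, after which charon answers with a PLD_MAL notify. As an added example that is not part of Florin's post, a strongSwan answer, or strongSwan's own code, the Python script below parses charon log records into events and runs a few triage rules over them. The rules in verdict() are this editor's heuristics, not a diagnosis from the thread: in IKEv1 main mode with pre-shared keys SKEYID is derived from the PSK, so an undecryptable ID payload is the classic symptom of the two ends holding different PSKs or selecting the PSK under different addresses or identities (which is easy to get wrong when the local side only knows its private, NATed address). The embedded log is an excerpt of the records posted above, re-joined one record per line.

```python
"""Triage strongSwan (charon) IKEv1 main-mode logs for the NAT-T float to
UDP/4500 followed by early decryption failures.  Added example, not
strongSwan code; the rules in verdict() are the editor's heuristics."""
import re

# Excerpt of the log posted above (addresses anonymised as in the post),
# one syslog record per line.
SAMPLE_LOG = """\
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[NET] received packet: from AAA.BBB.CCC.DDD[500] to XXX.YYY.ZZZ.KKK[500] (372 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[NET] received packet: from AAA.BBB.CCC.DDD[500] to XXX.YYY.ZZZ.KKK[500] (368 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[ENC] parsed ID_PROT request 0 [ KE No V V V V NAT-D NAT-D ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] local host is behind NAT, sending keep alives
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (308 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] invalid ID_V1 payload length, decryption failed?
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] could not decrypt payloads
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[IKE] message parsing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] generating INFORMATIONAL_V1 request 2298509626 [ HASH N(PLD_MAL) ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[IKE] ID_PROT request with message ID 0 processing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[IKE] sending retransmit 3 of request message ID 0, seq 3
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[NET] sending packet: from XXX.YYY.ZZZ.KKK[4500] to AAA.BBB.CCC.DDD[4500] (108 bytes)
"""

# charon record: "<thread>[<GROUP>] <message>"
REC_RE = re.compile(r"strongswan: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
PKT_RE = re.compile(r"(?P<dir>sending|received) packet: from (?P<src>[^\[\s]+)\[(?P<sport>\d+)\] "
                    r"to (?P<dst>[^\[\s]+)\[(?P<dport>\d+)\] \((?P<size>\d+) bytes\)")
DECRYPT_RE = re.compile(r"invalid (?P<payload>\w+) payload length, decryption failed")


def parse(log_text):
    """One dict per charon record; packet records also carry addresses/ports."""
    events = []
    for line in log_text.splitlines():
        m = REC_RE.search(line)
        if not m:
            continue  # not a charon record
        ev = m.groupdict()
        p = PKT_RE.match(ev["msg"])
        if p:
            ev.update(p.groupdict())
        events.append(ev)
    return events


def verdict(r):
    """Heuristic reading of the counters (editor's assumptions, see lead-in)."""
    if r["first_undecryptable_payload"] == "ID_V1":
        return ("first encrypted main-mode message (ID payload) undecryptable: "
                "check that both ends use the same PSK and select it by the same "
                "address/ID (private vs. public address behind NAT)")
    if r["decrypt_failures"]:
        return "decryption failed on %s: inspect IKE_SA state on both sides" % (
            r["first_undecryptable_payload"])
    if r["port_switch"]:
        return "NAT-T float to UDP/4500 completed without decryption errors"
    return "no NAT-T or decryption problems seen"


def triage(log_text):
    r = {"behind_nat": False, "nat_d_exchanged": False, "peer_ports_seen": [],
         "port_switch": False, "decrypt_failures": 0,
         "first_undecryptable_payload": None, "malformed_notifies_sent": 0,
         "retransmits": 0}
    for ev in parse(log_text):
        msg = ev["msg"]
        if "behind NAT" in msg:
            r["behind_nat"] = True
        if "NAT-D" in msg:  # NAT-D hashes parsed or generated
            r["nat_d_exchanged"] = True
        if ev.get("dir") == "received" and ev["sport"] not in r["peer_ports_seen"]:
            r["peer_ports_seen"].append(ev["sport"])  # order of first appearance
        d = DECRYPT_RE.match(msg)
        if d:
            r["decrypt_failures"] += 1
            if r["first_undecryptable_payload"] is None:
                r["first_undecryptable_payload"] = d["payload"]
        if "N(PLD_MAL)" in msg:
            r["malformed_notifies_sent"] += 1
        if msg.startswith("sending retransmit"):
            r["retransmits"] += 1
    # peer started on 500 and floated to 4500 after the NAT-D exchange
    r["port_switch"] = r["peer_ports_seen"][:2] == ["500", "4500"]
    r["verdict"] = verdict(r)
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%-28s %s" % (key, value))
```

Run against a full `journalctl -u strongswan` dump, the same rules distinguish the NAT-T float itself (which is normal and harmless) from the decryption failure that follows it; only the latter needs attention.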