[strongSwan] Strongswan in AWS (NATed), connecting to Cisco 72xx, fails

Noel Kuntze noel at familie-kuntze.de
Sat May 16 08:24:01 CEST 2015


Hello Florin,

Make sure your PSK is correct.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 15.05.2015 at 03:43, Florin Andrei wrote:
> Latest Strongswan on CentOS 7, in AWS. The cloud is doing NAT for us, so our private IP on the Strongswan instance is not directly visible to the outside. I'm trying to connect to a Cisco 72xx box.
>
> Something seems to fail pretty early on. Are there any specific settings I need to be aware of for this scenario?
>
> See the config below. XXX.YYY.ZZZ.KKK is the private IP of my Strongswan instance (different from its public IP). AAA.BBB.CCC.DDD is the address of the Cisco appliance.
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=psk
>         keyexchange=ikev1
>
> conn us2them
>         left=%any
>         leftsubnet=our_stuff/27
>         leftid=XXX.YYY.ZZZ.KKK
>         right=AAA.BBB.CCC.DDD
>         rightsubnet=their_stuff/16
>         rightid=AAA.BBB.CCC.DDD
>         auto=start
>         ike=aes256-sha1-modp1536,aes256-sha1-modp1024,aes128-sha1-modp1536
>         esp=aes256-sha1-modp1536,aes256-sha1-modp1024,aes128-sha1-modp1536
>         ikelifetime=24h
>         lifetime=1h
>
> And logs:
>
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (308 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[ENC] invalid ID_V1 payload length, decryption failed?
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[ENC] could not decrypt payloads
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[IKE] message parsing failed
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[ENC] generating INFORMATIONAL_V1 request 1961174309 [ HASH N(PLD_MAL) ]
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[IKE] ID_PROT request with message ID 0 processing failed
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] sending retransmit 1 of request message ID 0, seq 3
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[NET] sending packet: from XXX.YYY.ZZZ.KKK[4500] to AAA.BBB.CCC.DDD[4500] (108 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[NET] received packet: from AAA.BBB.CCC.DDD[500] to XXX.YYY.ZZZ.KKK[500] (156 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[ENC] invalid NOTIFY_V1 payload length, decryption failed?
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[ENC] could not decrypt payloads
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[IKE] message parsing failed
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[IKE] ignore malformed INFORMATIONAL request
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[IKE] INFORMATIONAL_V1 request with message ID 0 processing failed
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] sending retransmit 2 of request message ID 0, seq 3
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[NET] sending packet: from XXX.YYY.ZZZ.KKK[4500] to AAA.BBB.CCC.DDD[4500] (108 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[ENC] invalid ID_V1 payload length, decryption failed?
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[ENC] could not decrypt payloads
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[IKE] message parsing failed
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[ENC] generating INFORMATIONAL_V1 request 117938482 [ HASH N(PLD_MAL) ]
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[IKE] ID_PROT request with message ID 0 processing failed
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[ENC] invalid ID_V1 payload length, decryption failed?
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[ENC] could not decrypt payloads
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[IKE] message parsing failed
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[ENC] generating INFORMATIONAL_V1 request 2518869891 [ HASH N(PLD_MAL) ]
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[IKE] ID_PROT request with message ID 0 processing failed
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[IKE] sending retransmit 3 of request message ID 0, seq 3
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[NET] sending packet: from XXX.YYY.ZZZ.KKK[4500] to AAA.BBB.CCC.DDD[4500] (108 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[NET] received packet: from AAA.BBB.CCC.DDD[500] to XXX.YYY.ZZZ.KKK[500] (372 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[JOB] deleting half open IKE_SA after timeout
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[ENC] parsed ID_PROT request 0 [ SA V V V ]
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] AAA.BBB.CCC.DDD is initiating a Main Mode IKE_SA
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[ENC] generating ID_PROT response 0 [ SA V V V ]
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (140 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[NET] received packet: from AAA.BBB.CCC.DDD[500] to XXX.YYY.ZZZ.KKK[500] (368 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[ENC] parsed ID_PROT request 0 [ KE No V V V V NAT-D NAT-D ]
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] received Cisco Unity vendor ID
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] received DPD vendor ID
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[ENC] received unknown vendor ID: 7d:1a:ad:38:e2:99:95:01:e9:7e:9d:14:d5:a3:ed:ad
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] received XAuth vendor ID
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] local host is behind NAT, sending keep alives
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (308 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] invalid ID_V1 payload length, decryption failed?
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] could not decrypt payloads
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[IKE] message parsing failed
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] generating INFORMATIONAL_V1 request 2298509626 [ HASH N(PLD_MAL) ]
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[IKE] ID_PROT request with message ID 0 processing failed
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[ENC] invalid ID_V1 payload length, decryption failed?
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[ENC] could not decrypt payloads
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[IKE] message parsing failed
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[ENC] generating INFORMATIONAL_V1 request 24529605 [ HASH N(PLD_MAL) ]
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
> May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[IKE] ID_PROT request with message ID 0 processing failed
>
>

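Added example, not part of the thread above and not strongSwan code: why a pre-shared key mismatch in IKEv1 main mode surfaces as "invalid ID_V1 payload length, decryption failed?" rather than as an authentication error. With authby=psk both peers derive the Phase 1 keys from the PSK and the exchanged nonces (RFC 2409 section 5.4) before message 5 is sent, and messages 5/6 carry the ID payload encrypted under SKEYID_e. A responder holding a different PSK (or, for a NATed initiator, one that looked up the PSK for the wrong peer address) decrypts that payload to garbage, and the first thing the parser checks on the garbage is the generic payload header's length field, which is the line in the log. The nonces, cookies, DH secret and IV are constructed test values, and an HMAC-SHA1 keystream stands in for AES-CBC so the script needs only the standard library; only the key derivation and the header check are real protocol logic.

```python
"""IKEv1 main-mode PSK key derivation (RFC 2409 5.3/5.4) and the generic
payload header check that fails when the two sides derive different keys.
Added illustration; constructed inputs, toy cipher in place of AES-CBC."""
import hashlib
import hmac
import socket
import struct

PRF_LEN = hashlib.sha1().digest_size  # 20 bytes: HMAC-SHA1, the thread's "sha1"
ISAKMP_PAYLOAD_HASH = 8               # next payload after ID in message 5/6
ID_IPV4_ADDR = 1                      # RFC 2407 4.6.2.1

# Constructed test values. A real exchange uses fresh random nonces and
# cookies and, for modp1536, a 192-byte DH shared secret g^xy.
NI = hashlib.sha256(b"constructed initiator nonce").digest()
NR = hashlib.sha256(b"constructed responder nonce").digest()
GXY = hashlib.sha512(b"constructed g^xy").digest() * 3
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with the negotiated hash (SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev1_psk_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                   cky_i: bytes, cky_r: bytes, enc_key_len: int = 32) -> dict:
    """Phase 1 keys for pre-shared key authentication. enc_key_len=32 is
    aes256 from the thread's ike= proposal; 16 would be aes128."""
    skeyid = prf(psk, ni + nr)                                      # 5.4: PSK
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    # 5.3: expand SKEYID_e when the cipher needs more key material than one
    # prf output (K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1), ...).
    if len(skeyid_e) >= enc_key_len:
        ka = skeyid_e[:enc_key_len]
    else:
        ka = prf(skeyid_e, b"\x00")
        while len(ka) < enc_key_len:
            ka += prf(skeyid_e, ka[-PRF_LEN:])
        ka = ka[:enc_key_len]
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a,
            "SKEYID_e": skeyid_e, "Ka": ka}


def build_id_payload(next_payload: int, ipv4: str) -> bytes:
    """ISAKMP ID payload carrying an IPv4 address: generic header
    (next payload, reserved, length) then ID type, protocol, port, data."""
    body = struct.pack("!BBH4s", ID_IPV4_ADDR, 0, 0, socket.inet_aton(ipv4))
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def id_payload_length_ok(plaintext: bytes) -> bool:
    """The sanity check applied to the first decrypted payload: the length
    field must cover at least the 4-byte header and no more than the data
    actually present. Random bytes fail this with overwhelming probability."""
    if len(plaintext) < 4:
        return False
    _next, _reserved, length = struct.unpack("!BBH", plaintext[:4])
    return 4 <= length <= len(plaintext)


def toy_keystream_xor(ka: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CBC: HMAC-SHA1 counter-mode keystream under Ka.
    Only the dependence on Ka matters for this demonstration."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += prf(ka, iv + struct.pack("!I", counter))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def responder_can_parse_id(psk_initiator: bytes, psk_responder: bytes) -> bool:
    """Initiator encrypts its ID payload (message 5) under keys from its PSK;
    the responder decrypts under keys from the PSK it selected for the peer.
    Returns whether the responder's payload header check passes."""
    ka_i = ikev1_psk_keys(psk_initiator, NI, NR, GXY, CKY_I, CKY_R)["Ka"]
    ka_r = ikev1_psk_keys(psk_responder, NI, NR, GXY, CKY_I, CKY_R)["Ka"]
    iv = hashlib.sha1(b"constructed iv").digest()[:16]
    plaintext = build_id_payload(ISAKMP_PAYLOAD_HASH, "203.0.113.10")
    ciphertext = toy_keystream_xor(ka_i, iv, plaintext)
    decrypted = toy_keystream_xor(ka_r, iv, ciphertext)
    return id_payload_length_ok(decrypted)


if __name__ == "__main__":
    print("matching PSK, ID payload parses:",
          responder_can_parse_id(b"correct-psk", b"correct-psk"))
    print("mismatched PSK, ID payload parses:",
          responder_can_parse_id(b"correct-psk", b"wrong-psk"))
```

The practical consequence for the NATed setup in the thread: the Cisco side selects the PSK by the source address it sees, which is the AWS public address, not the instance's private XXX.YYY.ZZZ.KKK, so the key configured on that side must be bound to the public address (or a wildcard) for the derivation on both ends to agree.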