[strongSwan] Simple Setup between Strongswan V4.6.4 and Strongswan V5.3.3 in IKEV1-Mode does not work
Michael Niehren
michael at niehren.de
Thu Oct 1 16:50:52 CEST 2015
Hi together,
I have been very familiar with Strongswan V4 for years and now I want
to upgrade to Strongswan V5.
First I tried to set up a tunnel with X509 certificates without any
success, so I tried to set up a simple PSK tunnel, also with no success.
The partners are one with Strongswan V4.6.4, the other with V5.3.3.
I hope someone can show me my fault.
First, the config of the V4.6.4
--------
config setup
    plutodebug=none
    uniqueids=yes
    nat_traversal=yes
    interfaces="%defaultroute"

conn %default
    keyexchange=ikev1
    keyingtries=1

conn testvpn
    auto=add
    authby=secret
    left=192.168.62.20
    leftsubnet=192.168.93.0/24
    right=%any
    rightsubnet=192.168.92.0/24
------
Second, the config of V5.3.3
---------
config setup
    charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc 2, lib 2"

conn %default
    keyingtries=1
    keyexchange=ikev1

conn testvpn
    auto=start
    authby=secret
    leftsubnet=192.168.92.0/24
    right=79.232.231.58
    rightsubnet=192.168.93.0/24
-------
As you can see, it is a very simple setup. I balanced the 2 ipsec.secret files, so the connection
can start, but it doesn't.
Here is the log on the V4.6.4 machine:
Oct 1 16:40:03 pluto[2575]: added connection description "testvpn"
Oct 1 16:40:15 pluto[2575]: packet from 79.232.238.176:61017: received Vendor ID payload [XAUTH]
Oct 1 16:40:15 pluto[2575]: packet from 79.232.238.176:61017: received Vendor ID payload [Dead Peer Detection]
Oct 1 16:40:15 pluto[2575]: packet from 79.232.238.176:61017: received Vendor ID payload [RFC 3947]
Oct 1 16:40:15 pluto[2575]: packet from 79.232.238.176:61017: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Oct 1 16:40:15 pluto[2575]: "testvpn"[1] 79.232.238.176:61017 #1: responding to Main Mode from unknown peer 79.232.238.176:61017
Oct 1 16:40:15 pluto[2575]: "testvpn"[1] 79.232.238.176:61017 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Oct 1 16:40:15 pluto[2575]: "testvpn"[1] 79.232.238.176:61017 #1: Informational Exchange message must be encrypted
That's all.
Charondebug on the V5.3.3 machine does not seem to work, I only got the following log:
Oct 1 16:40:15 ipsec_starter[4317]: Starting strongSwan 5.3.3 IPsec [starter]...
Oct 1 16:40:15 ipsec_starter[4335]: charon (4336) started after 20 ms
Oct 1 16:40:15 charon: 09[IKE] initiating Main Mode IKE_SA testvpn[1] to 79.232.231.58
after starting the connection with
robo@/etc/ipsec.d/connections# ipsec start
Starting strongSwan 5.3.3 IPsec [starter]...
Hope for your help, best regards
Michael
--
Michael Niehren __ _ powered by
/ / (_)__ __ ____ __
/ /__/ / _ \/ // /\ \/ /
/____/_/_//_/\_,_/ /_/\_\