[strongSwan] cisco vpn client fails to connect to rw-server on Strongswan-v5.3.0 - Please Help

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Wed Oct 14 19:04:50 CEST 2015


Hi


I have the following configuration on an Ubuntu 14.x machine, and I am trying
to connect using a Cisco VPN Client v5.x (the IPsec-only client),

and I am unable to get it to work now on the strongSwan v5.3.0 server (below).


I am getting the errors below, as seen in the foreground output.

Where am I going wrong, and why is this not connecting?

I am using PSK with a group name on the Cisco VPN client.

This server config is supposed to cater to other Cisco clients too, such as
the RV3xx/RV2xx/RV1xx-series routers, which have an EzVPN client, and also
Cisco 800-series routers
configured as clients to this server.

Please please please help. I thought this was a working config. Am I
missing something?

On the server - strongswan-v5.3.0
============================================
root at suram-OptiPlex-7010:/usr/local/etc#
root at suram-OptiPlex-7010:/usr/local/etc# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no
        charondebug="ike 3, dmn 2, chd 3, knl 2, cfg 2, net 2, esp 2"

conn %default
        ikelifetime=24h
        keylife=18h
        mobike=no

conn groupName1
        aggressive=yes
        left=2.2.2.5
        leftsubnet=192.168.25.0/24,192.168.22.0/24
        right=%any
        leftid=2.2.2.5
        rightid=@group1
        rightsourceip=10.9.9.0/24
        leftauth=psk
        rightauth=psk
        rightauth2=xauth
        type=tunnel
        keyexchange=ikev1
        ike=3des-sha1-modp1024
        esp=3des-sha1
        xauth=server
        auto=add
root at suram-OptiPlex-7010:/usr/local/etc# cat ipsec.secrets
#/etc/ipsec.secrets - strongSwan IPsec secrets file
2.2.2.5 group1 : PSK "123456789"
user1 : XAUTH "config123"
root at suram-OptiPlex-7010:/usr/local/etc#
=================================================================

I need to use PSK-based auth (with aggressive mode) for many of the Cisco
clients being used in my organization, hence I cannot avoid the use of the
PSK/XAuth/aggressive combination...

======================================================
root at suram-OptiPlex-7010:/usr/local/etc#
root at suram-OptiPlex-7010:/usr/local/etc# ipsec start --nofork
Starting weakSwan 5.3.0 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux
3.11.0-26-generic, x86_64)
00[KNL] known interfaces and IP addresses:
00[KNL]   lo
00[KNL]     127.0.0.1
00[KNL]     ::1
00[KNL]   eth0
00[KNL]     2.2.2.5
00[KNL]     fe80::20a:f7ff:fe69:1029
00[KNL]   eth1
00[KNL]     192.168.25.1
00[KNL]     fe80::20a:f7ff:fe69:1082
00[KNL]   eth2
00[KNL]     10.232.90.125
00[KNL]     fe80::3617:ebff:fec0:267c
00[KNL]   virbr0
00[KNL]     192.168.122.1
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for 2.2.2.5 group1
00[CFG]   loaded EAP secret for user1
00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No
such file or directory
00[CFG] loaded 0 RADIUS server configurations
00[LIB] loaded plugins: charon aes des blowfish rc2 sha1 sha2 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm
attr kernel-netlink resolve socket-default farp stroke updown eap-identity
eap-sim eap-aka eap-simaka-pseudonym eap-md5 eap-gtc eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap xauth-noauth tnc-tnccs dhcp lookip error-notify unity
00[JOB] spawning 16 worker threads
03[NET] waiting for data on sockets
charon (4206) started after 20 ms
02[CFG] received stroke: add connection 'groupName1'
02[CFG] conn groupName1
02[CFG]   left=2.2.2.5
02[CFG]   leftsubnet=192.168.25.0/24,192.168.22.0/24
02[CFG]   leftauth=psk
02[CFG]   leftid=2.2.2.5
02[CFG]   right=%any
02[CFG]   rightsourceip=10.9.9.0/24
02[CFG]   rightauth=psk
02[CFG]   rightauth2=xauth
02[CFG]   rightid=@group1
02[CFG]   ike=3des-sha1-modp1024
02[CFG]   esp=3des-sha1
02[CFG]   dpddelay=30
02[CFG]   dpdtimeout=150
02[CFG]   mediation=no
02[CFG]   keyexchange=ikev1
02[CFG] adding virtual IP address pool 10.9.9.0/24
02[CFG] added configuration 'groupName1'
03[NET] received packet: from 172.29.1.31[57044] to 2.2.2.5[500]
03[NET] waiting for data on sockets
08[NET] received packet: from 172.29.1.31[57044] to 2.2.2.5[500] (822 bytes)
08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
08[CFG] looking for an ike config for 2.2.2.5...172.29.1.31
08[CFG]   candidate: 2.2.2.5...%any, prio 1052
08[CFG] found matching ike config: 2.2.2.5...%any with prio 1052
08[IKE] received XAuth vendor ID
08[IKE] received DPD vendor ID
08[IKE] received Cisco Unity vendor ID
08[IKE] 172.29.1.31 is initiating a Aggressive Mode IKE_SA
08[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
08[CFG] selecting proposal:
08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
08[CFG] selecting proposal:
08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
08[CFG] selecting proposal:
08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
08[CFG] selecting proposal:
08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
08[CFG] selecting proposal:
08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
08[CFG] selecting proposal:
08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
08[CFG] selecting proposal:
08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
08[CFG] selecting proposal:
08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
08[CFG] selecting proposal:
08[CFG]   proposal matches
08[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
08[CFG] configured proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP,
IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
08[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
08[CFG] looking for XAuthInitPSK peer configs matching
2.2.2.5...172.29.1.31[group1]
08[IKE] no peer config found
08[IKE] queueing INFORMATIONAL task
08[IKE] activating new tasks
08[IKE]   activating INFORMATIONAL task
08[ENC] generating INFORMATIONAL_V1 request 1361888392 [ N(AUTH_FAILED) ]
08[NET] sending packet: from 2.2.2.5[500] to 172.29.1.31[57044] (56 bytes)
08[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
15[NET] sending packet: from 2.2.2.5[500] to 172.29.1.31[57044]
03[NET] received packet: from 172.29.1.31[57044] to 2.2.2.5[500]
03[NET] waiting for data on sockets
02[NET] received packet: from 172.29.1.31[57044] to 2.2.2.5[500] (822 bytes)
02[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
02[CFG] looking for an ike config for 2.2.2.5...172.29.1.31
02[CFG]   candidate: 2.2.2.5...%any, prio 1052
02[CFG] found matching ike config: 2.2.2.5...%any with prio 1052
02[IKE] received XAuth vendor ID
02[IKE] received DPD vendor ID
02[IKE] received Cisco Unity vendor ID
02[IKE] 172.29.1.31 is initiating a Aggressive Mode IKE_SA
02[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
02[CFG] selecting proposal:
02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
02[CFG] selecting proposal:
02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
02[CFG] selecting proposal:
02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
02[CFG] selecting proposal:
02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
02[CFG] selecting proposal:
02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
02[CFG] selecting proposal:
02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
02[CFG] selecting proposal:
02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
02[CFG] selecting proposal:
02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
02[CFG] selecting proposal:
02[CFG]   proposal matches
02[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
02[CFG] configured proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP,
IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
02[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
02[CFG] looking for XAuthInitPSK peer configs matching
2.2.2.5...172.29.1.31[group1]
02[IKE] no peer config found
02[IKE] queueing INFORMATIONAL task
02[IKE] activating new tasks
02[IKE]   activating INFORMATIONAL task
02[ENC] generating INFORMATIONAL_V1 request 4035822289 [ N(AUTH_FAILED) ]
02[NET] sending packet: from 2.2.2.5[500] to 172.29.1.31[57044] (56 bytes)
02[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
15[NET] sending packet: from 2.2.2.5[500] to 172.29.1.31[57044]
^C00[DMN] signal of type SIGINT received. Shutting down
charon stopped after 200 ms
ipsec starter stopped
root at suram-OptiPlex-7010:/usr/local/etc#
=======================================

Can you please help? This is a critical requirement for me to set this up.

I tried other combinations for leftid (the rightid has to be the group name
only, used by all the remote Cisco clients), but nothing seems to be
working. Please help.

regards
rajiv
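An added triage helper, not part of the post above or of strongSwan itself: it parses charon log lines of the kind shown in the post (re-joining lines the mail client wrapped), reports where the IKEv1 exchange stopped (here the proposal was accepted, then the XAuthInitPSK peer-config lookup for identity group1 failed and AUTH_FAILED was sent) and lists legacy transforms in the selected proposal. The log excerpt embedded below is constructed from the post's output.

```python
import re

# Constructed excerpt modelled on the charon output in the post (one IKE_SA, one wrapped line kept).
SAMPLE_LOG = """\
08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
08[IKE] 172.29.1.31 is initiating a Aggressive Mode IKE_SA
08[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
08[CFG] looking for XAuthInitPSK peer configs matching
2.2.2.5...172.29.1.31[group1]
08[IKE] no peer config found
08[ENC] generating INFORMATIONAL_V1 request 1361888392 [ N(AUTH_FAILED) ]
08[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
"""

# Transforms a reviewer would flag when they end up in the selected IKE proposal.
WEAK = ("3DES_CBC", "DES_CBC", "HMAC_MD5_96", "MODP_1024")

def join_wrapped(text):
    """Re-attach continuation lines (no 'NN[SUBSYS]' prefix) to the log line before them."""
    lines = []
    for raw in text.splitlines():
        if re.match(r"^\d{2}\[[A-Z]+\]", raw) or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw.strip()
    return lines

def triage_charon_log(text):
    """Pull out peer, exchange mode, auth class, peer identity, selected proposal and outcome."""
    r = {"peer": None, "mode": None, "auth_class": None, "peer_id": None,
         "selected": None, "weak": [], "failure": None, "notify": None}
    for line in join_wrapped(text):
        m = re.search(r"(\S+) is initiating an? (Aggressive|Main) Mode IKE_SA", line)
        if m:
            r["peer"], r["mode"] = m.group(1), m.group(2)
        m = re.search(r"selected proposal: IKE:(\S+)", line)
        if m:
            r["selected"] = m.group(1)
            r["weak"] = [t for t in m.group(1).split("/") if t in WEAK]
        # Auth class and the identity the peer presented, e.g. XAuthInitPSK and [group1].
        m = re.search(r"looking for (\w+) peer configs matching \S+\.\.\.\S+\[([^\]]*)\]", line)
        if m:
            r["auth_class"], r["peer_id"] = m.group(1), m.group(2)
        if "no peer config found" in line:
            r["failure"] = "no peer config found"
        m = re.search(r"N\(([A-Z_]+)\)", line)
        if m:
            r["notify"] = m.group(1)
    return r
```

A result whose failure is "no peer config found" after a matching proposal means the IKE config matched but no conn matched the presented identity under that auth class, so the identity and auth settings, not the cipher list, are where to look.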