[strongSwan] cisco vpn client fails to connect to rw-server on Strongswan-v5.3.0 - Please Help
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Tue Oct 27 19:53:45 CET 2015
Hi
I tried using certificates for the IKEv1 auth, and I am able to establish
the tunnel between the Cisco VPN Client (ver 5.0 running on a Win7 PC) and
strongSwan v5.3.0 (running on an Ubuntu Linux box) successfully, and
traffic through the tunnel goes through fine without any issues.
But when I use the Group-Id and PSK for IKE auth on the Cisco client (and
on the strongSwan v5.3.0 server), I am still facing the issues below... auth
failed. Is this a config issue or anything else?
Please help with some advice.
Thanks & regards
rajiv
On Wed, Oct 14, 2015 at 10:34 PM, Rajiv Kulkarni <rajivkulkarni69 at gmail.com>
wrote:
> Hi
>
> I have the following configuration on an Ubuntu 14.x machine and I am trying
> to connect using a Cisco VPN Client v5.x (the IPsec-only client),
> and I am unable to get it to work on the strongSwan v5.3.0 server
> (below).
>
> I am getting the errors below, as seen in the foreground output.
>
> Where am I going wrong, and why is this not connecting?
>
> I am using PSK with group name on the Cisco VPN client.
>
> This server config is supposed to cater to other Cisco clients too, such
> as the RV3xx/RV2xx/RV1xx series routers, which have an EzVPN client, and also
> Cisco 800 series routers configured as clients to this server.
>
> Please please please help. I thought this was a working config. Am I
> missing something?
>
> On the server - strongswan-v5.3.0
> ============================================
> root at suram-OptiPlex-7010:/usr/local/etc#
> root at suram-OptiPlex-7010:/usr/local/etc# cat ipsec.conf
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>     strictcrlpolicy=no
>     charondebug="ike 3, dmn 2, chd 3, knl 2, cfg 2, net 2, esp 2"
>
> conn %default
>     ikelifetime=24h
>     keylife=18h
>     mobike=no
>
> conn groupName1
>     aggressive=yes
>     left=2.2.2.5
>     leftsubnet=192.168.25.0/24,192.168.22.0/24
>     right=%any
>     leftid=2.2.2.5
>     rightid=@group1
>     rightsourceip=10.9.9.0/24
>     leftauth=psk
>     rightauth=psk
>     rightauth2=xauth
>     type=tunnel
>     keyexchange=ikev1
>     ike=3des-sha1-modp1024
>     esp=3des-sha1
>     xauth=server
>     auto=add
> root at suram-OptiPlex-7010:/usr/local/etc# cat ipsec.secrets
> #/etc/ipsec.secrets - strongSwan IPsec secrets file
> 2.2.2.5 group1 : PSK "123456789"
> user1 : XAUTH "config123"
> root at suram-OptiPlex-7010:/usr/local/etc#
> =================================================================
>
> I need to use PSK-based auth (with aggressive mode) for many of the Cisco
> clients being used in my organization, hence I cannot avoid the use of the
> PSK/Xauth/Aggressive combination...
>
> ======================================================
> root at suram-OptiPlex-7010:/usr/local/etc#
> root at suram-OptiPlex-7010:/usr/local/etc# ipsec start --nofork
> Starting weakSwan 5.3.0 IPsec [starter]...
> 00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux
> 3.11.0-26-generic, x86_64)
> 00[KNL] known interfaces and IP addresses:
> 00[KNL] lo
> 00[KNL] 127.0.0.1
> 00[KNL] ::1
> 00[KNL] eth0
> 00[KNL] 2.2.2.5
> 00[KNL] fe80::20a:f7ff:fe69:1029
> 00[KNL] eth1
> 00[KNL] 192.168.25.1
> 00[KNL] fe80::20a:f7ff:fe69:1082
> 00[KNL] eth2
> 00[KNL] 10.232.90.125
> 00[KNL] fe80::3617:ebff:fec0:267c
> 00[KNL] virbr0
> 00[KNL] 192.168.122.1
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from
> '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG] loaded IKE secret for 2.2.2.5 group1
> 00[CFG] loaded EAP secret for user1
> 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed:
> No such file or directory
> 00[CFG] loaded 0 RADIUS server configurations
> 00[LIB] loaded plugins: charon aes des blowfish rc2 sha1 sha2 md5 random
> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
> dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm
> attr kernel-netlink resolve socket-default farp stroke updown eap-identity
> eap-sim eap-aka eap-simaka-pseudonym eap-md5 eap-gtc eap-mschapv2
> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
> xauth-eap xauth-noauth tnc-tnccs dhcp lookip error-notify unity
> 00[JOB] spawning 16 worker threads
> 03[NET] waiting for data on sockets
> charon (4206) started after 20 ms
> 02[CFG] received stroke: add connection 'groupName1'
> 02[CFG] conn groupName1
> 02[CFG] left=2.2.2.5
> 02[CFG] leftsubnet=192.168.25.0/24,192.168.22.0/24
> 02[CFG] leftauth=psk
> 02[CFG] leftid=2.2.2.5
> 02[CFG] right=%any
> 02[CFG] rightsourceip=10.9.9.0/24
> 02[CFG] rightauth=psk
> 02[CFG] rightauth2=xauth
> 02[CFG] rightid=@group1
> 02[CFG] ike=3des-sha1-modp1024
> 02[CFG] esp=3des-sha1
> 02[CFG] dpddelay=30
> 02[CFG] dpdtimeout=150
> 02[CFG] mediation=no
> 02[CFG] keyexchange=ikev1
> 02[CFG] adding virtual IP address pool 10.9.9.0/24
> 02[CFG] added configuration 'groupName1'
> 03[NET] received packet: from 172.29.1.31[57044] to 2.2.2.5[500]
> 03[NET] waiting for data on sockets
> 08[NET] received packet: from 172.29.1.31[57044] to 2.2.2.5[500] (822
> bytes)
> 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
> 08[CFG] looking for an ike config for 2.2.2.5...172.29.1.31
> 08[CFG] candidate: 2.2.2.5...%any, prio 1052
> 08[CFG] found matching ike config: 2.2.2.5...%any with prio 1052
> 08[IKE] received XAuth vendor ID
> 08[IKE] received DPD vendor ID
> 08[IKE] received Cisco Unity vendor ID
> 08[IKE] 172.29.1.31 is initiating a Aggressive Mode IKE_SA
> 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> 08[CFG] selecting proposal:
> 08[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 08[CFG] selecting proposal:
> 08[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 08[CFG] selecting proposal:
> 08[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 08[CFG] selecting proposal:
> 08[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 08[CFG] selecting proposal:
> 08[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 08[CFG] selecting proposal:
> 08[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 08[CFG] selecting proposal:
> 08[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 08[CFG] selecting proposal:
> 08[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 08[CFG] selecting proposal:
> 08[CFG] proposal matches
> 08[CFG] received proposals:
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
> 08[CFG] configured proposals:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP,
> IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
> 08[CFG] selected proposal:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> 08[CFG] looking for XAuthInitPSK peer configs matching
> 2.2.2.5...172.29.1.31[group1]
> 08[IKE] no peer config found
> 08[IKE] queueing INFORMATIONAL task
> 08[IKE] activating new tasks
> 08[IKE] activating INFORMATIONAL task
> 08[ENC] generating INFORMATIONAL_V1 request 1361888392 [ N(AUTH_FAILED) ]
> 08[NET] sending packet: from 2.2.2.5[500] to 172.29.1.31[57044] (56 bytes)
> 08[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
> 15[NET] sending packet: from 2.2.2.5[500] to 172.29.1.31[57044]
> 03[NET] received packet: from 172.29.1.31[57044] to 2.2.2.5[500]
> 03[NET] waiting for data on sockets
> 02[NET] received packet: from 172.29.1.31[57044] to 2.2.2.5[500] (822
> bytes)
> 02[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
> 02[CFG] looking for an ike config for 2.2.2.5...172.29.1.31
> 02[CFG] candidate: 2.2.2.5...%any, prio 1052
> 02[CFG] found matching ike config: 2.2.2.5...%any with prio 1052
> 02[IKE] received XAuth vendor ID
> 02[IKE] received DPD vendor ID
> 02[IKE] received Cisco Unity vendor ID
> 02[IKE] 172.29.1.31 is initiating a Aggressive Mode IKE_SA
> 02[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
> 02[CFG] selecting proposal:
> 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 02[CFG] selecting proposal:
> 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 02[CFG] selecting proposal:
> 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 02[CFG] selecting proposal:
> 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 02[CFG] selecting proposal:
> 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 02[CFG] selecting proposal:
> 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 02[CFG] selecting proposal:
> 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 02[CFG] selecting proposal:
> 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
> 02[CFG] selecting proposal:
> 02[CFG] proposal matches
> 02[CFG] received proposals:
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
> 02[CFG] configured proposals:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP,
> IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
> 02[CFG] selected proposal:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> 02[CFG] looking for XAuthInitPSK peer configs matching
> 2.2.2.5...172.29.1.31[group1]
> 02[IKE] no peer config found
> 02[IKE] queueing INFORMATIONAL task
> 02[IKE] activating new tasks
> 02[IKE] activating INFORMATIONAL task
> 02[ENC] generating INFORMATIONAL_V1 request 4035822289 [ N(AUTH_FAILED) ]
> 02[NET] sending packet: from 2.2.2.5[500] to 172.29.1.31[57044] (56 bytes)
> 02[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
> 15[NET] sending packet: from 2.2.2.5[500] to 172.29.1.31[57044]
> ^C00[DMN] signal of type SIGINT received. Shutting down
> charon stopped after 200 ms
> ipsec starter stopped
> root at suram-OptiPlex-7010:/usr/local/etc#
> =======================================
>
> Can you please help. This is a critical requirement for me to set this up.
>
> I tried other combinations for leftid (the rightid has to be the
> group name only, used by all the remote Cisco clients), but nothing seems to
> be working. Please help.
>
> regards
> rajiv
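An added triage helper, not part of the post and not strongSwan's own code, that walks the charon output above and reports where the responder stopped (IKE config found, proposal agreed, then no peer config for the ID `group1`, then AUTH_FAILED). The `key_id_rightid` helper assumes the Cisco client sends the group name as a KEY_ID identity, which strongSwan writes as `@#<hex>`, whereas `@group1` is parsed as an FQDN and so never matches that type.

```python
import re

# Constructed sample: charon lines copied from the post, including the two values charon wrapped.
SAMPLE_LOG = """\
08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
08[CFG] found matching ike config: 2.2.2.5...%any with prio 1052
08[CFG] selected proposal:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
08[CFG] looking for XAuthInitPSK peer configs matching
2.2.2.5...172.29.1.31[group1]
08[IKE] no peer config found
08[ENC] generating INFORMATIONAL_V1 request 1361888392 [ N(AUTH_FAILED) ]
"""

def triage(log: str) -> dict:
    """Report how far the charon IKEv1 responder got before it gave up."""
    # Re-join the lines so values wrapped onto the next line are matched.
    text = " ".join(line.strip() for line in log.splitlines())
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    lookup = re.search(r"looking for (\w+) peer configs matching \S+?\[([^\]]+)\]", text)
    return {
        "exchange": grab(r"parsed (\w+) request"),
        "ike_config": grab(r"found matching ike config: (\S+)"),
        "proposal": grab(r"selected proposal: (IKE:\S+)"),
        "auth_class": lookup.group(1) if lookup else None,
        "peer_id": lookup.group(2) if lookup else None,
        "peer_config_found": ("no peer config found" not in text) if lookup else None,
        "notify": grab(r"N\((\w+)\)"),
    }

def hints(report: dict) -> list:
    """Turn a triage report into the next things to check on the server."""
    out = []
    if report["ike_config"] and report["proposal"]:
        out.append("Phase 1 proposal agreed (%s): ike= is not the blocker." % report["proposal"])
    if report["peer_config_found"] is False:
        out.append("No conn matched %s with peer ID '%s': rightid must equal the "
                   "ID the client sends in value and in type." % (report["auth_class"], report["peer_id"]))
    if report["notify"] == "AUTH_FAILED" and report["peer_config_found"] is False:
        out.append("AUTH_FAILED was sent at conn selection, before the PSK was used.")
    return out

def key_id_rightid(group_name: str) -> str:
    """strongSwan's @#<hex> spelling of a KEY_ID identity; assumes the Cisco
    client sends the group name with that ID type rather than as an FQDN."""
    return "@#" + group_name.encode("ascii").hex()
```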