[strongSwan] Issue with authentication under IKEv1 + NAT + PSK

Watson Hewitt wathew10000 at outlook.com
Tue Dec 13 00:24:25 CET 2016


I have a WORKING system that includes a Linux machine running OpenSwan as a client connecting to a Zyxel USG-20W router.  I want to upgrade the Linux distribution and that appears to require switching from OpenSwan to StrongSwan. I'm not able to make this work so far.  I found this thread in the archives where a user (Tom Jackson) apparently had similar trouble, but he ended up going the other way, from StrongSwan to OpenSwan so the resolution is no help.  Like Jackson's post, this is part of a larger system that already supports Windows machines with no apparent problems.


I did reproduce Tom Jackson's apparent problem.  I found additional log messages, however, that seem to indicate that there is an issue with the way that NAT-T is handled between StrongSwan and the Zyxel.  The relevant portions are below.  The client has 10.0.0.66 on its local network.  I replaced the public IPs with placeholders.


---- FAILED attempt from StrongSwan Linux client to Zyxel in the Zyxel logs -----

Message: Authentication failed (24)

Remove IKE peer <StrongSwan Public IP>:500 ID (null)

Local IKE peer <Zyxel Public IP>:500 ID (null)

----


---- SUCCESSFUL attempt from OpenSwan Linux client to Zyxel in the Zyxel logs ----

Remove IKE peer <OpenSwan Public IP>:4500 ID 10.0.0.66

Local IKE peer <Zyxel Public IP>:4500 ID 0.0.0.0 (ipv4)

... (Snipped bits where it completed negotiation of algorithms)

Remote Authentication Method: Pre-Shared key

Local Authentication Method: Pre-Shared key

IKEv1 SA [Responder, NAT-T] negotiation complete

It is recommended to use non-IP identities with NAT-T to avoid ID collisions

NAT-T initial contact notification with IP identity 1.0.0.66 (ip4)

IKE auth method Pre-shared keys, SA lifetime 3600

----


In the successful attempt, it's clear from the logs that the NAT situation was detected and handled.  It appears in the failed attempt that the NAT is not recognized.  In the (successful) OpenSwan case, I can explicitly configure "nat_traversal=yes" and that does the trick.  My understanding from the docs is that StrongSwan does not support that config option anymore and that charon is supposed to handle this automatically and internally.


Any suggestions?
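For readers landing here with the same setup, the following is an added example, not part of the post above and not taken from the strongSwan project's documentation: a strongSwan 5.x ipsec.conf (legacy stroke format) for an IKEv1 main-mode pre-shared-key client behind NAT, written to line up with what the successful Zyxel log shows (PSK, NAT-T on UDP 4500, and the Zyxel's own hint to use a non-IP identity). The gateway name, remote subnet, client identity, proposals and the secret are all assumptions and must be replaced with the values the Zyxel is actually configured with.

```ini
# /etc/ipsec.conf  (strongSwan 5.x, legacy "stroke" configuration)
# Added example for an IKEv1 main-mode PSK road-warrior client behind NAT.
# Assumptions (not from the post): gateway zyxel.example.com, gateway LAN
# 192.168.1.0/24, client identity client.example.com, AES-128/SHA-1/modp1024.

config setup
    # Verbose IKE, network and config logging while the tunnel is being debugged;
    # "net 2" shows the NAT-D payloads and whether charon switched to UDP 4500.
    charondebug="ike 2, net 2, cfg 2, knl 1"

conn zyxel
    keyexchange=ikev1
    aggressive=no                 # main mode (IKEv1 default); only set yes if the gateway requires it
    authby=secret                 # pre-shared key, matching "Pre-Shared key" in the Zyxel log
    left=%defaultroute            # our private address (e.g. 10.0.0.66); charon detects the NAT itself
    leftid=@client.example.com    # non-IP identity, as the Zyxel log recommends for NAT-T
    leftsourceip=%config          # ask the gateway for a virtual IP (drop if it does not assign one)
    right=zyxel.example.com       # public name/address of the Zyxel
    rightid=%any                  # the Zyxel reports its ID as 0.0.0.0; accept whatever it sends
    rightsubnet=192.168.1.0/24    # network behind the Zyxel
    ike=aes128-sha1-modp1024!     # Phase 1 proposal; the "!" makes it strict, so mirror the Zyxel exactly
    esp=aes128-sha1!              # Phase 2 proposal; again, mirror the Zyxel exactly
    forceencaps=yes               # force UDP encapsulation on 4500 even if NAT detection disagrees
    dpdaction=restart             # re-establish if the peer stops answering dead-peer-detection
    auto=start

# /etc/ipsec.secrets  (a separate file; shown here only for completeness)
# Selector is the local identity above; %any lets the same PSK serve the gateway
# whatever identity it presents. The secret value is a placeholder.
# @client.example.com %any : PSK "REPLACE-WITH-THE-SHARED-SECRET"
```

After `ipsec restart`, `ipsec statusall` should list the SA with `[NAT-T]`-style UDP encapsulation on port 4500; if the Zyxel still logs the peer on port 500, NAT detection did not happen on either side and the ports/NAT-D exchange is where to look next.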
