[strongSwan] Issue with authentication under IKEv1 + NAT + PSK
Watson Hewitt
wathew10000 at outlook.com
Tue Dec 13 02:36:21 CET 2016
Hi Noel-
I saw your note about NAT-T, and it matched my understanding from the docs. It seems that NAT-T information is not shared between the peers. I tried adding forceencaps=yes and got the same apparent result. I skipped the config and logs since the earlier thread had substantially similar configuration and got no reply. Here's the most recent variation that I've tried (with IP numbers redacted).
ipsec.conf (StrongSwan on Linux):
config setup
charondebug=ike 4, esp 4, enc 4, net 2
conn test
aggressive=no
keyexchange=ikev1
forceencaps=yes
ike=aes256-sha1-modp2048
esp=aes128-sha1
left=<StrongSwan Machine Local IP>
leftsubnet=x.x.x.x/24
leftauth=psk
right=<Zyxel Public IP>
rightsubnet=<Local Subnet Behind Zyxel>/24
rightauth=psk
auto=add
ipsec.secrets
<Zyxel Public IP> : PSK "abcd"
syslog:
Dec 12 20:02:59 lbox charon: 13[CFG] received stroke: initiate 'test'
Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_VENDOR task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_CERT_PRE task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing MAIN_MODE task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_CERT_POST task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_NATD task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing QUICK_MODE task
Dec 12 20:02:59 lbox charon: 15[IKE] activating new tasks
Dec 12 20:02:59 lbox charon: 15[IKE] activating ISAKMP_VENDOR task
Dec 12 20:02:59 lbox charon: 15[IKE] activating ISAKMP_CERT_PRE task
Dec 12 20:02:59 lbox charon: 15[IKE] activating MAIN_MODE task
Dec 12 20:02:59 lbox charon: 15[IKE] activating ISAKMP_CERT_POST task
Dec 12 20:02:59 lbox charon: 15[IKE] activating ISAKMP_NATD task
Dec 12 20:02:59 lbox charon: 15[IKE] sending XAuth vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] sending DPD vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] sending NAT-T (RFC 3947) vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] initiating Main Mode IKE_SA test[1] to <Zyxel Public IP>
Dec 12 20:02:59 lbox charon: 15IKE IKE_SA test[1] state change: CREATED => CONNECTING
Dec 12 20:02:59 lbox charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V ]
Dec 12 20:02:59 lbox charon: 15[NET] sending packet: from <StrongSwan Local IP>[500] to <Zyxel Public IP>[500] (156 bytes)
Dec 12 20:02:59 lbox charon: 10[NET] sending packet: from <StrongSwan Local IP>[500] to <Zyxel Public IP>[500]
Dec 12 20:02:59 lbox charon: 09[NET] received packet: from <Zyxel Public IP>[500] to <StrongSwan Local IP>[500]
Dec 12 20:02:59 lbox charon: 09[NET] waiting for data on sockets
Dec 12 20:02:59 lbox charon: 16[NET] received packet: from <Zyxel Public IP>[500] to <StrongSwan Local IP>[500] (84 bytes)
Dec 12 20:02:59 lbox charon: 16[ENC] parsed ID_PROT response 0 [ SA ]
Dec 12 20:02:59 lbox charon: 16[IKE] reinitiating already active tasks
Dec 12 20:02:59 lbox charon: 16[IKE] ISAKMP_VENDOR task
Dec 12 20:02:59 lbox charon: 16[IKE] MAIN_MODE task
Dec 12 20:02:59 lbox charon: 16[ENC] generating ID_PROTO request 0 [ KE No ]
Dec 12 20:02:59 lbox charon: 16[NET] sending packet: from <StrongSwan Local IP>[500] to <Zyxel Public IP>[500] (324 bytes)
Dec 12 20:02:59 lbox charon: Dec 12 20:02:59 lbox charon: 10[NET] sending packet: from <StrongSwan Local IP>[500] to <Zyxel Public IP>[500]
Dec 12 20:03:00 lbox charon: 09[NET] received packet: from <Zyxel Public IP>[500] to <StrongSwan Local IP>[500]
Dec 12 20:03:00 lbox charon: 09[NET] waiting for data on sockets
Dec 12 20:03:00 lbox charon: 09[NET] received packet: from <Zyxel Public IP>[500] to <StrongSwan Local IP>[500] (91 bytes)
Dec 12 20:03:00 lbox charon: 06[ENC] parsed INFORMATIONAL_V1 request 1921070197 [ N(AUTH_FAILED) ]
Dec 12 20:03:00 lbox charon: 06[IKE] received AUTHENTICATIN_FAILED error notify
Dec 12 20:03:00 lbox charon: 06[IKE] IKE_SA test[1] state change: CONNECTING => DESTROYING
On the Zyxel, my choices are to look at "All Logs" or "Debug Logs". They contain different information.
In "All Logs":
IKE The cookie pair is ...
IKE Recv Main Mode Request from [<StrongSwan Public IP>]
Recv:[SA][VID][VID][VID][VID]
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 2048 bit MODP;).
IKE The cookie pair is ....
IKE [SA]: No proposal chosen
IKE Send:[SA]
IKE Recv:[KE][NONCE]
IKE Send:[NOTIFY:AUTHENTICATION_FAILED]
In the "Debug Logs" I get a sequence as in my original message.
The Zyxel configures through a browser. It's not clear what information from that configuration should be sent nor how to send it in this format.
If I change the StrongSwan settings to use different encryption algorithms, I get a different error on both ends, so I'm convinced that the algorithms match. (In addition, I was using the same algorithms on the WORKING OpenSwan configuration.) I checked the PSK several times, and I'm confident that it matches.
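As an added example (not from the thread or from strongSwan itself), a small Python helper that reads the charon [ENC] lines quoted above and reports how far IKEv1 Main Mode got before the AUTH_FAILED notify arrived; the sample lines are constructed from the log in this message, with the timestamp and host prefix dropped.

```python
import re

# Constructed sample, modelled on the charon log quoted in the message above
# (timestamps and host prefix dropped; only the [ENC] lines matter here).
CHARON_LOG = """\
15[ENC] generating ID_PROT request 0 [ SA V V V V ]
16[ENC] parsed ID_PROT response 0 [ SA ]
16[ENC] generating ID_PROT request 0 [ KE No ]
06[ENC] parsed INFORMATIONAL_V1 request 1921070197 [ N(AUTH_FAILED) ]
""".splitlines()

MSG_RE = re.compile(r"\[ENC\] (generating|parsed) (\S+) (request|response) \d+ \[ (.*?) \]")
NOTIFY_RE = re.compile(r"N\((\w+)\)")

# Main Mode message pairs in order, keyed by the payload that identifies each pair.
MAIN_MODE_STEPS = [("SA", "SA negotiation (messages 1-2)"),
                   ("KE", "DH/nonce exchange (messages 3-4)"),
                   ("ID", "ID/HASH authentication (messages 5-6)")]

def parse_exchanges(lines):
    """Return (direction, exchange, payloads) for each IKE message charon logged."""
    out = []
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            direction = "sent" if m.group(1) == "generating" else "received"
            out.append((direction, m.group(2), tuple(m.group(4).split())))
    return out

def diagnose(lines):
    """Report how far Main Mode got and which notify (if any) ended the IKE_SA."""
    reached = -1          # index into MAIN_MODE_STEPS of the furthest step seen
    failing_notify = None
    for direction, exchange, payloads in parse_exchanges(lines):
        if exchange == "ID_PROT":
            for i, (marker, _) in enumerate(MAIN_MODE_STEPS):
                if marker in payloads:
                    reached = max(reached, i)
        elif exchange == "INFORMATIONAL_V1" and direction == "received":
            for p in payloads:
                n = NOTIFY_RE.fullmatch(p)
                if n and failing_notify is None:
                    failing_notify = n.group(1)
    return {
        "last_main_mode_step": MAIN_MODE_STEPS[reached][1] if reached >= 0 else "none",
        # The PSK-based HASH payloads are only carried in messages 5-6, so a notify
        # that arrives before the ID step came without any hash having been checked.
        "auth_hashes_exchanged": reached >= 2,
        "failing_notify": failing_notify,
    }

if __name__ == "__main__":
    print(diagnose(CHARON_LOG))
```

Run it over the full charon log to see at which Main Mode step the peer gave up, which is the detail worth comparing against the Zyxel "All Logs" output.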
________________________________
From: Noel Kuntze <noel at familie-kuntze.de>
Sent: Monday, December 12, 2016 3:27:48 PM
To: Watson Hewitt; users at lists.strongswan.org
Subject: Re: [strongSwan] Issue with authentication under IKEv1 + NAT + PSK
Hello Watson,
On 13.12.2016 00:24, Watson Hewitt wrote:
> My understanding from the docs is that StrongSwan does not support that config option anymore and that charon is supposed to handle this automatically and internally.
NAT-T is enabled and enforced when NAT is detected or forced to be used by using forceencaps=yes in ipsec.conf (similar option in swanctl.conf).
Your email lacks information. We require logs and configs. You're probably doing something inherently wrong.
--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658