[strongSwan] Issue with authentication under IKEv1 + NAT + PSK

Watson Hewitt wathew10000 at outlook.com
Tue Dec 13 14:31:35 CET 2016


Jason Zhan sent this with a slightly different subject line (thereby creating a new thread):


--------------------


   If there is NAT between <Zyxel> and <StrongSwan>, the suggestion is to add the parameters below to [ipsec.conf]:

[ipsec.conf]
type=tunnel
aggressive=yes
forceencaps=yes

  By the way, most small routers use a peer ID when configuring IPsec IKEv1 in the graphical interface.


--------------------


The only difference here from what I had is the suggestion "aggressive=yes", I think.  I hadn't explicitly specified type, but tunnel is the default. (Just now I set it explicitly and there was no clear change in behavior.)  Changing to aggressive mode is not compatible with the settings on the Zyxel.  The Zyxel does have the capability to handle aggressive mode (although I've never tried it), but making this configuration change on the router would have ripple effects into the other remote sites that are working.  I'd like to avoid that.


I'm afraid that I don't understand the final comment starting with "by the way..."


I'm hoping there's some configuration issue here that someone can spot and that can be easily fixed.  Changing configuration on the router - taking into account potential issues with other remote machines that are working with the current configuration - is probably a painful option.  The number of different machine types and software providers for which this is already working makes me think that it's a situation that StrongSwan does (or at least should) support if I can get some help sorting out the differences in parameter settings between the various "swans."

________________________________
From: Watson Hewitt
Sent: Monday, December 12, 2016 5:36:21 PM
To: Noel Kuntze; users at lists.strongswan.org
Subject: Re: [strongSwan] Issue with authentication under IKEv1 + NAT + PSK


Hi Noel-


I saw your note about NAT-T, and it matched my understanding from the docs. It seems that NAT-T information is not shared between the peers.  I tried adding forceencaps=yes and got the same apparent result.  I skipped the config and logs since the earlier thread had substantially similar configuration and got no reply.  Here's the most recent variation that I've tried (with IP numbers redacted).


ipsec.conf (StrongSwan on Linux):


config setup
   charondebug=ike 4, esp 4, enc 4, net 2

conn test
   aggressive=no
   keyexchange=ikev1
   forceencaps=yes
   ike=aes256-sha1-modp2048
   esp=aes128-sha1
   left=<StrongSwan Machine Local IP>
   leftsubnet=x.x.x.x/24
   leftauth=psk
   right=<Zyxel Public IP>
   rightsubnet=<Local Subnet Behind Zyxel>/24
   rightauth=psk
   auto=add


ipsec.secrets

<Zyxel Public IP> : PSK "abcd"


syslog:

Dec 12 20:02:59 lbox charon: 13[CFG] received stroke: initiate 'test'
Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_VENDOR task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_CERT_PRE task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing MAIN_MODE task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_CERT_POST task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing ISAKMP_NATD task
Dec 12 20:02:59 lbox charon: 15[IKE] queueing QUICK_MODE task
Dec 12 20:02:59 lbox charon: 15[IKE] activating new tasks
Dec 12 20:02:59 lbox charon: 15[IKE]  activating ISAKMP_VENDOR task
Dec 12 20:02:59 lbox charon: 15[IKE]  activating ISAKMP_CERT_PRE task
Dec 12 20:02:59 lbox charon: 15[IKE]  activating MAIN_MODE task
Dec 12 20:02:59 lbox charon: 15[IKE]  activating ISAKMP_CERT_POST task
Dec 12 20:02:59 lbox charon: 15[IKE]  activating ISAKMP_NATD task
Dec 12 20:02:59 lbox charon: 15[IKE] sending XAuth vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] sending DPD vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] sending NAT-T (RFC 3947) vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] initiating Main Mode IKE_SA test[1] to <Zyxel Public IP>
Dec 12 20:02:59 lbox charon: 15[IKE] IKE_SA test[1] state change: CREATED => CONNECTING
Dec 12 20:02:59 lbox charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V ]
Dec 12 20:02:59 lbox charon: 15[NET] sending packet: from <StrongSwan Local IP>[500] to <Zyxel Public IP>[500] (156 bytes)
Dec 12 20:02:59 lbox charon: 10[NET] sending packet: from <StrongSwan Local IP>[500] to <Zyxel Public IP>[500]
Dec 12 20:02:59 lbox charon: 09[NET] received packet: from <Zyxel Public IP>[500] to <StrongSwan Local IP>[500]
Dec 12 20:02:59 lbox charon: 09[NET] waiting for data on sockets
Dec 12 20:02:59 lbox charon: 16[NET] received packet: from <Zyxel Public IP>[500] to <StrongSwan Local IP>[500] (84 bytes)
Dec 12 20:02:59 lbox charon: 16[ENC] parsed ID_PROT response 0 [ SA ]
Dec 12 20:02:59 lbox charon: 16[IKE] reinitiating already active tasks
Dec 12 20:02:59 lbox charon: 16[IKE]   ISAKMP_VENDOR task
Dec 12 20:02:59 lbox charon: 16[IKE]   MAIN_MODE task
Dec 12 20:02:59 lbox charon: 16[ENC] generating ID_PROT request 0 [ KE No ]
Dec 12 20:02:59 lbox charon: 16[NET] sending packet: from <StrongSwan Local IP>[500] to <Zyxel Public IP>[500] (324 bytes)
Dec 12 20:02:59 lbox charon: 10[NET] sending packet: from <StrongSwan Local IP>[500] to <Zyxel Public IP>[500]
Dec 12 20:03:00 lbox charon: 09[NET] received packet: from <Zyxel Public IP>[500] to <StrongSwan Local IP>[500]
Dec 12 20:03:00 lbox charon: 09[NET] waiting for data on sockets
Dec 12 20:03:00 lbox charon: 09[NET] received packet: from <Zyxel Public IP>[500] to <StrongSwan Local IP>[500] (91 bytes)
Dec 12 20:03:00 lbox charon: 06[ENC] parsed INFORMATIONAL_V1 request 1921070197 [ N(AUTH_FAILED) ]
Dec 12 20:03:00 lbox charon: 06[IKE] received AUTHENTICATION_FAILED error notify
Dec 12 20:03:00 lbox charon: 06[IKE] IKE_SA test[1] state change: CONNECTING => DESTROYING


On the Zyxel, my choices are to look at "All Logs" or "Debug Logs".  They contain different information.


In "All Logs":


IKE The cookie pair is ...

IKE Recv Main Mode Request from [<StrongSwan Public IP>]

Recv:[SA][VID][VID][VID][VID]

Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 2048 bit MODP;).

IKE The cookie pair is ....

IKE [SA]: No proposal chosen

IKE Send:[SA]

IKE Recv:[KE][NONCE]

IKE Send:[NOTIFY:AUTHENTICATION_FAILED]


In the "Debug Logs" I get a sequence as in my original message.


The Zyxel configures through a browser.  It's not clear what information from that configuration should be sent nor how to send it in this format.


If I change the StrongSwan settings to use different encryption algorithms, I get a different error on both ends, so I'm convinced that the algorithms match. (In addition, I was using the same algorithms on the WORKING OpenSwan configuration.)  I checked the PSK several times, and I'm confident that it matches.
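The charon excerpt quoted above already says where in Main Mode the Zyxel gave up, if the messages are counted. As an added example (not part of the original thread, and not strongSwan's own tooling), the Python script below parses charon's `[ENC] generating/parsed` lines, numbers the Main Mode messages in wire order, and reports whether NAT-T was negotiated and whether the exchange ever reached the ID/HASH messages where the pre-shared key is actually proven. The sample log is constructed from the lines quoted in this thread; the placeholder addresses are the thread's own redactions, and the `MainModeResult`/`analyze`/`findings` names are this example's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the charon lines quoted in this thread, with the
# thread's own redacted placeholders kept in place of real addresses.
SAMPLE_LOG = """\
Dec 12 20:02:59 lbox charon: 15[IKE] sending XAuth vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] sending DPD vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] sending NAT-T (RFC 3947) vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] sending draft-ietf-ipsec-nat-t-ike-02\\n vendor ID
Dec 12 20:02:59 lbox charon: 15[IKE] initiating Main Mode IKE_SA test[1] to <Zyxel Public IP>
Dec 12 20:02:59 lbox charon: 15[IKE] IKE_SA test[1] state change: CREATED => CONNECTING
Dec 12 20:02:59 lbox charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V ]
Dec 12 20:02:59 lbox charon: 16[ENC] parsed ID_PROT response 0 [ SA ]
Dec 12 20:02:59 lbox charon: 16[ENC] generating ID_PROT request 0 [ KE No ]
Dec 12 20:03:00 lbox charon: 06[ENC] parsed INFORMATIONAL_V1 request 1921070197 [ N(AUTH_FAILED) ]
Dec 12 20:03:00 lbox charon: 06[IKE] IKE_SA test[1] state change: CONNECTING => DESTROYING
"""

# ISAKMP Main Mode messages in wire order. Messages 5 and 6 carry the
# identities and the authentication hashes that prove possession of the PSK.
MM_MESSAGES = {
    1: "SA (initiator)",
    2: "SA (responder)",
    3: "KE, Nonce (initiator)",
    4: "KE, Nonce (responder)",
    5: "ID, HASH (initiator)",
    6: "ID, HASH (responder)",
}

LINE_RE = re.compile(r"charon: \d+\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
ENC_RE = re.compile(
    r"(?P<dir>generating|parsed) (?P<exch>\S+) (?P<kind>request|response) "
    r"\d+ \[ (?P<payloads>.*?) \]"
)
NOTIFY_RE = re.compile(r"N\((?P<type>[A-Z_]+)\)")


@dataclass
class MainModeResult:
    natt_vids_sent: int            # NAT-T vendor IDs the initiator advertised
    responder_sent_vid: bool       # did the responder's SA reply carry a V payload
    natd_seen: bool                # any NAT-D payload in either direction
    last_mm_message: int           # highest Main Mode message number on the wire
    failure_notify: Optional[str]  # notify type that ended the exchange, if any
    destroyed: bool                # IKE_SA reached the DESTROYING state

    @property
    def auth_reached(self) -> bool:
        # Only from message 5 on does the responder hold HASH_I to check.
        return self.last_mm_message >= 5


def analyze(log: str) -> MainModeResult:
    natt_vids, responder_vid, natd, mm, notify, destroyed = 0, False, False, 0, None, False
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        group, msg = m.group("group"), m.group("msg")
        if group == "IKE":
            if msg.startswith("sending") and msg.endswith("vendor ID") and "nat-t" in msg.lower():
                natt_vids += 1
            elif "=> DESTROYING" in msg:
                destroyed = True
            continue
        if group != "ENC":
            continue
        e = ENC_RE.search(msg)
        if not e:
            continue
        payloads = e.group("payloads").split()
        if e.group("exch") == "ID_PROT":
            mm += 1                      # every ID_PROT message advances Main Mode
            if mm == 2 and "V" in payloads:
                responder_vid = True     # peer echoed at least one vendor ID
            if "NAT-D" in payloads:
                natd = True
        elif e.group("exch") == "INFORMATIONAL_V1":
            for p in payloads:
                n = NOTIFY_RE.match(p)
                if n:
                    notify = n.group("type")
    return MainModeResult(natt_vids, responder_vid, natd, mm, notify, destroyed)


def findings(r: MainModeResult) -> List[str]:
    out = []
    if r.natt_vids_sent and not r.responder_sent_vid:
        out.append("initiator advertised NAT-T vendor IDs but the responder's SA reply "
                   "carried no vendor ID payload, so NAT-T was not negotiated")
    if r.last_mm_message >= 3 and not r.natd_seen:
        out.append("no NAT-D payload appeared in messages 3/4, so NAT detection never "
                   "happened on the wire")
    if r.failure_notify:
        out.append(f"responder sent {r.failure_notify} after Main Mode message "
                   f"{r.last_mm_message} ({MM_MESSAGES.get(r.last_mm_message, '?')})")
        if not r.auth_reached:
            out.append("the exchange ended before messages 5/6 (ID, HASH): a wrong PSK "
                       "value is only detectable from HASH_I, so the responder gave up "
                       "before it could have compared the key")
    return out


if __name__ == "__main__":
    for f in findings(analyze(SAMPLE_LOG)):
        print("-", f)
```

Run against the thread's excerpt it reports that the Zyxel's SA reply carried no vendor ID (matching the router's own "Send:[SA]" line), that no NAT-D payloads were exchanged, and that AUTHENTICATION_FAILED arrived after message 3, before any HASH was on the wire. Run it against a full `charondebug=ike 4, enc 4` log from a working peer to compare where the two exchanges diverge.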

________________________________
From: Noel Kuntze <noel at familie-kuntze.de>
Sent: Monday, December 12, 2016 3:27:48 PM
To: Watson Hewitt; users at lists.strongswan.org
Subject: Re: [strongSwan] Issue with authentication under IKEv1 + NAT + PSK

Hello Watson,

On 13.12.2016 00:24, Watson Hewitt wrote:
> My understanding from the docs is that StrongSwan does not support that config option anymore and that charon is supposed to handle this automatically and internally.

NAT-T is enabled and enforced when NAT is detected or forced to be used by using forceencaps=yes in ipsec.conf (similar option in swanctl.conf).

Your email lacks information. We require logs and configs. You're probably doing something inherently wrong.

--

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

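Noel refers to a swanctl.conf counterpart of forceencaps. As an added example (not from the thread and not an official strongSwan sample), this is Watson's "test" connection from the ipsec.conf above translated into swanctl.conf syntax: `encap = yes` is that counterpart, `version = 1` selects IKEv1, and the secrets section keys the PSK by the peer address exactly as the ipsec.secrets line does. The angle-bracket placeholders and the "abcd" key are the thread's own redactions.

```conf
# Added example: swanctl.conf equivalent of the ipsec.conf 'test' connection.
connections {
    test {
        version = 1                       # IKEv1 (keyexchange=ikev1)
        aggressive = no                   # Main Mode, as in the thread
        encap = yes                       # swanctl.conf counterpart of forceencaps=yes
        proposals = aes256-sha1-modp2048  # ike=...
        local_addrs  = <StrongSwan Machine Local IP>
        remote_addrs = <Zyxel Public IP>
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            test {
                mode = tunnel             # type=tunnel (the default)
                esp_proposals = aes128-sha1
                local_ts  = x.x.x.x/24
                remote_ts = <Local Subnet Behind Zyxel>/24
            }
        }
    }
}

secrets {
    ike-zyxel {
        id = <Zyxel Public IP>            # <Zyxel Public IP> : PSK "abcd"
        secret = "abcd"
    }
}
```

After editing, `swanctl --load-all` reloads both connections and secrets, and `swanctl --initiate --child test` starts the exchange.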
