[strongSwan] Connecting a Zyxel client with PSK to strongswan
Thomas Egerer
hakke_007 at gmx.de
Fri Jan 22 10:29:25 CET 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CJ,
neither of your connections has a reasonable 'right' parameter [1],
so charon has to guess which connection to select. Based on what
the log says, it choses CertBased over the one you want (testzyxel).
Try adding 'right=207.8.183.25' to conn testzyxel. This should
let charon select the proper IKE/Peer config.
Cheers,
Thomas
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
On 01/22/2016 06:04 AM, CJ Fearnley wrote:
> Unfortunately, the Zyxel's cannot use a CA signed cert, so I'm forced to
> try to connect them with PSK despite our other ipsec clients using certs
> (Netgears).
>
> I have this configuration (Debian Jessie, Linux strongSwan
> U5.2.1/K3.16.0-4-amd64):
>
> config setup
> uniqueids=no
>
> conn %default
> mobike=no
> keyexchange=ikev1
> left=216.130.102.66
> leftsubnet=192.168.101.0/24
> auto=add
>
> conn CertBased
> leftid="C=US, ST=IL, L=Glenwood, O=[Private redacted], CN=[Private redacted], E=[Private redacted]"
> leftcert=[Private redacted],crt
> leftsendcert=always
> ike=3des-sha1-modp1024!
> esp=3des-sha1-modp1024!
> conn Netgear
> rightsubnet=192.168.190.0/24
> right=%any
> also=CertBased
>
> conn testzyxel
> rightsubnet=192.168.221.0/24
> leftsendcert=no
> authby=psk
> compress=no
> ikelifetime=8h
> lifetime=8h
> ike=aes256-sha256-modp1024!
> esp=aes256-sha256-modp1024!
>
> The Netgear connections work. The testzyxel connections fail.
>
> I've tried it with the ike= and esp= lines commented out too.
>
> When I set ike logging to level 2: ipsec stroke loglevel ike 2, I see this in
> the logs:
>
> Jan 21 23:04:25 cw1 charon: 10[IKE] 207.8.183.25 is initiating a Main Mode IKE_SA
> Jan 21 23:04:25 cw1 charon: 10[IKE] IKE_SA (unnamed)[19] state change: CREATED => CONNECTING
> Jan 21 23:04:25 cw1 charon: 10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
> Jan 21 23:04:25 cw1 charon: 10[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> Jan 21 23:04:25 cw1 charon: 10[IKE] no proposal found
>
> I have tried every combination of encryption & integrity algorigthms
> that I could think of. It always claims to be configured for
> 3DES_CBC/HMAC_SHA1_96 instead of AES_CBC_256/HMAC_SHA2_256_128. Can this
> be fixed?
>
> I consulted https://wiki.strongswan.org/projects/1/wiki/IKEv1CipherSuites
> and so I would think specifying aes256-sha256-modp1024 should work. Why isn't
> strongswan accepting it?
>
> In /etc/strongswan.d/charon.conf, I added the line
> # Plugins to load in the IKE daemon charon.
> load = openssl aes sha1 sha2 hmac x509
>
> I included the part of the configuration that uses certs to authenticate
> our Netgear clients. Could the ike= and esp= lines needed for the Netgears
> be blocking the testzyxel stanza from using aes256-sha256?
>
> Here is the output of "ipsec listalgs":
>
> List of registered IKE algorithms:
>
> sudo ipsec listalgs
>
> List of registered IKE algorithms:
>
> encryption: AES_CBC[af-alg] DES_CBC[af-alg] DES_ECB[af-alg] 3DES_CBC[af-alg] AES_CTR[af-alg] CAMELLIA_CBC[af-alg]
> CAMELLIA_CTR[af-alg] CAST_CBC[af-alg] BLOWFISH_CBC[af-alg] SERPENT_CBC[af-alg] TWOFISH_CBC[af-alg]
> NULL[openssl] RC2_CBC[rc2]
> integrity: HMAC_SHA1_96[af-alg] HMAC_SHA1_128[af-alg] HMAC_SHA1_160[af-alg] HMAC_SHA2_256_96[af-alg]
> HMAC_SHA2_256_128[af-alg] HMAC_MD5_96[af-alg] HMAC_MD5_128[af-alg] HMAC_SHA2_256_256[af-alg]
> HMAC_SHA2_384_192[af-alg] HMAC_SHA2_384_384[af-alg] HMAC_SHA2_512_256[af-alg] HMAC_SHA2_512_512[af-alg]
> AES_XCBC_96[af-alg] CAMELLIA_XCBC_96[af-alg] AES_CMAC_96[cmac]
> aead: AES_CCM_8[ccm] AES_CCM_12[ccm] AES_CCM_16[ccm] CAMELLIA_CCM_8[ccm] CAMELLIA_CCM_12[ccm]
> CAMELLIA_CCM_16[ccm] AES_GCM_8[gcm] AES_GCM_12[gcm] AES_GCM_16[gcm]
> hasher: HASH_SHA1[af-alg] HASH_MD4[af-alg] HASH_MD5[af-alg] HASH_SHA224[af-alg] HASH_SHA256[af-alg]
> HASH_SHA384[af-alg] HASH_SHA512[af-alg]
> prf: PRF_HMAC_SHA1[af-alg] PRF_HMAC_SHA2_256[af-alg] PRF_HMAC_MD5[af-alg] PRF_HMAC_SHA2_384[af-alg]
> PRF_HMAC_SHA2_512[af-alg] PRF_AES128_XCBC[af-alg] PRF_CAMELLIA128_XCBC[af-alg] PRF_AES128_CMAC[cmac]
> PRF_KEYED_SHA1[openssl] PRF_FIPS_SHA1_160[fips-prf]
> dh-group: MODP_2048[gcrypt] MODP_2048_224[gcrypt] MODP_2048_256[gcrypt] MODP_1536[gcrypt] MODP_3072[gcrypt]
> MODP_4096[gcrypt] MODP_6144[gcrypt] MODP_8192[gcrypt] MODP_1024[gcrypt] MODP_1024_160[gcrypt]
> MODP_768[gcrypt] MODP_CUSTOM[gcrypt] ECP_256[openssl] ECP_384[openssl] ECP_521[openssl] ECP_224[openssl]
> ECP_192[openssl] ECP_224_BP[openssl] ECP_256_BP[openssl] ECP_384_BP[openssl] ECP_512_BP[openssl]
> random-gen: RNG_WEAK[gcrypt] RNG_STRONG[gcrypt] RNG_TRUE[gcrypt]
> nonce-gen: [nonce]
>
> Do I need to specify another plugin? Am I missing a Debian package that
> provides the aes256 encryption algorithm?
>
> As a last try I wondered if maybe I need to configure strongswan with 3des by
> adding the des plugin and trying with these line in and commented out:
> ike=3des-sha1-modp1024!
> esp=3des-sha1-modp1024!
>
> Of course, I wasn't thinking backward and it didn't work. Any suggestions?
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWofZwAAoJEGK31ONirBTGs10P/21MpxdKYcT6hDXX2Qs/56dp
n4HEO+UJn1Y7zgGn0iu8/bRRWq6wQ4tXZFrszCrPPj3IquGBwzVBIcfQUP30fFCa
76YiVob9mbcwzlHvzyrHneLEgZW7fHW7VLzzCtIS+nPD/wh+/PRqUbu6aWasgFcE
O8NDMzeaWyue0yBkC0b2HiudATlDAYpNpV1r6H2JE5G25jP46vjpVfgHZtDqu7SJ
MwIqfYC5PagVkWk75J55guPbs6lZ5/UuKRmpN1KS3YbYZlNSKM0yR9tJ9TVcWQHV
HUAFToqKCm9EUANY+U5TLgDKAkMp9hmtpNewUgC9NUqDM130qv1VRCYrLTpFWXpc
wTU+n05PbhJUFZVl3UyNpLJ6D8o7RL5LPltVSWsPnL9AvIC7Pt0sQhZJDL90+Ps6
VyrpmFyiewIcHSGHiu2suF6LC4B9ZKOvU3XHEPZFv5zoRIhLNN1+WXdpKQH2/XdS
wKX4o+3WT9Qm40myiiRGs7H7kO3M3V3xTUOlzQMVQtCkZQ7Y9z1zh6MyZA3YAF9+
h68wtMnC2VQOu+MuXLgGw0tltITGM+T15B52GwlG6OvzHum3cKmI2ZVXG3y8m1HT
ypp6kvtJC5usQN2qa8If8PTtUufEmvCakw+a7DiPcdBrNVsDDBXakyiSqbrs1iQt
gsc46EUmSgyvoR7dwUQm
=GxjK
-----END PGP SIGNATURE-----
More information about the Users
mailing list