[strongSwan] Trying to connect to PFsense appliance

Brent Clark brentgclarklist at gmail.com
Mon Jun 6 11:21:21 CEST 2016 

Good day Guys

I asked this previously, but I only got back to work today, so as sometime
has passed, I thought I would ask again in a new thread, as I made some
advancement, but still having issues.

As per the subject, Im trying to connect to a Pfsense device.

If someone could take alook at my setup it would be very much appreciated.

Here is my configuration:

root at sql01 ~ # ipsec start --debug-all --nofork
Starting strongSwan 5.1.2 IPsec [starter]...
Loading config setup
Loading conn %default
  keyexchange=ikev1
  authby=secret
Loading conn 'pfsense'
  left=my_ip_removed
  leftsourceip=%config
  leftfirewall=no
  right=my_vendor_removed
  rightsubnet=10.4.128.6/32
  ike=3des-sha1-modp1024!
  esp=3des-sha1!
  ikelifetime=86400s
  keylife=3600s
  auto=add
found netkey IPsec stack
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux
3.13.0-77-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for my_ip_removed my_vendor_removed
00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5
rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12
pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
socket-default stroke updown eap-identity addrblock
00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (19750) started after 20 ms
06[CFG] received stroke: add connection 'pfsense'
06[CFG] added configuration 'pfsense'


The vendor gave me the following information. (This is a copy and paste
from an excel spreadsheet. The first column is what my setting must be, and
the second is what their settings are)

Phase I Settings			"IPSec Phase 1 Settings MUST match on both sides"
Diffie-Helman Group	2 (Mod1024)	2 (Mod1024)	
Encryption Algorithm	3DES	3DES	
Hash Algorithm	SHA-1	SHA-1	
NAT-T	Disable	Disable	
Lifetime (In Seconds)	86400	86400	
Phase II Settings			"IPSec Phase 2 Settings.MUST match on both sides"
Encapsulation	ESP (encrypted)	ESP (encrypted)	
Perfect Forward Secrecy (PFS)	NO PFS	NO PFS	
Encryption Algorithm	3DES	3DES	
Hash Algorithm	SHA-1	SHA-1	
Lifetime (In Seconds)	3	3600	
Lifetime (In Kbytes)	N/A	N/A


Here is some additional information.

root at sql01 ~ # ipsec up pfsense
initiating Main Mode IKE_SA pfsense[1] to my_vendor_removed
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from my_ip_removed[500] to my_vendor_removed[500] (156 bytes)
received packet: from my_vendor_removed[500] to my_ip_removed[500] (156 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received Cisco Unity vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from my_ip_removed[500] to my_vendor_removed[500] (244 bytes)
received packet: from my_vendor_removed[500] to my_ip_removed[500] (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH ]
sending packet: from my_ip_removed[4500] to my_vendor_removed[4500] (68 bytes)
received packet: from my_vendor_removed[500] to my_ip_removed[500] (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 2508402058 processing failed
sending retransmit 1 of request message ID 0, seq 3
sending packet: from my_ip_removed[4500] to my_vendor_removed[4500] (68 bytes)
received packet: from my_vendor_removed[500] to my_ip_removed[500] (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request

 -----------------------------------------------------------------------------

root at removed ~ # tcpdump -i eth0 -n -s 0 -vv \(port 500 or port 4500\)
and  host remote_ip
11:10:23.854742 IP (tos 0x0, ttl 64, id 23908, offset 0, flags [DF],
proto UDP (17), length 100)
    my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5
-> 0xed53!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie
dad9f5e5d2979fdb->a302dd331922e192: phase 1 ? ident[E]: [encrypted id]
11:11:05.845035 IP (tos 0x0, ttl 64, id 26186, offset 0, flags [DF],
proto UDP (17), length 100)
    my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5
-> 0xed53!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie
dad9f5e5d2979fdb->a302dd331922e192: phase 1 ? ident[E]: [encrypted id]
11:12:21.427910 IP (tos 0x0, ttl 64, id 37217, offset 0, flags [DF],
proto UDP (17), length 184)
    my_ip_removed.500 > my_vendor_removed.500: [bad udp cksum 0x1b19
-> 0x256f!] isakmp 1.0 msgid 00000000 cookie
dad9f5e5d2979fdb->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #0 protoid=isakmp transform=1
            (t: #1 id=ike (type=enc value=3des)(type=hash
value=sha1)(type=group desc value=modp1024)(type=auth
value=preshared)(type=lifetype value=sec)(type=lifeduration len=4
value=00015180))))
    (vid: len=8)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
11:12:21.618104 IP (tos 0x28, ttl 50, id 48062, offset 0, flags
[none], proto UDP (17), length 184)
    my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0
msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 R
ident:
    (sa: doi=ipsec situation=identity
        (p: #0 protoid=isakmp transform=1
            (t: #1 id=ike (type=enc value=3des)(type=hash
value=sha1)(type=group desc value=modp1024)(type=auth
value=preshared)(type=lifetype value=sec)(type=lifeduration len=4
value=00015180))))
    (vid: len=8)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
11:12:21.620911 IP (tos 0x0, ttl 64, id 37227, offset 0, flags [DF],
proto UDP (17), length 272)
    my_ip_removed.500 > my_vendor_removed.500: [bad udp cksum 0x1b71
-> 0x77bb!] isakmp 1.0 msgid 00000000 cookie
dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident:
    (ke: key len=128)
    (nonce: n len=32
data=(81292b820fbcb8983077...49d69c7dccb7e8909caa4592110487911f8c5bad))
    (pay20)
    (pay20)
11:12:21.811858 IP (tos 0x28, ttl 50, id 25607, offset 0, flags
[none], proto UDP (17), length 272)
    my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0
msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 R
ident:
    (ke: key len=128)
    (nonce: n len=32
data=(2f28c612791a99888ef3...a8a7c8b340152057bcefe35b50e7d7ad768cdae7))
    (pay20)
    (pay20)
11:12:21.814561 IP (tos 0x0, ttl 64, id 37263, offset 0, flags [DF],
proto UDP (17), length 100)
    my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5
-> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie
dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
11:12:22.004213 IP (tos 0x28, ttl 50, id 33638, offset 0, flags
[none], proto UDP (17), length 96)
    my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0
msgid 72fe0776 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase
2/others R inf[E]: [encrypted hash]
11:12:25.814848 IP (tos 0x0, ttl 64, id 38072, offset 0, flags [DF],
proto UDP (17), length 100)
    my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5
-> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie
dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
11:12:26.004450 IP (tos 0x28, ttl 50, id 24130, offset 0, flags
[none], proto UDP (17), length 96)
    my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0
msgid c81c162f cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase
2/others R inf[E]: [encrypted hash]
11:12:33.015106 IP (tos 0x0, ttl 64, id 39418, offset 0, flags [DF],
proto UDP (17), length 100)
    my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5
-> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie
dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
11:12:33.204540 IP (tos 0x28, ttl 50, id 57519, offset 0, flags
[none], proto UDP (17), length 96)
    my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0
msgid 6144b96e cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase
2/others R inf[E]: [encrypted hash]
11:12:45.975394 IP (tos 0x0, ttl 64, id 40707, offset 0, flags [DF],
proto UDP (17), length 100)
    my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5
-> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie
dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
11:12:46.164873 IP (tos 0x28, ttl 50, id 34443, offset 0, flags
[none], proto UDP (17), length 96)
    my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0
msgid 775b2adc cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase
2/others R inf[E]: [encrypted hash]
11:13:09.303694 IP (tos 0x0, ttl 64, id 43955, offset 0, flags [DF],
proto UDP (17), length 100)
    my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5
-> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie
dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
11:13:51.294091 IP (tos 0x0, ttl 64, id 44938, offset 0, flags [DF],
proto UDP (17), length 100)
    my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5
-> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie
dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel


Thanks if you can help me.

Regards
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160606/656847af/attachment-0001.html>

More information about the Users mailing list