[strongSwan] Trying to connect to PFsense appliance

Brent Clark brentgclarklist at gmail.com
Mon Jun 6 11:52:47 CEST 2016


Thanks guys

It was the PSK.

Now to get the routing working.
:)

Thanks
Brent

On Mon, Jun 6, 2016 at 11:21 AM, Brent Clark <brentgclarklist at gmail.com>
wrote:

> Good day Guys
>
> I asked this previously, but I only got back to work today, so as some time
> has passed, I thought I would ask again in a new thread, as I made some
> advancement, but I am still having issues.
>
> As per the subject, I'm trying to connect to a pfSense device.
>
> If someone could take a look at my setup it would be very much appreciated.
>
> Here is my configuration:
>
> root at sql01 ~ # ipsec start --debug-all --nofork
> Starting strongSwan 5.1.2 IPsec [starter]...
> Loading config setup
> Loading conn %default
>   keyexchange=ikev1
>   authby=secret
> Loading conn 'pfsense'
>   left=my_ip_removed
>   leftsourceip=%config
>   leftfirewall=no
>   right=my_vendor_removed
>   rightsubnet=10.4.128.6/32
>   ike=3des-sha1-modp1024!
>   esp=3des-sha1!
>   ikelifetime=86400s
>   keylife=3600s
>   auto=add
> found netkey IPsec stack
> Attempting to start charon...
> 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux
> 3.13.0-77-generic, x86_64)
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG]   loaded IKE secret for my_ip_removed my_vendor_removed
> 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5
> rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12
> pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
> socket-default stroke updown eap-identity addrblock
> 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
> 00[LIB] dropped capabilities, running as uid 0, gid 0
> 00[JOB] spawning 16 worker threads
> charon (19750) started after 20 ms
> 06[CFG] received stroke: add connection 'pfsense'
> 06[CFG] added configuration 'pfsense'
>
>
> The vendor gave me the following information. (This is a copy and paste
> from an excel spreadsheet. The first column is what my setting must be, and
> the second is what their settings are)
>
> Phase I Settings                    "IPSec Phase 1 Settings MUST match on both sides"
> Setting                          Mine              Theirs
> Diffie-Hellman Group             2 (Mod1024)       2 (Mod1024)
> Encryption Algorithm             3DES              3DES
> Hash Algorithm                   SHA-1             SHA-1
> NAT-T                            Disable           Disable
> Lifetime (In Seconds)            86400             86400
>
> Phase II Settings                   "IPSec Phase 2 Settings MUST match on both sides"
> Setting                          Mine              Theirs
> Encapsulation                    ESP (encrypted)   ESP (encrypted)
> Perfect Forward Secrecy (PFS)    NO PFS            NO PFS
> Encryption Algorithm             3DES              3DES
> Hash Algorithm                   SHA-1             SHA-1
> Lifetime (In Seconds)            3                 3600
> Lifetime (In Kbytes)             N/A               N/A
>
>
> Here is some additional information.
>
> root at sql01 ~ # ipsec up pfsense
> initiating Main Mode IKE_SA pfsense[1] to my_vendor_removed
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from my_ip_removed[500] to my_vendor_removed[500] (156 bytes)
> received packet: from my_vendor_removed[500] to my_ip_removed[500] (156 bytes)
> parsed ID_PROT response 0 [ SA V V V V ]
> received XAuth vendor ID
> received DPD vendor ID
> received Cisco Unity vendor ID
> received NAT-T (RFC 3947) vendor ID
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from my_ip_removed[500] to my_vendor_removed[500] (244 bytes)
> received packet: from my_vendor_removed[500] to my_ip_removed[500] (244 bytes)
> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
> remote host is behind NAT
> generating ID_PROT request 0 [ ID HASH ]
> sending packet: from my_ip_removed[4500] to my_vendor_removed[4500] (68 bytes)
> received packet: from my_vendor_removed[500] to my_ip_removed[500] (68 bytes)
> invalid HASH_V1 payload length, decryption failed?
> could not decrypt payloads
> message parsing failed
> ignore malformed INFORMATIONAL request
> INFORMATIONAL_V1 request with message ID 2508402058 processing failed
> sending retransmit 1 of request message ID 0, seq 3
> sending packet: from my_ip_removed[4500] to my_vendor_removed[4500] (68 bytes)
> received packet: from my_vendor_removed[500] to my_ip_removed[500] (68 bytes)
> invalid HASH_V1 payload length, decryption failed?
> could not decrypt payloads
> message parsing failed
> ignore malformed INFORMATIONAL request
>
>  -----------------------------------------------------------------------------
>
> root at removed ~ # tcpdump -i eth0 -n -s 0 -vv \(port 500 or port 4500\) and  host remote_ip
> 11:10:23.854742 IP (tos 0x0, ttl 64, id 23908, offset 0, flags [DF], proto UDP (17), length 100)
>     my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xed53!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->a302dd331922e192: phase 1 ? ident[E]: [encrypted id]
> 11:11:05.845035 IP (tos 0x0, ttl 64, id 26186, offset 0, flags [DF], proto UDP (17), length 100)
>     my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xed53!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->a302dd331922e192: phase 1 ? ident[E]: [encrypted id]
> 11:12:21.427910 IP (tos 0x0, ttl 64, id 37217, offset 0, flags [DF], proto UDP (17), length 184)
>     my_ip_removed.500 > my_vendor_removed.500: [bad udp cksum 0x1b19 -> 0x256f!] isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->0000000000000000: phase 1 I ident:
>     (sa: doi=ipsec situation=identity
>         (p: #0 protoid=isakmp transform=1
>             (t: #1 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))))
>     (vid: len=8)
>     (vid: len=16)
>     (vid: len=16)
>     (vid: len=16)
> 11:12:21.618104 IP (tos 0x28, ttl 50, id 48062, offset 0, flags [none], proto UDP (17), length 184)
>     my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 R ident:
>     (sa: doi=ipsec situation=identity
>         (p: #0 protoid=isakmp transform=1
>             (t: #1 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))))
>     (vid: len=8)
>     (vid: len=16)
>     (vid: len=16)
>     (vid: len=16)
> 11:12:21.620911 IP (tos 0x0, ttl 64, id 37227, offset 0, flags [DF], proto UDP (17), length 272)
>     my_ip_removed.500 > my_vendor_removed.500: [bad udp cksum 0x1b71 -> 0x77bb!] isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident:
>     (ke: key len=128)
>     (nonce: n len=32  data=(81292b820fbcb8983077...49d69c7dccb7e8909caa4592110487911f8c5bad))
>     (pay20)
>     (pay20)
> 11:12:21.811858 IP (tos 0x28, ttl 50, id 25607, offset 0, flags [none], proto UDP (17), length 272)
>     my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 R ident:
>     (ke: key len=128)
>     (nonce: n len=32  data=(2f28c612791a99888ef3...a8a7c8b340152057bcefe35b50e7d7ad768cdae7))
>     (pay20)
>     (pay20)
> 11:12:21.814561 IP (tos 0x0, ttl 64, id 37263, offset 0, flags [DF], proto UDP (17), length 100)
>     my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
> 11:12:22.004213 IP (tos 0x28, ttl 50, id 33638, offset 0, flags [none], proto UDP (17), length 96)
>     my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid 72fe0776 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 2/others R inf[E]: [encrypted hash]
> 11:12:25.814848 IP (tos 0x0, ttl 64, id 38072, offset 0, flags [DF], proto UDP (17), length 100)
>     my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
> 11:12:26.004450 IP (tos 0x28, ttl 50, id 24130, offset 0, flags [none], proto UDP (17), length 96)
>     my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid c81c162f cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 2/others R inf[E]: [encrypted hash]
> 11:12:33.015106 IP (tos 0x0, ttl 64, id 39418, offset 0, flags [DF], proto UDP (17), length 100)
>     my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
> 11:12:33.204540 IP (tos 0x28, ttl 50, id 57519, offset 0, flags [none], proto UDP (17), length 96)
>     my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid 6144b96e cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 2/others R inf[E]: [encrypted hash]
> 11:12:45.975394 IP (tos 0x0, ttl 64, id 40707, offset 0, flags [DF], proto UDP (17), length 100)
>     my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
> 11:12:46.164873 IP (tos 0x28, ttl 50, id 34443, offset 0, flags [none], proto UDP (17), length 96)
>     my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid 775b2adc cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 2/others R inf[E]: [encrypted hash]
> 11:13:09.303694 IP (tos 0x0, ttl 64, id 43955, offset 0, flags [DF], proto UDP (17), length 100)
>     my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
> 11:13:51.294091 IP (tos 0x0, ttl 64, id 44938, offset 0, flags [DF], proto UDP (17), length 100)
>     my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
> ^C
> 16 packets captured
> 16 packets received by filter
> 0 packets dropped by kernel
>
>
> Thanks if you can help me.
>
> Regards
>
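The thread resolves to a pre-shared key mismatch, and the quoted trace shows what that looks like in strongSwan's IKEv1 Main Mode output: the initiator's fifth message ([ ID HASH ]) is the first one encrypted under keys derived from the PSK, so a wrong key shows up as "invalid HASH_V1 payload length, decryption failed?" on the reply rather than as an explicit authentication error. As an added example (not code from the thread, from Brent or from the strongSwan project), the script below turns the vendor's "must match" sheet into the ipsec.conf keys it implies, compares them with the conn block printed by `ipsec start --debug-all`, flags sheet rows where the two columns disagree (the Phase 2 lifetime row above), and scans the `ipsec up` lines for that wrong-PSK signature. The sample sheet, conn block and log lines are constructed copies of what the post quotes; the sheet-vocabulary-to-proposal mapping (`ENC`, `HASH`, `GROUP`) and the `nat_t_port_asymmetry` finding (we moved to UDP 4500 after NAT detection while the peer kept answering from 500, worth checking against a sheet that says NAT-T is disabled) are my own assumptions, not strongSwan behaviour.

```python
"""Added example (not from the thread or the strongSwan project): check a strongSwan
IKEv1 conn block against a vendor's "must match" Phase 1/2 sheet, and scan an
'ipsec up' trace for the wrong-PSK signature this thread ran into."""
import re

# Vendor sheet as quoted in the thread, row -> (my column, their column). Constructed here.
VENDOR_TABLE = {
    "phase1": {"Diffie-Hellman Group": ("2 (Mod1024)", "2 (Mod1024)"),
               "Encryption Algorithm": ("3DES", "3DES"),
               "Hash Algorithm": ("SHA-1", "SHA-1"),
               "NAT-T": ("Disable", "Disable"),
               "Lifetime (In Seconds)": ("86400", "86400")},
    "phase2": {"Encapsulation": ("ESP (encrypted)", "ESP (encrypted)"),
               "Perfect Forward Secrecy (PFS)": ("NO PFS", "NO PFS"),
               "Encryption Algorithm": ("3DES", "3DES"),
               "Hash Algorithm": ("SHA-1", "SHA-1"),
               "Lifetime (In Seconds)": ("3", "3600")},
}

# Conn block as printed by 'ipsec start --debug-all' in the thread (constructed copy, trimmed).
SAMPLE_CONN = """\
Loading conn 'pfsense'
  right=my_vendor_removed
  rightsubnet=10.4.128.6/32
  ike=3des-sha1-modp1024!
  esp=3des-sha1!
  ikelifetime=86400s
  keylife=3600s
"""

# Key lines of the 'ipsec up pfsense' trace from the thread (constructed copy, trimmed).
SAMPLE_LOG = """\
initiating Main Mode IKE_SA pfsense[1] to my_vendor_removed
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from my_ip_removed[500] to my_vendor_removed[500] (156 bytes)
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH ]
sending packet: from my_ip_removed[4500] to my_vendor_removed[4500] (68 bytes)
received packet: from my_vendor_removed[500] to my_ip_removed[500] (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
"""

# Sheet vocabulary -> strongSwan proposal tokens (my own mapping, only what the sheet needs).
ENC = {"3DES": "3des", "AES-128": "aes128", "AES-256": "aes256"}
HASH = {"SHA-1": "sha1", "SHA-256": "sha256", "MD5": "md5"}
GROUP = {"2 (Mod1024)": "modp1024", "5 (Mod1536)": "modp1536", "14 (Mod2048)": "modp2048"}


def expected_conn(table):
    """ipsec.conf keys implied by the vendor's column (index 1) of the sheet."""
    p1 = {k: v[1] for k, v in table["phase1"].items()}
    p2 = {k: v[1] for k, v in table["phase2"].items()}
    ike = "-".join([ENC[p1["Encryption Algorithm"]], HASH[p1["Hash Algorithm"]],
                    GROUP[p1["Diffie-Hellman Group"]]]) + "!"
    esp = [ENC[p2["Encryption Algorithm"]], HASH[p2["Hash Algorithm"]]]
    if p2["Perfect Forward Secrecy (PFS)"] != "NO PFS":  # PFS adds a DH group to Phase 2
        esp.append(GROUP[p2["Perfect Forward Secrecy (PFS)"]])
    return {"ike": ike, "esp": "-".join(esp) + "!",
            "ikelifetime": p1["Lifetime (In Seconds)"] + "s",
            "keylife": p2["Lifetime (In Seconds)"] + "s"}


def table_mismatches(table):
    """Rows where the two columns differ although the sheet says they MUST match."""
    return [(phase, row) for phase, rows in table.items()
            for row, (mine, theirs) in rows.items() if mine != theirs]


def parse_conn(text):
    """key=value pairs from the indented lines of a 'Loading conn' block."""
    matches = (re.match(r"^\s+(\w+)=(\S+)\s*$", ln) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def conn_mismatches(conn, expected):
    """Keys whose configured value differs from what the sheet implies: {key: (have, want)}."""
    return {k: (conn.get(k), v) for k, v in expected.items() if conn.get(k) != v}


def diagnose_ikev1_log(lines):
    """In Main Mode with PSK, the initiator's message 5 ([ ID HASH ]) is the first one
    encrypted under keys derived from the PSK; a 'decryption failed' right after it means
    neither side can read the other, the usual wrong-PSK symptom (and the cause here)."""
    findings = []
    sent_id_hash = False
    for line in lines:
        if "[ ID HASH ]" in line:
            sent_id_hash = True
        elif sent_id_hash and "decryption failed" in line:
            findings.append("psk_mismatch_likely")
            break
    text = "\n".join(lines)
    to_ports = set(re.findall(r"sending packet: from \S+\[\d+\] to \S+\[(\d+)\]", text))
    from_ports = set(re.findall(r"received packet: from \S+\[(\d+)\]", text))
    if "4500" in to_ports and from_ports == {"500"}:
        # we switched to UDP 4500 after NAT detection, the peer kept answering from 500
        findings.append("nat_t_port_asymmetry")
    return findings
```

Run against the constructed samples, `conn_mismatches(parse_conn(SAMPLE_CONN), expected_conn(VENDOR_TABLE))` comes back empty (the proposals and lifetimes already match the sheet), `table_mismatches` points at the Phase 2 lifetime row, and `diagnose_ikev1_log` reports the wrong-PSK pattern; that is consistent with the post's config being right and the secret in ipsec.secrets being the problem.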