[strongSwan] Zyxel zywall and strongswan roadwarrior ipsec/l2tp problem
Pasi Oja-Nisula
pon at iki.fi
Sat Mar 26 15:47:02 CET 2016
Hi,
Strongswan newbie here with Zyxel Zywall problem. We have the
mentioned device as vpn gateway at our work and I've been given ip
address, PSK, username and password. This should be a straightforward
ipsec/L2TP implementation for a roadwarrior with default settings all
the way. From Windows machine (same network, in fact same laptop) the
vpn connection works fine. The gateway also has some other
site-to-site tunnels which are also ok.
But from Linux and Strongswan I'm not getting very far at all.
Depending on ipsec.conf I get either NO_PROPOSAL_CHOSEN or
AUTHENTICATION_FAILED. I'm using Debian and I've tried with Strongswan
5.2.1 and 5.3.5 with the same results.
The FAQ mentions compress=no, which seems to have no effect in this case.
PSK has been checked dozens of times.
I'm trying to include all relevant information here. I'm behind NAT.
The public addresses are s.s.s.s for the server and c.c.c.c for the
client. Hopefully the formatting doesn't break too badly. Thank you for
all pointers!
Pasi
Zyxel zywall config:
--------------------------------------------------------
isakmp policy WIZ_L2TP_VPN
peer-ip 0.0.0.0 0.0.0.0
local-ip interface wan1
authentication pre-share
encrypted-keystring $XXXXXXXXXXXXX$
mode main
transform-set 3des-sha 3des-md5 des-sha
group2
lifetime 86400
dpd-interval 30
xauth type server default deactivate
peer-id type any
!
crypto map WIZ_L2TP_VPN
ipsec-isakmp WIZ_L2TP_VPN
encapsulation transport
transform-set esp-3des-sha esp-3des-md5 esp-des-sha
set security-association lifetime seconds 86400
set pfs none
scenario remote-access-server
local-policy WIZ_L2TP_VPN_LOCAL
remote-policy any
!
--------------------------------------------------------
ipsec.conf:
--------------------------------------------------------
config setup
charondebug="ike 4, cfg 4, enc 1, chd 4, esp 4"
conn testconn
keyexchange=ikev1
compress=no
type=transport
authby=secret
leftsourceip=%config
right=s.s.s.s
ike=3des-sha1-modp1024!
esp=3des-sha1
auto=add
--------------------------------------------------------
daemon.log:
--------------------------------------------------------
Mar 26 16:18:44 stretch charon: 04[IKE] initiating Main Mode IKE_SA
testconn[1] to s.s.s.s
Mar 26 16:18:44 stretch charon: 04[IKE] IKE_SA testconn[1] state
change: CREATED => CONNECTING
Mar 26 16:18:44 stretch charon: 04[CFG] configured proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 26 16:18:44 stretch charon: 04[ENC] generating ID_PROT request 0 [
SA V V V V ]
Mar 26 16:18:44 stretch charon: 04[NET] sending packet: from
192.168.100.13[500] to s.s.s.s[500] (152 bytes)
Mar 26 16:18:44 stretch charon: 03[NET] received packet: from
s.s.s.s[500] to 192.168.100.13[500] (80 bytes)
Mar 26 16:18:44 stretch charon: 03[ENC] parsed ID_PROT response 0 [ SA ]
Mar 26 16:18:44 stretch charon: 03[CFG] selecting proposal:
Mar 26 16:18:44 stretch charon: 03[CFG] proposal matches
Mar 26 16:18:44 stretch charon: 03[CFG] received proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 26 16:18:44 stretch charon: 03[CFG] configured proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 26 16:18:44 stretch charon: 03[CFG] selected proposal:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 26 16:18:44 stretch charon: 03[IKE] reinitiating already active tasks
Mar 26 16:18:44 stretch charon: 03[IKE] ISAKMP_VENDOR task
Mar 26 16:18:44 stretch charon: 03[IKE] MAIN_MODE task
Mar 26 16:18:44 stretch charon: 03[ENC] generating ID_PROT request 0 [ KE No ]
Mar 26 16:18:44 stretch charon: 03[NET] sending packet: from
192.168.100.13[500] to s.s.s.s[500] (196 bytes)
Mar 26 16:18:44 stretch charon: 02[MGR] ignoring request with ID
3490416300, already processing
Mar 26 16:18:44 stretch charon: 01[NET] received packet: from
s.s.s.s[500] to 192.168.100.13[500] (91 bytes)
Mar 26 16:18:44 stretch charon: 01[ENC] parsed INFORMATIONAL_V1
request 3995612116 [ N(AUTH_FAILED) ]
Mar 26 16:18:44 stretch charon: 01[IKE] received AUTHENTICATION_FAILED
error notify
Mar 26 16:18:44 stretch charon: 01[IKE] IKE_SA testconn[1] state
change: CONNECTING => DESTROYING
--------------------------------------------------------
zywall log:
--------------------------------------------------------
996 2016-03-26 16:18:45 c.c.c.c:500 s.s.s.s:500
info ike IKE_LOG
Recv Main Mode request from [c.c.c.c]
997 2016-03-26 16:18:45 c.c.c.c:500 s.s.s.s:500
info ike IKE_LOG
The cookie pair is : 0xa4421ba76c4d4510 / 0xebe6832f5c065b3c [count=2]
998 2016-03-26 16:18:45 c.c.c.c:500 s.s.s.s:500
info ike IKE_LOG
Recv:[SA][VID][VID][VID][VID]
999 2016-03-26 16:18:45 s.s.s.s:500 c.c.c.c:500
info ike IKE_LOG
The cookie pair is : 0xebe6832f5c065b3c / 0xa4421ba76c4d4510 [count=3]
1000 2016-03-26 16:18:45 s.s.s.s:500 c.c.c.c:500
info ike IKE_LOG
[SA] : No proposal chosen
1001 2016-03-26 16:18:45 s.s.s.s:500 c.c.c.c:500
info ike IKE_LOG
Send:[SA]
1002 2016-03-26 16:18:45 c.c.c.c:500 s.s.s.s:500
info ike IKE_LOG
Recv:[KE][NONCE]
1003 2016-03-26 16:18:45 s.s.s.s:500 c.c.c.c:500
info ike IKE_LOG
Send:[NOTIFY:AUTHENTICATION_FAILED]
--------------------------------------------------------
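Added here as a troubleshooting aid, not part of the original post: a small Python parser for charon log lines like the ones above. It extracts the proposal sets, payload exchanges, error notifies and IKE_SA state changes, and classifies at which Main Mode step the negotiation stopped. The sample log is a constructed re-join of the wrapped daemon.log lines quoted in the post.

```python
import re

# Constructed sample modelled on the charon daemon.log lines in the post
# (wrapped lines re-joined; s.s.s.s is the post's placeholder for the gateway).
SAMPLE_LOG = """\
Mar 26 16:18:44 stretch charon: 04[IKE] IKE_SA testconn[1] state change: CREATED => CONNECTING
Mar 26 16:18:44 stretch charon: 04[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 26 16:18:44 stretch charon: 04[ENC] generating ID_PROT request 0 [ SA V V V V ]
Mar 26 16:18:44 stretch charon: 03[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 26 16:18:44 stretch charon: 03[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 26 16:18:44 stretch charon: 03[ENC] generating ID_PROT request 0 [ KE No ]
Mar 26 16:18:44 stretch charon: 01[ENC] parsed INFORMATIONAL_V1 request 3995612116 [ N(AUTH_FAILED) ]
Mar 26 16:18:44 stretch charon: 01[IKE] received AUTHENTICATION_FAILED error notify
Mar 26 16:18:44 stretch charon: 01[IKE] IKE_SA testconn[1] state change: CONNECTING => DESTROYING
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ charon: \d+\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")

def summarize_ike(text):
    """Collect proposal sets, payload lists, error notifies and state changes from a charon log."""
    s = {"configured": [], "received": [], "selected": None,
         "payloads": [], "notifies": [], "states": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a charon line (daemon.log carries other daemons too)
        sub, msg = m.group("sub"), m.group("msg")
        if msg.startswith(("configured proposals: ", "received proposals: ")):
            s[msg.split()[0]] = msg.split(": ", 1)[1].split(", ")
        elif msg.startswith("selected proposal: "):
            s["selected"] = msg.split(": ", 1)[1]
        elif sub == "ENC" and (p := re.search(r"\[ (.*) \]$", msg)):
            s["payloads"].append(p.group(1).split())  # e.g. ['KE', 'No']
        elif n := re.match(r"received (\w+) error notify", msg):
            s["notifies"].append(n.group(1))
        elif st := re.search(r"state change: (\w+) => (\w+)", msg):
            s["states"].append((st.group(1), st.group(2)))
    return s

def diagnose(s):
    """Say at which Main Mode step the negotiation stopped."""
    if "NO_PROPOSAL_CHOSEN" in s["notifies"] or s["selected"] is None:
        return "phase1-proposal"  # SA payloads were never agreed
    if "AUTHENTICATION_FAILED" in s["notifies"]:
        # The ID/HASH exchange (where the PSK is actually proven) shows up as an 'ID' payload
        return "auth-after-id" if any("ID" in p for p in s["payloads"]) else "auth-before-id"
    if s["states"] and s["states"][-1][1] == "ESTABLISHED":
        return "established"
    return "incomplete"
```

On the post's log this yields auth-before-id: the gateway's AUTHENTICATION_FAILED arrives after the KE/Nonce exchange and before any ID/HASH payload was sent, which is worth stating explicitly when asking the list for help.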