[strongSwan] stuck at quick mode following xauth+modecfg
Justin Pryzby
pryzby at telsasoft.com
Mon Mar 28 18:19:00 CEST 2016
I'm converting ~10 "remote access" VPNs (modecfg client) to strongswan
(5.3.5-1ubuntu2). This one *has* worked with strongswan, but now gets stuck in
phase 2.
Switching back to the VPNC client, this always connects just fine again. I can
provide tcpdumps by private mail.
Any ideas? Thanks in advance.
Justin
cisco_unity = yes
reuse_ikesa = yes
$ sudo ipsec up thumb
initiating Aggressive Mode IKE_SA thumb[119573] to xxx.xx.xxxx.xxx
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 50.244.222.1[500] to xxx.xx.xxxx.xxx[500] (356 bytes)
received packet: from xxx.xx.xxxx.xxx[500] to 50.244.222.1[500] (436 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D V V V ]
received XAuth vendor ID
received Cisco Unity vendor ID
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
received DPD vendor ID
received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 50.244.222.1[500] to xxx.xx.xxxx.xxx[500] (108 bytes)
received packet: from xxx.xx.xxxx.xxx[500] to 50.244.222.1[500] (76 bytes)
parsed TRANSACTION request 2858442866 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 2858442866 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 50.244.222.1[500] to xxx.xx.xxxx.xxx[500] (92 bytes)
received packet: from xxx.xx.xxxx.xxx[500] to 50.244.222.1[500] (76 bytes)
parsed TRANSACTION request 2568206584 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'telsasoft' (myself) successful
IKE_SA thumb[119573] established between 50.244.222.1[AVCI]...xxx.xx.xxxx.xxx[xxx.xx.xxxx.xxx]
scheduling reauthentication in -508s
maximum IKE_SA lifetime 32s
generating TRANSACTION response 2568206584 [ HASH CPA(X_STATUS) ]
sending packet: from 50.244.222.1[500] to xxx.xx.xxxx.xxx[500] (76 bytes)
generating TRANSACTION request 1083947206 [ HASH CPRQ(ADDR ADDR6 DNS DNS6 U_SPLITINC U_LOCALLAN) ]
sending packet: from 50.244.222.1[500] to xxx.xx.xxxx.xxx[500] (92 bytes)
received packet: from xxx.xx.xxxx.xxx[500] to 50.244.222.1[500] (92 bytes)
parsed TRANSACTION response 1083947206 [ HASH CPRP(ADDR DNS) ]
installing DNS server 172.16.9.6 via resolvconf
installing new virtual IP 192.168.34.43
generating QUICK_MODE request 3599190263 [ HASH SA No KE ID ID ]
sending packet: from 50.244.222.1[500] to xxx.xx.xxxx.xxx[500] (316 bytes)
[...]
sending retransmit 1 of request message ID 3599190263, seq 4
sending packet: from 50.244.222.1[500] to xxx.xx.xxxx.xxx[500] (316 bytes)
[...]
sending retransmit 2 of request message ID 3599190263, seq 4
sending packet: from 50.244.222.1[500] to xxx.xx.xxxx.xxx[500] (316 bytes)
[...]
$ sudo ipsec statusall |grep thumb
thumb: 50.244.222.1...xxx.xx.xxxx.xxx IKEv1 Aggressive, dpddelay=1s
thumb: local: [AVCI] uses pre-shared key authentication
thumb: local: [AVCI] uses XAuth authentication: any with XAuth identity 'telsasoft'
thumb: remote: [xxx.xx.xxxx.xxx] uses pre-shared key authentication
thumb: child: dynamic === 172.16.3.55/32 TUNNEL, dpdaction=clear
mgmt.thumb: child: dynamic === 10.99.5.20/32 TUNNEL, dpdaction=clear
thumb[119573]: ESTABLISHED 30 seconds ago, 50.244.222.1[AVCI]...xxx.xx.xxxx.xxx[xxx.xx.xxxx.xxx]
thumb[119573]: IKEv1 SPIs: cffc0cd5c54e57e2_i* 8905f364aad7886d_r, pre-shared key+XAuth reauthentication in 8 minutes
thumb[119573]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
thumb[119573]: Tasks active: QUICK_MODE
conn %default
    auto=route
    keyingtries=%forever
    dpdaction=hold
    closeaction=hold
    #
    left=50.244.222.1
    #
    authby=secret
    compress=yes
    keyexchange=ikev1

conn old-vpnc
    left=50.244.222.1
    #
    leftsubnet= # Nothing/dynamic
    modeconfig=pull
    leftsourceip=%config4 #%modconfig6
    leftauth=psk
    rightauth=psk
    leftauth2=xauth
    xauth=client
    #
    keyexchange=ikev1
    aggressive=yes
    ikelifetime=2147483s
    # vpnc does something like this, plus reserved, plus variations on
    # keylengths:
    # ike=aes-sha-1024,aes-md5-1024,aes-md5-1024,3des-sha-1024,3des-md5-1024,des-sha-1024,des-md5-1024
    ike=aes256-sha-modp1024,aes256-md5-modp1024,aes192-sha-modp1024,aes192-md5-modp1024,aes128-sha-modp1024,aes128-md5-modp1024,3des-sha-modp1024,3des-md5-modp1024,des-sha-modp1024,des-md5-modp1024,aes256-sha-modp1024,aes256-md5-modp1024,aes192-sha-modp1024,aes192-md5-modp1024,aes128-sha-modp1024,aes128-md5-modp1024,3des-sha-modp1024,3des-md5-modp1024,des-sha-modp1024,des-md5-modp1024
    # XXX: avoid 3des/md5:
    #esp=aes-md5,aes-sha,aes-sha256,3des-md5,3des-sha,3des-sha256
    #esp=aes-sha,aes-sha256,aes128-sha1,aes128-sha256
    #-modp1024,3des-md5-modp1024
    # We need to masquerade, not just ip add route .. src ..
    # and we don't have a separate "tun" interface, so can't -j MASQUERADE ...
    leftupdown="sh -xc 'exec >>/var/log/ipsec/updown.log 2>&1; echo; echo \"<<`date`\"; [ \"${PLUTO_VERB#up-}\" != \"$PLUTO_VERB\" ] && x=-I ; [ $? -eq 0 ] || x=-D; iptables -t nat $x POSTROUTING -d $PLUTO_PEER_CLIENT -o $PLUTO_INTERFACE -j SNAT --to $PLUTO_MY_SOURCEIP -m policy --dir out --pol none -m comment --comment \"ipsec:$PLUTO_CONNECTION\" '"

conn thumb
    also=old-vpnc
    auto=add # XXX
    right=xxx.xx.xxxx.xxx
    leftid=keyid:AVCI
    xauth_identity=telsasoft
    #
    ike=aes256-sha-modp1024!
    esp=aes256-sha-modp1024!
    #
    # This helps to avoid the QUICK_MODE task being queued for 10s of days,
    # and the need to restart ipsec (and all tunnels) to restart just this
    # connection..
    ikelifetime=100s
    lifetime=100s
    keyingtries=3
    #
    dpdaction=clear
    dpddelay=1s
    dpdtimeout=9s
    #
    # Stuff that doesn't help:
    #leftsourceip=%config4,%config6
    #keyexchange=ikev2
    #authby=xauthpsk
    #rightauth=xauthpsk
    #leftauth2=
    #forceencaps = yes
    #aggressive=no
    rightsubnet=172.16.3.55
    compress=no
    # Also tried this instead of a 2nd SA:
    # rightsubnet=172.16.3.55/32,rightsubnet=10.99.5.20

conn mgmt.thumb
    also=thumb
    rightsubnet=10.99.5.20
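As an added illustration (not part of the post or of strongSwan), the following script scans charon output of the kind quoted above for the two symptoms visible in it: a request that keeps being retransmitted with no matching "parsed ... response" (the QUICK_MODE request stuck in phase 2), and a reauthentication timer scheduled in the past, which happens when ikelifetime is shorter than the rekey margin (margintime plus fuzz). The log sample is constructed from the post's lines with the peer replaced by a documentation address.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon output quoted in the post
# (peer address replaced with a documentation address, not a real host).
SAMPLE_LOG = """\
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D V V V ]
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
generating TRANSACTION request 1083947206 [ HASH CPRQ(ADDR ADDR6 DNS DNS6) ]
parsed TRANSACTION response 1083947206 [ HASH CPRP(ADDR DNS) ]
scheduling reauthentication in -508s
generating QUICK_MODE request 3599190263 [ HASH SA No KE ID ID ]
sending packet: from 50.244.222.1[500] to 203.0.113.9[500] (316 bytes)
sending retransmit 1 of request message ID 3599190263, seq 4
sending retransmit 2 of request message ID 3599190263, seq 4
"""

REQ_RE = re.compile(r"generating (\w+) request (\d+)")
RESP_RE = re.compile(r"parsed (\w+) response (\d+)")
RETRANS_RE = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")
REAUTH_RE = re.compile(r"scheduling reauthentication in (-?\d+)s")


def analyse(log):
    """Return (stuck, negative_reauth) for one charon session log.

    stuck: {message_id: (exchange, retransmits)} for requests retransmitted at
    least once and never matched by a 'parsed ... response'. Requests without
    retransmits are ignored: the last aggressive-mode message has no reply.
    negative_reauth: the reauth offset in seconds if it was negative, else None.
    """
    exchange, answered, retransmits = {}, set(), defaultdict(int)
    negative_reauth = None
    for line in log.splitlines():
        if m := REQ_RE.search(line):
            exchange[m.group(2)] = m.group(1)
        elif m := RESP_RE.search(line):
            answered.add(m.group(2))
        elif m := RETRANS_RE.search(line):
            mid = m.group(2)
            retransmits[mid] = max(retransmits[mid], int(m.group(1)))
        elif (m := REAUTH_RE.search(line)) and int(m.group(1)) < 0:
            negative_reauth = int(m.group(1))
    stuck = {mid: (exchange.get(mid, "?"), n)
             for mid, n in retransmits.items() if mid not in answered}
    return stuck, negative_reauth


if __name__ == "__main__":
    stuck, reauth = analyse(SAMPLE_LOG)
    for mid, (ex, n) in stuck.items():
        print(f"{ex} request {mid}: {n} retransmits, no response (phase 2 stuck)")
    if reauth is not None:
        print(f"reauth scheduled {reauth}s in the past: ikelifetime is below the rekey margin")
```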