[strongSwan] Fwd: Re: FritzBox to Strongswan

post at daniel-pomrehn.de
Fri Nov 25 14:55:17 CET 2016


Hi!

On 2016-11-25 14:09, Mirko Parthey wrote:
> On Fri, Nov 25, 2016 at 10:34:20AM +0100, post at daniel-pomrehn.de wrote:
>> I did some further Google research and changed some settings. Now I get
>> another error:
>> sending packet: from 127.0.1.1[500] to 77.13.29.160[500] (1188 bytes)
>>   sending packet: from 127.0.1.1[500] to 77.13.29.160[500]
>>   error writing to socket: Invalid argument
> 
> I cannot answer this, maybe someone else can help.


Using your advice for the configuration, I am back at my first error:
Nov 25 14:53:25 srv charon: 03[NET] received packet: from 93.129.48.108[500] to 138.201.84.186[500]
Nov 25 14:53:25 srv charon: 03[NET] waiting for data on sockets
Nov 25 14:53:25 srv charon: 08[NET] received packet: from 93.129.48.108[500] to 138.201.84.186[500] (264 bytes)
Nov 25 14:53:25 srv charon: 08[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
Nov 25 14:53:25 srv charon: 08[CFG] looking for an ike config for 138.201.84.186...93.129.48.108
Nov 25 14:53:25 srv charon: 08[CFG] ike config match: 0 (138.201.84.186 93.129.48.108 IKEv1)
Nov 25 14:53:25 srv charon: 08[IKE] no IKE config found for 138.201.84.186...93.129.48.108, sending NO_PROPOSAL_CHOSEN
Nov 25 14:53:25 srv charon: 08[ENC] generating INFORMATIONAL_V1 request 2285023278 [ N(NO_PROP) ]
Nov 25 14:53:25 srv charon: 08[NET] sending packet: from 138.201.84.186[500] to 93.129.48.108[500] (40 bytes)
Nov 25 14:53:25 srv charon: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
Nov 25 14:53:25 srv charon: 04[NET] sending packet: from 138.201.84.186[500] to 93.129.48.108[500]


I tried keyexchange=ike, keyexchange=ikev1 and keyexchange=ikev2 in the
configuration, but the message still appears.


> 
>> Nov 25 10:30:59 srv charon: 09[IKE] initiating IKE_SA fritz2swan[1] to 77.13.29.160
> 
> strongSwan is the initiator here, and your config is set to Main Mode
> (the default).
> 
> With strongSwan as the initiator and FritzBox as the responder, only
> aggressive mode will work reliably. This mode is insecure because it
> exposes the PSK to dictionary attacks. Maybe you could make strongSwan
> responder-only and stay with main mode? Remove right=dyn.fritzbox to go
> this route. Otherwise, if you want to use aggressive mode despite the
> risks, at least use a long and randomly generated PSK.

I removed the right=dyn.fritzbox.
Now the FritzBox is the initiator.
Thank you very much for your security advice!

> 
>> conn fritz2swan
>>         ike=aes128-sha-modp1024
>> 
>> It is a FritzBox 7490 with the latest firmware, 6.60.
> 
> modp1024 does not provide enough security; modp2048 or more would be
> better.
> 
> The FritzBox 7490 can be configured for modp2048 as follows:
> phase1ss = "dh14/aes/sha";
> 
>>         ikelifetime=4h
>>         keylife=1h
> 
> The FritzBox uses a lifetime of 1h for IKE and IPsec SAs.
> IKEv1 does not negotiate SA lifetimes, so I would recommend setting
> both to 1h in strongSwan too.


I changed modp1024 to modp2048 and set phase1ss, too.
The lifetime is now 1h for both.

> 
> Regards
> Mirko
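As an added example (not code from this thread, from strongSwan or from AVM), a small Python check that parses an ipsec.conf conn section and flags the three points Mirko raised: aggressive mode with a PSK, a DH group below modp2048, and SA lifetimes that differ from the FritzBox's 1h. The two conn texts are constructed for the example; the option names are standard ipsec.conf keys, with `sha1` written out for the thread's `sha`.

```python
import re

# Constructed sample configs (not from the thread): a conn with the weak
# settings the thread discusses, and the same conn after the recommendations.
WEAK_CONF = """conn fritz2swan
        keyexchange=ikev1
        aggressive=yes
        authby=psk
        ike=aes128-sha1-modp1024
        ikelifetime=4h
        keylife=1h
"""
FIXED_CONF = """conn fritz2swan
        keyexchange=ikev1
        aggressive=no
        authby=psk
        ike=aes128-sha1-modp2048!
        ikelifetime=1h
        keylife=1h
"""

def parse_conns(text):  # -> {conn_name: {key: value}} from ipsec.conf text
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def check_conn(opts):  # findings for one conn, following the thread's points
    findings = []
    # Aggressive mode sends the PSK-derived hash unencrypted: offline guessing.
    if opts.get("aggressive") == "yes" and opts.get("authby") == "psk":
        findings.append("aggressive mode with PSK: PSK exposed to dictionary attacks")
    # Anything below modp2048 (modp768/1024/1536) is too weak.
    for bits in re.findall(r"modp(\d+)", opts.get("ike", "")):
        if int(bits) < 2048:
            findings.append(f"modp{bits} is too weak, use modp2048 or stronger")
    # IKEv1 does not negotiate lifetimes; the FritzBox uses 1h for both SAs.
    for key in ("ikelifetime", "keylife"):
        if key in opts and opts[key] != "1h":
            findings.append(f"{key}={opts[key]} does not match the FritzBox's 1h")
    return findings

def lint(text):
    return {name: check_conn(opts) for name, opts in parse_conns(text).items()}
```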

