[strongSwan] Asymmetric PSK auth support for IKEv2 tunnel between Cisco-IOS Router and Strongswan

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Tue Oct 4 13:22:12 CEST 2016


Hi

Is this supported in Strongswan?

I am using strongswan 5.0.4 on some peers, strongswan-v5.2.1 on some peers
and strongswan 5.3.0 on some...

I am trying to establish site-to-site tunnels (using IKEv2) to a
Cisco-IOS-router.

On the strongswan side I am configuring as below:
=======================================
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no
        charondebug="ike 1, dmn 1, chd 1, knl 1, cfg 1, net 1, esp 1, enc 1, lib 1, mgr 1"

conn %default
        ikelifetime=3h
        keylife=1h
        mobike=no

conn tociscortr1
        left=10.232.90.65
        leftsubnet=192.168.1.0/24
        right=2.2.2.123
        rightsubnet=192.168.22.0/24
        leftid=10.232.90.65
        rightid=2.2.2.123
        leftauth=psk
        rightauth=psk
        keyexchange=ikev2
        type=tunnel
        ike=aes128-sha-modp1024
        esp=aes128-sha
        auto=route

# /etc/ipsec.secrets - strongSwan IPsec secrets file
10.232.90.65 : PSK "test1234xyz"
2.2.2.123 : PSK "cisco123abc"
# I tried it with the config below too... it did not work
#2.2.2.123 10.232.90.65 : PSK "test1234xyz"
#10.232.90.65 2.2.2.123 : PSK "cisco123abc"
================================================

And on the Cisco-IOS-router, I am using the config below:

=====================
...
crypto ikev2 proposal IKEv2_PROPOSAL
 encryption aes-cbc-128
 integrity sha1
 group 2
!
crypto ikev2 policy IKEv2_POLICY
 proposal IKEv2_PROPOSAL
!
crypto ikev2 keyring IKEv2_KEYRING
 peer lsrdbgw1
  address 10.232.90.65
  identity address 10.232.90.65
  pre-shared-key local cisco123abc
  pre-shared-key remote test1234xyz
 !
!
!
crypto ikev2 profile IKEv2_PROFILE
 match identity remote address 10.232.90.65 255.255.255.255
 identity local address 2.2.2.123
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2_KEYRING
!
crypto ikev2 nat keepalive 10
crypto ikev2 dpd 30 5 periodic
!
!
!
crypto isakmp keepalive 30
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set TS1 esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto map IKEv2_MAP 1000 ipsec-isakmp
 set peer 10.232.90.65
 set transform-set TS1
 set ikev2-profile IKEv2_PROFILE
 match address s2stun1
...
...
=====================================

The authentication is failing.

BUT, if I use similar configs (with asymmetric PSKs) between 2
strongswan-peers, it works: the tunnel is UP and traffic is flowing through
the tunnel.

With Cisco-IOS, I have the below issues:

1. When Strongswan is the initiator:

=================================
on strongswan: we observe the following
Starting strongSwan 5.2.1 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux
3.13.0-24-generic, x86_64)
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for 10.232.90.65
00[CFG]   loaded IKE secret for 2.2.2.123
00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No
such file or directory
00[CFG] loaded 0 RADIUS server configurations
00[LIB] loaded plugins: charon aes des blowfish rc2 sha1 sha2 md4 md5
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12
pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm
gcm attr kernel-netlink resolve socket-default farp stroke updown
eap-identity eap-sim eap-aka eap-simaka-pseudonym eap-md5 eap-gtc
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc
xauth-generic xauth-eap xauth-noauth tnc-tnccs dhcp lookip error-notify
unity
00[LIB] unable to load 11 plugin features (10 due to unmet dependencies)
00[JOB] spawning 16 worker threads
charon (23723) started after 40 ms
11[CFG] received stroke: add connection 'tociscortr1'
11[CFG] added configuration 'tociscortr1'
12[CFG] received stroke: route 'tociscortr1'
'tociscortr1' routed

13[KNL] creating acquire job for policy 192.168.1.101/32[icmp/8] ===
192.168.22.2/32[icmp/8] with reqid {1}
13[IKE] initiating IKE_SA tociscortr1[1] to 2.2.2.123
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
13[NET] sending packet: from 10.232.90.65[500] to 2.2.2.123[500] (1252
bytes)
11[NET] received packet: from 2.2.2.123[500] to 10.232.90.65[500] (336
bytes)
11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP)
N(NATD_D_IP) ]
11[IKE] received Cisco Delete Reason vendor ID
11[ENC] received unknown vendor ID:
46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
11[IKE] authentication of '10.232.90.65' (myself) with pre-shared key
11[IKE] establishing CHILD_SA tociscortr1{1}
11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi
TSr N(EAP_ONLY) ]
11[NET] sending packet: from 10.232.90.65[500] to 2.2.2.123[500] (364 bytes)
12[NET] received packet: from 2.2.2.123[500] to 10.232.90.65[500] (76 bytes)
12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
12[IKE] received AUTHENTICATION_FAILED notify error
...
====================

On Cisco-IOS: we observe the following

*Oct  4 10:51:44.201: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To
10.232.90.65:500/From 2.2.2.123:500/VRF i0:f0]
Initiator SPI : C0A966B40882995D - Responder SPI : 5CEC64B4497CA6BB Message
id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP)
NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Oct  4 10:51:44.201: IKEv2:(SESSION ID = 17,SA ID = 1):Completed SA init
exchange
*Oct  4 10:51:44.201: IKEv2:(SESSION ID = 17,SA ID = 1):Starting timer (30
sec) to wait for auth message

*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Received Packet
[From 10.232.90.65:500/To 2.2.2.123:500/VRF i0:f0]
Initiator SPI : C0A966B40882995D - Responder SPI : 5CEC64B4497CA6BB Message
id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 IDi NOTIFY(INITIAL_CONTACT) IDr AUTH SA TSi TSr NOTIFY(Unknown - 16417)

*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Stopping timer to
wait for auth message
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Checking NAT
discovery
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):NAT not found
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Searching policy
based on peer's identity '10.232.90.65' of type 'IPv4 address'
*Oct  4 10:51:44.213: IKEv2:found matching IKEv2 profile 'IKEv2_PROFILE'
*Oct  4 10:51:44.213: IKEv2:% Getting preshared key from profile keyring
IKEv2_KEYRING
*Oct  4 10:51:44.213: IKEv2:% Matched peer block 'lsrdbgw1'
*Oct  4 10:51:44.213: IKEv2:Searching Policy with fvrf 0, local address
2.2.2.123
*Oct  4 10:51:44.213: IKEv2:Found Policy 'IKEv2_POLICY'
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Verify peer's policy
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Peer's policy
verified
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Get peer's
authentication method
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Peer's
authentication method is 'PSK'
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Get peer's
preshared key for 10.232.90.65
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Verify peer's
authentication data
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Use preshared key
for id 10.232.90.65, key len 11
*Oct  4 10:51:44.213: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2
authentication data
*Oct  4 10:51:44.213: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication
data generation PASSED
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):: Failed to
authenticate the IKE SA
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Verification of
peer's authentication data FAILED
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Sending
authentication failure notify
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Building packet for
encryption.
Payload contents:
 NOTIFY(AUTHENTICATION_FAILED)

*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To
10.232.90.65:500/From 2.2.2.123:500/VRF i0:f0]
Initiator SPI : C0A966B40882995D - Responder SPI : 5CEC64B4497CA6BB Message
id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Auth exchange failed
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):: Auth exchange
failed
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Abort exchange
*Oct  4 10:51:44.213: IKEv2:(SESSION ID = 17,SA ID = 1):Deleting SA
cisco2951-router#n

========================

2. If Cisco IOS Router is the Initiator

====================
On Cisco IOS:

The result is the same as above, but from the initiator's perspective... the
auth exchange still fails.

BUT on Strongswan (the tunnel is shown to be UP and the observations are as
below... the traffic or the tunnel still is not through, though):

13[NET] received packet: from 2.2.2.123[500] to 10.232.90.65[500] (336
bytes)
13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No V V N(NATD_S_IP)
N(NATD_D_IP) ]
13[IKE] received Cisco Delete Reason vendor ID
13[ENC] received unknown vendor ID:
46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
13[IKE] 2.2.2.123 is initiating an IKE_SA
13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
13[NET] sending packet: from 10.232.90.65[500] to 2.2.2.123[500] (312 bytes)
10[NET] received packet: from 2.2.2.123[500] to 10.232.90.65[500] (284
bytes)
10[ENC] parsed IKE_AUTH request 1 [ V IDi AUTH SA TSi TSr N(INIT_CONTACT)
N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
10[CFG] looking for peer configs matching
10.232.90.65[%any]...2.2.2.123[2.2.2.123]
10[CFG] selected peer config 'tociscortr1'
10[IKE] authentication of '2.2.2.123' with pre-shared key successful
10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
10[IKE] authentication of '10.232.90.65' (myself) with pre-shared key
10[IKE] IKE_SA tociscortr1[1] established between
10.232.90.65[10.232.90.65]...2.2.2.123[2.2.2.123]
10[IKE] scheduling reauthentication in 10002s
10[IKE] maximum IKE_SA lifetime 10542s
10[IKE] CHILD_SA tociscortr1{1} established with SPIs cc36718d_i 96bc8ac5_o
and TS 192.168.1.0/24 === 192.168.22.0/24
10[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
10[NET] sending packet: from 10.232.90.65[500] to 2.2.2.123[500] (220 bytes)
04[NET] received packet: from 2.2.2.123[500] to 10.232.90.65[500] (336
bytes)
04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No V V N(NATD_S_IP)
N(NATD_D_IP) ]
04[IKE] received Cisco Delete Reason vendor ID
04[ENC] received unknown vendor ID:
46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
04[IKE] 2.2.2.123 is initiating an IKE_SA
04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
04[NET] sending packet: from 10.232.90.65[500] to 2.2.2.123[500] (312 bytes)
15[NET] received packet: from 2.2.2.123[500] to 10.232.90.65[500] (252
bytes)
15[ENC] parsed IKE_AUTH request 1 [ V IDi AUTH SA TSi TSr N(INIT_CONTACT)
N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
15[CFG] looking for peer configs matching
10.232.90.65[%any]...2.2.2.123[2.2.2.123]
15[CFG] selected peer config 'tociscortr1'
15[IKE] authentication of '2.2.2.123' with pre-shared key successful
15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
15[IKE] destroying duplicate IKE_SA for peer '2.2.2.123', received
INITIAL_CONTACT
15[IKE] authentication of '10.232.90.65' (myself) with pre-shared key
15[IKE] IKE_SA tociscortr1[2] established between
10.232.90.65[10.232.90.65]...2.2.2.123[2.2.2.123]
15[IKE] scheduling reauthentication in 10051s
15[IKE] maximum IKE_SA lifetime 10591s
15[IKE] CHILD_SA tociscortr1{1} established with SPIs cffdc48e_i 259b1890_o
and TS 192.168.1.0/24 === 192.168.22.0/24
15[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
15[NET] sending packet: from 10.232.90.65[500] to 2.2.2.123[500] (220 bytes)
01[NET] received packet: from 2.2.2.123[500] to 10.232.90.65[500] (336
bytes)
01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No V V N(NATD_S_IP)
N(NATD_D_IP) ]
01[IKE] received Cisco Delete Reason vendor ID
01[ENC] received unknown vendor ID:
46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
01[IKE] 2.2.2.123 is initiating an IKE_SA
01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
01[NET] sending packet: from 10.232.90.65[500] to 2.2.2.123[500] (312 bytes)
12[NET] received packet: from 2.2.2.123[500] to 10.232.90.65[500] (252
bytes)
12[ENC] parsed IKE_AUTH request 1 [ V IDi AUTH SA TSi TSr N(INIT_CONTACT)
N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
12[CFG] looking for peer configs matching
10.232.90.65[%any]...2.2.2.123[2.2.2.123]
12[CFG] selected peer config 'tociscortr1'
12[IKE] authentication of '2.2.2.123' with pre-shared key successful
12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
12[IKE] destroying duplicate IKE_SA for peer '2.2.2.123', received
INITIAL_CONTACT
12[IKE] authentication of '10.232.90.65' (myself) with pre-shared key
12[IKE] IKE_SA tociscortr1[3] established between
10.232.90.65[10.232.90.65]...2.2.2.123[2.2.2.123]
12[IKE] scheduling reauthentication in 9856s
12[IKE] maximum IKE_SA lifetime 10396s
12[IKE] CHILD_SA tociscortr1{1} established with SPIs c4801100_i 77e68258_o
and TS 192.168.1.0/24 === 192.168.22.0/24
12[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
12[NET] sending packet: from 10.232.90.65[500] to 2.2.2.123[500] (220 bytes)

=========================

So... is it officially not supported in strongswan (or in Cisco)?

Can you please advise?

thanks & regards
Rajiv
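
Added example, not part of the original post and not strongSwan or Cisco code: the IKEv2 PSK AUTH computation from RFC 7296 section 2.15, showing that a responder's check passes only when the initiator signed with the secret the responder holds for that direction. The nonce, SK_pi and message bytes are constructed stand-ins, PRF_HMAC_SHA1 is assumed from the proposal in the post, and the sketch does not determine which secret either implementation actually selected.

```python
import hashlib
import hmac
import socket

KEY_PAD = b"Key Pad for IKEv2"  # fixed string from RFC 7296, section 2.15


def prf(key, data):
    # Assumption: PRF_HMAC_SHA1, taken from ike=aes128-sha-modp1024 / integrity sha1
    return hmac.new(key, data, hashlib.sha1).digest()


def id_body_ipv4(addr):
    # ID payload body: ID type 1 (ID_IPV4_ADDR), 3 reserved bytes, the address
    return bytes([1, 0, 0, 0]) + socket.inet_aton(addr)


def signed_octets(first_msg, peer_nonce, sk_p, id_body):
    # <SignedOctets> = sender's first message | peer's nonce | prf(SK_p, ID body)
    return first_msg + peer_nonce + prf(sk_p, id_body)


def psk_auth(secret, octets):
    # AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)
    return prf(prf(secret, KEY_PAD), octets)


def verify(secret_for_peer, octets, received_auth):
    # The verifier recomputes AUTH with the secret it holds for the sender.
    return hmac.compare_digest(psk_auth(secret_for_peer, octets), received_auth)


def constructed(label):
    # Stand-in bytes for values that only exist in a live exchange.
    return hashlib.sha256(label.encode()).digest()


# Initiator 10.232.90.65 -> responder 2.2.2.123; all wire values are constructed.
INIT_OCTETS = signed_octets(constructed("IKE_SA_INIT request"), constructed("Nr"),
                            constructed("SK_pi"), id_body_ipv4("10.232.90.65"))
RESPONDER_EXPECTS = b"test1234xyz"  # "pre-shared-key remote" in the IOS keyring


def responder_accepts(initiator_secret):
    auth = psk_auth(initiator_secret, INIT_OCTETS)
    return verify(RESPONDER_EXPECTS, INIT_OCTETS, auth)


if __name__ == "__main__":
    for secret in (b"test1234xyz", b"cisco123abc"):
        print(secret.decode(), "->", "accepted" if responder_accepts(secret) else "AUTH_FAILED")
```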