[strongSwan] Established but cannot ping with IKEv1 aggressive PSK+XAUTH
David Sautter
david.sautter at web.de
Thu Aug 3 18:25:36 CEST 2017
Hello all,
I'm trying to connect to my company's network. They have a Juniper
SRX-100 as VPN Gateway, which is working fine as tested with other VPN
clients. I'm using strongswan 5.5.3.
I'm using IKEv1 aggressive mode, PSK+XAUTH. The connection is
established, but I cannot ping any member of the company network.
Ipsec log:
initiating Aggressive Mode IKE_SA company[2] to 10.0.0.1
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.1.204[500] to 10.0.0.1[500] (503 bytes)
received packet: from 10.0.0.1[500] to 192.168.1.204[500] (492 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D ]
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 192.168.1.204[4500] to 10.0.0.1[4500] (140 bytes)
received packet: from 10.0.0.1[4500] to 192.168.1.204[4500] (92 bytes)
parsed TRANSACTION request 199491043 [ HASH CPRQ(X_USER X_PWD) ]
generating TRANSACTION response 199491043 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.1.204[4500] to 10.0.0.1[4500] (108 bytes)
received packet: from 10.0.0.1[4500] to 192.168.1.204[4500] (76 bytes)
parsed TRANSACTION request 3502630840 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'USER' (myself) successful
IKE_SA company[2] established between 192.168.1.204[company at SRX100-local.de]...10.0.0.1[10.0.0.1]
scheduling reauthentication in 3402s
maximum IKE_SA lifetime 3582s
generating TRANSACTION response 3502630840 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.1.204[4500] to 10.0.0.1[4500] (92 bytes)
generating QUICK_MODE request 2418923618 [ HASH SA No KE ID ID ]
sending packet: from 192.168.1.204[4500] to 10.0.0.1[4500] (396 bytes)
received packet: from 10.0.0.1[4500] to 192.168.1.204[4500] (124 bytes)
queueing TRANSACTION request as tasks still active
received packet: from 10.0.0.1[4500] to 192.168.1.204[4500] (364 bytes)
parsed QUICK_MODE response 2418923618 [ HASH SA No KE ID ID ]
connection 'company' established successfully
ipsec.conf:

config setup
    charondebug="ike 3, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1

conn company
    left=%any
    leftid=company at SRX100-local.de
    leftauth=psk
    leftauth2=xauth
    right=subdomain.company.com
    rightsubnet=192.168.xx.0/24
    rightid=10.0.0.1
    rightauth=psk
    auto=add
    xauth_identity=USER
    esp=aes256-sha1-modp1536
    ike=aes256-sha2_256-modp1536
    aggressive=yes

I searched but did not find a solution to this problem. Did anybody
ever have this problem?
I also posted on serverfault:
https://serverfault.com/questions/864799/strongswan-vpn-successfull-but-cannot-ping-anything
I'd really appreciate some help or hint.
Thank you very much and best regards,
David Sautter