[strongSwan] cipher choice causing issue

Jamie Stuart jamie at onebillion.org
Wed Jul 5 13:03:14 CEST 2017


Hi,

New user here. I’m having trouble with a strongSwan client/server connection, which I believe is due to the encryption algorithm choice.
Server is Ubuntu 17, client LEDE trunk. Authentication happens, but I think client and server cannot agree on an algorithm? If I leave the ike and esp lines off the server config, it connects just fine. However, I also have another device (Mac) which is using a specific set of ciphers, so I’d like to get the client working with the current server config. Any ideas?


***********************************************
server ipsec.conf:
***********************************************

config setup
  strictcrlpolicy=yes
  uniqueids=never

conn roadwarrior
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384!
  esp=aes256gcm16-sha256!
  dpdaction=clear
  dpddelay=180s
  rekey=no
  left=%any
  leftid=@VPN_SERVER_DOMAIN
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-mschapv2
  eap_identity=%any
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.0/24
  rightsendcert=never


***********************************************
client ipsec.conf:
***********************************************

#config setup
	# strictcrlpolicy=yes
	# uniqueids = no


conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn CONNECTION_NAME
    ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384!
    esp=aes256gcm16-sha256!
    right=VPN_SERVER_DOMAIN
    rightid=%VPN_SERVER_DOMAIN
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftauth=eap-mschapv2
    leftfirewall=yes
    eap_identity=VPN_CLIENT_IDENTITY
    auto=add


***********************************************
client algorithms
***********************************************

List of registered IKE algorithms:

  encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des] RC2_CBC[rc2] CAST_CBC[openssl] BLOWFISH_CBC[openssl]
              NULL[openssl]
  integrity:  HMAC_MD5_96[openssl] HMAC_MD5_128[openssl] HMAC_SHA1_96[openssl] HMAC_SHA1_128[openssl]
              HMAC_SHA1_160[openssl] HMAC_SHA2_256_128[openssl] HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_192[openssl]
              HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl] HMAC_SHA2_512_512[openssl] HMAC_SHA2_256_96[af-alg]
              AES_XCBC_96[xcbc] AES_CMAC_96[cmac]
  aead:       AES_GCM_16[openssl] AES_GCM_12[openssl] AES_GCM_8[openssl] AES_CCM_8[ccm] AES_CCM_12[ccm] AES_CCM_16[ccm]
  hasher:     HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD4[md4]
              HASH_MD5[md5] HASH_IDENTITY[curve25519]
  prf:        PRF_KEYED_SHA1[sha1] PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl]
              PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc]
              PRF_AES128_CMAC[cmac]
  xof:       
  dh-group:   ECP_256[openssl] ECP_384[openssl] ECP_521[openssl] ECP_224[openssl] ECP_192[openssl] ECP_256_BP[openssl]
              ECP_384_BP[openssl] ECP_512_BP[openssl] ECP_224_BP[openssl] MODP_3072[openssl] MODP_4096[openssl]
              MODP_6144[openssl] MODP_8192[openssl] MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl]
              MODP_1536[openssl] MODP_1024[openssl] MODP_1024_160[openssl] MODP_768[openssl] MODP_CUSTOM[openssl]
              CURVE_25519[curve25519]
  random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random]
  nonce-gen:  [nonce]


***********************************************
client connection log
***********************************************

12[IKE] authentication of 'VPN_SERVER_DOMAIN' with RSA_EMSA_PKCS1_SHA2_384 successful
12[IKE] server requested EAP_IDENTITY (id 0x00), sending 'VPN_CLIENT_IDENTITY'
12[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
12[NET] sending packet: from 192.168.1.111[4500] to VPN_SERVER_IP[4500] (73 bytes)
13[NET] received packet: from VPN_SERVER_IP[4500] to 192.168.1.111[4500] (97 bytes)
13[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
13[IKE] server requested EAP_MSCHAPV2 authentication (id 0x2E)
13[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
13[NET] sending packet: from 192.168.1.111[4500] to VPN_SERVER_IP[4500] (127 bytes)
14[NET] received packet: from VPN_SERVER_IP[4500] to 192.168.1.111[4500] (134 bytes)
14[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
14[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
14[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
14[NET] sending packet: from 192.168.1.111[4500] to VPN_SERVER_IP[4500] (67 bytes)
15[NET] received packet: from VPN_SERVER_IP[4500] to 192.168.1.111[4500] (65 bytes)
15[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
15[IKE] authentication of '192.168.1.111' (myself) with EAP
15[ENC] generating IKE_AUTH request 5 [ AUTH ]
15[NET] sending packet: from 192.168.1.111[4500] to VPN_SERVER_IP[4500] (97 bytes)
16[NET] received packet: from VPN_SERVER_IP[4500] to 192.168.1.111[4500] (233 bytes)
16[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
16[IKE] authentication of 'VPN_SERVER_DOMAIN' with EAP successful
16[IKE] IKE_SA CONNECTION_NAME[1] established between 192.168.1.111[192.168.1.111]...VPN_SERVER_IP[VPN_SERVER_DOMAIN]
16[IKE] scheduling reauthentication in 3344s
16[IKE] maximum IKE_SA lifetime 3524s
16[IKE] installing DNS server 8.8.8.8 to /etc/resolv.conf
16[IKE] installing DNS server 8.8.4.4 to /etc/resolv.conf
16[IKE] installing new virtual IP 10.10.10.1
16[KNL] received netlink error: Function not implemented (89)
16[KNL] unable to add SAD entry with SPI c09ec43d (FAILED)
16[KNL] received netlink error: Function not implemented (89)
16[KNL] unable to add SAD entry with SPI ca9fa951 (FAILED)
16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
16[IKE] failed to establish CHILD_SA, keeping IKE_SA
16[IKE] peer supports MOBIKE
16[IKE] sending DELETE for ESP CHILD_SA with SPI c09ec43d
16[ENC] generating INFORMATIONAL request 6 [ D ]
16[NET] sending packet: from 192.168.1.111[4500] to VPN_SERVER_IP[4500] (69 bytes)
07[NET] received packet: from VPN_SERVER_IP[4500] to 192.168.1.111[4500] (69 bytes)
07[ENC] parsed INFORMATIONAL response 6 [ D ]
07[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 out failed, not found
07[KNL] deleting policy 0.0.0.0/0 === 10.10.10.1/32 in failed, not found
07[KNL] deleting policy 0.0.0.0/0 === 10.10.10.1/32 fwd failed, not found
07[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 out failed, not found
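As an added example (not part of the post), a small triage script that classifies where a charon log fails. Run over the client log above, it reports that the IKE_SA was established and that the failure came from the kernel SAD install (netlink error 89, "Function not implemented"), which is a different symptom from an IKE or ESP proposal mismatch, where charon logs a NO_PROPOSAL_CHOSEN notify instead. The sample log is constructed from the lines in the post; the function and key names are my own.

```python
"""Triage a strongSwan charon log: did the IKE_SA come up, and where did it fail?"""
import re

# Constructed sample: the decisive lines from the client log above (SPIs as in the post).
SAMPLE_LOG = """\
16[IKE] authentication of 'VPN_SERVER_DOMAIN' with EAP successful
16[IKE] IKE_SA CONNECTION_NAME[1] established between 192.168.1.111[192.168.1.111]...VPN_SERVER_IP[VPN_SERVER_DOMAIN]
16[IKE] installing new virtual IP 10.10.10.1
16[KNL] received netlink error: Function not implemented (89)
16[KNL] unable to add SAD entry with SPI c09ec43d (FAILED)
16[KNL] received netlink error: Function not implemented (89)
16[KNL] unable to add SAD entry with SPI ca9fa951 (FAILED)
16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
16[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

LINE_RE = re.compile(r"^(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] (?P<msg>.*)$")
SPI_RE = re.compile(r"SAD entry with SPI ([0-9a-f]+)")
ERRNO_RE = re.compile(r"netlink error: (?P<text>.+) \((?P<errno>\d+)\)")


def triage(log_text):
    """Return a dict describing the outcome: stage is one of
    'up', 'kernel_sa_install', 'ike_negotiation' or 'unknown'."""
    result = {"ike_sa_established": False, "child_sa_failed": False,
              "proposal_rejected": False, "failed_spis": [],
              "netlink_errnos": set(), "stage": "unknown"}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line (e.g. syslog prefix stripped differently)
        subsys, msg = m.group("subsys"), m.group("msg")
        if subsys == "IKE" and "IKE_SA" in msg and "established" in msg:
            result["ike_sa_established"] = True
        elif subsys == "IKE" and "NO_PROPOSAL_CHOSEN" in msg:
            result["proposal_rejected"] = True  # genuine algorithm mismatch
        elif subsys == "IKE" and msg.startswith("failed to establish CHILD_SA"):
            result["child_sa_failed"] = True
        elif subsys == "KNL":
            e = ERRNO_RE.search(msg)
            if e:
                result["netlink_errnos"].add(int(e.group("errno")))
            s = SPI_RE.search(msg)
            if s and "FAILED" in msg:
                result["failed_spis"].append(s.group(1))
    if result["proposal_rejected"]:
        result["stage"] = "ike_negotiation"
    elif result["child_sa_failed"] and result["failed_spis"]:
        result["stage"] = "kernel_sa_install"  # IKE agreed; kernel could not install the SA
    elif result["ike_sa_established"]:
        result["stage"] = "up"
    return result
```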