[strongSwan] Dynamic IPsec between strongSwan and Juniper MX with MS Card doesn't work
Yaniv Michalovski
ymichalovski at mrv.com
Mon Mar 20 18:08:30 CET 2017
Hi,
I'm trying to configure Dynamic IPsec between strongSwan and a Juniper MX with an MS card, but with no success. The following is the Juniper configuration and strongSwan's ipsec.conf.
Juniper:
set services service-set IPSEC-CLIENT-SERVICE-SET next-hop-service inside-service-interface ms-0/2/0.1
set services service-set IPSEC-CLIENT-SERVICE-SET next-hop-service outside-service-interface ms-0/2/0.2
set services service-set IPSEC-CLIENT-SERVICE-SET ipsec-vpn-options local-gateway 10.7.7.2 <<<< interface connecting to the internet
set services service-set IPSEC-CLIENT-SERVICE-SET ipsec-vpn-options ike-access-profile IPSEC-CLIENTS-GROUP-1
set services ipsec-vpn ipsec proposal DYNAMIC_IPSEC_PROPOSAL protocol esp
set services ipsec-vpn ipsec proposal DYNAMIC_IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal DYNAMIC_IPSEC_PROPOSAL encryption-algorithm aes-256-cbc
set services ipsec-vpn ipsec policy DYNAMIC_IPSEC_POLICY perfect-forward-secrecy keys group2
set services ipsec-vpn ipsec policy DYNAMIC_IPSEC_POLICY proposals DYNAMIC_IPSEC_PROPOSAL
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL dh-group group2
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL authentication-algorithm sha-256
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL encryption-algorithm aes-256-cbc
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL lifetime-seconds 28800
set services ipsec-vpn ike policy IKE-PHASE1-POLICY mode main
set services ipsec-vpn ike policy IKE-PHASE1-POLICY proposals IKE-PHASE1-PROPOSAL
set services ipsec-vpn ike policy IKE-PHASE1-POLICY pre-shared-key ascii-text "$9$IaNES"
set interfaces xe-0/0/0 unit 0 family inet address 172.16.1.1/24 <<<<< connecting to LAN
set interfaces ms-0/2/0 unit 0 family inet
set interfaces ms-0/2/0 unit 1 dial-options ipsec-interface-id IPSEC-INTERFACE-ID
set interfaces ms-0/2/0 unit 1 dial-options shared
set interfaces ms-0/2/0 unit 1 family inet
set interfaces ms-0/2/0 unit 1 service-domain inside
set interfaces ms-0/2/0 unit 2 family inet
set interfaces ms-0/2/0 unit 2 service-domain outside
set interfaces ge-1/0/0 unit 0 family inet address 10.7.7.2/30 <<<<< interface connecting to the internet.
set routing-options static route 172.16.2.0/24 next-hop ms-0/2/0.1 <<<< directing traffic going to the other LAN into the interface for encryption
set access profile IPSEC-CLIENTS-GROUP-1 client * ike allowed-proxy-pair local 172.16.1.0/24 remote 172.16.2.0/24 <<< interesting traffic, our LAN and peer's LAN
set access profile IPSEC-CLIENTS-GROUP-1 client * ike ike-policy IKE-PHASE1-POLICY
set access profile IPSEC-CLIENTS-GROUP-1 client * ike interface-id IPSEC-INTERFACE-ID
strongSwan ipsec.conf:
config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        ikelifetime=1d
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret
        type=tunnel
        reauth=no
        # auth=esp
        # esp=null-sha1!
        # esp=aes256-sha256!
        ike=aes128-sha1-modp1024
        rekey=no
        #lifetime=5h
        mobike=no
        #dpdaction=hold
        dpdaction=clear
        dpddelay=20s

conn test
        left=%defaultroute
        leftsubnet=172.16.1.0/24[gre]
        leftid=@TE
        # leftfirewall=yes #
        right=14.90.19.22 << internet - static ip
        rightsubnet=172.16.2.0/24[gre]
        rightid=@LNS-Juniper
        auto=add
Log on Linux strongSwan:
02[IKE] initiating IKE_SA mrv[1] to 14.90.19.22
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 99.3.3.13[500] to 14.90.19.22[500] (956 bytes)
received packet: from 14.90.19.22[500] to 99.3.3.13[500] (380 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
received unknown vendor ID: 4a:13:1c:81:07:03:58:45:5c:57:28:f2:0e:95:45:2f
received unknown vendor ID: 7d:94:19:a6:53:10:ca:6f:2c:17:9d:92:15:52:9d:56
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY
sending packet: from 99.3.3.13[500] to 14.90.19.22[500] (356 bytes)
received packet: from 14.90.19.22[500] to 99.3.3.13[500] (36 bytes)
payload type NOTIFY was not encrypted
could not decrypt payloads
integrity check failed
04[IKE] IKE_AUTH response with message ID 1 processing failed
Please Help!
Cheers
Yaniv.
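One check a practitioner would make before reading into the decryption failure at the end of the log is whether the two sides' proposals overlap at all: the Junos IKE proposal in the post is aes-256-cbc, sha-256 and group2, while ipsec.conf sets ike=aes128-sha1-modp1024 and leaves esp= commented out. The script below is an added example, not code from the poster, from strongSwan or from Juniper. It translates the Junos keywords into strongSwan proposal tokens and lists the differences; the keyword table is an assumption that covers only the algorithm names appearing in the post, and the 'set' lines are copied from it. Whether a proposal mismatch is what the responder objects to is not something the script can tell; it only makes the two configurations comparable.

```python
"""Compare the Junos IKE/IPsec proposals with strongSwan's ike=/esp= strings.

Added example, not code from the original post, from strongSwan or from
Juniper.  The 'set' lines and the ike= value are copied from the post; the
name-mapping table is an assumption that only covers the algorithm names
that appear there.
"""

# Junos algorithm keywords -> strongSwan proposal tokens (assumed mapping).
JUNOS_TO_STRONGSWAN = {
    "aes-128-cbc": "aes128",
    "aes-256-cbc": "aes256",
    "3des-cbc": "3des",
    "sha1": "sha1",
    "sha-256": "sha256",
    "hmac-sha1-96": "sha1",
    "hmac-sha-256-128": "sha256",
    "group2": "modp1024",
    "group5": "modp1536",
    "group14": "modp2048",
}

# Proposal-related 'set' lines copied from the Juniper configuration in the post.
JUNOS_CONFIG = """\
set services ipsec-vpn ipsec proposal DYNAMIC_IPSEC_PROPOSAL protocol esp
set services ipsec-vpn ipsec proposal DYNAMIC_IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal DYNAMIC_IPSEC_PROPOSAL encryption-algorithm aes-256-cbc
set services ipsec-vpn ipsec policy DYNAMIC_IPSEC_POLICY perfect-forward-secrecy keys group2
set services ipsec-vpn ipsec policy DYNAMIC_IPSEC_POLICY proposals DYNAMIC_IPSEC_PROPOSAL
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL dh-group group2
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL authentication-algorithm sha-256
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL encryption-algorithm aes-256-cbc
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL lifetime-seconds 28800
"""

# The ike= line from the post's ipsec.conf; esp= is commented out there.
STRONGSWAN_IKE = "aes128-sha1-modp1024"

SLOTS = ("enc", "integ", "dh")


def parse_junos(config):
    """Extract {'ike': {...}, 'esp': {...}} with enc/integ/dh in strongSwan names."""
    out = {"ike": {}, "esp": {}}
    for line in config.splitlines():
        tokens = line.split()
        # set services ipsec-vpn <ike|ipsec> <proposal|policy> <NAME> <key> ... <value>
        if len(tokens) < 8 or tokens[:3] != ["set", "services", "ipsec-vpn"]:
            continue
        phase = "ike" if tokens[3] == "ike" else "esp"
        key, value = tokens[6], tokens[-1]
        if key == "encryption-algorithm":
            slot = "enc"
        elif key == "authentication-algorithm":
            slot = "integ"
        elif key in ("dh-group", "perfect-forward-secrecy"):
            slot = "dh"   # the PFS group on the ipsec policy becomes the esp DH token
        else:
            continue      # lifetimes, auth method, proposal references: not algorithms
        out[phase][slot] = JUNOS_TO_STRONGSWAN.get(value, value)
    return out


def parse_strongswan(proposal):
    """Split a strongSwan proposal 'enc-integ[-dh]' into a dict.

    Only the first comma-separated proposal is examined (assumption); a
    trailing '!' (strict flag) is ignored.
    """
    parts = proposal.split(",")[0].rstrip("!").split("-")
    return {slot: (parts[i] if i < len(parts) else None) for i, slot in enumerate(SLOTS)}


def suggested_proposal(spec):
    """Render a parsed Junos side as the strongSwan string that mirrors it."""
    return "-".join(spec[slot] for slot in SLOTS if spec.get(slot))


def compare(junos, ike_string, esp_string=None):
    """Return a list of mismatch descriptions; an empty list means both sides agree."""
    problems = []
    ss_ike = parse_strongswan(ike_string)
    for slot in SLOTS:
        if junos["ike"].get(slot) != ss_ike.get(slot):
            problems.append(f"ike {slot}: Junos {junos['ike'].get(slot)} vs strongSwan {ss_ike.get(slot)}")
    if esp_string is None:
        problems.append("esp: not set in ipsec.conf (strongSwan defaults apply); "
                        "Junos offers " + suggested_proposal(junos["esp"]))
    else:
        ss_esp = parse_strongswan(esp_string)
        for slot in SLOTS:
            if junos["esp"].get(slot) != ss_esp.get(slot):
                problems.append(f"esp {slot}: Junos {junos['esp'].get(slot)} vs strongSwan {ss_esp.get(slot)}")
    return problems


if __name__ == "__main__":
    junos = parse_junos(JUNOS_CONFIG)
    for problem in compare(junos, STRONGSWAN_IKE):
        print("mismatch:", problem)
    print("ike=" + suggested_proposal(junos["ike"]))
    print("esp=" + suggested_proposal(junos["esp"]))
```

Run against the values from the post it reports two IKE differences (encryption and integrity; the DH group already agrees) plus the unset esp= line, and prints the strongSwan strings that mirror the Junos side, ike=aes256-sha256-modp1024 and esp=aes256-sha1-modp1024. Feeding those two strings back into compare() returns an empty list, which is the state to reach before looking for other causes.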