[strongSwan] Strongswan as responder only

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Sep 5 08:48:13 CEST 2017


Hi,

The problem has nothing to do with initiator or responder only configuration. 0% correlation or causality.

TSi needs to be encrypted. This is a bug or deliberate defect in the other peer's software and needs to be patched by them.
md5 is broken, as is modp1024. Don't use them.

Kind regards

Noel

On 05.09.2017 06:36, Balaji Thoguluva Bapulal wrote:
>
> Hello Strongswan users,
>
> I have a basic question on how to enable a particular strongswan connection as responder only. Basically another peer (security gateway) will try to establish an IKE/IPsec connection towards strongswan in responder mode. I tried the following configuration and strongswan seems to report an error.
>
> config setup
>     charondebug=all
>
> conn %default
>     keyingtries=1
>     keyexchange=ikev2
>     reauth=no
>
> conn peering
>     left=172.16.20.51
>     leftfirewall=no
>     leftauth=psk
>     right=172.16.20.2
>     rightauth=psk
>     auto=add
>     esp=aes-sha1-modp1024
>     ike=aes-sha1-md5-modp1024
>     type=tunnel
>     rekey=yes
>
> /var/log/messages shows
>
> Sep  5 00:21:06 acme95 charon-custom: 00[JOB] spawning 16 worker threads
> Sep  5 00:21:06 acme95 charon-custom: 09[CFG] received stroke: add connection 'peering'
> Sep  5 00:21:06 acme95 charon-custom: 09[CFG] added configuration 'peering'
> Sep  5 00:21:36 acme95 charon-custom: 10[NET] received packet: from 172.16.20.51[500] to 172.16.20.2[500] (420 bytes)
> Sep  5 00:21:36 acme95 charon-custom: 10[ENC] payload type TRAFFIC_SELECTOR_INITIATOR was not encrypted
> Sep  5 00:21:36 acme95 charon-custom: 10[ENC] could not decrypt payloads
> Sep  5 00:21:36 acme95 charon-custom: 10[IKE] integrity check failed
> Sep  5 00:21:36 acme95 charon-custom: 10[IKE] IKE_SA_INIT request with message ID 0 processing failed
>
> Also I attempted to enable debug logging, but I do not see any more details beyond the above details.
>
> Thanks,
>
> Balaji
>
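The reply above points at two separate issues: the unencrypted TSi payload is the peer's bug, but the proposals in the quoted ipsec.conf (md5 and modp1024 in ike=, modp1024 in esp=) are a local problem that a quick config audit would catch before deployment. The following script is an added example, not code from the thread or from the strongSwan project: it parses an ipsec.conf-style text, splits the ike=/esp=/ah= proposal strings into their algorithm tokens and reports the weak ones. The sample configuration is constructed to mirror the one quoted in the thread, and the BROKEN/LEGACY sets are an assumed policy (the thread itself only names md5 and modp1024 as broken), so adjust them to your own baseline.

```python
import re

# Constructed ipsec.conf excerpt modelled on the configuration quoted in the
# thread; it is sample input for this example, not the poster's actual file.
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug=all

conn %default
    keyingtries=1
    keyexchange=ikev2
    reauth=no

conn peering
    left=172.16.20.51
    leftfirewall=no
    leftauth=psk
    right=172.16.20.2
    rightauth=psk
    auto=add
    esp=aes-sha1-modp1024
    ike=aes-sha1-md5-modp1024
    type=tunnel
    rekey=yes
"""

# Assumed policy for this example. The reply on this thread calls md5 and
# modp1024 broken; the remaining entries reflect common hardening baselines
# and should be adjusted to your own standard.
BROKEN = {"md5", "modp768", "modp1024", "des", "3des", "null"}
LEGACY = {"sha", "sha1", "modp1536"}


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {section header: {key: value}}.

    Section headers ('config setup', 'conn peering') start in column 0;
    settings are indented key=value lines. Comments after '#' are dropped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = sections.setdefault(" ".join(line.split()), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections


def proposal_algorithms(proposal):
    """Split a strongSwan proposal list into its algorithm tokens.

    'aes-sha1-md5-modp1024,aes256gcm16-prfsha256-ecp256!' ->
    ['aes', 'sha1', 'md5', 'modp1024', 'aes256gcm16', 'prfsha256', 'ecp256']
    The trailing '!' (strict proposal marker) is not an algorithm.
    """
    tokens = []
    for prop in proposal.split(","):
        prop = prop.strip().rstrip("!")
        tokens.extend(t for t in prop.split("-") if t)
    return tokens


def audit_settings(settings):
    """Return [(key, algorithm, severity)] for weak algorithms in ike=/esp=/ah=."""
    findings = []
    for key in ("ike", "esp", "ah"):
        if key not in settings:
            continue
        for alg in proposal_algorithms(settings[key]):
            # Explicit PRF tokens are written as prfsha1, prfmd5, ...
            name = alg[3:] if alg.startswith("prf") else alg
            if name in BROKEN:
                findings.append((key, alg, "broken"))
            elif name in LEGACY:
                findings.append((key, alg, "legacy"))
    return findings


def audit_ipsec_conf(text):
    """Audit every 'conn' section of an ipsec.conf text."""
    return {
        name: audit_settings(settings)
        for name, settings in parse_ipsec_conf(text).items()
        if name.startswith("conn ")
    }


if __name__ == "__main__":
    for conn, findings in audit_ipsec_conf(SAMPLE_IPSEC_CONF).items():
        for key, alg, severity in findings:
            print(f"{conn}: {key}= uses {alg} ({severity})")
```

Run against the sample, the script flags md5 and modp1024 in ike= and modp1024 in esp= as broken and sha1 in both as legacy; a modern proposal such as aes256gcm16-prfsha256-ecp256 (assuming the corresponding charon plugins are loaded) produces no findings. Note that auto=add is the correct way to make a connection responder-only and is not something the audit reports on.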

