[strongSwan] Strongswan as responder only
Balaji Thoguluva Bapulal
balaji.thoguluva.bapulal at oracle.com
Tue Sep 5 18:23:10 CEST 2017
Hi Noel,
Thanks for the quick response. I will ensure md5 and modp1024 is not used.
Peer (Security Gateway) is sending the first IKE_SA_INIT message which does not have TSi payload to the strongswan. Typically IKE_SA_INIT message does not have TSi payload. Not sure why strongswan is reporting error about TSi payload for received IKE_SA_INIT message. It is expected by strongswan to send back IKE_SA_INIT response which also will not have TSi payload. Not sure why strongswan is reporting about TSi payload.
Attached is the wireshark of the message sent to the strongswan.
Thanks,
Balaji
-----Original Message-----
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting]
Sent: Tuesday, September 05, 2017 2:48 AM
To: Balaji Thoguluva Bapulal <balaji.thoguluva.bapulal at oracle.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] Strongswan as responder only
Hi,
The problem has nothing to do with initiator or responder only configuration. 0% correlation or causality.
TSi needs to be encrypted. This is a bug or deliberate defect in the other peer's software and needs to be patched by them.
md5 is broken, as is modp1024. Don't use them.
Kind regards
Noel
On 05.09.2017 06:36, Balaji Thoguluva Bapulal wrote:
>
> Hello Strongswan users,
>
>
>
> I have some basic question on how to enable a particular strongswan connection as responder only. Basically another peer (security gateway) will try to establish a IKE/IPsec connection towards strongswan in responder mode. I tried the following configuration and strongswan seems to report error.
>
>
>
> config setup
>
> charondebug=all
>
>
>
> conn %default
>
> keyingtries=1
>
> keyexchange=ikev2
>
> reauth=no
>
>
>
> conn peering
>
> left=172.16.20.51
>
> leftfirewall=no
>
> leftauth=psk
>
> right=172.16.20.2
>
> rightauth=psk
>
> *auto=add*
>
> esp=aes-sha1-modp1024
>
> ike=aes-sha1-md5-modp1024
>
> type=tunnel
>
> rekey=yes
>
>
>
>
>
> /var/log/messages shows
>
>
>
> Sep 5 00:21:06 acme95 charon-custom: 00[JOB] spawning 16 worker threads
>
> Sep 5 00:21:06 acme95 charon-custom: 09[CFG] received stroke: add connection 'peering'
>
> Sep 5 00:21:06 acme95 charon-custom: 09[CFG] added configuration 'peering'
>
> *Sep 5 00:21:36 acme95 charon-custom: 10[NET] received packet: from 172.16.20.51[500] to 172.16.20.2[500] (420 bytes)*
>
> *Sep 5 00:21:36 acme95 charon-custom: 10[ENC] payload type TRAFFIC_SELECTOR_INITIATOR was not encrypted*
>
> *Sep 5 00:21:36 acme95 charon-custom: 10[ENC] could not decrypt payloads*
>
> *Sep 5 00:21:36 acme95 charon-custom: 10[IKE] integrity check failed*
>
> *Sep 5 00:21:36 acme95 charon-custom: 10[IKE] IKE_SA_INIT request with message ID 0 processing failed*
>
> * *
>
> Also I attempted to enable debug logging, but I do not see any more details beyond the above details.
>
> * *
>
> Thanks,
>
> Balaji
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Strongswan_Responder
Type: application/octet-stream
Size: 28267 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170905/ce9123f2/attachment-0001.obj>
More information about the Users
mailing list