[strongSwan] Strongswan as responder only

Balaji Thoguluva Bapulal balaji.thoguluva.bapulal at oracle.com
Tue Sep 5 20:12:56 CEST 2017


Hi Noel,

# ipsec --version
Linux strongSwan U5.0.2/K2.6.32-279.14.1.el6.x86_64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

Thanks,
Balaji

-----Original Message-----
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting] 
Sent: Tuesday, September 05, 2017 12:43 PM
To: Balaji Thoguluva Bapulal <balaji.thoguluva.bapulal at oracle.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] Strongswan as responder only

Hi,

That is very weird. Where did you get strongSwan from and what distribution is that?

Kind regards

Noel

On 05.09.2017 18:23, Balaji Thoguluva Bapulal wrote:
> Hi Noel,
> 
> Thanks for the quick response. I will ensure md5 and modp1024 are not used.
> 
> The peer (security gateway) is sending the first IKE_SA_INIT message, which does not have a TSi payload, to strongswan. Typically an IKE_SA_INIT message does not have a TSi payload. Not sure why strongswan is reporting an error about the TSi payload for the received IKE_SA_INIT message. strongswan is expected to send back an IKE_SA_INIT response, which also will not have a TSi payload. Not sure why strongswan is reporting about the TSi payload.
> 
> Attached is the Wireshark capture of the message sent to strongswan.
> 
> Thanks,
> Balaji
> 
> -----Original Message-----
> From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting] 
> Sent: Tuesday, September 05, 2017 2:48 AM
> To: Balaji Thoguluva Bapulal <balaji.thoguluva.bapulal at oracle.com>; users at lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan as responder only
> 
> Hi,
> 
> The problem has nothing to do with initiator or responder only configuration. 0% correlation or causality.
> 
> TSi needs to be encrypted. This is a bug or deliberate defect in the other peer's software and needs to be patched by them.
> md5 is broken, as is modp1024. Don't use them.
> 
> Kind regards
> 
> Noel
> 
> On 05.09.2017 06:36, Balaji Thoguluva Bapulal wrote:
>>
>> Hello Strongswan users,
>>
>> I have a basic question on how to enable a particular strongswan connection as responder only. Basically another peer (security gateway) will try to establish an IKE/IPsec connection towards strongswan in responder mode. I tried the following configuration and strongswan seems to report an error.
>>
>> config setup
>>     charondebug=all
>>
>> conn %default
>>     keyingtries=1
>>     keyexchange=ikev2
>>     reauth=no
>>
>> conn peering
>>     left=172.16.20.51
>>     leftfirewall=no
>>     leftauth=psk
>>     right=172.16.20.2
>>     rightauth=psk
>>     auto=add
>>     esp=aes-sha1-modp1024
>>     ike=aes-sha1-md5-modp1024
>>     type=tunnel
>>     rekey=yes
>>
>> /var/log/messages shows
>>
>> Sep  5 00:21:06 acme95 charon-custom: 00[JOB] spawning 16 worker threads
>> Sep  5 00:21:06 acme95 charon-custom: 09[CFG] received stroke: add connection 'peering'
>> Sep  5 00:21:06 acme95 charon-custom: 09[CFG] added configuration 'peering'
>> Sep  5 00:21:36 acme95 charon-custom: 10[NET] received packet: from 172.16.20.51[500] to 172.16.20.2[500] (420 bytes)
>> Sep  5 00:21:36 acme95 charon-custom: 10[ENC] payload type TRAFFIC_SELECTOR_INITIATOR was not encrypted
>> Sep  5 00:21:36 acme95 charon-custom: 10[ENC] could not decrypt payloads
>> Sep  5 00:21:36 acme95 charon-custom: 10[IKE] integrity check failed
>> Sep  5 00:21:36 acme95 charon-custom: 10[IKE] IKE_SA_INIT request with message ID 0 processing failed
>>
>> Also I attempted to enable debug logging, but I do not see any more details beyond the above details.
>>
>> Thanks,
>>
>> Balaji
>>
> 
> 
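As an added example (not strongSwan's code and not posted by anyone in this thread), the following Python walks the cleartext payload chain of an IKEv2 message and reports payloads that RFC 7296 only allows inside the Encrypted (SK) payload, which is the rule behind charon's "payload type TRAFFIC_SELECTOR_INITIATOR was not encrypted" line above. The packets, SPI and payload bodies are constructed dummies; the parser handles the generic payload chain, not the contents of each payload.

```python
"""Check the cleartext payload chain of an IKEv2 message for payloads that
RFC 7296 permits only inside the Encrypted (SK) payload.
Added example, not strongSwan code; the sample packets are constructed."""
import struct

IKE_SA_INIT = 34                       # exchange type (RFC 7296 section 3.1)
PAYLOAD_NAMES = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 39: "AUTH",
                 40: "NONCE", 41: "NOTIFY", 44: "TSi", 45: "TSr", 46: "SK"}
PROTECTED_ONLY = {35, 36, 39, 44, 45}  # IDi, IDr, AUTH, TSi, TSr: never in cleartext

def parse_payloads(pkt):
    """Return (exchange_type, [(payload_type, body)]) for the cleartext chain.
    Raises ValueError on a malformed header or payload length."""
    if len(pkt) < 28:
        raise ValueError("short IKE header")
    next_pl, _ver, exch, _flags, _msg_id, length = struct.unpack("!BBBBII", pkt[16:28])
    if length != len(pkt):
        raise ValueError("header length does not match packet size")
    off, chain = 28, []
    while next_pl != 0:                 # 0 = no next payload
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        cur = next_pl
        next_pl, _crit, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        chain.append((cur, pkt[off + 4:off + plen]))
        off += plen
    return exch, chain

def unencrypted_protected_payloads(pkt):
    """Names of payloads found outside SK that must only travel encrypted."""
    _exch, chain = parse_payloads(pkt)
    return [PAYLOAD_NAMES.get(t, str(t)) for t, _ in chain if t in PROTECTED_ONLY]

def build_ike_packet(payloads, exch=IKE_SA_INIT, spi_i=b"\x11" * 8):
    """Assemble an IKEv2 packet from [(type, body)]; test-data helper only."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = spi_i + bytes(8) + struct.pack("!BBBBII", first, 0x20, exch, 0x08, 0, 28 + len(body))
    return hdr + body

# Constructed IKE_SA_INIT requests: a normal one (SA, KE, Ni) and one that
# also carries a cleartext TSi, as in the log quoted in this thread.
SA_KE_NI = [(33, bytes(8)), (34, b"\x00\x0e\x00\x00" + b"\xaa" * 8), (40, b"\xbb" * 16)]
GOOD_INIT = build_ike_packet(SA_KE_NI)
BAD_INIT = build_ike_packet(SA_KE_NI + [(44, b"\xcc" * 8)])
```

On a real IKE_AUTH message the traffic selectors sit inside SK, so this check only fires when a peer places them in the cleartext chain, which is exactly the condition charon rejects before it attempts decryption.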