[strongSwan] Strongswan as responder only
Balaji Thoguluva Bapulal
balaji.thoguluva.bapulal at oracle.com
Tue Sep 5 20:12:56 CEST 2017
Hi Noel,
# ipsec --version
Linux strongSwan U5.0.2/K2.6.32-279.14.1.el6.x86_64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
Thanks,
Balaji
-----Original Message-----
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting]
Sent: Tuesday, September 05, 2017 12:43 PM
To: Balaji Thoguluva Bapulal <balaji.thoguluva.bapulal at oracle.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] Strongswan as responder only
Hi,
That is very weird. Where did you get strongSwan from and what distribution is that?
Kind regards
Noel
On 05.09.2017 18:23, Balaji Thoguluva Bapulal wrote:
> Hi Noel,
>
> Thanks for the quick response. I will ensure md5 and modp1024 is not used.
>
> Peer (Security Gateway) is sending the first IKE_SA_INIT message which does not have TSi payload to the strongswan. Typically IKE_SA_INIT message does not have TSi payload. Not sure why strongswan is reporting error about TSi payload for received IKE_SA_INIT message. It is expected by strongswan to send back IKE_SA_INIT response which also will not have TSi payload. Not sure why strongswan is reporting about TSi payload.
>
> Attached is the wireshark of the message sent to the strongswan.
>
> Thanks,
> Balaji
>
> -----Original Message-----
> From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting]
> Sent: Tuesday, September 05, 2017 2:48 AM
> To: Balaji Thoguluva Bapulal <balaji.thoguluva.bapulal at oracle.com>; users at lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan as responder only
>
> Hi,
>
> The problem has nothing to do with initiator or responder only configuration. 0% correlation or causality.
>
> TSi needs to be encrypted. This is a bug or deliberate defect in the other peer's software and needs to be patched by them.
> md5 is broken, as is modp1024. Don't use them.
>
> Kind regards
>
> Noel
>
> On 05.09.2017 06:36, Balaji Thoguluva Bapulal wrote:
>>
>> Hello Strongswan users,
>>
>>
>>
>> I have some basic question on how to enable a particular strongswan connection as responder only. Basically another peer (security gateway) will try to establish a IKE/IPsec connection towards strongswan in responder mode. I tried the following configuration and strongswan seems to report error.
>>
>>
>>
>> config setup
>>
>> charondebug=all
>>
>>
>>
>> conn %default
>>
>> keyingtries=1
>>
>> keyexchange=ikev2
>>
>> reauth=no
>>
>>
>>
>> conn peering
>>
>> left=172.16.20.51
>>
>> leftfirewall=no
>>
>> leftauth=psk
>>
>> right=172.16.20.2
>>
>> rightauth=psk
>>
>> *auto=add*
>>
>> esp=aes-sha1-modp1024
>>
>> ike=aes-sha1-md5-modp1024
>>
>> type=tunnel
>>
>> rekey=yes
>>
>>
>>
>>
>>
>> /var/log/messages shows
>>
>>
>>
>> Sep 5 00:21:06 acme95 charon-custom: 00[JOB] spawning 16 worker threads
>>
>> Sep 5 00:21:06 acme95 charon-custom: 09[CFG] received stroke: add connection 'peering'
>>
>> Sep 5 00:21:06 acme95 charon-custom: 09[CFG] added configuration 'peering'
>>
>> *Sep 5 00:21:36 acme95 charon-custom: 10[NET] received packet: from 172.16.20.51[500] to 172.16.20.2[500] (420 bytes)*
>>
>> *Sep 5 00:21:36 acme95 charon-custom: 10[ENC] payload type TRAFFIC_SELECTOR_INITIATOR was not encrypted*
>>
>> *Sep 5 00:21:36 acme95 charon-custom: 10[ENC] could not decrypt payloads*
>>
>> *Sep 5 00:21:36 acme95 charon-custom: 10[IKE] integrity check failed*
>>
>> *Sep 5 00:21:36 acme95 charon-custom: 10[IKE] IKE_SA_INIT request with message ID 0 processing failed*
>>
>> * *
>>
>> Also I attempted to enable debug logging, but I do not see any more details beyond the above details.
>>
>> * *
>>
>> Thanks,
>>
>> Balaji
>>
>
>
More information about the Users
mailing list