[strongSwan] no shared keys found error

Edvinas K edvinas.email at gmail.com
Wed Feb 21 18:12:48 CET 2018



Hello,

I'm trying to connect a route-based IPsec VPN to a Cisco device (ISR) and I'm
getting some errors. I configured everything as written on the ROUTE-BASED-VPN
page, but I'm especially not sure about the ipsec.conf configuration, as it's
not included in that page.

From the Cisco side I see these errors:

Feb 21 16:15:09.292: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 39.107.111.111

The strongSwan (CentOS) box says this:

Feb 22 00:59:17 localhost charon: 14[NET] received packet: from 37.157.222.222[500] to 10.67.0.24[500] (164 bytes)
Feb 22 00:59:17 localhost charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V ]
Feb 22 00:59:17 localhost charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
Feb 22 00:59:17 localhost charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Feb 22 00:59:17 localhost charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 22 00:59:17 localhost charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 22 00:59:17 localhost charon: 14[IKE] 37.157.222.222 is initiating a Main Mode IKE_SA
Feb 22 00:59:17 localhost charon: 14[ENC] generating ID_PROT response 0 [ SA V V V ]
Feb 22 00:59:17 localhost charon: 14[NET] sending packet: from 10.67.0.24[500] to 37.157.222.222[500] (136 bytes)
Feb 22 00:59:17 localhost charon: 09[NET] received packet: from 37.157.222.222[500] to 10.67.0.24[500] (284 bytes)
Feb 22 00:59:17 localhost charon: 09[ENC] parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ]
Feb 22 00:59:17 localhost charon: 09[IKE] received DPD vendor ID
Feb 22 00:59:17 localhost charon: 09[ENC] received unknown vendor ID: 2a:76:9d:f8:39:bf:5d:8a:06:25:60:0f:25:2c:99:36
Feb 22 00:59:17 localhost charon: 09[IKE] received XAuth vendor ID
Feb 22 00:59:17 localhost charon: 09[IKE] local host is behind NAT, sending keep alives
Feb 22 00:59:17 localhost charon: 09[IKE] no shared key found for '39.107.111.111'[10.67.0.24] - '37.157.222.222'[37.157.222.222]
Feb 22 00:59:17 localhost charon: 09[IKE] no shared key found for 10.67.0.24 - 37.157.222.222
Feb 22 00:59:17 localhost charon: 09[ENC] generating INFORMATIONAL_V1 request 3620154422 [ N(INVAL_KE) ]
Feb 22 00:59:17 localhost charon: 09[NET] sending packet: from 10.67.0.24[500] to 37.157.222.222[500] (56 bytes)

The configuration is as follows:

Route-based part:

1) ip tunnel add vti266 local 10.130.11.218 remote 10.130.11.217 mode vti key 66
2) ip link set vti266 up
3) sysctl -w net.ipv4.conf.vti266.disable_policy=1
4) ip route add 10.0.0.0/8 dev vti266
5) /etc/strongswan/strongswan.d/charon.conf <> install_routes = no
6) /etc/strongswan/swanctl/swanctl.conf <> local_ts = 0.0.0.0/0  remote_ts = 0.0.0.0/0
7) /etc/strongswan/swanctl/swanctl.conf <> mark_in = 66 mark_out = 66

IPsec part:

ipsec.conf:

conn %default
  ikelifetime=1800m
  rekeymargin=3m
  keyingtries=%forever
  keyexchange=ikev1
  authby=psk
  dpdaction=restart
  dpddelay=30

conn remote-site
  left=%defaultroute
  leftsubnet=10.0.0.0/8
  leftid=39.107.111.111
  leftfirewall=yes
  right=%any
  rightsubnet=0.0.0.0/0
  rightid=37.157.222.222
  auto=start
  ike=aes128-sha1-modp1536
  esp=aes128-sha1


[root at iZ2zegipf37wcfbz6wafz0Z ~]# cat /etc/strongswan/ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file
39.107.111.111 37.157.222.222 : PSK "key_to_alibaba66!@"

Cisco part is here:


crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp key key_to_alibaba66!@ address 39.107.111.111
crypto isakmp keepalive 10 10

crypto ipsec security-association replay window-size 128

crypto ipsec transform-set ALIBABA_AES_SHA_TRANSFORM_SET esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec df-bit clear
!
crypto ipsec profile ALIBABA_AES_SHA_IPSEC_PROFILE
 set transform-set ALIBABA_AES_SHA_TRANSFORM_SET
 set pfs group2

interface Tunnel266
 description ITXRTRO1-Alibaba_test
 ip address 10.130.11.217 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source ip 37.157.222.222
 tunnel destination 39.107.111.111
 tunnel path-mtu-discovery
 tunnel protection ipsec profile ALIBABA_AES_SHA_IPSEC_PROFILE


What could be wrong? Thank you for any input.
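Added example, not code from the post or from strongSwan: a small Python checker that replays the two PSK lookups charon logs above as a main-mode responder (first with the configured leftid/rightid, then with the IKE host addresses) against the text of an ipsec.secrets file, so a secrets file can be tested offline before it is reloaded with ipsec rereadsecrets. The matching model (both identities must match an entry's selector list, an exact identity match beats %any or an empty list, IPv4 selectors only) is a simplification of charon's credential lookup and is an assumption of this example; the sample secrets text, identities and addresses are constructed from the post.

```python
"""Replay strongSwan's IKEv1 main-mode PSK lookup against an ipsec.secrets file.

Added example, not strongSwan code. The matching model is a deliberate
simplification of charon's credential lookup: an entry matches a peer pair
when both identities match its selector list, an exact identity match is
preferred over a wildcard ('%any' or an empty selector list), and the lookup
is tried first with the configured leftid/rightid and then with the IKE host
addresses, which is the order the two 'no shared key found' lines show.
"""
import re
from typing import NamedTuple, Optional, Tuple

MATCH_NONE, MATCH_ANY, MATCH_EXACT = 0, 1, 2


class PskEntry(NamedTuple):
    selectors: Tuple[str, ...]  # identities listed before the colon
    wildcard: bool              # True if the list is empty or contains %any
    key: bytes
    line_no: int


def _parse_key(token: str) -> bytes:
    token = token.strip()
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].encode()        # "quoted" PSK
    if token.lower().startswith("0x"):
        return bytes.fromhex(token[2:])    # 0x hex-encoded PSK
    return token.encode()                  # bare token


def parse_ipsec_secrets(text: str) -> list:
    """Return the PSK entries of an ipsec.secrets file (other key types are skipped).

    Limitation of this example: selectors are split at the first ':', so IPv6
    address selectors, which contain colons, are not supported.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(?P<sel>[^:]*):\s*PSK\s+(?P<key>\S.*)$", line)
        if not m:
            continue
        selectors = tuple(m.group("sel").split())
        wildcard = not selectors or "%any" in selectors
        entries.append(PskEntry(selectors, wildcard, _parse_key(m.group("key")), line_no))
    return entries


def _match_side(entry: PskEntry, ident: str) -> int:
    if ident in entry.selectors:
        return MATCH_EXACT
    return MATCH_ANY if entry.wildcard else MATCH_NONE


def lookup(entries, my_id: str, other_id: str) -> Optional[PskEntry]:
    """Best entry for the (my_id, other_id) pair; both sides must match."""
    best, best_score = None, MATCH_NONE
    for e in entries:
        me, other = _match_side(e, my_id), _match_side(e, other_id)
        if MATCH_NONE in (me, other):
            continue
        if me + other > best_score:
            best, best_score = e, me + other
    return best


def diagnose(secrets_text: str, my_id: str, my_addr: str,
             other_id: str, other_addr: str) -> Optional[Tuple[str, int]]:
    """Run the two lookups charon logs as a main-mode responder.

    Returns ('ids', line) or ('addresses', line) for the entry that would be
    used, or None, which corresponds to the pair of 'no shared key found'
    messages in the post.
    """
    entries = parse_ipsec_secrets(secrets_text)
    for stage, pair in (("ids", (my_id, other_id)),
                        ("addresses", (my_addr, other_addr))):
        hit = lookup(entries, *pair)
        if hit is not None:
            return stage, hit.line_no
    return None


# Constructed from the post: the secrets file and the identities/addresses
# that appear in the 'no shared key found' log lines.
POSTED_SECRETS = (
    '# ipsec.secrets - strongSwan IPsec secrets file\n'
    '39.107.111.111 37.157.222.222 : PSK "key_to_alibaba66!@"\n'
)
LOCAL_ID, LOCAL_ADDR = "39.107.111.111", "10.67.0.24"
PEER_ID, PEER_ADDR = "37.157.222.222", "37.157.222.222"

if __name__ == "__main__":
    print(diagnose(POSTED_SECRETS, LOCAL_ID, LOCAL_ADDR, PEER_ID, PEER_ADDR))
    # A selector typo in the peer address leaves both lookups empty:
    print(diagnose(POSTED_SECRETS.replace("222.222", "222.223"),
                   LOCAL_ID, LOCAL_ADDR, PEER_ID, PEER_ADDR))
```

Under this model the posted secrets line is selected by the first (identity) lookup, so a result of None for a file that looks right points at the file charon actually loaded (path, reload, or a selector that does not match the IDs in the log) rather than at the syntax of the line itself.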