[strongSwan] upgrade from 4.5.2 to 5.2.1 breaks phase 2 authentication

CJ Fearnley cjf at LinuxForce.net
Tue Jul 10 15:20:02 CEST 2018


Your sha256 clue fixed the tonyhome connection. Thanks.

But although your suggestion of esp=3des-sha1-modp1024 overcame the
NO_PROPOSAL_CHOSEN hurdle, it still isn't working:

On the Strongswan side I see:

Jul 10 08:43:35 powerwall-34 charon: 08[NET] received packet: from 173.49.3.210[500] to 100.34.28.58[500] (292 bytes)
Jul 10 08:43:35 powerwall-34 charon: 08[ENC] parsed QUICK_MODE request 3817976272 [ HASH SA No KE ID ID ]
Jul 10 08:43:35 powerwall-34 charon: 08[ENC] generating QUICK_MODE response 3817976272 [ HASH SA No KE ID ID ]
Jul 10 08:43:35 powerwall-34 charon: 08[NET] sending packet: from 100.34.28.58[500] to 173.49.3.210[500] (308 bytes)
Jul 10 08:43:35 powerwall-34 charon: 09[NET] received packet: from 173.49.3.210[500] to 100.34.28.58[500] (68 bytes)
Jul 10 08:43:35 powerwall-34 charon: 09[ENC] parsed INFORMATIONAL_V1 request 2665448588 [ HASH N(ATTR_UNSUP) ]
Jul 10 08:43:35 powerwall-34 charon: 09[IKE] received ATTRIBUTES_NOT_SUPPORTED error notify
Jul 10 08:43:35 powerwall-34 charon: 09[IKE] received ATTRIBUTES_NOT_SUPPORTED error notify
Jul 10 08:44:05 powerwall-34 charon: 11[NET] received packet: from 173.49.3.210[500] to 100.34.28.58[500] (292 bytes)
Jul 10 08:44:05 powerwall-34 charon: 11[ENC] parsed QUICK_MODE request 3678149875 [ HASH SA No KE ID ID ]
Jul 10 08:44:05 powerwall-34 charon: 11[ENC] generating QUICK_MODE response 3678149875 [ HASH SA No KE ID ID ]
Jul 10 08:44:05 powerwall-34 charon: 11[NET] sending packet: from 100.34.28.58[500] to 173.49.3.210[500] (308 bytes)
Jul 10 08:44:05 powerwall-34 charon: 15[NET] received packet: from 173.49.3.210[500] to 100.34.28.58[500] (68 bytes)
Jul 10 08:44:05 powerwall-34 charon: 15[ENC] parsed INFORMATIONAL_V1 request 2484051682 [ HASH N(ATTR_UNSUP) ]
Jul 10 08:44:05 powerwall-34 charon: 15[IKE] received ATTRIBUTES_NOT_SUPPORTED error notify
Jul 10 08:44:05 powerwall-34 charon: 15[IKE] received ATTRIBUTES_NOT_SUPPORTED error notify

Here is what the Netgear SRX5308 reports in its logs:

Tue Jul 10 08:44:05 2018 (GMT -0400): [SRX5308] [IKE] INFO:  an undead schedule has been deleted:
'quick_i1prep'.
Tue Jul 10 08:44:05 2018 (GMT -0400): [SRX5308] [IKE] INFO:  an undead schedule has been deleted:
'isakmp_ph2resend'.
Tue Jul 10 08:44:05 2018 (GMT -0400): [SRX5308] [IKE] ERROR:  Phase2 negotiation failed for
100.34.28.58[500].
Tue Jul 10 08:44:05 2018 (GMT -0400): [SRX5308] [IKE] INFO:  Sending Informational Exchange: notify
payload[ATTRIBUTES-NOT-SUPPORTED]
Tue Jul 10 08:44:05 2018 (GMT -0400): [SRX5308] [IKE] ERROR:  mismatched ID was returned.
Tue Jul 10 08:44:05 2018 (GMT -0400): [SRX5308] [IKE] INFO:  Initiating new phase 2 negotiation:
173.49.3.210[0]<=>100.34.28.58[0]
Tue Jul 10 08:44:05 2018 (GMT -0400): [SRX5308] [IKE] INFO:  Configuration found for 100.34.28.58.
Tue Jul 10 08:44:05 2018 (GMT -0400): [SRX5308] [IKE] INFO:  Configuration found for 100.34.28.58.
Tue Jul 10 08:44:05 2018 (GMT -0400): [SRX5308] [IKE] INFO:  Using IPsec SA configuration:
192.168.11.1/24<->192.168.100.1/24
Tue Jul 10 08:43:35 2018 (GMT -0400): [SRX5308] [IKE] INFO:  an undead schedule has been deleted:
'quick_i1prep'.
Tue Jul 10 08:43:35 2018 (GMT -0400): [SRX5308] [IKE] INFO:  an undead schedule has been deleted:
'isakmp_ph2resend'.
Tue Jul 10 08:43:35 2018 (GMT -0400): [SRX5308] [IKE] ERROR:  Phase2 negotiation failed for
100.34.28.58[500].
Tue Jul 10 08:43:35 2018 (GMT -0400): [SRX5308] [IKE] INFO:  Sending Informational Exchange: notify
payload[ATTRIBUTES-NOT-SUPPORTED]
Tue Jul 10 08:43:35 2018 (GMT -0400): [SRX5308] [IKE] ERROR:  mismatched ID was returned.
Tue Jul 10 08:43:35 2018 (GMT -0400): [SRX5308] [IKE] INFO:  Initiating new phase 2 negotiation:
173.49.3.210[0]<=>100.34.28.58[0]
Tue Jul 10 08:43:35 2018 (GMT -0400): [SRX5308] [IKE] INFO:  Configuration found for 100.34.28.58.
Tue Jul 10 08:43:35 2018 (GMT -0400): [SRX5308] [IKE] INFO:  Configuration found for 100.34.28.58.
Tue Jul 10 08:43:35 2018 (GMT -0400): [SRX5308] [IKE] INFO:  Using IPsec SA configuration:
192.168.11.1/24<->192.168.100.1/24

What should I try next?

On Tue, Jul 10, 2018 at 10:56:50AM +0200, Tobias Brunner wrote:
> Hi,
> 
> > Jul  9 19:24:05 powerwall-34 charon: 04[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
> > Jul  9 19:24:05 powerwall-34 charon: 04[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> > Jul  9 19:24:05 powerwall-34 charon: 04[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
> > 
> > Why is Strongswan not offering MODP_1024 for a 3des-sha1 proposal?
> 
> Because as you can see, its default ESP proposals don't include any DH
> groups.  Configure esp=3des-sha1-modp1024 to match the client's
> proposal.  You can also read [1] for a description of IKEv1-related
> differences between 4.x and 5.x releases.
> 
> > Jul  9 19:22:57 powerwall-34 charon: 10[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
> > Jul  9 19:22:57 powerwall-34 charon: 10[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> > Jul  9 19:22:57 powerwall-34 charon: 10[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
> 
> Same thing as above, but with sha256 instead of sha1.
> 
> > Also, I notice when charon starts up, it gives this informational message:
> > 
> > Jul  9 18:30:15 powerwall-34 charon: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
> > Jul  9 18:30:15 powerwall-34 charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
> > 
> > What might be wrong with the stock Debian strongswan packages that there
> > are unmet dependencies?
> 
> Nothing really wrong here, these plugin features are, for instance,
> related to DSA, which none of our crypto plugins supports (i.e. there
> will always be plugin features that can't be loaded).  You see more
> details if you increase the log level for lib to 2 or even 3, and the
> plugin features (including those that were not loaded) are listed in the
> output of `ipsec listplugins`.
> 
> Regards,
> Tobias
> 
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1

-- 
CJ Fearnley                 |   LinuxForce Inc.
cjf at LinuxForce.net          |   IT Projects & Systems Maintenance
http://www.LinuxForce.net   |   http://blog.remoteresponder.net
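Tobias's point in the quoted reply is that charon matches each received ESP proposal against its configured proposals transform type by transform type, and the stock 5.x defaults carry no DH group at all, so a peer insisting on MODP_1024 in Quick Mode never matches. The following is an added example (not strongSwan's own matching code) that re-implements that comparison over the "received proposals" / "configured proposals" strings from the earlier log excerpt and reports which transform type is unmatched; the line labelled CONFIGURED_FIXED is what one would expect after esp=3des-sha1-modp1024 and is an assumption.

```python
from typing import Dict, List, Set, Tuple

# Proposal strings copied from the charon log lines quoted in the thread.
RECEIVED = "ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ"
CONFIGURED_DEFAULT = (
    "ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, "
    "ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, "
    "ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/"
    "HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ")
# Assumed: what charon lists once esp=3des-sha1-modp1024 is configured.
CONFIGURED_FIXED = "ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ"

def transform_type(name: str) -> str:
    """Bucket a charon transform name by its IKE transform type."""
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if name in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integrity"
    return "encryption"

def parse_proposal(text: str) -> Dict[str, Set[str]]:
    """'ESP:A/B/C' -> {type: {alternatives}}; same-type entries are OR'd."""
    _proto, _, body = text.strip().partition(":")
    buckets: Dict[str, Set[str]] = {}
    for t in body.split("/"):
        buckets.setdefault(transform_type(t), set()).add(t)
    return buckets

def parse_proposal_list(text: str) -> List[Dict[str, Set[str]]]:
    return [parse_proposal(p) for p in text.split(",") if p.strip()]

def diagnose(received_line: str, configured_line: str) -> Tuple[bool, List[str]]:
    """Try each local proposal against the peer's; a match needs every
    transform type offered by either side to have a value both share."""
    peer = parse_proposal(received_line)
    reasons: List[str] = []
    for i, local in enumerate(parse_proposal_list(configured_line)):
        missing = []
        for ttype in sorted(set(peer) | set(local)):
            if not (peer.get(ttype, set()) & local.get(ttype, set())):
                missing.append(f"{ttype}: peer {sorted(peer.get(ttype, []))}"
                               f" vs local {sorted(local.get(ttype, []))}")
        if not missing:
            return True, []          # charon would pick this proposal
        reasons.append(f"proposal {i}: " + "; ".join(missing))
    return False, reasons            # charon sends NO_PROPOSAL_CHOSEN
```

Running diagnose(RECEIVED, CONFIGURED_DEFAULT) shows every default proposal failing on the "dh" type alone (plus encryption for the AES-only one), while CONFIGURED_FIXED matches.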