[strongSwan] problem connecting to Kyocera printer

Harald Dunkel harald.dunkel at aixigo.de
Fri Jul 13 14:55:20 CEST 2018


Hi folks,

I have to connect a Kyocera ECOSYS M8130 printer (running in a
foreign environment behind a NAT) to my local network via our road
warrior IPsec gateway. Strongswan 5.6.2. rightsourceip is %dhcp,
as for the road warriors.

The printer has built-in IKEv2 and IPsec support.

Problem: Authentication via PSK or certificate (not shown here)
succeeds, but then the printer and strongswan seem to disagree
about the further steps.

Logfile:

Jul 13 13:35:57 10[NET] <2100> received packet: from 192.168.142.13[52583] to 192.168.142.17[500] (432 bytes)
Jul 13 13:35:57 10[ENC] <2100> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 13 13:35:57 10[IKE] <2100> 192.168.142.13 is initiating an IKE_SA
Jul 13 13:35:57 10[IKE] <2100> remote host is behind NAT
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[ENC] <2100> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) V ]
Jul 13 13:35:57 10[NET] <2100> sending packet: from 192.168.142.17[500] to 192.168.142.13[52583] (585 bytes)
Jul 13 13:35:57 16[NET] <2100> received packet: from 192.168.142.13[60908] to 192.168.142.17[4500] (288 bytes)
Jul 13 13:35:57 16[ENC] <2100> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jul 13 13:35:57 16[CFG] <2100> looking for peer configs matching 192.168.142.17[gate.example.com]...192.168.142.13[prn17.red.example.de]
Jul 13 13:35:57 16[CFG] <prn17-ikev2|2100> selected peer config 'prn17-ikev2'
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> authentication of 'prn17.red.example.de' with pre-shared key successful
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> authentication of 'gate.example.com' (myself) with pre-shared key
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> IKE_SA prn17-ikev2[2100] established between 192.168.142.17[gate.example.com]...192.168.142.13[prn17.red.example.de]
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> scheduling reauthentication in 86135s
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> maximum IKE_SA lifetime 86315s
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> expected a virtual IP request, sending FAILED_CP_REQUIRED
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> traffic selectors 0.0.0.0/0 === 10.100.0.17/32 inacceptable
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> failed to establish CHILD_SA, keeping IKE_SA
Jul 13 13:35:57 16[ENC] <prn17-ikev2|2100> generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jul 13 13:35:57 16[NET] <prn17-ikev2|2100> sending packet: from 192.168.142.17[4500] to 192.168.142.13[60908] (160 bytes)
:
:
Jul 13 13:36:27 29[IKE] <prn17-ikev2|2100> sending DPD request
Jul 13 13:36:27 29[ENC] <prn17-ikev2|2100> generating INFORMATIONAL request 0 [ ]
Jul 13 13:36:27 29[NET] <prn17-ikev2|2100> sending packet: from 192.168.142.17[4500] to 192.168.142.13[60908] (80 bytes)
Jul 13 13:36:27 14[NET] <prn17-ikev2|2100> received packet: from 192.168.142.13[60908] to 192.168.142.17[4500] (80 bytes)
Jul 13 13:36:27 14[ENC] <prn17-ikev2|2100> parsed INFORMATIONAL response 0 [ ]
:


Please note the "expected a virtual IP request". Unfortunately the
printer does not provide any logging, AFAICT.


Every helpful comment is highly appreciated
Harri
-----------------------------------------------------------------------------
ipsec.conf:

conn %default
         # left=%any
         left            = gate.example.com
         fragmentation   = yes
         leftsubnet      = 172.16.96.0/19
         leftfirewall    = no
         ikelifetime     = 1d
         lifetime        = 8h
         rekey           = yes
         dpdaction       = none          # default: no dead peer detection
         dpddelay        = 30s           # default: 30s
         dpdtimeout      = 150s          # default: 150s, used for IKEv1 only

#
# IKEv2 using RSA authentication
conn IPSec-IKEv2
         keyexchange     = ikev2
         leftcert        = gate.example.com_3.pem
         also            = roadwarrior
         ike             = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!
         esp             = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256,aes256-sha1,aes128-sha1!
         right           = %any
         rightca         = "C=DE, O=example, OU=Certificate Authority, CN=root-CA"
         rightauth       = pubkey
         rightsendcert   = ifasked
         rightsourceip   = %dhcp
         auto            = add

#
# connection to prn17
conn prn17-ikev2
         # left=%any
         left            = gate.example.com
         leftid          = @gate.example.com
         leftfirewall    = no
         right           = 5.145.142.13
         rightid         = @prn17.red.example.de
         rightsourceip   = %dhcp
         authby          = secret

         keyexchange     = ikev2
         ike             = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!
         esp             = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256,aes256-sha1,aes128-sha1!
         ikelifetime     = 1d
         lifetime        = 1h
         rekey           = yes
         rekeymargin     = 3m
         keyingtries     = 1

         auto            = add
         dpdaction       = hold
         dpddelay        = 30s

