[strongSwan] Strong swan IKE issue.
Andrii Petrenko
aplsms at gmail.com
Mon Mar 19 15:46:45 CET 2018
Hello All,
I have an issue to set up VPN to Cisco ASA. Problem appeared on IKE side.
Log:
#------------------------------------------------------------------------------------
$ docker run -it --cap-add=NET_ADMIN --net=host -v $PWD/config/strongswan.conf:/etc/strongswan.conf -v $PWD/config/ipsec.conf:/etc/ipsec.conf -v $PWD/config/ipsec.secrets:/etc/ipsec.secrets -v $PWD/config/ipsec.d:/etc/ipsec.d --name=strongswan --rm strongswan
Starting strongSwan 5.6.2 IPsec [starter]...
ipsec_starter[1]: Starting strongSwan 5.6.2 IPsec [starter]...
# unknown keyword 'ikeylife'
ipsec_starter[1]: # unknown keyword 'ikeylife'
### 1 parsing error (0 fatal) ###
ipsec_starter[1]: ### 1 parsing error (0 fatal) ###
modprobe: can't change directory to '/lib/modules': No such file or directory
no netkey IPsec stack detected
ipsec_starter[1]: no netkey IPsec stack detected
modprobe: can't change directory to '/lib/modules': No such file or directory
no KLIPS IPsec stack detected
ipsec_starter[1]: no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
ipsec_starter[1]: no known IPsec stack detected, ignoring!
00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 3.13.0-58-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded IKE secret for xx.xx.xx.xx
00[CFG] loaded 0 RADIUS server configurations
00[LIB] loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 chapoly xcbc cmac hmac gcm ntru newhope curl files attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls xauth-generic dhcp counters
00[JOB] spawning 16 worker threads
charon (12) started after 20 ms
ipsec_starter[1]: charon (12) started after 20 ms
05[CFG] received stroke: add connection 'remote-asa'
05[CFG] added configuration 'remote-asa'
07[CFG] received stroke: initiate 'remote-asa'
07[IKE] initiating Main Mode IKE_SA remote-asa[1] to xx.xx.xx.xx
07[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
07[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (272 bytes)
09[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (108 bytes)
09[ENC] parsed ID_PROT response 0 [ SA V ]
09[IKE] received NAT-T (RFC 3947) vendor ID
09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
09[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (308 bytes)
10[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (368 bytes)
10[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
10[IKE] received Cisco Unity vendor ID
10[IKE] received DPD vendor ID
10[ENC] received unknown vendor ID: 78:96:0c:65:2b:d4:73:8d:af:cd:b5:00:63:a6:38:03
10[IKE] received XAuth vendor ID
10[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
10[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (108 bytes)
11[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (76 bytes)
11[ENC] parsed ID_PROT response 0 [ ID HASH ]
11[IKE] IKE_SA remote-asa[1] established between 45.55.20.248[trueaccord]...xx.xx.xx.xx[xx.xx.xx.xx]
11[IKE] scheduling reauthentication in 86138s
11[IKE] maximum IKE_SA lifetime 86318s
11[ENC] generating QUICK_MODE request 4088404241 [ HASH SA No ID ID ]
11[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (188 bytes)
12[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (92 bytes)
12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]
12[IKE] received NO_PROPOSAL_CHOSEN error notify
Status:
#------------------------------------------------------------------------------------
~/alpine-strongswan-vpn$ docker exec -it strongswan ipsec statusall remote-asa
Status of IKE charon daemon (strongSwan 5.6.2, Linux 3.13.0-58-generic, x86_64):
uptime: 3 seconds, since Mar 19 14:30:08 2018
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 chapoly xcbc cmac hmac gcm ntru newhope curl files attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls xauth-generic dhcp counters
Listening IP addresses:
45.55.20.248
2604:a880:1:20::120:9001
172.17.0.1
Connections:
remote-asa: %any...xx.xx.xx.xx IKEv1
remote-asa: local: [trueaccord] uses pre-shared key authentication
remote-asa: remote: [xx.xx.xx.xx] uses pre-shared key authentication
remote-asa: child: dynamic === 148.171.0.0/16 TUNNEL
Security Associations (0 up, 0 connecting):
no match
apl at stratus01:~/alpine-strongswan-vpn$ docker exec -it strongswan ipsec statusall remote-asa
Status of IKE charon daemon (strongSwan 5.6.2, Linux 3.13.0-58-generic, x86_64):
uptime: 2 seconds, since Mar 19 14:31:18 2018
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 chapoly xcbc cmac hmac gcm ntru newhope curl files attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls xauth-generic dhcp counters
Listening IP addresses:
45.55.20.248
2604:a880:1:20::120:9001
172.17.0.1
Connections:
remote-asa: %any...xx.xx.xx.xx IKEv1
remote-asa: local: [trueaccord] uses pre-shared key authentication
remote-asa: remote: [xx.xx.xx.xx] uses pre-shared key authentication
remote-asa: child: dynamic === 148.171.0.0/16 TUNNEL
Security Associations (1 up, 0 connecting):
remote-asa[1]: ESTABLISHED 2 seconds ago, 45.55.20.248[trueaccord]...xx.xx.xx.xx[xx.xx.xx.xx]
remote-asa[1]: IKEv1 SPIs: 563b49d3d678b72f_i* 8d51ab782bd5738d_r, pre-shared key reauthentication in 23 hours
remote-asa[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Config:
#------------------------------------------------------------------------------------
config setup
charondebug="dmni 4, mgr 4, ike 4, chd 4, job 4, cfg 4, knl 4, net 4, asn 4, enc 4, lib 4, esp 4, tls 4, tnc 4, imc 4, imv 4, pts 4"
# strictcrlpolicy=yes
conn %default
ikelifetime=86400
ikeylife=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
conn remote-asa
type=tunnel
#server, remote side
right=xx.xx.xx.xx
rightsubnet=178.171.0.0/16
rightid=xx.xx.xx.xx
#leftsubnet=10.78.47.0/24
leftid=trueaccord
leftfirewall=yes
auto=start
keyexchange=ikev1
ike=aes256-sha1-modp1536
esp=aes256-sha1!
ikelifetime=86400s
aggressive=no
lifebytes=4608000
lifetime=3600
I see the problem on IKE side, but don’t know how to debug and fix it.
Please help.
Thank you,
Andrii Petrenko
aplsms at gmail.com <mailto:aplsms at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180319/f2af41dc/attachment-0001.html>
More information about the Users
mailing list