[strongSwan] Strong swan IKE issue.

Andrii Petrenko aplsms at gmail.com
Mon Mar 19 15:46:45 CET 2018 

Hello All,

I have an issue to set up VPN to Cisco ASA. Problem appeared on IKE side.

Log: 
#------------------------------------------------------------------------------------
$ docker run -it   --cap-add=NET_ADMIN   --net=host   -v $PWD/config/strongswan.conf:/etc/strongswan.conf   -v $PWD/config/ipsec.conf:/etc/ipsec.conf   -v $PWD/config/ipsec.secrets:/etc/ipsec.secrets   -v $PWD/config/ipsec.d:/etc/ipsec.d   --name=strongswan   --rm  strongswan
Starting strongSwan 5.6.2 IPsec [starter]...
ipsec_starter[1]: Starting strongSwan 5.6.2 IPsec [starter]...
# unknown keyword 'ikeylife'
ipsec_starter[1]: # unknown keyword 'ikeylife'
### 1 parsing error (0 fatal) ###
ipsec_starter[1]: ### 1 parsing error (0 fatal) ###
modprobe: can't change directory to '/lib/modules': No such file or directory
no netkey IPsec stack detected
ipsec_starter[1]: no netkey IPsec stack detected
modprobe: can't change directory to '/lib/modules': No such file or directory
no KLIPS IPsec stack detected
ipsec_starter[1]: no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
ipsec_starter[1]: no known IPsec stack detected, ignoring!
00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 3.13.0-58-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for xx.xx.xx.xx
00[CFG] loaded 0 RADIUS server configurations
00[LIB] loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 chapoly xcbc cmac hmac gcm ntru newhope curl files attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls xauth-generic dhcp counters
00[JOB] spawning 16 worker threads
charon (12) started after 20 ms
ipsec_starter[1]: charon (12) started after 20 ms
05[CFG] received stroke: add connection 'remote-asa'
05[CFG] added configuration 'remote-asa'
07[CFG] received stroke: initiate 'remote-asa'
07[IKE] initiating Main Mode IKE_SA remote-asa[1] to xx.xx.xx.xx
07[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
07[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (272 bytes)
09[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (108 bytes)
09[ENC] parsed ID_PROT response 0 [ SA V ]
09[IKE] received NAT-T (RFC 3947) vendor ID
09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
09[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (308 bytes)
10[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (368 bytes)
10[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
10[IKE] received Cisco Unity vendor ID
10[IKE] received DPD vendor ID
10[ENC] received unknown vendor ID: 78:96:0c:65:2b:d4:73:8d:af:cd:b5:00:63:a6:38:03
10[IKE] received XAuth vendor ID
10[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
10[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (108 bytes)
11[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (76 bytes)
11[ENC] parsed ID_PROT response 0 [ ID HASH ]
11[IKE] IKE_SA remote-asa[1] established between 45.55.20.248[trueaccord]...xx.xx.xx.xx[xx.xx.xx.xx]
11[IKE] scheduling reauthentication in 86138s
11[IKE] maximum IKE_SA lifetime 86318s
11[ENC] generating QUICK_MODE request 4088404241 [ HASH SA No ID ID ]
11[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (188 bytes)
12[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (92 bytes)
12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]
12[IKE] received NO_PROPOSAL_CHOSEN error notify


Status: 
#------------------------------------------------------------------------------------
~/alpine-strongswan-vpn$ docker exec -it strongswan ipsec statusall remote-asa
Status of IKE charon daemon (strongSwan 5.6.2, Linux 3.13.0-58-generic, x86_64):
  uptime: 3 seconds, since Mar 19 14:30:08 2018
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 chapoly xcbc cmac hmac gcm ntru newhope curl files attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls xauth-generic dhcp counters
Listening IP addresses:
  45.55.20.248
  2604:a880:1:20::120:9001
  172.17.0.1
Connections:
        remote-asa:  %any...xx.xx.xx.xx  IKEv1
        remote-asa:   local:  [trueaccord] uses pre-shared key authentication
        remote-asa:   remote: [xx.xx.xx.xx] uses pre-shared key authentication
        remote-asa:   child:  dynamic === 148.171.0.0/16 TUNNEL
Security Associations (0 up, 0 connecting):
  no match
apl at stratus01:~/alpine-strongswan-vpn$ docker exec -it strongswan ipsec statusall remote-asa
Status of IKE charon daemon (strongSwan 5.6.2, Linux 3.13.0-58-generic, x86_64):
  uptime: 2 seconds, since Mar 19 14:31:18 2018
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 chapoly xcbc cmac hmac gcm ntru newhope curl files attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls xauth-generic dhcp counters
Listening IP addresses:
  45.55.20.248
  2604:a880:1:20::120:9001
  172.17.0.1
Connections:
        remote-asa:  %any...xx.xx.xx.xx  IKEv1
        remote-asa:   local:  [trueaccord] uses pre-shared key authentication
        remote-asa:   remote: [xx.xx.xx.xx] uses pre-shared key authentication
        remote-asa:   child:  dynamic === 148.171.0.0/16 TUNNEL
Security Associations (1 up, 0 connecting):
        remote-asa[1]: ESTABLISHED 2 seconds ago, 45.55.20.248[trueaccord]...xx.xx.xx.xx[xx.xx.xx.xx]
        remote-asa[1]: IKEv1 SPIs: 563b49d3d678b72f_i* 8d51ab782bd5738d_r, pre-shared key reauthentication in 23 hours
        remote-asa[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536


Config:
#------------------------------------------------------------------------------------
config setup
    charondebug="dmni 4, mgr 4, ike 4, chd 4, job 4, cfg 4, knl 4, net 4, asn 4, enc 4, lib 4, esp 4, tls 4, tnc 4, imc 4, imv 4, pts 4"
#    strictcrlpolicy=yes

conn %default
    ikelifetime=86400
    ikeylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!

conn remote-asa
    type=tunnel
    #server, remote side
    right=xx.xx.xx.xx
    rightsubnet=178.171.0.0/16
    rightid=xx.xx.xx.xx

    #leftsubnet=10.78.47.0/24
    leftid=trueaccord
    leftfirewall=yes

    auto=start
    keyexchange=ikev1

    ike=aes256-sha1-modp1536
    esp=aes256-sha1!
    ikelifetime=86400s
    aggressive=no
    lifebytes=4608000
    lifetime=3600


I see the problem on IKE side, but don’t know how to debug and fix it.
Please help.


Thank you,

Andrii Petrenko
aplsms at gmail.com <mailto:aplsms at gmail.com>	

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180319/f2af41dc/attachment-0001.html>

More information about the Users mailing list