[strongSwan] Migrating from OpenSwan/Fedora 13 to StrongSwan/CentOS 7.5

Kostya Vasilyev kman at fastmail.com
Wed Apr 10 16:58:06 CEST 2019


Hello,

On Wed, Apr 10, 2019, at 5:07 PM, guilsson at gmail.com wrote:
> Hello everyone,
> 
> I'm currently running OpenSwan 2.6.29 since 2010 to connect to a bank.
> It has been running for 9 years in a row.
> First 3 years in a Debian box and 6 years in Fedora 13. Just
> COPIED/PASTED from Debian to Fedora and worked.
> 
> But I need some others features in the operating system that Fedora 13
> doesn't have. I've decided to replace it with CentOS 7.5.
> I discovered that CentOS doesn't have OpenSwan. Just LIBRESWAN and STRONGSWAN.
> 
> The main issue is I don't have KNOWLEDGE about IPSEC. This machine has
> been running IPSec using a configuration file
> (ipsec.conf/ipsec.secrets) SUPPLIED by the bank. So, if I got some
> errors about auth, netkey, pfs, ike, quick mode, main mode, phase 1/2.
> etc I won't be able to fix it.
> 
> Having only LIBRESWAN and STRONGSWAN at CentOS 7.5, I tried first
> STRONGSWAN, expecting not having compatibility problems migrating from
> OpenSwan to STRNGSWAN.
> 
> But it not what I got.

I'm not an expert (putting it mildly) either but a few things in your very nicely detailed message kind of stick out for me.

1 - Firewall

On the surface, your new strongSwan is initiating a connection but gets not response.

That's clear based on your packet capture and strongSwan logs, there are no packets coming back from the bank.

Your firewall on the new machine should be set to allow:

Protocol UDP port 500
Protocol UDP port 4500
Protocol ESP

2 - Key exchange version

In strongSwan, keyexchange=ike means IKE v2, documented in [1].

In openSwan, given how old it is, it probably means IKE v1.

Also from your logs - I believe "Main mode" is a v1 thing and IKE_SA_INIT is an v2 thing.

Maybe the bank's computer is not responding because it only knows IKE v1.

And so for strongSwan I'd try setting keyexchange=ikev1

3 - Proposal / SA encryption defaults

Again given how old this whole setup is, the encryption settings used by the bank probably will not match the defaults in strongSwan - for IKEv1 it's ike = aes128-sha256-modp3072 and esp = aes128-sha256 as documented in [1].

If my points 1 and 2 allow your connection process get further along (i.e. at least you start getting packets back from the bank's computer), I'd try something like:

ike=aes128-sha1-modp1024,aes128-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024
esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5

The choice of ciphers is documented in [2].

If you can ask the bank what cipher settings they use it would help too.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
[2] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites

-- K


More information about the Users mailing list