[strongSwan] QUICK_MODE never receives response from remote host

Matt Wright mwright at forteholdings.com
Thu Mar 12 22:13:23 CET 2020 

I've been trying to figure this one out for several hours, have googled a bunch of stuff, but gotten nowhere quick :(

I'm trying to setup a tunnel between a machine I control and a remote system controlled by someone else.  Previously to today we had this tunnel setup and running on our local Watchguard router, and it all seemed to be working correctly.  However moving forward I need to get this configuration working elsewhere, so enter strongswan.

as far as I can tell everything is setup correctly, however when initiating the connection, phase 1 seems to complete successfully, but as soon as QUICK_MODE starts, I get no response back from the remote host

it doesn't help matters, that this is the first time I'm really trying to do anything like this, and the information I've got from the remote host provider is somewhat... vague, so I've had to make educated guesses to even get to this point

Below are logs and configuration, and hopefully, someone will be able to shed some light on this.  As mentioned I've tried a whole bunch of different things, so the config is a bit of a mess.

----------------My Config---------------

conn VPN
        authby=psk #this specifies how the connection is authenticated
        auto=add
        #rightauth=psk
        #aggressive=yes
        type=tunnel #the type of connection
        left=66.60.177.3 #This is the public ip address of server A
        #leftsourceip=%config
        #modeconfig=pull
        leftsubnet=10.10.10.0/24 #This is the subnet/private ip of server A
        right=173.14.59.177 #This is the public ip address of server B/remote server
        rightsubnet=10.1.25.0/24 #This is the subnet/private ip of server B
        #rightsourceip=172.20.22.0
        #rightsubnet=172.20.22.0/24
        ike=aes128-sha1-modp1024! #Internet key exchange, type of encryption
        #ah=aes128-sha1-modp1024 #Internet key exchange, type of encryption
        #esp=aes128-sha1 #Internet key exchange, type of encryption
        esp=aes128-sha256-modp1024 #Internet key exchange, type of encryption
        #esp=aes128-sha1-modp1024 #Internet key exchange, type of encryption
        keyexchange=ikev1 #Internet key exchange version
        #pfs=yes
        #pfsgroup=modp1024
        #rightprotoport = udp/1801
        #rightikeport=1801

---------------------configuration information provided by the remote host---------------------
Public IP: 173.14.59.177
Local network: 10.1.25.0/24
Remote network: 172.20.22.0/24

Phase 1
key: preshare
DH Group: 2
encryption: AES 128
hash: SHA1

Phase 2
DH Group: 2 (pfs)
protocal: ESP
encryption: AES 128
hash: SHA1

Ports
TCP: 1801
UDP: 1801, 3527

--------------------- log-------------------------

initiating Main Mode IKE_SA VPN[1] to 173.14.59.177
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (156 bytes)
received packet: from 173.14.59.177[500] to 66.60.177.3[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received unknown vendor ID: 94:36:e8:d6:71:74:ef:9a:ed:06:8d:5a:d5:21:3f:18:7a:3f:8b:a6:00:00:00:16:00:00:06:1e
received DPD vendor ID
received unknown vendor ID: 48:65:61:72:74:42:65:61:74:5f:4e:6f:74:69:66:79:38:6b:01:00
generating ID_PROT request 0 [ KE No ]
sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (196 bytes)
received packet: from 173.14.59.177[500] to 66.60.177.3[500] (196 bytes)
parsed ID_PROT response 0 [ KE No ]
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (76 bytes)
received packet: from 173.14.59.177[500] to 66.60.177.3[500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA VPN[1] established between 66.60.177.3[66.60.177.3]...173.14.59.177[173.14.59.177]
scheduling reauthentication in 9941s
maximum IKE_SA lifetime 10481s
generating QUICK_MODE request 601747937 [ HASH SA No KE ID ID ]
sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (316 bytes)
sending retransmit 1 of request message ID 601747937, seq 4
sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (316 bytes)
sending retransmit 2 of request message ID 601747937, seq 4
sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (316 bytes)
sending retransmit 3 of request message ID 601747937, seq 4
sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (316 bytes)
sending retransmit 4 of request message ID 601747937, seq 4
sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (316 bytes)
sending retransmit 5 of request message ID 601747937, seq 4
sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (316 bytes)
giving up after 5 retransmits
establishing connection 'VPN' failed

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200312/9efe7046/attachment.html>

More information about the Users mailing list