[strongSwan] KEY_ID encoding

Volodymyr Litovka doka.ua at gmx.com
Mon Sep 14 17:15:15 CEST 2020


Hi Tobias,

this is what I see in logs:

b-test strongswan: 10[CFG] <25> looking for peer configs matching server-side[%any]...client-side[ciscoasa]
b-test charon-systemd[130481]: looking for peer configs matching server-side[%any]...client-side[ciscoasa]
b-test strongswan: 10[CFG] <25> peer config "ikev2-eap", ike match: 1052 (server-side...%any IKEv2)
b-test strongswan: 10[CFG] <25>   local id match: 1 (ID_ANY: )
b-test strongswan: 10[CFG] <25>   remote id match: 1 (ID_KEY_ID: 63:69:73:63:6f:61:73:61)
b-test strongswan: 10[CFG] <25>   candidate "ikev2-eap", match: 1/1/1052 (me/other/ike)
b-test strongswan: 10[CFG] <25> peer config "ikev2-psk-whl", ike match: 1052 (server-side...%any IKEv2)
b-test strongswan: 10[CFG] <25>   local id match: 1 (ID_ANY: )
b-test strongswan: 10[CFG] <25>   remote id match: 0 (ID_KEY_ID: 63:69:73:63:6f:61:73:61)
b-test strongswan: 10[CFG] <25> peer config "ikev2-psk-ciscoasa", ike match: 1052 (server-side...%any IKEv2)
b-test strongswan: 10[CFG] <25>   local id match: 1 (ID_ANY: )
b-test strongswan: 10[CFG] <25>   remote id match: 0 (ID_KEY_ID: 63:69:73:63:6f:61:73:61)
b-test strongswan: 10[CFG] <ikev2-eap|25> selected peer config 'ikev2-eap'

There are three connections:

connections {
   ikev2-eap {
     remote_addrs = %any
     local { ... }
     remote {
       auth = eap-radius
       id = %any
       eap_id = %any
     }
   }
   ikev2-whl {
     remote_addrs = x.x.x.x
     local { ... }
     remote {
       auth = psk
       id = x.x.x.x
     }
   }
   ikev2-cisoasa {
     remote_addrs = %any
     local { ... }
     remote {
       auth = psk
       id = @#636973636f617361
       # id = ciscoasa
       # id = @#ciscoasa
     }
   }
}

It seems the remote side sends ID_KEY_ID: 63:69:73:63:6f:61:73:61, but none
of the three IDs matches the received ID.

On the other hand, when I switch to FQDN ID

connections {
  [ ... ]
  ikev2-cisoasa {
     remote_addrs = %any
     local { ... }
     remote {
       auth = psk
       id = ciscoasa
     }
   }
}

I see the correct behavior:

b-test strongswan: 08[CFG] <38> looking for peer configs matching server-side[%any]...client-side[ciscoasa]
b-test strongswan: 08[CFG] <38> peer config "ikev2-eap", ike match: 1052 (server-side...%any IKEv2)
b-test strongswan: 08[CFG] <38>   local id match: 1 (ID_ANY: )
b-test strongswan: 08[CFG] <38>   remote id match: 1 (ID_FQDN: 63:69:73:63:6f:61:73:61)
b-test strongswan: 08[CFG] <38>   candidate "ikev2-eap", match: 1/1/1052 (me/other/ike)
b-test strongswan: 08[CFG] <38> peer config "ikev2-psk-194_44_66_2", ike match: 1052 (server-side...%any IKEv2)
b-test strongswan: 08[CFG] <38>   local id match: 1 (ID_ANY: )
b-test strongswan: 08[CFG] <38>   remote id match: 0 (ID_FQDN: 63:69:73:63:6f:61:73:61)
b-test strongswan: 08[CFG] <38> peer config "ikev2-psk-ciscoasa", ike match: 1052 (server-side...%any IKEv2)
b-test strongswan: 08[CFG] <38>   local id match: 1 (ID_ANY: )
b-test strongswan: 08[CFG] <38>   remote id match: 20 (ID_FQDN: 63:69:73:63:6f:61:73:61)
b-test strongswan: 08[CFG] <38>   candidate "ikev2-psk-ciscoasa", match: 1/20/1052 (me/other/ike)
b-test strongswan: 08[CFG] <ikev2-psk-ciscoasa|38> selected peer config 'ikev2-psk-ciscoasa'

I would appreciate any suggestions on how to work around this issue.

Thank you.

On 14.09.2020 11:56, Tobias Brunner wrote:
> Hi Volodymyr,
>
>> do not work - strongSwan does not consider this connection when choosing
>> among several.
> Increase the log level for cfg to 3 [1] to see details about the matched
> identities and read or send the log.
>
>> What is the right way to describe id for PSK connection where remote
>> part uses key-id type, e.g. on Cisco it is "crypto isakmp identity
>> key-id aa"?
> Don't know what Cisco will send if you do that, so no idea.  You'll see
> that in the log.
>
>> And which id need to be used in 'secrets' section to achieve the result?
>> Should it be
> It must match the identity value and type you configure in the remote
> section.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
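Added example (editor's addition, not part of the thread and not strongSwan's own code): a Python model of the swanctl.conf identity notation and of the match levels charon prints in the logs above (1 for an ID_ANY wildcard, 20 for an exact match, 0 for none). It decodes the hex dump from the log back to the identity the peer actually sent, shows that the identity type is part of the match, so an ID_FQDN "ciscoasa" never matches an ID_KEY_ID carrying the same eight bytes, and ranks the three connections for both runs. Connection names and ids are taken from the thread; 192.0.2.1 stands in for the redacted x.x.x.x, the wildcard handling and the candidate ordering (sum of local and remote match, stable on ties) are simplifications of strongSwan's, and the explicit "type:" prefixes swanctl accepts are left out. In this model the entry @#636973636f617361 matches the received ID_KEY_ID at level 20; the first log above reports 0 for that entry and the replies on this page do not say why, so the model shows what the notation means, not what that particular run did.

```python
"""Model of strongSwan identity notation and peer-config id matching.
Added example, not strongSwan code.  Match levels follow charon's
"looking for peer configs" log: 1 = ID_ANY, 19 = one wildcard, 20 = exact.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum

ID_MATCH_NONE = 0
ID_MATCH_ANY = 1
ID_MATCH_ONE_WILDCARD = 19
ID_MATCH_PERFECT = 20


class IdType(Enum):
    ANY = "ID_ANY"
    IPV4_ADDR = "ID_IPV4_ADDR"
    IPV6_ADDR = "ID_IPV6_ADDR"
    FQDN = "ID_FQDN"
    RFC822_ADDR = "ID_RFC822_ADDR"
    KEY_ID = "ID_KEY_ID"


@dataclass(frozen=True)
class Identity:
    id_type: IdType
    data: bytes

    def log_form(self) -> str:
        """Render like charon's cfg log: type name plus colon-separated hex."""
        return "%s: %s" % (self.id_type.value, ":".join("%02x" % b for b in self.data))


def parse_identity(text: str) -> Identity:
    """swanctl.conf notation: %any/empty -> ID_ANY, @#<hex> -> ID_KEY_ID,
    @name -> ID_FQDN, user@host -> ID_RFC822_ADDR, IP literal -> IP type,
    anything else -> ID_FQDN.  Explicit "type:" prefixes are not modelled."""
    text = text.strip()
    if text in ("", "%any"):
        return Identity(IdType.ANY, b"")
    if text.startswith("@#"):
        return Identity(IdType.KEY_ID, bytes.fromhex(text[2:]))
    if text.startswith("@"):
        return Identity(IdType.FQDN, text[1:].encode())
    if "@" in text:
        return Identity(IdType.RFC822_ADDR, text.encode())
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return Identity(IdType.FQDN, text.encode())
    return Identity(IdType.IPV4_ADDR if addr.version == 4 else IdType.IPV6_ADDR, addr.packed)


def identity_from_log_hex(type_name: str, hexdump: str) -> Identity:
    """Rebuild what the peer sent from the log form "ID_KEY_ID: 63:69:...";
    63:69:73:63:6f:61:73:61 reads back as b"ciscoasa"."""
    return Identity(IdType(type_name), bytes.fromhex(hexdump.replace(":", "")))


def match_level(received: Identity, configured: Identity) -> int:
    """Score the peer's identity against a configured remote id.  The type is
    part of the identity: ID_FQDN and ID_KEY_ID "ciscoasa" never match."""
    if configured.id_type is IdType.ANY:
        return ID_MATCH_ANY
    if received.id_type is not configured.id_type:
        return ID_MATCH_NONE
    if received.id_type in (IdType.FQDN, IdType.RFC822_ADDR):
        got, want = received.data.lower(), configured.data.lower()
        if want.startswith(b"*") and got.endswith(want[1:]):
            return ID_MATCH_ONE_WILDCARD  # e.g. configured *.example.org
        return ID_MATCH_PERFECT if got == want else ID_MATCH_NONE
    return ID_MATCH_PERFECT if received.data == configured.data else ID_MATCH_NONE


def select_peer_cfg(configs, local_id, remote_id):
    """Rank (name, local id, remote id) configs as charon's log does: keep
    those where both ids match, best combined match first (stable on ties).
    The ike_cfg match (the 1052 in the log) is not modelled."""
    candidates = []
    for name, cfg_local, cfg_remote in configs:
        me = match_level(local_id, parse_identity(cfg_local))
        other = match_level(remote_id, parse_identity(cfg_remote))
        if me and other:
            candidates.append((name, me, other))
    candidates.sort(key=lambda c: c[1] + c[2], reverse=True)
    return candidates


# Constructed from the thread: first run uses the @#hex KEY_ID, second run
# the FQDN.  192.0.2.1 is a stand-in for the redacted x.x.x.x.
CONFIGS_KEYID = [
    ("ikev2-eap", "%any", "%any"),
    ("ikev2-psk-whl", "%any", "192.0.2.1"),
    ("ikev2-psk-ciscoasa", "%any", "@#636973636f617361"),
]
CONFIGS_FQDN = [(n, l, "ciscoasa" if n == "ikev2-psk-ciscoasa" else r)
                for n, l, r in CONFIGS_KEYID]
LOCAL_ANY = parse_identity("%any")
PEER_KEYID = identity_from_log_hex("ID_KEY_ID", "63:69:73:63:6f:61:73:61")
PEER_FQDN = identity_from_log_hex("ID_FQDN", "63:69:73:63:6f:61:73:61")

if __name__ == "__main__":
    print("peer sent", PEER_KEYID.log_form(), "=", PEER_KEYID.data)
    for label, cfgs, peer in (("KEY_ID run", CONFIGS_KEYID, PEER_KEYID),
                              ("FQDN run", CONFIGS_FQDN, PEER_FQDN),
                              ("FQDN cfg, KEY_ID peer", CONFIGS_FQDN, PEER_KEYID)):
        ranked = select_peer_cfg(cfgs, LOCAL_ANY, peer)
        print(label, "->", ["%s %d/%d" % c for c in ranked])
```

The third scenario is the one to keep in mind when a peer switches identity type: with only the FQDN entry configured, an ID_KEY_ID peer falls through to the %any connection, which is exactly the "selected peer config 'ikev2-eap'" outcome in the first log, so the secrets entry for the PSK also has to carry the same type and bytes as the remote id in the connection, as Tobias notes.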
