Re: [strongSwan] Incorrect Phase II for Cisco IOS Transport VPN

2015-04-20 Thread John Marrett
With the assistance of Noel Kuntz (Thermi on #strongswan) and Cisco TAC
I've managed to resolve the problem.

The issue was that the Cisco device absolutely required the IPSec tunnel to
have the protocol limited to GRE (port 47).

The Cisco side of a functional tunnel is seen as follows in sh cry ips

   local  ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.2.0.96/255.255.255.255/47/0)

I had to configure my subnets as follows:

leftsubnet=%dynamic[47/%any]
rightsubnet=%dynamic[47/%any]

With this configuration in place I was able to successfully negotiate the
tunnel.

-JohnF

On Sun, Apr 19, 2015 at 8:34 PM, Miroslav Svoboda wrote:

> Hi John,
>
> I think it is not possible to use transport mode with local (left) address
> from private range, not routable over internet, unless the peer is in the
> same private network.
> I suggest to try a change to "left=%any", "rightsubnet=0.0.0.0/0",
> "leftsourceip=%config". You should not specify "leftsubnet", it has same
> effect as "leftsubnet=%dynamic". Also delete "type=transport" or change
> it to tunnel.
> If that did not help, please can you increase loglevel as described here
> 
> and provide the log?
> Especially emphasized lines in bold below are important, achieved with
> following settings in strongswan.d/charon-logging.conf:
> enc = 1
> job = 1
> cfg = 2
> ike = 4
> mgr = 4
> knl = 2
>
> Also attach output of "ipsec statusall" command.
>
> Log should look like this, even though this is from VPN server to which
> roadwarriors are connecting to:
> 2015-04-18 21:40:28 10[IKE]  IKE_SA roadwarrior[1] state
> change: CONNECTING => ESTABLISHED
> 2015-04-18 21:40:28 10[IKE]  scheduling reauthentication in
> 9746s
> 2015-04-18 21:40:28 10[IKE]  maximum IKE_SA lifetime 10286s
> 2015-04-18 21:40:28 10[IKE]  sending end entity cert "C=CZ,
> O=Aloha, CN=swan.aloha.com"
> 2015-04-18 21:40:28 10[IKE]  peer requested virtual IP %any
> 2015-04-18 21:40:28 10[CFG]  assigning new lease to 'C=CZ,
> O=Aloha, CN=GoodBoy'
> 2015-04-18 21:40:28 10[IKE]  assigning virtual IP
> 192.168.55.1 to peer 'C=CZ, O=Aloha, CN=GoodBoy'
> 2015-04-18 21:40:28 10[IKE]  peer requested virtual IP %any6
> 2015-04-18 21:40:28 10[IKE]  no virtual IP found for %any6
> requested by 'C=CZ, O=Aloha, CN=GoodBoy'
> 2015-04-18 21:40:28 10[IKE]  building INTERNAL_IP4_DNS
> attribute
> 2015-04-18 21:40:28 10[IKE]  building INTERNAL_IP4_DNS
> attribute
> *2015-04-18 21:40:28 10[CFG]  looking for a child config
> for 0.0.0.0/0  ::/0 === 0.0.0.0/0  ::/0*
> *2015-04-18 21:40:28 10[CFG]  proposing traffic selectors
> for us:*
> *2015-04-18 21:40:28 10[CFG]   0.0.0.0/0 *
> *2015-04-18 21:40:28 10[CFG]  proposing traffic selectors
> for other:*
> *2015-04-18 21:40:28 10[CFG]   192.168.55.1/32
> *
> 2015-04-18 21:40:28 10[CFG]candidate "roadwarrior" with
> prio 10+2
> 2015-04-18 21:40:28 10[CFG]  found matching child config
> "roadwarrior" with prio 12
> 2015-04-18 21:40:28 10[CFG]  selecting proposal:
> 2015-04-18 21:40:28 10[CFG]no acceptable
> ENCRYPTION_ALGORITHM found
> 2015-04-18 21:40:28 10[CFG]  selecting proposal:
> 2015-04-18 21:40:28 10[CFG]no acceptable
> INTEGRITY_ALGORITHM found
> 2015-04-18 21:40:28 10[CFG]  selecting proposal:
> 2015-04-18 21:40:28 10[CFG]no acceptable
> ENCRYPTION_ALGORITHM found
> 2015-04-18 21:40:28 10[CFG]  selecting proposal:
> 2015-04-18 21:40:28 10[CFG]proposal matches
> 2015-04-18 21:40:28 10[CFG]  received proposals:
> ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ,
> ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ,
> ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ
> @
> 2015-04-18 21:40:28 10[CFG]  selected proposal:
> ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> 2015-04-18 21:40:28 10[KNL]  got SPI cff90361
> *2015-04-18 21:40:28 10[CFG]  selecting traffic selectors
> for us:*
> *2015-04-18 21:40:28 10[CFG]   config: 0.0.0.0/0
> , received: 0.0.0.0/0  => match:
> 0.0.0.0/0 *
> *2015-04-18 21:40:28 10[CFG]   config: 0.0.0.0/0
> , received: ::/0 => no match*
> *2015-04-18 21:40:28 10[CFG]  selecting traffic selectors
> for other:*
> *2015-04-18 21:40:28 10[CFG]   config: 192.168.55.1/32
> , received: 0.0.0.0/0  => match:
> 192.168.55.1/32 *
> *2015-04-18 21:40:28 10[CFG]   config: 192.168.55.1/32
> , received: ::/0 => no match*
> 2015-04-18 21:40:28 10[KNL]  adding SAD entry with SPI
> cff90361 and reqid {1}  (mark 0/0x)
> 2015-04-18 21:40:28 10[KNL]using encryption algorithm
> AES_
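An added illustration (not code from the thread, nor from strongSwan or Cisco) of why the [47/%any] suffix in John's fix mattered: it parses the ipsec.conf subnet syntax and the IOS "ident (addr/mask/prot/port)" line into the same (network, protocol, port) tuple and compares them as proxy IDs that must match exactly. The exact-match rule is an assumption modelled on what the thread reports, not on IOS documentation; the sample ident line and the 10.2.0.96 address are taken from the thread, and the protocol/port names are the standard IANA numbers.

```python
import ipaddress
import re

# Names ipsec.conf accepts in the [proto/port] suffix, as standard IANA numbers
PROTO_NAMES = {"gre": 47, "udp": 17, "tcp": 6, "esp": 50}
PORT_NAMES = {"l2tp": 1701}
ANY = 0  # ipsec.conf "%any" and the IOS ident value 0 both mean "any"

def parse_strongswan_subnet(spec, dynamic_addr):
    """Parse a left/rightsubnet value such as '%dynamic[47/%any]' or '%dynamic[udp/l2tp]'
    into (network, proto, port); %dynamic becomes the host's own /32 (assumption)."""
    m = re.fullmatch(r"([^\[]+)(?:\[([^/\]]+)(?:/([^\]]+))?\])?", spec.strip())
    if not m:
        raise ValueError("unparseable subnet spec: " + spec)
    addr, proto, port = m.groups()
    if addr == "%dynamic":
        addr = dynamic_addr + "/32"
    net = ipaddress.ip_network(addr, strict=False)
    proto = ANY if proto in (None, "%any") else PROTO_NAMES.get(proto) or int(proto)
    port = ANY if port in (None, "%any") else PORT_NAMES.get(port) or int(port)
    return net, proto, port

def parse_cisco_ident(line):
    """Parse the (addr/mask/prot/port) tuple from an IOS 'show crypto ipsec sa' ident line."""
    m = re.search(r"\((\d+(?:\.\d+){3})/(\d+(?:\.\d+){3})/(\d+)/(\d+)\)", line)
    if not m:
        raise ValueError("no ident tuple in line: " + line)
    net = ipaddress.ip_network(m.group(1) + "/" + m.group(2), strict=False)
    return net, int(m.group(3)), int(m.group(4))

def check_phase2(swan_spec, dynamic_addr, cisco_ident_line):
    """Return (ok, reason). Proxy IDs must match exactly, with no narrowing of address,
    protocol or port: an assumption modelled on what the thread reports, not IOS docs."""
    s_net, s_proto, s_port = parse_strongswan_subnet(swan_spec, dynamic_addr)
    c_net, c_proto, c_port = parse_cisco_ident(cisco_ident_line)
    if s_net != c_net:
        return False, "address mismatch: strongSwan %s vs IOS %s" % (s_net, c_net)
    if s_proto != c_proto:
        return False, "protocol mismatch: strongSwan %d vs IOS %d" % (s_proto, c_proto)
    if s_port != c_port:
        return False, "port mismatch: strongSwan %d vs IOS %d" % (s_port, c_port)
    return True, "proxy IDs agree: %s proto %d port %d" % (c_net, c_proto, c_port)

if __name__ == "__main__":
    # Constructed sample: the remote ident line from the thread, as IOS prints it
    ident = "   remote ident (addr/mask/prot/port): (10.2.0.96/255.255.255.255/47/0)"
    for spec in ("%dynamic", "%dynamic[47/%any]", "%dynamic[gre/%any]"):
        print(spec, "->", check_phase2(spec, "10.2.0.96", ident))
```

With plain %dynamic the strongSwan side proposes protocol "any" (0) against the IOS entry's 47, which is the mismatch the thread describes; adding [47/%any] (or [gre/%any]) makes both tuples identical.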

Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

2015-04-20 Thread Noel Kuntze

Hello Stephen,

Your original configuration looks like l2tp/IPsec.
Your configuration was correct for that purpose.
Where this is going right now, is a general roadwarrior configuration for IKEv1.
Please check what is actually configured on the IOS device, so
we can solve this quickly.

Kind regards,
Noel Kuntze

Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 20.04.2015 at 11:01, Stephen Feyrer wrote:
> Hi Miroslav,
> 
> Thank you.
> 
> We've made progress.  I haven't included any of the log file as it is 
> very verbose (24488 lines - for ipsec up, statusall, down).  Please let me 
> know which sections to look at and I'll grab those.
> 
> As you can see below, the transaction request seems to be very laboured 
> but does result in a success statement.  Following that I have tried to test 
> with openl2tp to create the l2tp ppp tunnel.  Openl2tp seems to create this 
> tunnel but ifconfig does not show any ppp interfaces.
> 
> The lines in the conn left/rightprotoport do not seem to affect the outcome 
> whether included or not.  The charondebug line when uncommented prevents any 
> output and I suspect that the syntax is wrong there.
> 
> 
> 
> code:
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> 
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>         #charondebug="ike 3, cfg 3, app 3, chd 3, dmn 3, net 3"
> 
> conn VPN-OFFICE-COM
>         keyexchange=ikev1
>         type=tunnel
>         authby=secret
>         ike=3des-sha1-modp1024
>         rekey=no
>         left=%any
>         leftsourceip=%config
>         #   leftprotoport=udp/l2tp
>         right=vpn.office.com
>         #   rightprotoport=udp/l2tp
>         rightid=17.11.7.5
>         rightsubnet=0.0.0.0/0
>         auto=add
> 
> 
> # ipsec up VPN-OFFICE-COM
> initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
> received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
> parsed ID_PROT response 0 [ SA V V ]
> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> received FRAGMENTATION vendor ID
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
> received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> received Cisco Unity vendor ID
> received XAuth vendor ID
> received unknown vendor ID: [HIDDEN]
> received unknown vendor ID: [HIDDEN]
> local host is behind NAT, sending keep alives
> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> parsed ID_PROT response 0 [ ID HASH V ]
> received DPD vendor ID
> IKE_SA VPN-OFFICE-COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
> generating TRANSACTION request [HIDDEN] [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> sending retransmit 1 of request message ID [HIDDEN], seq 4
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> sending retransmit 2 of request message ID [HIDDEN], seq 4
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> sending retransmit 3 of request message ID [HIDDEN], seq 4
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
> sending keep alive to 17.11.7.5[4500]
> sending retransmit 4 of request message ID [HIDDEN], seq 4
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]
> received DELETE for IKE_SA VPN-OFFICE-COM[1]
> deleting IKE_SA VPN-OFFICE-COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
> initiating Main Mode IKE_SA VPN-OFFICE-COM[2] to 17.11.7.5
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
> connection 'VPN-OFFICE-COM' established successfully
> 
> 
> # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.16.5-gentoo, x86_64):
> uptime: 112 seconds, since Apr 20 09:23:17 2015
> malloc: sbrk [HIDDEN], mmap 0, used [HIDDEN], free [HIDDEN]
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
> loaded plugins: charon ldap mysql sqlite aes des rc2 sha1 sha2 

Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

2015-04-20 Thread Stephen Feyrer

Hi Miroslav,

Thank you.

We've made progress.  I haven't included any of the log file as it is
very verbose (24488 lines - for ipsec up, statusall, down).  Please let me
know which sections to look at and I'll grab those.


As you can see below, the transaction request seems to be very
laboured but does result in a success statement.  Following that I have
tried to test with openl2tp to create the l2tp ppp tunnel.  Openl2tp seems
to create this tunnel but ifconfig does not show any ppp interfaces.


The lines in the conn left/rightprotoport do not seem to affect the
outcome whether included or not.  The charondebug line when uncommented
prevents any output and I suspect that the syntax is wrong there.




code:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        #charondebug="ike 3, cfg 3, app 3, chd 3, dmn 3, net 3"

conn VPN-OFFICE-COM
        keyexchange=ikev1
        type=tunnel
        authby=secret
        ike=3des-sha1-modp1024
        rekey=no
        left=%any
        leftsourceip=%config
        #   leftprotoport=udp/l2tp
        right=vpn.office.com
        #   rightprotoport=udp/l2tp
        rightid=17.11.7.5
        rightsubnet=0.0.0.0/0
        auto=add


# ipsec up VPN-OFFICE-COM
initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [HIDDEN]
received unknown vendor ID: [HIDDEN]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN-OFFICE-COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating TRANSACTION request [HIDDEN] [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
sending retransmit 1 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
sending retransmit 2 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
sending retransmit 3 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
sending keep alive to 17.11.7.5[4500]
sending retransmit 4 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]
received DELETE for IKE_SA VPN-OFFICE-COM[1]
deleting IKE_SA VPN-OFFICE-COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
initiating Main Mode IKE_SA VPN-OFFICE-COM[2] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
connection 'VPN-OFFICE-COM' established successfully


# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.16.5-gentoo, x86_64):
uptime: 112 seconds, since Apr 20 09:23:17 2015
malloc: sbrk [HIDDEN], mmap 0, used [HIDDEN], free [HIDDEN]
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon ldap mysql sqlite aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default socket-dynamic farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap xauth-pam dhcp lookip led unity
Listening IP addresses:
1.2.3.4
Connections:
VPN-OFFICE-COM: %any...vpn.office.com IKEv1
VPN-OFFICE-COM: local: [1.2.3.4] uses pre-shared key authentication
VPN-OFFICE-COM: remote: [17.11.7.5] uses pre-shared key authentication
VPN-OFFICE-COM: child: dyn