Re: [strongSwan] Cisco brings up the tunnel, but Linux not --- AH only
Hi,
if you observe AH packets this means that ESP is used for encryption
only (without optional ESP MAC) and authentication is done on top of ESP
via AH. You can achieve the same with strongSwan as an initiator if
you set
auth=ah
Best regards
Andreas
On 05/17/2011 05:31 PM, Zoltan wrote:
Hi Everyone,
The IPSEC traffic works fine between my strongSwan gateway
(and my clients) and the Cisco gateway/clients on the other side.
However, I cannot fully initiate it. It stops:
002 vtest #1: initiating Main Mode
104 vtest #1: STATE_MAIN_I1: initiate
106 vtest #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 vtest #1: ignoring Vendor ID payload [Cisco-Unity]
003 vtest #1: received Vendor ID payload [Dead Peer Detection]
003 vtest #1: ignoring Vendor ID payload [b1d915cbf5b7575752babd9fbc1f897a]
003 vtest #1: received Vendor ID payload [XAUTH]
108 vtest #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 vtest #1: Peer ID is ID_IPV4_ADDR: 'XXXa.b.c.dXXX'
002 vtest #1: ISAKMP SA established
004 vtest #1: STATE_MAIN_I4: ISAKMP SA established
002 vtest #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
112 vtest #2: STATE_QUICK_I1: initiate
010 vtest #2: STATE_QUICK_I1: retransmission; will wait 20s for response
...
010 vtest #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 vtest #2: max number of retransmissions (2) reached STATE_QUICK_I1. No
acceptable response to our first Quick Mode message: perhaps peer likes no
proposal
000 vtest #2: starting keying attempt 2 of at most 3, but releasing whack
===
My config works fine, if the otherside Cisco gateway (or its clients)
initiate the traffic. My ipsec.conf is very simple (No NAT).
What is strange for me is that on a router of our company I see
only AH packets, but no ESP, when the tunnel works fine.
(after some UDP 500 IKE traffic of course).
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# plutodebug=all
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
# nat_traversal=yes
charonstart=yes
plutostart=yes
charondebug=all
##plutodebug=controlmore natt parsing private
plutodebug=all
conn vtest
auto=add
keyexchange=ikev1
authby=psk
##auth=ah
#
left=M.N.O.125
leftsubnet=M.N.O.96/27
#
right=XXXa.b.c.dXXX
rightsubnet=10.14.140.0/24
#
ike=3des-md5-modp1024!
esp=3des-md5!
ikelifetime=86400
pfs=no
Can you help me to understand what happens?
(Omitting the strict !s from the config doesn't help.)
Regards
Zoltan
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Cisco brings up the tunnel, but Linux not --- AH only
Hi Andreas,
Thank you for your answer. I switched on
auth=ah
and I see the AUTHENTICATE difference in the output:
initiating Quick Mode PSK+ENCRYPT+AUTHENTICATE+TUNNEL+UP,
but alas, it didn't help. Actually, I don't see any
change in the result (auth.log)
NO_PROPOSAL_CHOSEN
perhaps peer likes no proposal.
When the Cisco sets up the tunnel, it works fine.
My 'ipsec statusall shows something similar:
000 vtest: ...96/27===...125 ...249===10.44.206.0/24; erouted; eroute owner:
#2
000 vtest: ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 vtest: policy: PSK+ENCRYPT+AUTHENTICATE+TUNNEL; prio: 27,24; interface:
br1:125;
000 vtest: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 vtest: IKE proposal: 3DES_CBC/HMAC_MD5/MODP_1024
000 vtest: ESP/AH proposal: 3DES_CBC/HMAC_MD5/N/A
000 #2: vtest STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 3191s; newest IPSEC; eroute owner
000 #2: vtest ah.4b39583@6...249 ah.3cb41d94@1125 esp.4c8152ef@...249
(713 bytes, 133s ago) esp.f0adaa0a@...125 (764 bytes, 132s ago); tunnel
000 #1: vtest STATE_MAIN_R3 (sent MR3, ISAKMP SA established)
Maybe this asymmetric working comes from some unusual
setting of the Cisco, and I won't be able to eliminate it
without their cooperation.
So, thank you again for your help!
Zoltan
=
Andreas Steffen andreas.stef...@strongswan.org, wrote:
Hi,
if you observe AH packets this means that ESP is used for encryption
only (without optional ESP MAC) and authentication is done on top of ESP
via AH. You can achieve the same with strongSwan as an initiator if
you set
auth=ah
Best regards
Andreas
On 05/17/2011 05:31 PM, Zoltan wrote:
Hi Everyone,
The IPSEC traffic works fine between my strongSwan gateway
(and my clients) and the Cisco gateway/clients on the other side.
However, I cannot fully initiate it. It stops:
002 vtest #1: initiating Main Mode
104 vtest #1: STATE_MAIN_I1: initiate
106 vtest #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 vtest #1: ignoring Vendor ID payload [Cisco-Unity]
003 vtest #1: received Vendor ID payload [Dead Peer Detection]
003 vtest #1: ignoring Vendor ID payload [b1d915cbf5b7575752babd9fbc1f897a]
003 vtest #1: received Vendor ID payload [XAUTH]
108 vtest #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 vtest #1: Peer ID is ID_IPV4_ADDR: 'XXXa.b.c.dXXX'
002 vtest #1: ISAKMP SA established
004 vtest #1: STATE_MAIN_I4: ISAKMP SA established
002 vtest #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
112 vtest #2: STATE_QUICK_I1: initiate
010 vtest #2: STATE_QUICK_I1: retransmission; will wait 20s for response
...
010 vtest #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 vtest #2: max number of retransmissions (2) reached STATE_QUICK_I1. No
acceptable response to our first Quick Mode message: perhaps peer likes no
proposal
000 vtest #2: starting keying attempt 2 of at most 3, but releasing whack
===
My config works fine, if the otherside Cisco gateway (or its clients)
initiate the traffic. My ipsec.conf is very simple (No NAT).
What is strange for me is that on a router of our company I see
only AH packets, but no ESP, when the tunnel works fine.
(after some UDP 500 IKE traffic of course).
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# plutodebug=all
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
# nat_traversal=yes
charonstart=yes
plutostart=yes
charondebug=all
##plutodebug=controlmore natt parsing private
plutodebug=all
conn vtest
auto=add
keyexchange=ikev1
authby=psk
##auth=ah
#
left=M.N.O.125
leftsubnet=M.N.O.96/27
#
right=XXXa.b.c.dXXX
rightsubnet=10.14.140.0/24
#
ike=3des-md5-modp1024!
esp=3des-md5!
ikelifetime=86400
pfs=no
Can you help me to understand what happens?
(Omitting the strict !s from the config doesn't help.)
Regards
Zoltan
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Cisco brings up the tunnel, but Linux not --- AH only
Hmmm,
000 vtest: ESP/AH proposal: 3DES_CBC/HMAC_MD5/N/A
I see that this is a configuration problem with the
rarely used AH option, dating back to Free/SWAN times.
As far as I remember strongSwan always proposes SHA-1
irrespective of the HMAC algorithm you define. In
your case, although you specify
auth=ah
esp=3des-md5
in ipsec.conf, esp=3des-sha1 will be proposed via IKE.
Regards
Andreas
On 05/18/2011 12:56 PM, Zoltan wrote:
Hi Andreas,
Thank you for your answer. I switched on
auth=ah
and I see the AUTHENTICATE difference in the output:
initiating Quick Mode PSK+ENCRYPT+AUTHENTICATE+TUNNEL+UP,
but alas, it didn't help. Actually, I don't see any
change in the result (auth.log)
NO_PROPOSAL_CHOSEN
perhaps peer likes no proposal.
When the Cisco sets up the tunnel, it works fine.
My 'ipsec statusall shows something similar:
000 vtest: ...96/27===...125 ...249===10.44.206.0/24; erouted; eroute
owner: #2
000 vtest: ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 vtest: policy: PSK+ENCRYPT+AUTHENTICATE+TUNNEL; prio: 27,24;
interface: br1:125;
000 vtest: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 vtest: IKE proposal: 3DES_CBC/HMAC_MD5/MODP_1024
000 vtest: ESP/AH proposal: 3DES_CBC/HMAC_MD5/N/A
000 #2: vtest STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 3191s; newest IPSEC; eroute owner
000 #2: vtest ah.4b39583@6...249 ah.3cb41d94@1125 esp.4c8152ef@...249
(713 bytes, 133s ago) esp.f0adaa0a@...125 (764 bytes, 132s ago); tunnel
000 #1: vtest STATE_MAIN_R3 (sent MR3, ISAKMP SA established)
Maybe this asymmetric working comes from some unusual
setting of the Cisco, and I won't be able to eliminate it
without their cooperation.
So, thank you again for your help!
Zoltan
=
Andreas Steffenandreas.stef...@strongswan.org, wrote:
Hi,
if you observe AH packets this means that ESP is used for encryption
only (without optional ESP MAC) and authentication is done on top of ESP
via AH. You can achieve the same with strongSwan as an initiator if
you set
auth=ah
Best regards
Andreas
On 05/17/2011 05:31 PM, Zoltan wrote:
Hi Everyone,
The IPSEC traffic works fine between my strongSwan gateway
(and my clients) and the Cisco gateway/clients on the other side.
However, I cannot fully initiate it. It stops:
002 vtest #1: initiating Main Mode
104 vtest #1: STATE_MAIN_I1: initiate
106 vtest #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 vtest #1: ignoring Vendor ID payload [Cisco-Unity]
003 vtest #1: received Vendor ID payload [Dead Peer Detection]
003 vtest #1: ignoring Vendor ID payload [b1d915cbf5b7575752babd9fbc1f897a]
003 vtest #1: received Vendor ID payload [XAUTH]
108 vtest #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 vtest #1: Peer ID is ID_IPV4_ADDR: 'XXXa.b.c.dXXX'
002 vtest #1: ISAKMP SA established
004 vtest #1: STATE_MAIN_I4: ISAKMP SA established
002 vtest #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
112 vtest #2: STATE_QUICK_I1: initiate
010 vtest #2: STATE_QUICK_I1: retransmission; will wait 20s for response
...
010 vtest #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 vtest #2: max number of retransmissions (2) reached STATE_QUICK_I1.
No acceptable response to our first Quick Mode message: perhaps peer likes
no proposal
000 vtest #2: starting keying attempt 2 of at most 3, but releasing whack
===
My config works fine, if the otherside Cisco gateway (or its clients)
initiate the traffic. My ipsec.conf is very simple (No NAT).
What is strange for me is that on a router of our company I see
only AH packets, but no ESP, when the tunnel works fine.
(after some UDP 500 IKE traffic of course).
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# plutodebug=all
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
# nat_traversal=yes
charonstart=yes
plutostart=yes
charondebug=all
##plutodebug=controlmore natt parsing private
plutodebug=all
conn vtest
auto=add
keyexchange=ikev1
authby=psk
##auth=ah
#
left=M.N.O.125
leftsubnet=M.N.O.96/27
#
right=XXXa.b.c.dXXX
rightsubnet=10.14.140.0/24
#
ike=3des-md5-modp1024!
esp=3des-md5!
ikelifetime=86400
pfs=no
Can you help me to understand what happens?
(Omitting the strict !s from the config doesn't help.)
Regards
Zoltan
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org
Institute for Internet Technologies and Applications
