[strongSwan] Fwd: Possibility to remove some vendor ID payload in MM IKEv1?

2017-11-28 Thread
-- Forwarded message --
From: 曹昊阳 <caohaoy...@gmail.com>
Date: 2017-11-28 10:49 GMT+08:00
Subject: Possibility to remove some vendor ID payload in MM IKEv1?
To: users-requ...@lists.strongswan.org


Hi,

There is a request to have the IPsec client remove some payloads like:
XAUTH
DPD
Cisco Fragmentation
NAT-T

I found they currently cannot be removed by disabling any configuration.
Could you help add a configurable option to make this possible?
Thanks

-- 
Best Regards,

Alex CAO
Asia Pacific Enterprise Engineering & Development Center
Shanghai Bell Alcatel Business Systems Co., Ltd.
7C1,Yindong Building,No.58 New Jinqiao Road,Pudong,Shanghai 201206,P.R.China
Tel:  (86 21) 50554522 Ext.4407
Fax: (86 21) 50307349
Mobile: 13651763412
E-mail:alex.a@alcatel-lucent.com,caohaoy...@gmail.com


[strongSwan] IKEv1 reauth problem is met when working with Aruba controller

2017-11-15 Thread
Hi,

I tried to make strongSwan work in road warrior mode with the VPN server
integrated in an Aruba controller. The tunnel is established successfully and
the communication is OK, but I found the tunnel is shut down after IKE
re-authentication.
After some study, I found that after msg MM6 strongSwan is waiting for the
TRANSACTION for the XAUTH request and Aruba never sends it; after the timeout
strongSwan re-launches an IKE MM, but Aruba does not answer that either.

From strongSwan's log, it shows:
Nov  9 15:29:39 localhost charon: 07[IKE] reauthenticating IKE_SA str1[1]
Nov  9 15:29:39 localhost charon: 07[IKE] installing new virtual IP 99.99.99.91
Nov  9 15:29:39 localhost charon: 07[IKE] initiating Main Mode IKE_SA str1[3] to 10.4.30.200
Nov  9 15:29:39 localhost charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov  9 15:29:39 localhost charon: 07[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (240 bytes)
Nov  9 15:29:39 localhost charon: 05[NET] received packet: from 10.4.30.200[500] to 30.1.1.22[500] (200 bytes)
Nov  9 15:29:39 localhost charon: 05[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
Nov  9 15:29:39 localhost charon: 05[IKE] received FRAGMENTATION vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received DPD vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received XAuth vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received Cisco Unity vendor ID
Nov  9 15:29:39 localhost charon: 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Nov  9 15:29:39 localhost charon: 05[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (372 bytes)
Nov  9 15:29:39 localhost charon: 09[NET] received packet: from 10.4.30.200[500] to 30.1.1.22[500] (372 bytes)
Nov  9 15:29:39 localhost charon: 09[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Nov  9 15:29:39 localhost charon: 09[ENC] generating ID_PROT request 0 [ ID HASH ]
Nov  9 15:29:39 localhost charon: 09[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (76 bytes)
Nov  9 15:29:39 localhost charon: 10[NET] received packet: from 10.4.30.200[500] to 30.1.1.22[500] (76 bytes)
Nov  9 15:29:39 localhost charon: 10[ENC] parsed ID_PROT response 0 [ ID HASH ]
Nov  9 15:30:09 localhost charon: 13[JOB] peer did not initiate expected exchange, reestablishing IKE_SA
Nov  9 15:30:09 localhost charon: 13[IKE] reinitiating IKE_SA str1[3]
Nov  9 15:30:09 localhost charon: 13[IKE] initiating Main Mode IKE_SA str1[3] to 10.4.30.200
Nov  9 15:30:09 localhost charon: 13[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov  9 15:30:09 localhost charon: 13[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (240 bytes)

I checked this with Aruba support and their answer is that the reauth for
XAUTH is not necessary and they only accept the reauthentication when msg
MM5 includes INITIAL-CONTACT, which I think is not a correct solution
because it will result in a new virtual IP address being assigned to my VPN client.

I searched Google and it seems there are some VPN clients, like the one in
iOS/macOS, that work well with the Aruba solution and do not mandatorily ask
for XAUTH authentication when doing IKE reauthentication, and I fully
understand that strongSwan insists on redoing the authentication because of
security considerations.
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients

My request is whether it is possible for strongSwan to provide a
configurable option to allow skipping XAUTH authentication during IKE
reauthentication?

Thanks in advance.

-- 
Best Regards,

Haoyang CAO