Re: [strongSwan] IKE_SA_INIT response with notification data missing
Thanks Andreas, will take a look at it. Is there any reason why the UDP checksum in the packet shows as wrong in Wireshark?

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Monday, April 16, 2018 5:04 AM
To: Balaji Thoguluva Bapulal <balaji.thoguluva.bapu...@oracle.com>; users@lists.strongswan.org
Subject: Re: [strongSwan] IKE_SA_INIT response with notification data missing

Hi Balaji,

RFC 4739 "Multiple Authentication Exchanges in IKEv2"

  https://tools.ietf.org/html/rfc4739#section-3.1

defines the format of the MULTIPLE_AUTH_SUPPORTED Notify Payload as

  3.1. MULTIPLE_AUTH_SUPPORTED Notify Payload

  The MULTIPLE_AUTH_SUPPORTED notification is included in the IKE_SA_INIT
  response or the first IKE_AUTH request to indicate that the peer
  supports this specification. The Notify Message Type is
  MULTIPLE_AUTH_SUPPORTED (16404). The Protocol ID and SPI Size fields
  MUST be set to zero, and there is no data associated with this Notify
  type.

So I don't understand why you expect notification data?

Regards

Andreas

On 15.04.2018 04:42, Balaji Thoguluva Bapulal wrote:
> Dear users,
>
> I am trying to establish an IKEv2/IPsec tunnel from a security gateway
> towards strongswan with strongswan acting as a responder. In response
> to the IKE_SA_INIT request packet, strongswan sends back an IKE_SA_INIT
> response with a Notify payload of MULTIPLE_AUTH_SUPPORTED with
> notification data missing. I have attached the wireshark. It would be
> great if someone can explain this behavior.
>
> [IKEv2]$ ipsec --version
> Linux strongSwan U5.3.0/K3.8.13-16.2.1.el6uek.x86_64
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
>
> The following is the configuration.
>
> config setup
> charondebug=all
>
> conn %default
> keyingtries=1
> keyexchange=ikev2
> reauth=no
>
> conn psk
> left=172.16.55.62
> leftsourceip=%config%
> leftfirewall=no
> leftauth=psk
> leftsubnet=172.16.0.0/16
> right=172.16.135.192
> rightid=172.16.135.192
> rightsubnet=172.16.0.0/16
> rightauth=psk
> esp=3des-aes-sha1-md5-modp1024
> ike=3des-sha1-md5-modp1024
> auto=add
> type=tunnel
>
> Thanks,
> Balaji

--
==========================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
Re: [strongSwan] IKE_SA_INIT response with notification data missing
Also the UDP checksum in the IKE_SA_INIT response shows as incorrect in Wireshark.

From: Balaji Thoguluva Bapulal
Sent: Saturday, April 14, 2018 10:42 PM
To: users@lists.strongswan.org
Subject: IKE_SA_INIT response with notification data missing

Dear users,

I am trying to establish an IKEv2/IPsec tunnel from a security gateway towards strongswan with strongswan acting as a responder. In response to the IKE_SA_INIT request packet, strongswan sends back an IKE_SA_INIT response with a Notify payload of MULTIPLE_AUTH_SUPPORTED with notification data missing. I have attached the wireshark. It would be great if someone can explain this behavior.

[IKEv2]$ ipsec --version
Linux strongSwan U5.3.0/K3.8.13-16.2.1.el6uek.x86_64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

The following is the configuration.

config setup
charondebug=all

conn %default
keyingtries=1
keyexchange=ikev2
reauth=no

conn psk
left=172.16.55.62
leftsourceip=%config%
leftfirewall=no
leftauth=psk
leftsubnet=172.16.0.0/16
right=172.16.135.192
rightid=172.16.135.192
rightsubnet=172.16.0.0/16
rightauth=psk
esp=3des-aes-sha1-md5-modp1024
ike=3des-sha1-md5-modp1024
auto=add
type=tunnel

Thanks,
Balaji
Re: [strongSwan] Strongswan as responder only
Hi Noel,

# ipsec --version
Linux strongSwan U5.0.2/K2.6.32-279.14.1.el6.x86_64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

Thanks,
Balaji

-----Original Message-----
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
Sent: Tuesday, September 05, 2017 12:43 PM
To: Balaji Thoguluva Bapulal <balaji.thoguluva.bapu...@oracle.com>; users@lists.strongswan.org
Subject: Re: [strongSwan] Strongswan as responder only

Hi,

That is very weird. Where did you get strongSwan from and what distribution is that?

Kind regards

Noel

On 05.09.2017 18:23, Balaji Thoguluva Bapulal wrote:
> Hi Noel,
>
> Thanks for the quick response. I will ensure md5 and modp1024 are not used.
>
> The peer (Security Gateway) is sending the first IKE_SA_INIT message, which does
> not have a TSi payload, to the strongswan. Typically an IKE_SA_INIT message does
> not have a TSi payload. Not sure why strongswan is reporting an error about the TSi
> payload for the received IKE_SA_INIT message. It is expected that strongswan
> sends back an IKE_SA_INIT response which also will not have a TSi payload. Not sure
> why strongswan is reporting about the TSi payload.
>
> Attached is the wireshark of the message sent to the strongswan.
>
> Thanks,
> Balaji
>
> -----Original Message-----
> From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
> Sent: Tuesday, September 05, 2017 2:48 AM
> To: Balaji Thoguluva Bapulal <balaji.thoguluva.bapu...@oracle.com>;
> users@lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan as responder only
>
> Hi,
>
> The problem has nothing to do with initiator or responder only configuration.
> 0% correlation or causality.
>
> TSi needs to be encrypted. This is a bug or deliberate defect in the other
> peer's software and needs to be patched by them.
> md5 is broken, as is modp1024. Don't use them.
>
> Kind regards
>
> Noel
>
> On 05.09.2017 06:36, Balaji Thoguluva Bapulal wrote:
>> Hello Strongswan users,
>>
>> I have a basic question on how to enable a particular strongswan
>> connection as responder only. Basically another peer (security gateway) will
>> try to establish an IKE/IPsec connection towards strongswan in responder
>> mode. I tried the following configuration and strongswan seems to report
>> an error.
>>
>> config setup
>> charondebug=all
>>
>> conn %default
>> keyingtries=1
>> keyexchange=ikev2
>> reauth=no
>>
>> conn peering
>> left=172.16.20.51
>> leftfirewall=no
>> leftauth=psk
>> right=172.16.20.2
>> rightauth=psk
>> *auto=add*
>> esp=aes-sha1-modp1024
>> ike=aes-sha1-md5-modp1024
>> type=tunnel
>> rekey=yes
>>
>> /var/log/messages shows
>>
>> Sep 5 00:21:06 acme95 charon-custom: 00[JOB] spawning 16 worker threads
>> Sep 5 00:21:06 acme95 charon-custom: 09[CFG] received stroke: add connection 'peering'
>> Sep 5 00:21:06 acme95 charon-custom: 09[CFG] added configuration 'peering'
>> *Sep 5 00:21:36 acme95 charon-custom: 10[NET] received packet: from 172.16.20.51[500] to 172.16.20.2[500] (420 bytes)*
>> *Sep 5 00:21:36 acme95 charon-custom: 10[ENC] payload type TRAFFIC_SELECTOR_INITIATOR was not encrypted*
>> *Sep 5 00:21:36 acme95 charon-custom: 10[ENC] could not decrypt payloads*
>> *Sep 5 00:21:36 acme95 charon-custom: 10[IKE] integrity check failed*
>> *Sep 5 00:21:36 acme95 charon-custom: 10[IKE] IKE_SA_INIT request with message ID 0 processing failed*
>>
>> Also I attempted to enable debug logging, but I do not see any more details
>> beyond the above details.
>>
>> Thanks,
>> Balaji
>
Re: [strongSwan] Strongswan as responder only
Hi Noel,

Thanks for the quick response. I will ensure md5 and modp1024 are not used.

The peer (Security Gateway) is sending the first IKE_SA_INIT message, which does not have a TSi payload, to the strongswan. Typically an IKE_SA_INIT message does not have a TSi payload. Not sure why strongswan is reporting an error about the TSi payload for the received IKE_SA_INIT message. It is expected that strongswan sends back an IKE_SA_INIT response which also will not have a TSi payload. Not sure why strongswan is reporting about the TSi payload.

Attached is the wireshark of the message sent to the strongswan.

Thanks,
Balaji

-----Original Message-----
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
Sent: Tuesday, September 05, 2017 2:48 AM
To: Balaji Thoguluva Bapulal <balaji.thoguluva.bapu...@oracle.com>; users@lists.strongswan.org
Subject: Re: [strongSwan] Strongswan as responder only

Hi,

The problem has nothing to do with initiator or responder only configuration. 0% correlation or causality.

TSi needs to be encrypted. This is a bug or deliberate defect in the other peer's software and needs to be patched by them.
md5 is broken, as is modp1024. Don't use them.

Kind regards

Noel

On 05.09.2017 06:36, Balaji Thoguluva Bapulal wrote:
> Hello Strongswan users,
>
> I have a basic question on how to enable a particular strongswan
> connection as responder only. Basically another peer (security gateway) will
> try to establish an IKE/IPsec connection towards strongswan in responder mode.
> I tried the following configuration and strongswan seems to report an error.
>
> config setup
> charondebug=all
>
> conn %default
> keyingtries=1
> keyexchange=ikev2
> reauth=no
>
> conn peering
> left=172.16.20.51
> leftfirewall=no
> leftauth=psk
> right=172.16.20.2
> rightauth=psk
> *auto=add*
> esp=aes-sha1-modp1024
> ike=aes-sha1-md5-modp1024
> type=tunnel
> rekey=yes
>
> /var/log/messages shows
>
> Sep 5 00:21:06 acme95 charon-custom: 00[JOB] spawning 16 worker threads
> Sep 5 00:21:06 acme95 charon-custom: 09[CFG] received stroke: add connection 'peering'
> Sep 5 00:21:06 acme95 charon-custom: 09[CFG] added configuration 'peering'
> *Sep 5 00:21:36 acme95 charon-custom: 10[NET] received packet: from 172.16.20.51[500] to 172.16.20.2[500] (420 bytes)*
> *Sep 5 00:21:36 acme95 charon-custom: 10[ENC] payload type TRAFFIC_SELECTOR_INITIATOR was not encrypted*
> *Sep 5 00:21:36 acme95 charon-custom: 10[ENC] could not decrypt payloads*
> *Sep 5 00:21:36 acme95 charon-custom: 10[IKE] integrity check failed*
> *Sep 5 00:21:36 acme95 charon-custom: 10[IKE] IKE_SA_INIT request with message ID 0 processing failed*
>
> Also I attempted to enable debug logging, but I do not see any more details
> beyond the above details.
>
> Thanks,
> Balaji
[strongSwan] Strongswan as responder only
Hello Strongswan users,

I have a basic question on how to enable a particular strongswan connection as responder only. Basically another peer (security gateway) will try to establish an IKE/IPsec connection towards strongswan in responder mode. I tried the following configuration and strongswan seems to report an error.

config setup
charondebug=all

conn %default
keyingtries=1
keyexchange=ikev2
reauth=no

conn peering
left=172.16.20.51
leftfirewall=no
leftauth=psk
right=172.16.20.2
rightauth=psk
auto=add
esp=aes-sha1-modp1024
ike=aes-sha1-md5-modp1024
type=tunnel
rekey=yes

/var/log/messages shows

Sep 5 00:21:06 acme95 charon-custom: 00[JOB] spawning 16 worker threads
Sep 5 00:21:06 acme95 charon-custom: 09[CFG] received stroke: add connection 'peering'
Sep 5 00:21:06 acme95 charon-custom: 09[CFG] added configuration 'peering'
Sep 5 00:21:36 acme95 charon-custom: 10[NET] received packet: from 172.16.20.51[500] to 172.16.20.2[500] (420 bytes)
Sep 5 00:21:36 acme95 charon-custom: 10[ENC] payload type TRAFFIC_SELECTOR_INITIATOR was not encrypted
Sep 5 00:21:36 acme95 charon-custom: 10[ENC] could not decrypt payloads
Sep 5 00:21:36 acme95 charon-custom: 10[IKE] integrity check failed
Sep 5 00:21:36 acme95 charon-custom: 10[IKE] IKE_SA_INIT request with message ID 0 processing failed

Also I attempted to enable debug logging, but I do not see any more details beyond the above details.

Thanks,
Balaji
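As an added example (not from this thread and not strongSwan's own code), a small Python walk over the cleartext payload chain of an IKE_SA_INIT message that applies both points made in the two threads: a MULTIPLE_AUTH_SUPPORTED Notify (RFC 4739) is valid with Protocol ID zero, SPI Size zero and no data, and a TSi payload outside the SK payload is rejected, which is what charon's "TRAFFIC_SELECTOR_INITIATOR was not encrypted" line reports. Payload type numbers follow RFC 7296; the sample messages and their placeholder SA/KE/Nonce bodies are constructed here.

```python
import struct

# IKEv2 payload type numbers (RFC 7296, section 3.2) used by this check
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE = 0, 33, 34, 40
PAYLOAD_NOTIFY, PAYLOAD_TSI, PAYLOAD_TSR = 41, 44, 45
MULTIPLE_AUTH_SUPPORTED = 16404          # RFC 4739, section 3.1
# Payload types that are only legal inside the SK (encrypted) payload
ENCRYPTED_ONLY = {PAYLOAD_TSI: "TSi", PAYLOAD_TSR: "TSr"}

def parse_payloads(first_type, data):
    """Walk the payload chain; yield (type, body) using each generic header."""
    ptype, off = first_type, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        yield ptype, data[off + 4:off + length]
        ptype, off = next_type, off + length

def check_ike_sa_init(first_type, data):
    """Return findings for the cleartext payloads of an IKE_SA_INIT message."""
    findings = []
    for ptype, body in parse_payloads(first_type, data):
        if ptype in ENCRYPTED_ONLY:
            findings.append(f"payload {ENCRYPTED_ONLY[ptype]} was not encrypted")
        elif ptype == PAYLOAD_NOTIFY:
            proto, spi_size, mtype = struct.unpack_from("!BBH", body, 0)
            if mtype == MULTIPLE_AUTH_SUPPORTED and (
                    proto or spi_size or body[4 + spi_size:]):
                findings.append("MULTIPLE_AUTH_SUPPORTED must carry no data")
    return findings

def build_chain(payloads):
    """Encode [(type, body), ...] as (first_type, bytes) with next-payload links."""
    out = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return (payloads[0][0] if payloads else PAYLOAD_NONE), out

# Constructed samples; SA/KE/Nonce bodies are placeholders, not real proposals
COMMON = [(PAYLOAD_SA, b"\x00" * 8), (PAYLOAD_KE, b"\x00" * 8), (PAYLOAD_NONCE, b"\x11" * 16)]
# Responder's IKE_SA_INIT carrying the bare MULTIPLE_AUTH_SUPPORTED notify (correct)
GOOD_RESPONSE = build_chain(COMMON + [(PAYLOAD_NOTIFY, struct.pack("!BBH", 0, 0, MULTIPLE_AUTH_SUPPORTED))])
# Initiator that sends TSi in the clear, as in the charon log above (rejected)
BAD_REQUEST = build_chain(COMMON + [(PAYLOAD_TSI, b"\x01\x00\x00\x00")])
```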