Hi,

I’m in the process of setting up a Libreswan 3.15 (netkey on 4.1.0-2-amd64) VPN 
server for Mac OS 10.11 clients using PSK and IKEv1 XAUTH with Group Names.
I ran into some strange problems. I hope someone can help me to understand this:

My connection configuration is:

config setup
        protostack=netkey
        oe=off
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,!192.168.10.0/24
        nat_traversal=yes
        nhelpers=0
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
        dumpdir=/tmp/

conn %default
        type=tunnel
        left=192.168.10.11
        authby=secret
        compress=no
        ikelifetime=86400s
        rekeymargin=863s
        keylife=86400s
        keyingtries=%forever
        pfs=no
        dpddelay=60
        dpdtimeout=180

conn xauth-aggr
        rightaddresspool=192.168.12.135-192.168.12.240
        right=%any
        forceencaps=no
        modecfgpull=yes
        modecfgdns1=192.168.12.4
        modecfgdomain=test.svenux.de
        modecfgbanner=Test
        leftsubnet=0.0.0.0/0
        leftid=@Group1
        leftxauthserver=yes
        leftmodecfgserver=yes
        xauthby=file
        ike-frag=yes
        aggrmode=no
        auto=add
        rekey=no
        dpdaction=clear

This connection is working fine, as long as I don’t set a “Group Name” in the 
Mac OS VPN configuration.
As soon as I set the “Group Name” in Mac OS I also have to set aggrmode=yes 
because of:

"initial Aggressive Mode message from 192.168.10.129 but no (wildcard) 
connection has been configured with policy PSK+XAUTH+AGGRESSIVE+IKEV1_ALLOW"

After a connection reload Libreswan crashes as soon as I initiate a VPN 
connection from Mac OS:

Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: 
received Vendor ID payload [FRAGMENTATION 80000000]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: 
received Vendor ID payload [RFC 3947]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: 
received Vendor ID payload [XAUTH]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: 
received Vendor ID payload [Cisco-Unity]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: 
received Vendor ID payload [Dead Peer Detection]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: IKEv1 
Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on 
large scale by TLA's
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[1] 192.168.10.129 #1: 
Aggressive mode peer ID is ID_KEY_ID: '@#0x7376656e7578'
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[1] 192.168.10.129 #1: 
switched from "xauth-aggr"[1] 192.168.10.129 to "xauth-aggr"
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: 
deleting connection "xauth-aggr" instance with peer 192.168.10.129 
{isakmp=#0/ipsec=#0}
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: 
responding to Aggressive Mode, state #1, connection "xauth-aggr" from 
192.168.10.129
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: 
enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: 
transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: 
STATE_AGGR_R1: sent AR1, expecting AI2
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from <invalid>:50695: ASSERTION 
FAILED at /home/sysop/libreswan-3.15/programs/pluto/ikev1_aggr.c:207: 
dh->pcrc_md != NULL
Sep 23 13:44:15 pm-kvm01 systemd[1]: ipsec.service: Main process exited, 
code=killed, status=6/ABRT

Is there anything I forgot to set up or is there something wrong with my ipsec 
configuration?

Any help is greatly appreciated.
Regards

Sven

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
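The pluto log quoted in the post contains two things a practitioner would want to catch automatically: pluto's own warning that a peer proposed IKEv1 Aggressive Mode with a PSK (the HASH payload in that exchange is derived from the PSK and sent unencrypted, which is what makes offline dictionary attacks possible), and an assertion failure that takes the whole ipsec.service down with it. The following is an added example, not code from the original post or from the Libreswan project: a small log checker that parses syslog-style pluto and systemd lines, extracts the peer address, and reports both conditions. The sample lines embedded in it are constructed and modelled on the log excerpt above; nothing here changes or fixes the configuration itself.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the pluto/systemd output quoted in the post.
SAMPLE_LOG = """\
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: received Vendor ID payload [XAUTH]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from <invalid>:50695: ASSERTION FAILED at /home/sysop/libreswan-3.15/programs/pluto/ikev1_aggr.c:207: dh->pcrc_md != NULL
Sep 23 13:44:15 pm-kvm01 systemd[1]: ipsec.service: Main process exited, code=killed, status=6/ABRT
Sep 23 13:50:02 pm-kvm01 pluto[11200]: "xauth-main"[1] 192.168.10.130 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host proc[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Peer as pluto prints it: either 'packet from A.B.C.D:port:' or '"conn"[n] A.B.C.D #n:'
PEER_RE = re.compile(
    r'(?:packet from (?P<p1>[^:\s]+):\d+:|"[^"]+"\[\d+\] (?P<p2>\S+) #\d+:)'
)
ASSERT_RE = re.compile(r"ASSERTION FAILED at (?P<file>\S+):(?P<line>\d+): (?P<expr>.*)$")
STATE_RE = re.compile(r"transition from state (?P<src>STATE_\w+) to state (?P<dst>STATE_\w+)")


@dataclass
class Finding:
    severity: str  # "warning" or "critical"
    kind: str      # machine-readable finding type
    peer: str      # peer address as logged, or "-" when none is present
    detail: str


def parse_line(line):
    """Split one syslog line into its fields; return None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def peer_of(msg):
    """Extract the peer address from a pluto message, or "-" if there is none."""
    m = PEER_RE.search(msg)
    if not m:
        return "-"
    return m.group("p1") or m.group("p2")


def analyze(log_text):
    """Return (findings, aggressive_mode_peers) for a block of pluto/systemd log text."""
    findings = []
    aggr_peers = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        msg, proc = rec["msg"], rec["proc"]
        peer = peer_of(msg)
        if proc == "pluto":
            # pluto's own warning: the peer asked for IKEv1 Aggressive Mode with a PSK.
            if "Aggressive Mode with PSK is vulnerable" in msg:
                findings.append(Finding(
                    "warning", "ikev1_aggr_psk", peer,
                    "peer proposed IKEv1 Aggressive Mode with PSK; "
                    "the PSK-derived hash is sent in the clear and can be guessed offline"))
                aggr_peers.add(peer)
            # Any transition into an STATE_AGGR_* state also marks the peer as aggressive-mode.
            sm = STATE_RE.search(msg)
            if sm and sm.group("dst").startswith("STATE_AGGR_"):
                aggr_peers.add(peer)
            # A pluto assertion failure aborts the daemon, so it is always critical.
            am = ASSERT_RE.search(msg)
            if am:
                findings.append(Finding(
                    "critical", "pluto_assertion", peer,
                    f"{am.group('file')}:{am.group('line')} {am.group('expr')}"))
        elif proc == "systemd" and "ipsec.service" in msg and "code=killed" in msg:
            findings.append(Finding(
                "critical", "ipsec_service_killed", "-", msg.split(": ", 1)[1]))
    return findings, sorted(aggr_peers)


if __name__ == "__main__":
    results, peers = analyze(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.kind} peer={f.peer}: {f.detail}")
    print("aggressive-mode peers:", ", ".join(peers))
```

Run it against `journalctl -u ipsec -o short` output or `/var/log/syslog`; a `pluto_assertion` finding followed by `ipsec_service_killed` is the crash pattern shown in the post, and any `ikev1_aggr_psk` finding identifies which clients are relying on the weak exchange pluto itself warns about.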
