Hi Andreas! I've recreated my setup and, this time, I'm not even able to establish the tunnel.

On the Cisco it fails with the error: "Notify has no hash. Rejected." I've attached the debug output of every device. I really have no idea how to sort it out and Google is not such a good friend today :)

Thanks a lot!

François Van Ingelgom -- PCSOL

PS:
Debug-Cisco = debug crypto isakmp + debug crypto ipsec
Debug-Strongswan = cat /var/log/messages with klips and pluto debug set to all
Debug-Cisco:

*Mar 1 00:56:51.179: ISAKMP (0:0): received packet from 81.246.56.89 dport 500 sport 500 Global (N) NEW SA
*Mar 1 00:56:51.179: ISAKMP: Created a peer struct for 81.246.56.89, peer port 500
*Mar 1 00:56:51.179: ISAKMP: New peer created peer = 0x667A130C peer_handle = 0x8000000F
*Mar 1 00:56:51.179: ISAKMP: Locking peer struct 0x667A130C, refcount 1 for crypto_isakmp_process_block
*Mar 1 00:56:51.179: ISAKMP: local port 500, remote port 500
*Mar 1 00:56:51.183: insert sa successfully sa = 6752CA58
*Mar 1 00:56:51.183: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:56:51.183: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Mar 1 00:56:51.183: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 1 00:56:51.183: ISAKMP:(0): processing vendor id payload
*Mar 1 00:56:51.183: ISAKMP:(0): vendor ID seems Unity/DPD but major 91 mismatch
*Mar 1 00:56:51.183: ISAKMP:(0): processing vendor id payload
*Mar 1 00:56:51.183: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Mar 1 00:56:51.183: ISAKMP:(0): vendor ID is XAUTH
*Mar 1 00:56:51.183: ISAKMP:(0): processing vendor id payload
*Mar 1 00:56:51.183: ISAKMP:(0): vendor ID is DPD
*Mar 1 00:56:51.183: ISAKMP:(0):found peer pre-shared key matching 81.246.56.89
*Mar 1 00:56:51.183: ISAKMP:(0): local preshared key found
*Mar 1 00:56:51.183: ISAKMP : Scanning profiles for xauth ...
*Mar 1 00:56:51.183: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
*Mar 1 00:56:51.183: ISAKMP: life type in seconds
*Mar 1 00:56:51.183: ISAKMP: life duration (basic) of 28800
*Mar 1 00:56:51.183: ISAKMP: encryption AES-CBC
*Mar 1 00:56:51.183: ISAKMP: hash SHA
*Mar 1 00:56:51.187: ISAKMP: keylength of 256
*Mar 1 00:56:51.187: ISAKMP: auth pre-share
*Mar 1 00:56:51.187: ISAKMP: default group 5
*Mar 1 00:56:51.187: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 1 00:56:51.187: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar 1 00:56:51.187: ISAKMP:(0):Acceptable atts:life: 0
*Mar 1 00:56:51.187: ISAKMP:(0):Basic life_in_seconds:28800
*Mar 1 00:56:51.187: ISAKMP:(0):Returning Actual lifetime: 28800
*Mar 1 00:56:51.187: ISAKMP:(0)::Started lifetime timer: 28800.
*Mar 1 00:56:51.187: ISAKMP:(0): processing vendor id payload
*Mar 1 00:56:51.187: ISAKMP:(0): vendor ID seems Unity/DPD but major 91 mismatch
*Mar 1 00:56:51.187: ISAKMP:(0): processing vendor id payload
*Mar 1 00:56:51.187: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Mar 1 00:56:51.187: ISAKMP:(0): vendor ID is XAUTH
*Mar 1 00:56:51.187: ISAKMP:(0): processing vendor id payload
*Mar 1 00:56:51.187: ISAKMP:(0): vendor ID is DPD
*Mar 1 00:56:51.187: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:56:51.187: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Mar 1 00:56:51.187: ISAKMP:(0): sending packet to 81.246.56.89 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 1 00:56:51.187: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 1 00:56:51.187: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:56:51.187: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Mar 1 00:56:51.195: ISAKMP (0:0): received packet from 81.246.56.89 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 1 00:56:51.195: ISAKMP:(0):Notify has no hash. Rejected.
*Mar 1 00:56:51.195: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_R_MM2
*Mar 1 00:56:51.195: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 00:56:51.195: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM2
*Mar 1 00:56:51.195: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 81.246.56.89
Debug-Strongswan:

May 12 15:06:01 ipsec charon: 00[KNL] received netlink error: Address family not supported by protocol (97)
May 12 15:06:04 ipsec charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.0)
May 12 15:06:04 ipsec charon: 00[KNL] listening on interfaces:
May 12 15:06:04 ipsec charon: 00[KNL] eth0
May 12 15:06:04 ipsec charon: 00[KNL] 81.246.56.89
May 12 15:06:04 ipsec charon: 00[KNL] fe80::20b:cdff:fe6e:62bc
May 12 15:06:04 ipsec charon: 00[KNL] received netlink error: Address family not supported by protocol (97)
May 12 15:06:04 ipsec charon: 00[KNL] unable to create IPv6 routing table rule
May 12 15:06:04 ipsec charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 12 15:06:04 ipsec charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 12 15:06:04 ipsec charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 12 15:06:04 ipsec charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 12 15:06:04 ipsec charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 12 15:06:04 ipsec charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 12 15:06:04 ipsec charon: 00[CFG] loaded IKE secret for 81.246.56.89 %any
May 12 15:06:04 ipsec charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem fips-prf xcbc hmac gmp attr kernel-netlink socket-raw stroke updown resolve
May 12 15:06:04 ipsec charon: 00[JOB] spawning 16 worker threads
May 12 15:06:04 ipsec charon: 04[CFG] received stroke: add connection 'tunnelipsec'
May 12 15:06:04 ipsec charon: 04[CFG] added configuration 'tunnelipsec'
config setup
    klipsdebug=all
    plutodebug=all
    interfaces="ipsec0=eth0"

conn %default
    ikelifetime=28800
    keylife=28800
    keyingtries=%forever
    authby=secret
    auth=esp
    ike=aes256-sha1-modp1536!
    esp=aes256-sha1!
    pfs=yes
    dpdaction=hold
    dpddelay=60
    dpdtimeout=500

conn tunnelipsec
    type=tunnel
    auto=start
    left=81.246.56.89
    leftnexthop=81.246.56.65
    leftsubnet=192.168.16.0/24
    right=81.246.56.91
    rightnexthop=81.246.56.65
    rightsubnet=192.168.15.0/24
Current configuration : 1283 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key password address 81.246.56.89
!
crypto ipsec transform-set srssset esp-aes 256 esp-sha-hmac
!
crypto map srssmap 1 ipsec-isakmp
 set peer 81.246.56.89
 set security-association lifetime seconds 28800
 set transform-set srssset
 set pfs group1
 match address 100
!
interface FastEthernet0/0
 ip address 81.246.56.91 255.255.255.224
 duplex auto
 speed auto
 crypto map srssmap
!
interface FastEthernet0/1
 ip address 192.168.15.254 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 81.246.56.65
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
no cdp run
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end
On 11 May 2010 at 17:34, Andreas Steffen wrote:

> left = local and right = remote
>
> is just our recommendation in order to help your orientation.
> strongSwan works equally well with left and right swapped.
> I was just wondering that the remote end used private network
> addresses which are not routable.
>
> Best regards
>
> Andreas
>
> On 05/11/2010 05:20 PM, François Van Ingelgom wrote:
>> In fact, no, the strongSwan side is: left=81.246.56.89
>>
>> The Cisco IOS: right=192.168.1.218.
>>
>> I'll try to recreate the configuration tomorrow with the two ends in
>> our 81.246.56.64/27 subnet.
>>
>> From what I understood in the ipsec.conf documentation, left is the actual
>> local machine and right is the remote one, is that correct?
>>
>> Thanks for your help, I'll post what you asked tomorrow.
>>
>> François Van Ingelgom -- PCSOL
>>
>> On 11 May 2010 at 17:08, Andreas Steffen wrote:
>>
>>> Hello François,
>>>
>>> I don't see anything special in your configuration file except that
>>> it looks like an Openswan configuration.
>>>
>>> I assume that the strongSwan side is
>>>
>>> right=192.168.1.218
>>>
>>> which makes use of a port forwarding setup (NAT traversal seems not
>>> to be enabled) on the router
>>>
>>> rightnexthop=192.168.1.1
>>>
>>> in order to be reachable from the Internet and that
>>>
>>> left=81.246.56.89
>>>
>>> is the Cisco IOS box. In order to give you some help I would need
>>> the output of
>>>
>>> ipsec statusall
>>>
>>> and
>>>
>>> ip -s xfrm state
>>>
>>> ip -s xfrm policy
>>>
>>> after the successful connection setup and after a failed ping.
>>>
>>> Best regards
>>>
>>> Andreas
>>>
>>> On 05/11/2010 03:47 PM, François Van Ingelgom wrote:
>>>> Hi everyone!
>>>>
>>>> I'm trying to set up strongSwan (Debian package) with a Cisco
>>>> router (IOS 12.4).
>>>>
>>>> Both servers are on the same subnet (our public subnet) for
>>>> testing purposes.
>>>>
>>>> Here is my ipsec.conf for strongSwan:
>>>>
>>>> version 2.0 # conforms to second version of ipsec.conf specification
>>>>
>>>> config setup
>>>>     interfaces="ipsec0=eth0"
>>>>
>>>> conn %default
>>>>     ikelifetime=86400
>>>>     keylife=3600
>>>>     keyingtries=%forever
>>>>     authby=secret
>>>>     auth=esp
>>>>     ike=aes128-sha1-modp1024!
>>>>     esp=aes128-sha1!
>>>>     pfs=no
>>>>     dpdaction=hold
>>>>     dpddelay=60
>>>>     dpdtimeout=500
>>>>
>>>> conn tunnelipsec
>>>>     type=tunnel
>>>>     auto=start
>>>>     left=81.246.56.89
>>>>     leftnexthop=81.246.56.65
>>>>     leftsubnet=192.168.16.0/24
>>>>     right=192.168.1.218
>>>>     rightnexthop=192.168.1.1
>>>>     rightsubnet=192.168.18.0/24
>>>>
>>>> include /etc/ipsec.d/examples/no_oe.conf
>>>>
>>>> And here is my ipsec.secrets:
>>>>
>>>> 81.246.56.89: PSK "SecretTunnelPass"
>>>>
>>>> I'm sorry, I don't have the Cisco config right here but it's a
>>>> classical non-tunnel configuration (esp-aes esp-sha-hmac aes128
>>>> and sha).
>>>>
>>>> In fact, the connection can be established but when I try to ping
>>>> the other end, the Cisco fails, claiming that it has no route for
>>>> the network connected to the strongSwan....
>>>>
>>>> I really have no idea how to set it up, and I've been searching
>>>> for a very long time now :/
>>>>
>>>> If anybody would have any idea, hints or anything, I'd greatly
>>>> appreciate it :)
>>>>
>>>> Thanks a lot
>>>>
>>>> François Van Ingelgom -- PCSOL
>>>>
>
> ======================================================================
> Andreas Steffen [email protected]
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
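The Cisco "debug crypto isakmp" output in the message above can be triaged mechanically. The following is an added example (not code from the thread, from strongSwan or from Cisco) that reduces a constructed subset of those debug lines to the responder's state path, the packets exchanged and the lines that mark the failure; it shows the router answering MM1 with MM2 and then, still in IKE_R_MM2 waiting for the third main-mode message, receiving an Informational notify without a hash payload and rejecting it.

```python
import re

# Constructed sample: a subset of the "debug crypto isakmp" lines quoted in the message above.
SAMPLE_DEBUG = """\
*Mar 1 00:56:51.179: ISAKMP (0:0): received packet from 81.246.56.89 dport 500 sport 500 Global (N) NEW SA
*Mar 1 00:56:51.183: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Mar 1 00:56:51.187: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 1 00:56:51.187: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Mar 1 00:56:51.187: ISAKMP:(0): sending packet to 81.246.56.89 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 1 00:56:51.187: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Mar 1 00:56:51.195: ISAKMP (0:0): received packet from 81.246.56.89 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 1 00:56:51.195: ISAKMP:(0):Notify has no hash. Rejected.
*Mar 1 00:56:51.195: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_R_MM2
*Mar 1 00:56:51.195: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 81.246.56.89
"""

TS_RE = re.compile(r"^\*\w+\s+\d+\s+[\d:.]+:\s*")  # IOS "*Mar 1 00:56:51.179: " prefix
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PKT_RE = re.compile(r"(received packet from|sending packet to) (\d+(?:\.\d+){3}).*\((\w)\) (.+)$")
FAIL_MARKERS = ("Rejected.", "Unknown Input", "IKMP_MODE_FAILURE")


def summarize_isakmp_debug(text):
    """Reduce an IOS ISAKMP debug to the state path, the packets exchanged and
    the lines that mark the failure, so the point where the exchange broke
    is visible without reading every line."""
    states, packets, failures = [], [], []
    for raw in text.splitlines():
        msg = TS_RE.sub("", raw)
        m = STATE_RE.search(msg)
        if m and m.group(1) != m.group(2):  # ignore self-transitions
            states.append((m.group(1), m.group(2)))
        m = PKT_RE.search(msg)
        if m:
            direction = "rx" if m.group(1).startswith("received") else "tx"
            packets.append((direction, m.group(2), m.group(4)))  # (dir, peer, exchange)
        if any(marker in msg for marker in FAIL_MARKERS):
            failures.append(msg)
    return {
        "states": states,
        "packets": packets,
        "failures": failures,
        "last_state": states[-1][1] if states else None,
        # IOS reports a finished phase 1 as a transition into IKE_P1_COMPLETE
        "phase1_complete": any(new == "IKE_P1_COMPLETE" for _, new in states),
    }


if __name__ == "__main__":
    summary = summarize_isakmp_debug(SAMPLE_DEBUG)
    path = [summary["states"][0][0]] + [new for _, new in summary["states"]]
    print("state path:", " -> ".join(path))
    for direction, peer, exch in summary["packets"]:
        print(direction, peer, exch)
    print("stuck in", summary["last_state"], "after:", summary["failures"][0])
```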
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
