Hi Andreas!

I've recreated my setup and, this time, I'm not even able to establish the
tunnel.

On the cisco it fails with error: "Notify has no hash. Rejected."

I've attached the debug output of every device.

I really have no idea how to sort it out, and Google is not such a good friend
today :)

Thanks a lot!

François Van Ingelgom -- PCSOL

PS: Debug-Cisco = debug crypto isakmp + debug crypto ipsec
Debug-Strongswan = cat /var/log/messages with klips and pluto debug set to all


 
Debug-Cisco (debug crypto isakmp + debug crypto ipsec):

*Mar  1 00:56:51.179: ISAKMP (0:0): received packet from 81.246.56.89 dport 500 sport 500 Global (N) NEW SA
*Mar  1 00:56:51.179: ISAKMP: Created a peer struct for 81.246.56.89, peer port 500
*Mar  1 00:56:51.179: ISAKMP: New peer created peer = 0x667A130C peer_handle = 0x8000000F
*Mar  1 00:56:51.179: ISAKMP: Locking peer struct 0x667A130C, refcount 1 for crypto_isakmp_process_block
*Mar  1 00:56:51.179: ISAKMP: local port 500, remote port 500
*Mar  1 00:56:51.183: insert sa successfully sa = 6752CA58
*Mar  1 00:56:51.183: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:56:51.183: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Mar  1 00:56:51.183: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  1 00:56:51.183: ISAKMP:(0): processing vendor id payload
*Mar  1 00:56:51.183: ISAKMP:(0): vendor ID seems Unity/DPD but major 91 mismatch
*Mar  1 00:56:51.183: ISAKMP:(0): processing vendor id payload
*Mar  1 00:56:51.183: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Mar  1 00:56:51.183: ISAKMP:(0): vendor ID is XAUTH
*Mar  1 00:56:51.183: ISAKMP:(0): processing vendor id payload
*Mar  1 00:56:51.183: ISAKMP:(0): vendor ID is DPD
*Mar  1 00:56:51.183: ISAKMP:(0):found peer pre-shared key matching 81.246.56.89
*Mar  1 00:56:51.183: ISAKMP:(0): local preshared key found
*Mar  1 00:56:51.183: ISAKMP : Scanning profiles for xauth ...
*Mar  1 00:56:51.183: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
*Mar  1 00:56:51.183: ISAKMP:      life type in seconds
*Mar  1 00:56:51.183: ISAKMP:      life duration (basic) of 28800
*Mar  1 00:56:51.183: ISAKMP:      encryption AES-CBC
*Mar  1 00:56:51.183: ISAKMP:      hash SHA
*Mar  1 00:56:51.187: ISAKMP:      keylength of 256
*Mar  1 00:56:51.187: ISAKMP:      auth pre-share
*Mar  1 00:56:51.187: ISAKMP:      default group 5
*Mar  1 00:56:51.187: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  1 00:56:51.187: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar  1 00:56:51.187: ISAKMP:(0):Acceptable atts:life: 0
*Mar  1 00:56:51.187: ISAKMP:(0):Basic life_in_seconds:28800
*Mar  1 00:56:51.187: ISAKMP:(0):Returning Actual lifetime: 28800
*Mar  1 00:56:51.187: ISAKMP:(0)::Started lifetime timer: 28800.

*Mar  1 00:56:51.187: ISAKMP:(0): processing vendor id payload
*Mar  1 00:56:51.187: ISAKMP:(0): vendor ID seems Unity/DPD but major 91 mismatch
*Mar  1 00:56:51.187: ISAKMP:(0): processing vendor id payload
*Mar  1 00:56:51.187: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Mar  1 00:56:51.187: ISAKMP:(0): vendor ID is XAUTH
*Mar  1 00:56:51.187: ISAKMP:(0): processing vendor id payload
*Mar  1 00:56:51.187: ISAKMP:(0): vendor ID is DPD
*Mar  1 00:56:51.187: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:56:51.187: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Mar  1 00:56:51.187: ISAKMP:(0): sending packet to 81.246.56.89 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar  1 00:56:51.187: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 00:56:51.187: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:56:51.187: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Mar  1 00:56:51.195: ISAKMP (0:0): received packet from 81.246.56.89 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 00:56:51.195: ISAKMP:(0):Notify has no hash. Rejected.
*Mar  1 00:56:51.195: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_R_MM2
*Mar  1 00:56:51.195: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 00:56:51.195: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM2

*Mar  1 00:56:51.195: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 81.246.56.89
Debug-Strongswan (cat /var/log/messages):

May 12 15:06:01 ipsec charon: 00[KNL] received netlink error: Address family not supported by protocol (97)
May 12 15:06:04 ipsec charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.0)
May 12 15:06:04 ipsec charon: 00[KNL] listening on interfaces:
May 12 15:06:04 ipsec charon: 00[KNL]   eth0
May 12 15:06:04 ipsec charon: 00[KNL]     81.246.56.89
May 12 15:06:04 ipsec charon: 00[KNL]     fe80::20b:cdff:fe6e:62bc
May 12 15:06:04 ipsec charon: 00[KNL] received netlink error: Address family not supported by protocol (97)
May 12 15:06:04 ipsec charon: 00[KNL] unable to create IPv6 routing table rule
May 12 15:06:04 ipsec charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 12 15:06:04 ipsec charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 12 15:06:04 ipsec charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 12 15:06:04 ipsec charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 12 15:06:04 ipsec charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 12 15:06:04 ipsec charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 12 15:06:04 ipsec charon: 00[CFG]   loaded IKE secret for 81.246.56.89 %any
May 12 15:06:04 ipsec charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem fips-prf xcbc hmac gmp attr kernel-netlink socket-raw stroke updown resolve
May 12 15:06:04 ipsec charon: 00[JOB] spawning 16 worker threads
May 12 15:06:04 ipsec charon: 04[CFG] received stroke: add connection 'tunnelipsec'
May 12 15:06:04 ipsec charon: 04[CFG] added configuration 'tunnelipsec'
ipsec.conf (strongSwan):

config setup
        klipsdebug=all
        plutodebug=all
        interfaces="ipsec0=eth0"
conn %default
        ikelifetime=28800
        keylife=28800
        keyingtries=%forever
        authby=secret
        auth=esp
        ike=aes256-sha1-modp1536!
        esp=aes256-sha1!
        pfs=yes
        dpdaction=hold
        dpddelay=60
        dpdtimeout=500

conn tunnelipsec
        type=tunnel
        auto=start
        left=81.246.56.89
        leftnexthop=81.246.56.65
        leftsubnet=192.168.16.0/24
        right=81.246.56.91
        rightnexthop=81.246.56.65
        rightsubnet=192.168.15.0/24
Current configuration : 1283 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!         
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
! 
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key password address 81.246.56.89
!
!
crypto ipsec transform-set srssset esp-aes 256 esp-sha-hmac 
!
crypto map srssmap 1 ipsec-isakmp 
 set peer 81.246.56.89
 set security-association lifetime seconds 28800
 set transform-set srssset 
 set pfs group1
 match address 100
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 81.246.56.91 255.255.255.224
 duplex auto
 speed auto
 crypto map srssmap
!
interface FastEthernet0/1
 ip address 192.168.15.254 255.255.255.0
 duplex auto
 speed auto
!
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 81.246.56.65
!         
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!         
!
end


On 11 May 2010 at 17:34, Andreas Steffen wrote:

> left = local and right = remote
> 
> is just our recommendation in order to help your orientation.
> strongSwan works equally well with left and right swapped.
> I was just wondering that the remote end used private network
> addresses which are not routable.
> 
> Best regards
> 
> Andreas
> 
> On 05/11/2010 05:20 PM, François Van Ingelgom wrote:
>> In fact, no, the strongSwan side is: left=81.246.56.89
>> 
>> The Cisco IOS:  right=192.168.1.218.
>> 
>> I'll try to recreate the configuration tomorrow with the two ends in
>> our 81.246.56.64/27 subnet.
>> 
>> From what I understood in the ipsec.conf documentation, left is the actual
>> local machine and right is the remote one, is that correct?
>> 
>> Thanks for your help, i'll post what you asked tomorrow.
>> 
>> François Van Ingelgom -- PCSOL
>> 
>> 
>> 
>> 
>> On 11 May 2010 at 17:08, Andreas Steffen wrote:
>> 
>>> Hello François,
>>> 
>>> I don't see anything special in your configuration file except that
>>> it looks like an Openswan configuration.
>>> 
>>> I assume that the strongSwan side is
>>> 
>>> right=192.168.1.218
>>> 
>>> which makes use of a port forwarding setup (NAT traversal seems not
>>> to be enabled) on the router
>>> 
>>> rightnexthop=192.168.1.1
>>> 
>>> in order to be reachable from the Internet and that
>>> 
>>> left=81.246.56.89
>>> 
>>> is the Cisco IOS box. In order to give you some help I would need
>>> the output of
>>> 
>>> ipsec statusall
>>> 
>>> and
>>> 
>>> ip -s xfrm state
>>> 
>>> ip -s xfrm policy
>>> 
>>> after the successful connection setup and after a failed ping.
>>> 
>>> Best regards
>>> 
>>> Andreas
>>> 
>>> On 05/11/2010 03:47 PM, François Van Ingelgom wrote:
>>>> Hi everyone!
>>>> 
>>>> I'm trying to set up strongSwan (Debian package) with a Cisco
>>>> router (IOS 12.4).
>>>> 
>>>> Both servers are on the same subnet (our public subnet) for
>>>> testing purposes.
>>>> 
>>>> Here is my ipsec.conf for strongswan:
>>>> 
>>>> version    2.0     # conforms to second version of ipsec.conf specification
>>>> 
>>>> config setup
>>>>         interfaces="ipsec0=eth0"
>>>> 
>>>> conn %default
>>>>         ikelifetime=86400
>>>>         keylife=3600
>>>>         keyingtries=%forever
>>>>         authby=secret
>>>>         auth=esp
>>>>         ike=aes128-sha1-modp1024!
>>>>         esp=aes128-sha1!
>>>>         pfs=no
>>>>         dpdaction=hold
>>>>         dpddelay=60
>>>>         dpdtimeout=500
>>>> 
>>>> conn tunnelipsec
>>>>         type=tunnel
>>>>         auto=start
>>>>         left=81.246.56.89
>>>>         leftnexthop=81.246.56.65
>>>>         leftsubnet=192.168.16.0/24
>>>>         right=192.168.1.218
>>>>         rightnexthop=192.168.1.1
>>>>         rightsubnet=192.168.18.0/24
>>>> 
>>>> include /etc/ipsec.d/examples/no_oe.conf
>>>> 
>>>> And here is my ipsec.secrets
>>>> 
>>>> 81.246.56.89: PSK "SecretTunnelPass"
>>>> 
>>>> I'm sorry, I don't have the Cisco config right here, but it's a
>>>> classical non-tunnel configuration (esp-aes esp-sha-hmac, aes128
>>>> and sha).
>>>> 
>>>> In fact, the connection can be established, but when I try to ping
>>>> the other end, the Cisco fails, claiming that it has no route for
>>>> the network connected to the strongSwan box....
>>>> 
>>>> I really have no idea how to set it up, and i've been searching
>>>> for a very long time now :/
>>>> 
>>>> If anybody has any idea, hints or anything, I'll greatly
>>>> appreciate it :)
>>>> 
>>>> Thanks a lot
>>>> 
>>>> François Van Ingelgom -- PCSOL
>>>> 
> 
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
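
The two configs in this message can be cross-checked mechanically before
digging into the debug output. What follows is an added example, not code
from the thread and not strongSwan or Cisco code: it parses the relevant
lines of the posted ipsec.conf and IOS running-config (copied into
constructed strings below) and pairs up the phase-1 and phase-2 parameters
the two ends must agree on. The function names and the IOS-default
fallbacks are mine. Run against the posted values it flags exactly one
disagreement: with pluto, pfs=yes and no pfsgroup= reuses the phase-1 DH
group (modp1536, IOS group 5), while the crypto map says "set pfs group1"
(modp768). That would only surface in quick mode, so it does not explain
the main-mode failure in the IOS debug, where IOS accepted the proposal,
sent MM2 and then got an informational notify without a HASH payload
instead of MM3. Two things the check cannot see are worth noting: the
/var/log/messages excerpt contains only charon, the IKEv2 daemon, whereas
the XAUTH and DPD vendor IDs in the IOS debug come from pluto, the IKEv1
daemon, so pluto's lines for this exchange are the ones to look at; and the
running-config still routes 192.168.1.0/24 via 81.246.56.65 (left over
from the earlier layout) but has neither a route nor a default route for
192.168.16.0/24, which a crypto map on FastEthernet0/0 needs before it can
ever match that traffic.

```python
"""Cross-check a strongSwan IKEv1 conn against a Cisco IOS crypto config.

Added example, not code from the thread or from strongSwan/Cisco.  The two
text blocks are copied from the post; the parsing and comparison logic and
all function names are mine.
"""
import ipaddress
import re

# Constructed input: the lines of the posted ipsec.conf that matter here.
STRONGSWAN_CONF = """\
conn %default
        ikelifetime=28800
        keylife=28800
        authby=secret
        ike=aes256-sha1-modp1536!
        esp=aes256-sha1!
        pfs=yes
conn tunnelipsec
        left=81.246.56.89
        leftsubnet=192.168.16.0/24
        right=81.246.56.91
        rightsubnet=192.168.15.0/24
"""

# Constructed input: the crypto-relevant lines of the posted IOS config.
IOS_CONF = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto ipsec transform-set srssset esp-aes 256 esp-sha-hmac
crypto map srssmap 1 ipsec-isakmp
 set peer 81.246.56.89
 set security-association lifetime seconds 28800
 set transform-set srssset
 set pfs group1
 match address 100
access-list 100 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
"""

# IANA IKE DH group numbers (as IOS names them) -> strongSwan names.
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
IOS_HASH = {"sha": "sha1", "md5": "md5", "sha256": "sha256"}


def parse_strongswan(text):
    """Flatten key=value lines; the named conn inherits everything from %default."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def _first(pattern, text, default=None):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else default


def parse_ios(text):
    """Extract phase-1 policy, phase-2 transform, PFS group and crypto ACL.

    Missing policy lines fall back to the IOS defaults (DES, SHA-1, group 1,
    86400 s), which is what IOS itself uses when a line is absent."""
    m = re.search(r"^\s*encr (\w+)(?: (\d+))?$", text, re.M)
    encr = (m.group(1) + (m.group(2) or "")) if m else "des"
    t = re.search(r"transform-set \S+ esp-(\w+)(?: (\d+))? esp-(\w+)-hmac", text)
    acl = re.search(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", text, re.M)
    return {
        "ike_encr": encr,
        "ike_hash": IOS_HASH[_first(r"^\s*hash (\w+)$", text, "sha")],
        "ike_dh": DH_GROUPS[_first(r"^\s*group (\d+)$", text, "1")],
        "ikelifetime": _first(r"^\s*lifetime (\d+)$", text, "86400"),
        "esp": f"{t.group(1)}{t.group(2) or ''}-{IOS_HASH[t.group(3)]}",
        "keylife": _first(r"lifetime seconds (\d+)", text, "3600"),
        "pfs": DH_GROUPS.get(_first(r"set pfs group(\d+)", text)),
        # IOS ACLs use wildcard masks; ipaddress accepts them as hostmasks.
        "local_net": str(ipaddress.IPv4Network(f"{acl.group(1)}/{acl.group(2)}")),
        "remote_net": str(ipaddress.IPv4Network(f"{acl.group(3)}/{acl.group(4)}")),
    }


def compare(ss, ios):
    """Pair each negotiable parameter; returns (name, strongswan, ios, match)."""
    encr, hsh, dh = ss["ike"].rstrip("!").split("-")
    # pluto: pfs=yes (the default) without pfsgroup= reuses the phase-1 group.
    pfs = ss.get("pfsgroup", dh) if ss.get("pfs", "yes") == "yes" else None
    pairs = [
        ("ike encryption", encr, ios["ike_encr"]),
        ("ike hash", hsh, ios["ike_hash"]),
        ("ike DH group", dh, ios["ike_dh"]),
        ("ike lifetime", ss["ikelifetime"], ios["ikelifetime"]),
        ("esp transform", ss["esp"].rstrip("!"), ios["esp"]),
        ("esp lifetime", ss["keylife"], ios["keylife"]),
        ("pfs group", pfs, ios["pfs"]),
        # strongSwan's left subnet is the IOS side's remote and vice versa.
        ("traffic selectors", (ss["leftsubnet"], ss["rightsubnet"]),
         (ios["remote_net"], ios["local_net"])),
    ]
    return [(name, a, b, a == b) for name, a, b in pairs]


def mismatches(ss_text=STRONGSWAN_CONF, ios_text=IOS_CONF):
    """Names of the parameters on which the two ends would not agree."""
    rows = compare(parse_strongswan(ss_text), parse_ios(ios_text))
    return [name for name, _, _, ok in rows if not ok]


if __name__ == "__main__":
    for name, a, b, ok in compare(parse_strongswan(STRONGSWAN_CONF), parse_ios(IOS_CONF)):
        print(f"{'ok      ' if ok else 'MISMATCH'}  {name}: strongSwan={a}  IOS={b}")
```

The comparison is deliberately literal (strings, not semantics), so it will
not notice that two different spellings mean the same algorithm; its value
is in lining up the two vendors' naming side by side so that a group or
lifetime mismatch is visible without reading both manuals.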



_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
