Hello everyone, just joined the list.
I'm trying to establish a secure connection between a Cisco router and a Linux
box running strongSwan.
This is the TEST scenario:

    CISCO                                          LINUX
    192.168.11.244  <-------------------------->  192.168.11.235
----------------------------------------------------------------------------------------
Cisco configuration:

! IKEv1 phase 1 (ISAKMP) policy and the pre-shared key for the Linux peer
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key teste123 address 192.168.11.235
!
! IPsec (phase 2) transform set, referenced from the tunnel profile
crypto ipsec transform-set tset esp-3des esp-md5-hmac
!
crypto ipsec profile ipsec
 set transform-set tset
!
! Route-based VTI: IPsec protection is bound to the interface, not to a crypto map / ACL
interface Tunnel0
 no ip address
 shutdown
 tunnel source 192.168.11.244
 tunnel destination 192.168.11.235
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec
----------------------------------------------------------------------------------------
strongSwan configuration (ipsec.conf):

config setup
        nat_traversal=yes
        plutodebug=all

# host-to-host tunnel to the Cisco VTI endpoint
conn host-host
        type=tunnel
        authby=secret
        left=192.168.11.235
        leftsubnet=%default
        right=192.168.11.244
        rightsubnet=%default
        auto=start
        esp=3des-md5-modp1024
        ike=3des-md5-modp1024
        keyexchange=ikev1
----------------------------------------------------------------------------------------
The result is that strongSwan fails with this error and the connection is not
established:
| find_client_connection starting with host-host
| looking for 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
| concrete checking against sr#0 192.168.11.235/32 -> 192.168.11.244/32
| fc_try trying host-host:0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0 vs host-host:192.168.11.235/32:0/0 -> 192.168.11.244/32:0/0
| fc_try concluding with none [0]
| fc_try host-host gives none
| checking hostpair 192.168.11.235/32 -> 192.168.11.244/32 is not found
| concluding with d = none
"host-host" #3: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.11.235[192.168.11.235]...192.168.11.244[192.168.11.244]===0.0.0.0/0
"host-host" #3: sending encrypted notification INVALID_ID_INFORMATION to 192.168.11.244:500
It seems to me that the Cisco doesn't fill in those network fields in the SA
request packet when it is in tunnel (VTI) mode. And it makes sense, since it's
just configuring a tunnel; there are no subnets (the left/right stuff).
I believe pluto is behaving improperly in this situation, but before I report a
bug or try to fix it, it would be nice if someone could comment on this issue.
I might have misconfigured the Cisco and/or strongSwan.
By the way, racoon has no problem validating that 0.0.0.0/0 subnet.
Thanks,
Germano
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
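Added here as an illustration; this is not part of Germano's post and not the strongSwan project's own documentation. The pluto debug output above already names the mismatch: "looking for 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0" is the quick-mode proposal from the router (a VTI in `tunnel mode ipsec ipv4` is route-based and proposes the any-to-any selector pair rather than subnets behind each end), while "concrete checking against sr#0 192.168.11.235/32 -> 192.168.11.244/32" is what the pasted conn actually provides. pluto matches selectors exactly, finds no conn covering 0.0.0.0/0 on both sides and answers INVALID_ID_INFORMATION. The conn below gives the responder exactly that selector pair. Addresses, algorithms and the PSK value are taken from the post; the ipsec.secrets line is an assumption about how the key is stored on the Linux side, and the conn name `cisco-vti` is invented.

```ini
# /etc/ipsec.conf  (added example; addresses and PSK taken from the post)
config setup
        nat_traversal=yes
        plutodebug=all

# Peer is a Cisco VTI (tunnel mode ipsec ipv4). The VTI proposes the
# any-to-any selector 0.0.0.0/0 <-> 0.0.0.0/0 in quick mode, so the
# responder needs a conn whose subnets are exactly that. As pasted,
# the conn's selectors come out as the two /32 host addresses (the
# "sr#0 ... /32 -> ... /32" line), which is the mismatch pluto reports.
conn cisco-vti
        keyexchange=ikev1
        type=tunnel
        authby=secret
        left=192.168.11.235
        leftsubnet=0.0.0.0/0
        right=192.168.11.244
        rightsubnet=0.0.0.0/0
        ike=3des-md5-modp1024
        esp=3des-md5-modp1024
        auto=start

# /etc/ipsec.secrets  (assumed; must match "crypto isakmp key teste123" on the router)
# 192.168.11.235 192.168.11.244 : PSK "teste123"
```

Two caveats a practitioner should weigh before copying this. First, 0.0.0.0/0 on both sides means the IPsec policy installed on the Linux box matches every packet it sends to any destination, including the local LAN, so everything except the IKE traffic itself is pushed into the tunnel; with a policy-based daemon such as pluto that is acceptable only on an isolated test box, whereas a current strongSwan (charon) keeps the 0/0 selectors but confines them to a route-based Linux `vti` interface via `mark=`, which is the form to use in production. On the router side the pasted Tunnel0 is `shutdown` and has no address, so it also needs `no shutdown`, an address (or `ip unnumbered`) and a route into the tunnel before any traffic can use the SA. Second, 3DES, MD5 and modp1024 are kept here only to match the post; they are weak by today's standards, and AES with SHA-2 and a larger DH group should be used wherever the router supports them.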