On Wed, 01 Aug 2012 17:47:23 +0100, John Connett <[email protected]> wrote:
> On Mon, 30 Jul 2012 13:37:02 +0100, John Connett <[email protected]> wrote:
>> On Thu, 26 Jul 2012 10:15:19 +0100, John Connett <[email protected]> wrote:
>>> I am attempting to use strongSwan 4.5.3-5.4.1 on openSUSE 12.1
>>> (x86_64) to provide an endpoint to a Microsoft Azure Virtual Network
>>> using the 90-day free trial preview (https://www.windowsazure.com).
>
> I have turned up logger output and the following looks suspicious:
>
>     10[CFG] <2> looking for pre-shared key peer configs matching
>     192.168.199.10...168.63.60.212[10.4.1.4]
>     10[IKE] <2> no peer config found

The two logging messages above appear to have been emitted from the
select_config function (in libcharon/sa/ikev1/phase1.c). The file path
suggests that this is using IKEv1. Is this an artifact of the charon /
pluto merge in strongSwan 5? Or is "keyexchange=ikev2" not sufficient to
cause IKEv2 to be used?

These two logging messages appear during the first exchange of
IPSEC-NAT-T (UDP 4500) packets. The first, from right to left, has a
Non-ESP Marker and an ENCRYPTED_V1 payload containing an ID_V1 payload
(0x0A040104 - 10.4.1.4) and a HASH_V1 payload. The second, from left to
right, also has a Non-ESP Marker and the significant content appears to
be:

    11[ENC] <2> generating INFORMATIONAL_V1 request 1149786693 [ HASH N(AUTH_FAILED) ]

I found further information about the Azure Virtual Network on MSDN
(http://tinyurl.com/c6wkzxp). In particular, the IPSec settings they
support are:

    IKE Phase I Parameters:
        Mode: Main mode
        Encryption: AES128 or 3DES
        Integrity: SHA1
        Diffie-Hellman group: Group 2 (1024 bit)
        Authentication Method: Pre-shared key
        Security Association Lifetime: 28800 seconds

    IKE Phase II Parameters:
        Mode: ESP tunnel mode
        Encryption: AES128 or 3DES
        Integrity: SHA1
        Perfect Forward Secrecy: OFF
        Diffie-Hellman group: Group 2 (1024 bit)
        Time Rekeying: ON
        Security Association Lifetime: 3600 seconds
        Security Association Lifesize: 102400000 Kbytes

I have modified my ipsec.conf to try to match these settings. However, I
couldn't see a mechanism for turning Perfect Forward Secrecy off if a
Diffie-Hellman group is specified?

They also indicate that the rightsubnet should match the whole Azure
network (TestNetwork 10.4.0.0/16) which contains CloudSubnet
(10.4.2.0/24) and GatewaySubnet (10.4.1.0/24).

There is also the following comment:

    Does your WatchGuard router have a command to set peer-id (or
    proxy-id) for IKE Phase 1 negotiation (I will be very surprised if
    it does not have such an option, : ))? Please use that command to
    set the peer-id/proxy-id to be 192.168.4.5. This address you see is
    actually the IP address of the Azure gateway (i.e. the peer of your
    WatchGuard router). For the Cisco/Juniper devices we officially
    support, none of them require such a setting to be explicitly
    declared, but we are also aware that some device may have such a
    requirement (and that's also the reason why we do not support these
    devices officially at this point).

In my case, the private IP address of the Azure gateway appears to be
10.4.1.4 as supplied in the ID_V1 payload. I have tried adding it to the
selectors in ipsec.secrets but with no obvious effect. Is there an
equivalent strongSwan mechanism or setting?
--
John Connett

==== /usr/local/etc/ipsec.conf =======================================
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup

# VPN connections
conn Azure
        left=192.168.199.10
        leftid=86.30.202.35
        leftsourceip=%config
        leftsubnet=192.168.199.0/24
        leftauth=psk
        lefthostaccess=yes
        right=168.63.60.212
        rightsubnet=10.4.0.0/16
        rightauth=psk
        forceencaps=yes
        keyexchange=ikev2
        ike=aes128-sha1-modp1024,3des-sha1-modp1024!
        ikelifetime=8h
        esp=aes128-sha1-modp1024,3des-sha1-modp1024!
        lifetime=1h
        lifebytes=104857600000
        auto=start
======================================================================

==== /usr/local/etc/ipsec.secrets ====================================
192.168.199.10 86.30.202.35 168.63.60.212 10.4.1.4 : PSK "<secret>"
======================================================================

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
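As an added example (not part of the post or of strongSwan), a small Python checker that reads one conn section of an ipsec.conf and compares it with the Azure parameters quoted from MSDN above. It assumes strongSwan's documented behaviour that a DH group in the esp= proposal turns PFS on, and that a conn with keyexchange=ikev2 is not matched for an IKEv1 exchange (which is what the select_config log lines suggest); the sample conn is a constructed copy of the relevant lines of the ipsec.conf above.

```python
import re

# Azure gateway parameters as quoted from MSDN in the post above.
AZURE = {"ike_lifetime_s": 28800, "esp_lifetime_s": 3600,
         "esp_lifebytes": 102400000 * 1024,  # MSDN quotes 102400000 Kbytes
         "pfs": False}                       # "Perfect Forward Secrecy: OFF"
_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    # ipsec.conf lifetimes look like '8h', '1h' or a bare number of seconds.
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad lifetime: %r" % value)
    return int(m.group(1)) * _UNIT[m.group(2) or "s"]

def parse_conn(text, name):
    # Collect the key=value settings of the 'conn <name>' section only.
    settings, inside = {}, False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if re.match(r"(conn|config|ca)\s", line):
            inside = line == "conn " + name      # leave any other section
        elif inside and "=" in line:
            key, val = line.split("=", 1)
            settings[key.strip()] = val.strip()
    return settings

def check_azure(conn):
    # Compare one conn against AZURE; return a list of mismatch findings.
    findings = []
    # Assumption: strongSwan enables PFS exactly when esp= names a DH group.
    esp = conn.get("esp", "")
    if not AZURE["pfs"] and re.search(r"modp\d+|ecp\d+", esp):
        findings.append("pfs: esp=%s names a DH group, so PFS is ON" % esp)
    # Assumption: Azure's Phase 1 "Main mode" is IKEv1, so keyexchange=ikev2 cannot match it.
    if conn.get("keyexchange", "ike") == "ikev2":
        findings.append("keyexchange=ikev2 will not match an IKEv1 peer")
    for key, default, want in (("ikelifetime", "3h", AZURE["ike_lifetime_s"]),
                               ("lifetime", "1h", AZURE["esp_lifetime_s"])):
        if to_seconds(conn.get(key, default)) != want:
            findings.append("%s differs from Azure's %d seconds" % (key, want))
    if int(conn.get("lifebytes", "0")) != AZURE["esp_lifebytes"]:
        findings.append("lifebytes differs from Azure's 102400000 Kbytes")
    return findings

# Constructed input: the relevant lines of the conn Azure block from the post.
SAMPLE = """conn Azure
    keyexchange=ikev2
    ikelifetime=8h
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!
    lifetime=1h
    lifebytes=104857600000
"""
FINDINGS = check_azure(parse_conn(SAMPLE, "Azure"))
```

On the sample conn the lifetimes and lifebytes already agree with the MSDN values; the two findings left are the DH group in esp= (PFS on) and keyexchange=ikev2.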
