Hi Martin,

it might be that the gateway does not like strongSwan's authentication or crypto proposals. Pluto 4.x e.g. does not support IKEv1 Aggressive Mode.

Regards

Andreas

On 12/14/2012 02:38 PM, Martin Werthmöller wrote:
> Hi Strongswan users,
>
> we like to set up an IPSec connection to a Telco Tec LiSS VPN Gateway.
> We test the VPN connection with a Windows client (NCP). Here, the
> connection will be established immediately.
>
> As we run our strongSwan client, the connection establishment runs
> into a timeout.
>
> 010 "liss" #3: STATE_MAIN_I1: retransmission; will wait 20s for response
>
> The pluto debug log shows no more information about this.
> The Windows client and the strongSwan client use the same certificate
> and connection settings (config file beneath).
>
> We also captured the traffic of both connection establishments via
> tcpdump. With our strongSwan client, the VPN gateway will not answer
> the first UDP packet from pluto. We examined the first packets of both
> clients.
>
> Here we saw a difference in the Payload (Vendor ID (13)) of both
> packets.
>
> ** NCP client
>
> Type Payload: Vendor ID (13) : Unknown Vendor ID
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-00
> Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
> Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
> Type Payload: Vendor ID (13) : Unknown Vendor ID
> Type Payload: Vendor ID (13) : Unknown Vendor ID
> Type Payload: Vendor ID (13) : Unknown Vendor ID
> Type Payload: Vendor ID (13) : Microsoft L2TP/IPSec VPN Client
>
>
> ** strongSwan client
>
> Type Payload: Vendor ID (13) : strongSwan
> Type Payload: Vendor ID (13) : XAUTH
> Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
> Type Payload: Vendor ID (13) : RFC 3947 Negotiation of Traversal in the IKE
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-00
>
>
> Besides the differences in "Unknown Vendor ID" and the "L2TP Client",
> the strongSwan packet contains the XAUTH "Flag".
>
> May this be the problem of the gateway timeouts?
>
> How could we disable the XAUTH at the first packet?
>
>
> Best regards,
> Martin Werthmoeller
>

--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
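The Vendor ID comparison described in the quoted message can also be done on the raw bytes of each client's first (unencrypted) Main Mode packet. The sketch below is an added example, not part of the original thread or of strongSwan: the two packets are constructed samples with a placeholder SA payload, `deadbeef` is a made-up Vendor ID, and the lookup table holds only three well-known Vendor ID values.

```python
import struct

VENDOR_ID = 13  # ISAKMP payload type number for Vendor ID (RFC 2408)
KNOWN_VIDS = {  # small subset of well-known Vendor ID values
    "4a131c81070358455c5728f20e95452f": "RFC 3947 NAT-T",
    "afcad71368a1f1c96b8696fc77570100": "RFC 3706 DPD",
    "09002689dfd6b712": "XAUTH",
}
NATT, DPD, XAUTH = KNOWN_VIDS  # the three hex keys, in insertion order

def vendor_ids(packet: bytes) -> list:
    """Walk the payload chain of one unencrypted ISAKMP message, return its Vendor IDs."""
    if len(packet) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    next_payload = packet[16]                    # type of the first payload
    (end,) = struct.unpack("!I", packet[24:28])  # total message length
    if end > len(packet):
        raise ValueError("header length exceeds captured bytes")
    offset, found = 28, []
    while next_payload != 0:
        if offset + 4 > end:
            raise ValueError("payload chain runs past message end")
        following, _reserved, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > end:
            raise ValueError("bad payload length")
        if next_payload == VENDOR_ID:
            vid = packet[offset + 4:offset + plen].hex()
            found.append(KNOWN_VIDS.get(vid, "unknown:" + vid))
        next_payload, offset = following, offset + plen
    return found

def build_packet(vid_hexes):
    """Constructed sample: Main Mode header, placeholder SA, then the given Vendor IDs."""
    payloads = [(1, bytes(8))] + [(VENDOR_ID, bytes.fromhex(h)) for h in vid_hexes]
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes(8), 1, 0x10, 2, 0, 0,
                       28 + len(body)) + body

def only_in(a, b):
    """Vendor IDs announced in packet a but not in packet b."""
    return [v for v in vendor_ids(a) if v not in vendor_ids(b)]

CLIENT_A = build_packet([NATT, DPD, "deadbeef"])  # constructed, not a real capture
CLIENT_B = build_packet([XAUTH, DPD, NATT])       # constructed, not a real capture
if __name__ == "__main__":
    print("only in B:", only_in(CLIENT_B, CLIENT_A), "only in A:", only_in(CLIENT_A, CLIENT_B))
```

A difference in the announced Vendor IDs only shows what each initiator advertises; as the reply notes, the gateway may equally be rejecting the authentication or crypto proposals carried in the SA payload.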
