> Hello, > > I m currently using strongSwan to authenticate a Windows 7 client to > access my Linux Server. I use the Win7 "Windows Firewall with Advanced > Security" with the "Connection Security rules" features for the IPSEC > connection (Allow me to automaticaly authenticate the Win7 laptop when it > try to access the linux server without user action). This Win7 client seems > to only support IKEv1. > To have the minimum of network and server impact I authenticate the win7 > using transport mode and null encryption. > > I was previously in strongswan version 4.x.x and I have updated strongSwan > with the version 5.0.1. > Since the update I m not able anymore to connect my Win7 in transport mode > to the Linux server with strongswan 5.0.x. > The main mode phase is ok but the quick mode never finish and I have no > error message. I added in attachement file a pcap file from the win 7 side. >
> My WIN7 configuration return by "netsh advfirewall consec>show rule > name=WIN7_transport_103": > Rules Name: WIN7_transport_103 --------------------------------------------------------------------------------------------------------------- Enabled: Yes Profiles: Domain,proviate,puvlic Type: Static Mode: Transport Endpoint1: 192.168.1.2/32 Endpoint2: 192.168.1.103/32 Protocol: Any Action: RequireInRequireOut Auth1: ComputerPSK Auth1PSK: toto MainModeSecMethods: DHGroup2-3DES-MD5,DHGroup2-AES128-MD5 QuickModeSecMethods: ESP:MD5-None+60min+100000kb,...... OK. My strongSwan configuration is the following: > xxxxxxxxxxxxxxxxxxxx > root@corellia:/etc# more ipsec.conf > # ipsec.conf - strongSwan IPsec configuration file > > # basic configuration > > config setup > charondebug="ike 2, net 2" > uniqueids = yes > > conn %default > auth=esp > mobike=no > > conn WIN7_Transport > authby=psk > esp=null-md5! > ike=aes128-md5-modp1024,3des-md5-modp1024 > keyexchange=ikev1 > type=transport > left=192.168.1.103 > right=192.168.1.2 > auto=start > > #include /var/lib/strongswan/ipsec.conf.inc > xxxxxxxxxxxxxxxxxxxx > > > I have the following ipsec status: > xxxxxxxxxxxxxxxxxxxx > root@corellia:/etc# ipsec statusall > Status of IKE charon daemon (strongSwan 5.0.1, Linux 2.6.32-45-generic, > i686): > uptime: 14 minutes, since Mar 22 17:49:35 2013 > malloc: sbrk 135168, mmap 0, used 104336, free 30832 > worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, > scheduled: 16 > loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 > revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc > cmac hmac attr kernel-netlink resolve socket-default stroke updown > xauth-generic > Listening IP addresses: > 172.16.1.254 > 192.168.1.103 > Connections: > EFB: 192.168.1.103...192.168.1.2 IKEv1 > EFB: local: [192.168.1.103] uses pre-shared key authentication > EFB: remote: [192.168.1.2] uses pre-shared key authentication > EFB: child: dynamic === dynamic TRANSPORT > Security Associations (1 up, 0 connecting): > EFB[8]: ESTABLISHED 3 seconds ago, > 192.168.1.103[192.168.1.103]...192.168.1.2[192.168.1.2] > EFB[8]: IKEv1 SPIs: c911ffdc4c6bf201_i 1b1a18a730dff768_r*, > pre-shared key reauthentication in 2 hours > EFB[8]: IKE proposal: > AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 > EFB[8]: Tasks passive: QUICK_MODE > xxxxxxxxxxxxxxxxxxxx > > > - I made some additionnal test and it work in tunnel mode with a similar > configuration (except the type). > - I updated my StrongSwan with the 5.0.2 release and with this version > nothing work... (tunnel or transport). > > I don't know if it is a bug in the IKEv1 implementation in the 5.0.x > release or an issue in my config and now I have no more idea and way > forward to get something that work. > > thanks in advance for your help or idea to resolve my issue. > > Regards, > > Mickael >
WIN7_to_Strongswan501_tun.pcapng
Description: Binary data
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
