strongSwan in my case is 192.168.100.8 and Win2003 is 192.168.100.1.
Win2003 produces a correct IDi and a wrong-type IDr payload, which inside the get_ts() function is incorrectly translated into an endpoint address instead of a network. strongSwan is the one that generates the INFORMATIONAL to Win2003, and I suppose it is an INVALID-PAYLOAD-TYPE notification.
Here is notification payload:

11[ENC] generating NOTIFY_V1 payload finished
11[ENC] generated data for this payload => 16 bytes @ 0x7f061c00c234
11[ENC] 0: 00 00 00 10 00 00 00 01 03 04 00 01 2F A4 AD 83 ............/...


On 06/14/2014 12:19 AM, Steve Baillargeon wrote:
Hi Alexander
It looks like the Windows endpoint when acting as responder is not properly 
narrowing the TSi or TSr (I suspect it is TSr).

I assume the address 192.168.100.1 belongs to the Windows endpoint and it is trying 
to use it for both the IKE SA and the Child SA, which is not what you are looking for.

Can you confirm the strongSwan endpoint is sending an INFORMATIONAL request to 
the Windows endpoint when it notices the response to the Child SA setup includes an 
incorrect TS?
Can you confirm the error notification that strongSwan is sending is 
TS_UNACCEPTABLE?

Thanks

-Steve



-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Alexander Sbitnev
Sent: June-13-14 9:25 AM
To: [email protected]
Subject: [strongSwan] strongswan and Win2003

Hi there!
I've stumbled upon a problem while trying to create a connection between 
strongSwan and Windows 2003 vanilla IKE.
Site-to-site with PSK auth. strongSwan version 5.1.1.
To me right now it looks like a bug on the Windows side, but my knowledge is 
limited and there can be something I don't know.
So I will be happy with any comments on the situation. Is it known? Is it 
something wrong in my config?
And at last, is it worth it to deal with Microsoft IKE? (I suppose it is not, but 
the need to figure things out is still killing me :)

The problem happens in the second phase of IKE, only in the case where the
win2003 peer acts as responder.
In the second packet of QUICK mode (generated on Windows) there are two
ID_V1 payloads and only one of them is in address form.
The second one (representing the responding/win2003 side) is actually in FQDN form.
As a result, a "peer selected invalid traffic selectors" error occurs.
If the Windows side is acting as initiator, everything works fine.

Here are dumps of the decrypted payloads from the QUICK mode packets generated on 
win2003. The last 32 bytes are the two ID payloads:
1) win2003 initiator, first packet of QM:
13[ENC]    0: 01 00 00 18 60 67 F4 FE 02 25 FA AE 35 52 38 D5  ....`g...%..5R8.
13[ENC]   16: 11 83 3A E0 6A EA 50 DB 0A 00 00 34 00 00 00 01  ..:.j.P....4....
13[ENC]   32: 00 00 00 01 00 00 00 28 01 03 04 01 3E 4E 47 82  .......(....>NG.
13[ENC]   48: 00 00 00 1C 01 03 00 00 80 01 00 01 00 02 00 04  ................
13[ENC]   64: 00 00 07 08 80 04 F0 03 80 05 00 02 05 00 00 18  ................
13[ENC]   80: 41 61 7A 9B B7 40 3D E5 FA 6C 02 97 66 48 66 D9  Aaz..@=..l..fHf.
13[ENC]   96: 78 98 DC 89 05 00 00 10 04 00 00 00 C0 A8 FE 00  x...............
13[ENC]  112: FF FF FF 00 00 00 00 10 04 00 00 00 AC 10 01 00  ................
13[ENC]  128: FF FF FF 00 00 00 00 00  ........

both IDs are in address form

2) win2003 responder, second packet of QM:
06[ENC]    0: 01 00 00 18 9B F4 3A B0 B5 08 11 09 0D 5D 75 A0  ......:......]u.
06[ENC]   16: FE 8D F9 BB 93 19 0B C1 0A 00 00 34 00 00 00 01  ...........4....
06[ENC]   32: 00 00 00 01 00 00 00 28 01 03 04 01 CE 94 11 DA  .......(........
06[ENC]   48: 00 00 00 1C 01 03 00 00 80 01 00 01 00 02 00 04  ................
06[ENC]   64: 00 00 04 B0 80 04 F0 03 80 05 00 02 05 00 00 18  ................
06[ENC]   80: 3E C4 53 86 66 7C DF C7 F3 D2 C5 8B 5C 0C A0 81  >.S.f|......\...
06[ENC]   96: 6F 4D 7D B4 05 00 00 10 04 00 00 00 AC 10 01 00  oM}.............
06[ENC]  112: FF FF FF 00 00 00 00 10 02 00 00 00 73 65 72 76  ............serv
06[ENC]  128: 32 30 30 33 00 00 00 00  2003....

the second ID is in FQDN form, encoding "serv2003" as the ID


Just in case, here is my config:
conn win2003
   esp=3des-sha1!
   ike=3des-sha1-modp2048!
   left=192.168.100.1
   leftsubnet=192.168.254.0/24
   right=192.168.100.8
   rightsubnet=172.16.1.0/24
   authby=secret
   auto=add

Approval handling log:
06[CFG] selecting proposal:
06[CFG]   proposal matches
06[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
06[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
06[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
06[IKE] peer selected invalid traffic selectors: 172.16.1.0/24 for 172.16.1.0/24, 192.168.100.1/32 for 192.168.254.0/24
06[IKE] queueing INFORMATIONAL task
06[IKE] activating new tasks
06[IKE]   activating INFORMATIONAL task

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
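As an added illustration, not code from the thread or from strongSwan, here is a small Python parser for the ISAKMP ID payloads at the end of the two Quick Mode dumps above, together with a model of the traffic-selector derivation the thread describes: a subnet-form ID becomes a network, any other type (here the FQDN "serv2003") falls back to the peer's IKE endpoint address as a /32. The ID bytes are copied from the dumps; the fallback rule and the check function are assumptions modelled on the "peer selected invalid traffic selectors" log line, not strongSwan's actual get_ts() implementation.

```python
import ipaddress
import struct

# ISAKMP identification types from RFC 2407 section 4.6.2.1 (only the ones needed here)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_IPV4_ADDR_SUBNET = 4


def parse_id_payloads(data):
    """Walk a chain of ISAKMP ID payloads: generic header (next payload, reserved,
    length) followed by ID type, protocol ID, port and the identification data."""
    ids, off = [], 0
    while off + 8 <= len(data):
        next_payload, _rsv, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 8 or off + length > len(data):
            break  # trailing padding or a truncated payload: stop parsing
        id_type, proto, port = struct.unpack("!BBH", data[off + 4:off + 8])
        ids.append((id_type, proto, port, data[off + 8:off + length]))
        off += length
        if next_payload == 0:
            break
    return ids


def id_to_ts(id_type, body, ike_peer_addr):
    """Assumed model of the selector derivation described in the thread: network-form
    IDs give a subnet, anything else falls back to the peer's IKE address as /32."""
    if id_type == ID_IPV4_ADDR_SUBNET and len(body) == 8:
        addr, mask = ipaddress.IPv4Address(body[:4]), ipaddress.IPv4Address(body[4:])
        return str(ipaddress.IPv4Network((addr, str(mask)), strict=False))
    if id_type == ID_IPV4_ADDR and len(body) == 4:
        return str(ipaddress.IPv4Network((ipaddress.IPv4Address(body), 32)))
    return str(ipaddress.IPv4Network((ike_peer_addr, 32)))


def check_quick_mode_response(id_bytes, ike_peer_addr, expected):
    """Return the (received, expected) selector pairs that do not match."""
    got = [id_to_ts(t, body, ike_peer_addr) for t, _p, _port, body in parse_id_payloads(id_bytes)]
    return [(g, e) for g, e in zip(got, expected) if g != e]


# Last 32 bytes of the two Windows-generated Quick Mode packets, copied from the dumps
WIN_AS_INITIATOR = bytes.fromhex(
    "05000010 04000000 c0a8fe00 ffffff00 00000010 04000000 ac100100 ffffff00")
WIN_AS_RESPONDER = bytes.fromhex(
    "05000010 04000000 ac100100 ffffff00 00000010 02000000 7365727632303033")

if __name__ == "__main__":
    # strongSwan initiated, so IDci is its 172.16.1.0/24 and IDcr should be 192.168.254.0/24
    print(check_quick_mode_response(WIN_AS_RESPONDER, "192.168.100.1",
                                    ["172.16.1.0/24", "192.168.254.0/24"]))
```

Run as a script it prints the single mismatch, 192.168.100.1/32 received where 192.168.254.0/24 was expected, which is exactly the second pair in the log; feeding it the initiator-side dump yields no mismatch.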
