I think the behavior is right, but someone more qualified than me would have to comment.
Strongswan didn't find a proposal to match because it doesn't support aggressive mode. What is the problem here?

On Wed, Jul 15, 2015 at 5:08 PM, Tom Hu <[email protected]> wrote:
> Hi ALL
>
> I used strongSwan as the GW and the Cisco VPN client on Windows 7 to test
> interoperability using a pre-shared key.
> I got the error "but none allows XAuthInitPSK authentication using
> Aggressive Mode".
>
> The config of strongSwan:
>
> conn %default
>         ikelifetime=60m
>         rekeymargin=3m
>         keyingtries=1
>         mobike=no
>         keyexchange=ikev1
>
> include /etc/ipsec.cert.conf
>
> conn cert
>         type=tunnel
>         auto=add
>         esp=aes128-sha1!
>         ike=aes128-sha1-modp1024!
>         left=192.168.11.55
>         right=%any
>         leftauth=psk
>         rightauth=psk
>         rightauth2=xauth
>         rightdns=10.3.0.1
>         leftsubnet=10.3.1.0/24
>         rightsourceip=10.3.0.0/28
>
> Cisco VPN Client (not AnyConnect), using "group authentication".
>
> strongswan.conf:
>
> charon {
>         cisco_unity = yes
>         i_dont_care_about_security_and_use_aggressive_mode_psk = yes
>         plugins {
>                 attr {
>                         UNITY_SPLIT_INCLUDE=28676
>                         INTERNAL_IP4_ADDRESS=1
>                         INTERNAL_IP4_NETMASK=2
>                         INTERNAL_IP4_DNS=3
>                         UNITY_LOCAL_LAN=28678
>                 }
>         }
> }
>
> When I forced main mode by commenting out
> i_dont_care_about_security_and_use_aggressive_mode_psk = yes, the client
> still sent AG mode.
>
> The log of strongSwan is:
>
> 17:36:03 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-220.17.1.142.bos_dove_72.x86_64.VPN-APP-S5_SN_DOVE, x86_64)
> 17:36:03 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 17:36:03 00[CFG] loaded ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1" from '/etc/ipsec.d/cacerts/ca.pem'
> 17:36:03 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such file or directory
> 17:36:03 00[CFG] reading directory failed
> 17:36:03 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No such file or directory
> 17:36:03 00[CFG] reading directory failed
> 17:36:03 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such file or directory
> 17:36:03 00[CFG] reading directory failed
> 17:36:03 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such file or directory
> 17:36:03 00[CFG] reading directory failed
> 17:36:03 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 17:36:03 00[CFG] loaded IKE secret for %any
> 17:36:03 00[CFG] loaded 1 RADIUS server configuration
> 17:36:03 00[LIB] loaded plugins: charon aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce xauth-pam x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-identity eap-radius updown
> 17:36:03 00[LIB] unable to load 12 plugin features (12 due to unmet dependencies)
> 17:36:03 00[JOB] spawning 16 worker threads
> 17:36:03 05[CFG] received stroke: add connection 'cert'
> 17:36:03 05[CFG] adding virtual IP address pool 10.3.0.0/28
> 17:36:03 05[CFG] added configuration 'cert'
> 17:36:28 07[NET] received packet: from 192.168.11.10[53029] to 192.168.11.55[500] (865 bytes)
> 17:36:28 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
> 17:36:28 07[IKE] received XAuth vendor ID
> 17:36:28 07[IKE] received DPD vendor ID
> 17:36:28 07[IKE] received FRAGMENTATION vendor ID
> 17:36:28 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 17:36:28 07[IKE] received Cisco Unity vendor ID
> 17:36:28 07[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
> 17:36:28 07[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
> 17:36:28 07[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
> 17:36:28 07[ENC] generating INFORMATIONAL_V1 request 1035333975 [ N(AUTH_FAILED) ]
> 17:36:28 07[NET] sending packet: from 192.168.11.55[500] to 192.168.11.10[53029] (56 bytes)
> 17:36:33 08[NET] received packet: from 192.168.11.10[53029] to 192.168.11.55[500] (865 bytes)
> 17:36:33 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
> 17:36:33 08[IKE] received XAuth vendor ID
> 17:36:33 08[IKE] received DPD vendor ID
> 17:36:33 08[IKE] received FRAGMENTATION vendor ID
> 17:36:33 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 17:36:33 08[IKE] received Cisco Unity vendor ID
> 17:36:33 08[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
> 17:36:33 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
> 17:36:33 08[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
> 17:36:33 08[ENC] generating INFORMATIONAL_V1 request 3136248912 [ N(AUTH_FAILED) ]
> 17:36:33 08[NET] sending packet: from 192.168.11.55[500] to 192.168.11.10[53029] (56 bytes)
> repeat.......
>
> The client log is:
>
> Cisco Systems VPN Client Version 5.0.07.0440
> Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
> Client Type(s): Windows, WinNT
> Running on: 6.1.7600
> Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
>
> 1    09:07:02.435  07/15/15  Sev=Info/4  CM/0x63100002
> Begin connection process
>
> 2    09:07:02.461  07/15/15  Sev=Info/4  CM/0x63100004
> Establish secure connection
>
> 3    09:07:02.461  07/15/15  Sev=Info/4  CM/0x63100024
> Attempt connection with server "192.168.11.55"
>
> 4    09:07:02.465  07/15/15  Sev=Info/6  IKE/0x6300003B
> Attempting to establish a connection with 192.168.11.55.
>
> 5    09:07:02.471  07/15/15  Sev=Info/4  IKE/0x63000001
> Starting IKE Phase 1 Negotiation
>
> 6    09:07:02.479  07/15/15  Sev=Info/4  IKE/0x63000013
> SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.168.11.55
>
> 7    09:07:02.481  07/15/15  Sev=Info/4  IPSEC/0x63700008
> IPSec driver successfully started
>
> 8    09:07:02.481  07/15/15  Sev=Info/4  IPSEC/0x63700014
> Deleted all keys
>
> 9    09:07:02.484  07/15/15  Sev=Info/5  IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 10   09:07:02.484  07/15/15  Sev=Warning/2  IKE/0xE300009B
> Discarding incoming packet: Message is NOT encrypted (PacketReceiver:422)
>
> 11   09:07:02.484  07/15/15  Sev=Info/4  IKE/0x63000014
> RECEIVING <<< ISAKMP OAK INFO (Dropped) from 192.168.11.55
>
> 12   09:07:07.658  07/15/15  Sev=Info/4  IKE/0x63000021
> Retransmitting last packet!
>
> 13   09:07:07.658  07/15/15  Sev=Info/4  IKE/0x63000013
> SENDING >>> ISAKMP OAK AG (Retransmission) to 192.168.11.55
>
> repeat
>
> I commented out a line in the strongSwan source as a temporary workaround,
> because I first received the error "payload type %N was not encrypted" on
> the first packet.
>
> diff -u -N opensource/strongswan-5.2.2/src/libcharon/encoding/message.c opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
> --- opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2014-12-09 02:58:17.000000000 -0800
> +++ opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2015-07-10 11:50:55.000000000 -0700
> @@ -2487,7 +2487,7 @@
> {
> DBG1(DBG_ENC, "payload type %N was not encrypted",
> payload_type_names, type);
> - status = FAILED;
> + //status = FAILED;
> break;
> }
> }
>
> I have no idea why I got this error.
> Any input is very much appreciated.
>
> Tom
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
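Review bot: commenting out `status = FAILED;` while leaving the `break` in place makes the function log "payload type %N was not encrypted" and then carry on as if the message were fine, so a message carrying a payload that must be encrypted is now accepted in the clear; that is a protocol check, not a spurious error, and disabling it weakens the check for every message charon parses, not just this Cisco test. It also does not touch the failure the logs show: charon rejects the Aggressive Mode request at the config-lookup step ("found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode") and the client then discards the unencrypted N(AUTH_FAILED) it gets back ("Discarding incoming packet: Message is NOT encrypted"). Revert this hunk and fix the conn configuration instead; if the check really does reject a legitimate message, narrow the condition rather than ignoring its result.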
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
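The charon line "found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode" is a per-conn permission check: in ipsec.conf a conn has to opt in to Aggressive Mode with the `aggressive` option, and using a PSK in Aggressive Mode additionally needs the strongswan.conf knob Tom already set. The fragment below is an added example written for this page, not configuration from the thread or from the strongSwan project; the addresses, pool and XAuth setup are reused from Tom's post, the conn name is my own, and the comments on the security trade-off are mine.

```ini
# /etc/ipsec.conf (added example; addresses and conn name are assumptions)

conn cisco-xauth-psk
        keyexchange=ikev1
        # The responder must explicitly permit Aggressive Mode. Without this line
        # charon answers the client's AG request with "found N matching config,
        # but none allows ... Aggressive Mode" and an unencrypted N(AUTH_FAILED),
        # which the Cisco client drops as "Message is NOT encrypted".
        aggressive=yes
        left=192.168.11.55
        leftauth=psk
        right=%any
        rightauth=psk
        rightauth2=xauth
        leftsubnet=10.3.1.0/24
        rightsourceip=10.3.0.0/28
        rightdns=10.3.0.1
        auto=add

# /etc/strongswan.conf
charon {
        cisco_unity = yes
        # Needed on top of aggressive=yes when the Phase 1 authentication is a PSK.
        # The option name is deliberate: in IKEv1 Aggressive Mode the responder's
        # authentication hash goes over the wire before anything is encrypted, so
        # anyone who can capture the exchange can run an offline dictionary attack
        # on the group PSK. Prefer certificate authentication (leftauth/rightauth=pubkey)
        # or at least a long random group PSK, and move to IKEv2 once the client allows.
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
}
```

If the goal is to keep Main Mode, the Cisco client in "group authentication" mode will keep sending Aggressive Mode regardless of the strongswan.conf knob, as Tom's test shows; the knob only controls whether strongSwan accepts PSK in Aggressive Mode, not what the client initiates.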
