Just to clarify, the client and the server mode have to agree. In your case, the client is sending aggressive, but the server doesn't support it. I actually use NCP-e for ikev1, and there is a setting for aggressive versus main mode.
Aggressive mode should only be used in a scenario where no other solution exists.

On Wed, Jul 15, 2015 at 7:05 PM, Randy Wyatt <[email protected]> wrote:

> You commented the line i_dont_care_about_security_and_use_aggressive_mode_psk
> = yes out of strongswan.conf so aggressive mode is no longer supported.
>
> The line i_dont_care_about_security_and_use_aggressive_mode_psk = yes
> must *not* be commented out.
>
> The client is expecting aggressive mode, but you disabled it on the server.
>
> Does this clarify things?
>
> On Wed, Jul 15, 2015 at 7:02 PM, Tom Hu <[email protected]> wrote:
>
>> Randy
>>
>> Thanks for replying
>>
>> I do not understand "Strongswan didn't find a proposal to match
>> because it doesn't support aggressive mode".
>> BTW: Does strongswan not support AG mode? Is it true? I did a test with cert;
>> it uses MM mode.
>>
>> The problem is I got the error "but none allows XAuthInitPSK authentication
>> using Aggressive Mode"
>>
>> and communication is stopped.
>>
>> Thanks
>>
>> Tom
>>
>> On Wed, Jul 15, 2015 at 5:13 PM, Randy Wyatt <[email protected]> wrote:
>>
>>> I think the behavior is right, but someone more qualified than me would
>>> have to comment.
>>>
>>> Strongswan didn't find a proposal to match because it doesn't support
>>> aggressive mode. What is the problem here?
>>>
>>> On Wed, Jul 15, 2015 at 5:08 PM, Tom Hu <[email protected]> wrote:
>>>
>>>> Hi ALL
>>>>
>>>> I used strongswan as GW and Cisco VPN as client on Windows 7 to test
>>>> interoperability using a pre-shared key.
>>>> I got the error "but none allows XAuthInitPSK authentication using
>>>> Aggressive Mode".
>>>>
>>>> The config of strongswan:
>>>>
>>>> conn %default
>>>>     ikelifetime=60m
>>>>     rekeymargin=3m
>>>>     keyingtries=1
>>>>     mobike=no
>>>>     keyexchange=ikev1
>>>>
>>>> include /etc/ipsec.cert.conf
>>>>
>>>> conn cert
>>>>     type=tunnel
>>>>     auto=add
>>>>     esp=aes128-sha1!
>>>>     ike=aes128-sha1-modp1024!
>>>>     left=192.168.11.55
>>>>     right=%any
>>>>     leftauth=psk
>>>>     rightauth=psk
>>>>     rightauth2=xauth
>>>>     rightdns=10.3.0.1
>>>>     leftsubnet=10.3.1.0/24
>>>>     rightsourceip=10.3.0.0/28
>>>>
>>>> Cisco VPN Client (not AnyConnect), using "group authentication".
>>>>
>>>> strongswan.conf:
>>>>
>>>> charon {
>>>>     cisco_unity = yes
>>>>     i_dont_care_about_security_and_use_aggressive_mode_psk = yes
>>>>     plugins {
>>>>         attr {
>>>>             UNITY_SPLIT_INCLUDE=28676
>>>>             INTERNAL_IP4_ADDRESS=1
>>>>             INTERNAL_IP4_NETMASK=2
>>>>             INTERNAL_IP4_DNS=3
>>>>             UNITY_LOCAL_LAN=28678
>>>>         }
>>>>     }
>>>> }
>>>>
>>>> When I forced main mode by commenting out
>>>> i_dont_care_about_security_and_use_aggressive_mode_psk = yes, the client
>>>> still sends AG mode.
>>>>
>>>> The log of swan is:
>>>>
>>>> 17:36:03 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-220.17.1.142.bos_dove_72.x86_64.VPN-APP-S5_SN_DOVE, x86_64)
>>>> 17:36:03 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>>>> 17:36:03 00[CFG] loaded ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1" from '/etc/ipsec.d/cacerts/ca.pem'
>>>> 17:36:03 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such file or directory
>>>> 17:36:03 00[CFG] reading directory failed
>>>> 17:36:03 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No such file or directory
>>>> 17:36:03 00[CFG] reading directory failed
>>>> 17:36:03 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such file or directory
>>>> 17:36:03 00[CFG] reading directory failed
>>>> 17:36:03 00[CFG] loading crls from '/etc/ipsec.d/crls'
>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such file or directory
>>>> 17:36:03 00[CFG] reading directory failed
>>>> 17:36:03 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>>> 17:36:03 00[CFG] loaded IKE secret for %any
>>>> 17:36:03 00[CFG] loaded 1 RADIUS server configuration
>>>> 17:36:03 00[LIB] loaded plugins: charon aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce xauth-pam x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-identity eap-radius updown
>>>> 17:36:03 00[LIB] unable to load 12 plugin features (12 due to unmet dependencies)
>>>> 17:36:03 00[JOB] spawning 16 worker threads
>>>> 17:36:03 05[CFG] received stroke: add connection 'cert'
>>>> 17:36:03 05[CFG] adding virtual IP address pool 10.3.0.0/28
>>>> 17:36:03 05[CFG] added configuration 'cert'
>>>> 17:36:28 07[NET] received packet: from 192.168.11.10[53029] to 192.168.11.55[500] (865 bytes)
>>>> 17:36:28 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
>>>> 17:36:28 07[IKE] received XAuth vendor ID
>>>> 17:36:28 07[IKE] received DPD vendor ID
>>>> 17:36:28 07[IKE] received FRAGMENTATION vendor ID
>>>> 17:36:28 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>>> 17:36:28 07[IKE] received Cisco Unity vendor ID
>>>> 17:36:28 07[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
>>>> 17:36:28 07[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10 [admin]
>>>> 17:36:28 07[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
>>>> 17:36:28 07[ENC] generating INFORMATIONAL_V1 request 1035333975 [ N(AUTH_FAILED) ]
>>>> 17:36:28 07[NET] sending packet: from 192.168.11.55[500] to 192.168.11.10[53029] (56 bytes)
>>>> 17:36:33 08[NET] received packet: from 192.168.11.10[53029] to 192.168.11.55[500] (865 bytes)
>>>> 17:36:33 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
>>>> 17:36:33 08[IKE] received XAuth vendor ID
>>>> 17:36:33 08[IKE] received DPD vendor ID
>>>> 17:36:33 08[IKE] received FRAGMENTATION vendor ID
>>>> 17:36:33 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>>> 17:36:33 08[IKE] received Cisco Unity vendor ID
>>>> 17:36:33 08[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
>>>> 17:36:33 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10 [admin]
>>>> 17:36:33 08[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
>>>> 17:36:33 08[ENC] generating INFORMATIONAL_V1 request 3136248912 [ N(AUTH_FAILED) ]
>>>> 17:36:33 08[NET] sending packet: from 192.168.11.55[500] to 192.168.11.10[53029] (56 bytes)
>>>> repeat.......
>>>>
>>>> The client log is:
>>>>
>>>> Cisco Systems VPN Client Version 5.0.07.0440
>>>> Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
>>>> Client Type(s): Windows, WinNT
>>>> Running on: 6.1.7600
>>>> Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
>>>>
>>>> 1 09:07:02.435 07/15/15 Sev=Info/4 CM/0x63100002
>>>> Begin connection process
>>>>
>>>> 2 09:07:02.461 07/15/15 Sev=Info/4 CM/0x63100004
>>>> Establish secure connection
>>>>
>>>> 3 09:07:02.461 07/15/15 Sev=Info/4 CM/0x63100024
>>>> Attempt connection with server "192.168.11.55"
>>>>
>>>> 4 09:07:02.465 07/15/15 Sev=Info/6 IKE/0x6300003B
>>>> Attempting to establish a connection with 192.168.11.55.
>>>>
>>>> 5 09:07:02.471 07/15/15 Sev=Info/4 IKE/0x63000001
>>>> Starting IKE Phase 1 Negotiation
>>>>
>>>> 6 09:07:02.479 07/15/15 Sev=Info/4 IKE/0x63000013
>>>> SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.168.11.55
>>>>
>>>> 7 09:07:02.481 07/15/15 Sev=Info/4 IPSEC/0x63700008
>>>> IPSec driver successfully started
>>>>
>>>> 8 09:07:02.481 07/15/15 Sev=Info/4 IPSEC/0x63700014
>>>> Deleted all keys
>>>>
>>>> 9 09:07:02.484 07/15/15 Sev=Info/5 IKE/0x6300002F
>>>> Received ISAKMP packet: peer = 192.168.11.55
>>>>
>>>> 10 09:07:02.484 07/15/15 Sev=Warning/2 IKE/0xE300009B
>>>> Discarding incoming packet: Message is NOT encrypted (PacketReceiver:422)
>>>>
>>>> 11 09:07:02.484 07/15/15 Sev=Info/4 IKE/0x63000014
>>>> RECEIVING <<< ISAKMP OAK INFO (Dropped) from 192.168.11.55
>>>>
>>>> 12 09:07:07.658 07/15/15 Sev=Info/4 IKE/0x63000021
>>>> Retransmitting last packet!
>>>>
>>>> 13 09:07:07.658 07/15/15 Sev=Info/4 IKE/0x63000013
>>>> SENDING >>> ISAKMP OAK AG (Retransmission) to 192.168.11.55
>>>>
>>>> repeat
>>>>
>>>> As a temporary workaround I commented out a line in the strongswan source file,
>>>> because I received the error "payload type %N was not encrypted" on the first packet.
>>>>
>>>> diff -u -N opensource/strongswan-5.2.2/src/libcharon/encoding/message.c opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
>>>> --- opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2014-12-09 02:58:17.000000000 -0800
>>>> +++ opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2015-07-10 11:50:55.000000000 -0700
>>>> @@ -2487,7 +2487,7 @@
>>>> {
>>>> DBG1(DBG_ENC, "payload type %N was not encrypted",
>>>> payload_type_names, type);
>>>> - status = FAILED;
>>>> + //status = FAILED;
>>>> break;
>>>> }
>>>> }
>>>>
>>>> I have no idea why I got this error.
>>>> Any input is very much appreciated.
>>>>
>>>> Tom
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> [email protected]
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
>>>
>>>
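Review bot: Commenting out "status = FAILED;" in this hunk turns the "payload type %N was not encrypted" check into a log-only message: the loop still breaks, but status is left unchanged, so the caller no longer sees a failure for a payload that was required to be encrypted, and charon will go on processing a message it previously rejected. That removes an enforcement point rather than fixing the interoperability problem; the leftover "//status = FAILED;" line is also dead code that should be deleted rather than kept. Keep the original "status = FAILED;" and address the mismatch in the configuration, as the replies in this thread do (restore "i_dont_care_about_security_and_use_aggressive_mode_psk = yes" in strongswan.conf, or move the client to main mode); a build that accepts unencrypted payloads should not be carried beyond a local debugging session.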
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
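As an added example for the thread above (it is not strongSwan or Cisco code and not from any of the posters): the Python below walks the ISAKMP header and payload chain of an IKEv1 first message and renders it the way charon logs it ("parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]" followed by the vendor IDs), then reports what an unencrypted Aggressive Mode first message exposes. The sample packet is constructed in the block: the SA, KE and nonce bodies are placeholder zeros, the identity is assumed to be an ID_KEY_ID of "admin" (the "[admin]" charon prints in the log above), and the vendor IDs are the well-known values for the five extensions the client announced (the XAuth and NAT-T ones derived as the MD5 of their draft names, the DPD, fragmentation and Cisco Unity ones as the commonly published constants). What it makes concrete is why the strongswan.conf knob carries the name it does: in Aggressive Mode the peer identity travels in the clear in the very first message, which is the background to "should only be used where no other solution exists".

```python
"""Walk the ISAKMP (IKEv1) header and payload chain of a first message and
summarise it the way charon does in its log.

Added example for the thread above; not strongSwan or Cisco code.  The packet
is constructed in build_aggressive_request(): SA/KE/nonce bodies are zero
placeholders, the identity is assumed to be an ID_KEY_ID of "admin" (the
"[admin]" in the charon log), and the vendor IDs are the well-known values
for the extensions the client announced."""
import hashlib
import struct

# ISAKMP exchange types (RFC 2408/2409), named as charon prints them.
EXCHANGE_TYPES = {2: "ID_PROT", 4: "AGGRESSIVE", 5: "INFORMATIONAL_V1",
                  6: "TRANSACTION", 32: "QUICK_MODE"}
# IKEv1 payload types (RFC 2408) with charon's short names for the [ ... ] summary.
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "No", 11: "N", 13: "V"}
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}

# Vendor IDs the client in the thread announced.  XAuth and NAT-T VIDs are the
# MD5 of the draft name (XAuth truncated to 8 bytes); DPD, fragmentation and
# Cisco Unity are the commonly published constants for those extensions.
VENDOR_IDS = {
    hashlib.md5(b"draft-ietf-ipsra-isakmp-xauth-06.txt").digest()[:8]: "XAuth",
    bytes.fromhex("afcad71368a1f1c96b8696fc77570100"): "DPD",
    bytes.fromhex("4048b7d56ebce88525e7de7f00d6c2d3"): "FRAGMENTATION",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest(): "draft-ietf-ipsec-nat-t-ike-02\\n",
    bytes.fromhex("12f5f28c457168a9702d9fe274cc0100"): "Cisco Unity",
}

# Fixed 28-byte ISAKMP header: iSPI, rSPI, next payload, version, exchange type,
# flags, message ID, total length.  Generic payload header: next, reserved, length.
HDR = struct.Struct(">8s8sBBBBII")
PAYLOAD_HDR = struct.Struct(">BBH")
FLAG_ENCRYPTION = 0x01


def parse_isakmp(pkt):
    """Return a dict describing the header and the (unencrypted) payload chain."""
    if len(pkt) < HDR.size:
        raise ValueError("short ISAKMP header")
    _i_spi, _r_spi, nxt, version, exch, flags, msg_id, length = HDR.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError("ISAKMP length %d != %d bytes received" % (length, len(pkt)))
    out = {"exchange": EXCHANGE_TYPES.get(exch, "exchange %d" % exch),
           "version": "%d.%d" % (version >> 4, version & 0xF),
           "encrypted": bool(flags & FLAG_ENCRYPTION),
           "message_id": msg_id, "payloads": [], "vendor_ids": [], "identity": None}
    if out["encrypted"]:
        return out                         # chain is ciphertext; nothing to walk
    off = HDR.size
    while nxt != 0:
        if off + PAYLOAD_HDR.size > len(pkt):
            raise ValueError("truncated payload header at offset %d" % off)
        next_type, _reserved, plen = PAYLOAD_HDR.unpack_from(pkt, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(pkt):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        body = pkt[off + PAYLOAD_HDR.size:off + plen]
        out["payloads"].append(PAYLOAD_TYPES.get(nxt, "P%d" % nxt))
        if nxt == 13:                      # vendor ID payload
            out["vendor_ids"].append(VENDOR_IDS.get(body, "unknown (%s)" % body.hex()))
        elif nxt == 5 and len(body) >= 4:  # identification: type, proto, port, data
            out["identity"] = (ID_TYPES.get(body[0], "type %d" % body[0]), body[4:])
        nxt, off = next_type, off + plen
    return out


def charon_summary(parsed):
    """The '[ENC] parsed ... [ ... ]' text charon would print for this message."""
    return "%s request %d [ %s ]" % (parsed["exchange"], parsed["message_id"],
                                     " ".join(parsed["payloads"]))


def aggressive_psk_findings(parsed):
    """What a responder or a network sensor should note about this first message."""
    findings = []
    if parsed["exchange"] == "AGGRESSIVE" and not parsed["encrypted"]:
        findings.append("Aggressive Mode: first message is not encrypted")
        if parsed["identity"]:
            id_type, data = parsed["identity"]
            findings.append("peer identity in the clear: %s %r" % (id_type, data))
    return findings


def build_aggressive_request(group=b"admin"):
    """Constructed sample with the chain the Cisco client sent: SA KE No ID V V V V V."""
    chain = [(1, b"\x00" * 8), (4, b"\x00" * 128), (10, b"\x00" * 20),
             (5, struct.pack(">BBH", 11, 17, 500) + group)]   # ID_KEY_ID, UDP, port 500
    chain += [(13, vid) for vid in VENDOR_IDS]               # dict keeps insertion order
    body = b""
    for i, (_ptype, data) in enumerate(chain):
        next_type = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += PAYLOAD_HDR.pack(next_type, 0, PAYLOAD_HDR.size + len(data)) + data
    # constructed initiator cookie, zero responder cookie, v1.0, AGGRESSIVE, no flags
    hdr = HDR.pack(b"\x11" * 8, b"\x00" * 8, chain[0][0], 0x10, 4, 0, 0,
                   HDR.size + len(body))
    return hdr + body


if __name__ == "__main__":
    parsed = parse_isakmp(build_aggressive_request())
    print("parsed " + charon_summary(parsed))
    for vid in parsed["vendor_ids"]:
        print("received %s vendor ID" % vid)
    for finding in aggressive_psk_findings(parsed):
        print("!", finding)
```

Feed parse_isakmp() the first UDP/500 datagram from a capture of the Cisco client and the summary line should match the "[ENC] parsed AGGRESSIVE request 0 [ ... ]" entry in the charon log; the length and per-payload bounds checks are what keep the walk from reading past a truncated or malformed datagram.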
