You specifically said "when I forced to main mode by commenting out
i_dont_care_about_security_and_use_aggressive_mode_psk = yes, the client still
sends AG mode".

log of swan is
17:36:03 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-

The log provided matches what you stated.

Cisco doesn't even recommend their own ipsec client. This comes directly
from Cisco support. It kept bluescreening on Windows 7 64 for me.

Please copy the entire mailing list in the response.

Regards,
Randy

On Wed, Jul 15, 2015 at 7:19 PM, Tom Hu <[email protected]> wrote:

> Randy
>
> my attached log did not comment out
> i_dont_care_about_security_and_use_aggressive_mode_psk = yes
>
> If I commented it out, the client kept trying AG mode and never gave up
>
> hmm, I did not have a way to disable AG mode and enable MM in the cisco
> vpn client config.
>
> Thanks
>
> Tom
>
> On Wed, Jul 15, 2015 at 7:05 PM, Randy Wyatt <[email protected]> wrote:
>
>> You commented the line i_dont_care_about_security_and_use_aggressive_mode_psk
>> = yes out of strongswan.conf so aggressive mode is no longer supported.
>>
>> The line i_dont_care_about_security_and_use_aggressive_mode_psk = yes
>> must *not* be commented out.
>>
>> The client is expecting aggressive mode, but you disabled it on the
>> server.
>>
>> Does this clarify things?
>>
>> On Wed, Jul 15, 2015 at 7:02 PM, Tom Hu <[email protected]> wrote:
>>
>>> Randy
>>>
>>> Thanks for replying
>>>
>>> I do not understand that "Strongswan didn't find a proposal to match
>>> because it doesn't support aggressive mode"
>>> BTW: Does strongswan not support AG mode? Is it true? I did a test with
>>> cert, it uses MM mode
>>>
>>> the problem is I got the error "but none allows XAuthInitPSK authentication
>>> using Aggressive Mode"
>>>
>>> and communication is stopped
>>>
>>> Thanks
>>>
>>> Tom
>>>
>>> On Wed, Jul 15, 2015 at 5:13 PM, Randy Wyatt <[email protected]>
>>> wrote:
>>>
>>>> I think the behavior is right, but someone more qualified than me would
>>>> have to comment.
>>>>
>>>> Strongswan didn't find a proposal to match because it doesn't support
>>>> aggressive mode.
>>>>
>>>> What is the problem here?
>>>>
>>>> On Wed, Jul 15, 2015 at 5:08 PM, Tom Hu <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi ALL
>>>>>
>>>>> I used strongswan as GW and cisco vpn as client on Windows 7 to test
>>>>> interoperability using a preshared key.
>>>>> got the error "but none allows XAuthInitPSK authentication using
>>>>> Aggressive Mode"
>>>>>
>>>>> the config of strongswan
>>>>>
>>>>> conn %default
>>>>>         ikelifetime=60m
>>>>>         rekeymargin=3m
>>>>>         keyingtries=1
>>>>>         mobike=no
>>>>>         keyexchange=ikev1
>>>>>
>>>>> include /etc/ipsec.cert.conf
>>>>>
>>>>> conn cert
>>>>>         type=tunnel
>>>>>         auto=add
>>>>>         esp=aes128-sha1!
>>>>>         ike=aes128-sha1-modp1024!
>>>>>         left=192.168.11.55
>>>>>         right=%any
>>>>>         leftauth=psk
>>>>>         rightauth=psk
>>>>>         rightauth2=xauth
>>>>>         rightdns=10.3.0.1
>>>>>         leftsubnet=10.3.1.0/24
>>>>>         rightsourceip=10.3.0.0/28
>>>>>
>>>>> cisco vpn Client (not anyconnect) - using "group authentication"
>>>>>
>>>>> strongswan.conf
>>>>> charon {
>>>>>         cisco_unity = yes
>>>>>         i_dont_care_about_security_and_use_aggressive_mode_psk = yes
>>>>>         plugins {
>>>>>                 attr {
>>>>>                         UNITY_SPLIT_INCLUDE=28676
>>>>>                         INTERNAL_IP4_ADDRESS=1
>>>>>                         INTERNAL_IP4_NETMASK=2
>>>>>                         INTERNAL_IP4_DNS=3
>>>>>                         UNITY_LOCAL_LAN=28678
>>>>>                 }
>>>>>         }
>>>>> }
>>>>>
>>>>> when I forced main mode by commenting out
>>>>> i_dont_care_about_security_and_use_aggressive_mode_psk = yes, the client
>>>>> still sends AG mode
>>>>>
>>>>> log of swan is
>>>>>
>>>>> 17:36:03 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-220.17.1.142.bos_dove_72.x86_64.VPN-APP-S5_SN_DOVE, x86_64)
>>>>> 17:36:03 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>>>>> 17:36:03 00[CFG] loaded ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1" from '/etc/ipsec.d/cacerts/ca.pem'
>>>>> 17:36:03 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such file or directory
>>>>> 17:36:03 00[CFG] reading directory failed
>>>>> 17:36:03 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No such file or directory
>>>>> 17:36:03 00[CFG] reading directory failed
>>>>> 17:36:03 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such file or directory
>>>>> 17:36:03 00[CFG] reading directory failed
>>>>> 17:36:03 00[CFG] loading crls from '/etc/ipsec.d/crls'
>>>>> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such file or directory
>>>>> 17:36:03 00[CFG] reading directory failed
>>>>> 17:36:03 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>>>> 17:36:03 00[CFG] loaded IKE secret for %any
>>>>> 17:36:03 00[CFG] loaded 1 RADIUS server configuration
>>>>> 17:36:03 00[LIB] loaded plugins: charon aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce xauth-pam x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-identity eap-radius updown
>>>>> 17:36:03 00[LIB] unable to load 12 plugin features (12 due to unmet dependencies)
>>>>> 17:36:03 00[JOB] spawning 16 worker threads
>>>>> 17:36:03 05[CFG] received stroke: add connection 'cert'
>>>>> 17:36:03 05[CFG] adding virtual IP address pool 10.3.0.0/28
>>>>> 17:36:03 05[CFG] added configuration 'cert'
>>>>> 17:36:28 07[NET] received packet: from 192.168.11.10[53029] to 192.168.11.55[500] (865 bytes)
>>>>> 17:36:28 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
>>>>> 17:36:28 07[IKE] received XAuth vendor ID
>>>>> 17:36:28 07[IKE] received DPD vendor ID
>>>>> 17:36:28 07[IKE] received FRAGMENTATION vendor ID
>>>>> 17:36:28 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>>>> 17:36:28 07[IKE] received Cisco Unity vendor ID
>>>>> 17:36:28 07[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
>>>>> 17:36:28 07[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10 [admin]
>>>>> 17:36:28 07[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
>>>>> 17:36:28 07[ENC] generating INFORMATIONAL_V1 request 1035333975 [ N(AUTH_FAILED) ]
>>>>> 17:36:28 07[NET] sending packet: from 192.168.11.55[500] to 192.168.11.10[53029] (56 bytes)
>>>>> 17:36:33 08[NET] received packet: from 192.168.11.10[53029] to 192.168.11.55[500] (865 bytes)
>>>>> 17:36:33 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
>>>>> 17:36:33 08[IKE] received XAuth vendor ID
>>>>> 17:36:33 08[IKE] received DPD vendor ID
>>>>> 17:36:33 08[IKE] received FRAGMENTATION vendor ID
>>>>> 17:36:33 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>>>> 17:36:33 08[IKE] received Cisco Unity vendor ID
>>>>> 17:36:33 08[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
>>>>> 17:36:33 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10 [admin]
>>>>> 17:36:33 08[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
>>>>> 17:36:33 08[ENC] generating INFORMATIONAL_V1 request 3136248912 [ N(AUTH_FAILED) ]
>>>>> 17:36:33 08[NET] sending packet: from 192.168.11.55[500] to 192.168.11.10[53029] (56 bytes)
>>>>> repeat.......
>>>>>
>>>>> the client log is
>>>>>
>>>>> Cisco Systems VPN Client Version 5.0.07.0440
>>>>> Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
>>>>> Client Type(s): Windows, WinNT
>>>>> Running on: 6.1.7600
>>>>> Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
>>>>>
>>>>> 1 09:07:02.435 07/15/15 Sev=Info/4 CM/0x63100002
>>>>> Begin connection process
>>>>>
>>>>> 2 09:07:02.461 07/15/15 Sev=Info/4 CM/0x63100004
>>>>> Establish secure connection
>>>>>
>>>>> 3 09:07:02.461 07/15/15 Sev=Info/4 CM/0x63100024
>>>>> Attempt connection with server "192.168.11.55"
>>>>>
>>>>> 4 09:07:02.465 07/15/15 Sev=Info/6 IKE/0x6300003B
>>>>> Attempting to establish a connection with 192.168.11.55.
>>>>>
>>>>> 5 09:07:02.471 07/15/15 Sev=Info/4 IKE/0x63000001
>>>>> Starting IKE Phase 1 Negotiation
>>>>>
>>>>> 6 09:07:02.479 07/15/15 Sev=Info/4 IKE/0x63000013
>>>>> SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.168.11.55
>>>>>
>>>>> 7 09:07:02.481 07/15/15 Sev=Info/4 IPSEC/0x63700008
>>>>> IPSec driver successfully started
>>>>>
>>>>> 8 09:07:02.481 07/15/15 Sev=Info/4 IPSEC/0x63700014
>>>>> Deleted all keys
>>>>>
>>>>> 9 09:07:02.484 07/15/15 Sev=Info/5 IKE/0x6300002F
>>>>> Received ISAKMP packet: peer = 192.168.11.55
>>>>>
>>>>> 10 09:07:02.484 07/15/15 Sev=Warning/2 IKE/0xE300009B
>>>>> Discarding incoming packet: Message is NOT encrypted (PacketReceiver:422)
>>>>>
>>>>> 11 09:07:02.484 07/15/15 Sev=Info/4 IKE/0x63000014
>>>>> RECEIVING <<< ISAKMP OAK INFO (Dropped) from 192.168.11.55
>>>>>
>>>>> 12 09:07:07.658 07/15/15 Sev=Info/4 IKE/0x63000021
>>>>> Retransmitting last packet!
>>>>>
>>>>> 13 09:07:07.658 07/15/15 Sev=Info/4 IKE/0x63000013
>>>>> SENDING >>> ISAKMP OAK AG (Retransmission) to 192.168.11.55
>>>>>
>>>>> repeat
>>>>>
>>>>> I did comment out a line in the strongswan source file, because I received
>>>>> the error "payload type %N was not encrypted" on the first packet, as a
>>>>> temporary workaround.
>>>>>
>>>>> diff -u -N
>>>>> opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
>>>>> opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
>>>>> --- opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
>>>>> 2014-12-09
>>>>> 02:58:17.000000000 -0800
>>>>> +++ opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
>>>>> 2015-07-10
>>>>> 11:50:55.000000000 -0700
>>>>> @@ -2487,7 +2487,7 @@
>>>>> {
>>>>> DBG1(DBG_ENC, "payload type %N was not encrypted",
>>>>> payload_type_names, type);
>>>>> - status = FAILED;
>>>>> + //status = FAILED;
>>>>> break;
>>>>> }
>>>>> }
>>>>>
>>>>> I have no idea why I got this error
>>>>> Any input is very much appreciated
>>>>>
>>>>> Tom
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> [email protected]
>>>>> https://lists.strongswan.org/mailman/listinfo/users
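Review bot: commenting out `status = FAILED;` in the `payload type %N was not encrypted` branch makes charon accept a payload that the IKEv1 message rules required to be encrypted instead of rejecting the message, and it does so for every connection the daemon handles, so this should be reverted rather than kept as a workaround. The logs quoted in this same message show the real cause: the server's "found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode" is followed by an INFORMATIONAL_V1 carrying N(AUTH_FAILED), and the client's entry 10 ("Discarding incoming packet: Message is NOT encrypted") shows the Cisco side dropping that reply and retransmitting its AG request, so the fix belongs in strongswan.conf (keep `i_dont_care_about_security_and_use_aggressive_mode_psk = yes` while the client is set to aggressive mode), not in message.c. Also, the `diff -u -N` command line names the same path twice, so the hunk as posted cannot be regenerated from that command; the differing timestamps in the `---`/`+++` headers suggest it was produced against a modified copy, and the command should show that.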
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
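To triage this kind of interoperability failure from the daemon side, a small log summariser like the following, added here as an example and not part of the thread or of strongSwan, correlates charon's "is initiating ... Mode IKE_SA" lines with the "found N matching config, but none allows ... authentication" rejections per initiator, and separately checks whether strongswan.conf actually carries an uncommented i_dont_care_about_security_and_use_aggressive_mode_psk = yes. The sample log text is constructed in the format quoted above; regex names and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in charon's "HH:MM:SS thread[GROUP] message" format (not the thread's own log).
SAMPLE_LOG = """\
17:36:28 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
17:36:28 07[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
17:36:28 07[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10 [admin]
17:36:28 07[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
17:36:28 07[ENC] generating INFORMATIONAL_V1 request 1035333975 [ N(AUTH_FAILED) ]
17:36:33 08[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
17:36:33 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10 [admin]
17:36:33 08[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
17:40:01 09[IKE] 192.168.11.20 is initiating a Main Mode IKE_SA
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\d+)\[([A-Z]+)\] (.*)$")
INIT_RE = re.compile(r"^(\S+) is initiating an? (Aggressive|Main) Mode IKE_SA$")
LOOKUP_RE = re.compile(r"^looking for \w+ peer configs matching \S+?\.\.\.(\S+)(?: \[([^\]]+)\])?$")
REJECT_RE = re.compile(r"^found \d+ matching config, but none allows \w+ authentication using (Aggressive|Main) Mode$")
AGG_RE = re.compile(r"^\s*i_dont_care_about_security_and_use_aggressive_mode_psk\s*=\s*(\w+)")


def summarise_ikev1_peers(log_text):
    """Per initiator IP: Aggressive/Main Mode IKE_SAs started, how many were refused by the
    'none allows ... authentication' check, and the XAuth group ID (the [admin] suffix) it sent."""
    peers = defaultdict(lambda: {"aggressive": 0, "main": 0, "rejected": 0, "group_id": None})
    active = {}  # worker thread id -> peer whose exchange that thread is currently handling
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        thread, msg = m.group(2), m.group(4)
        init = INIT_RE.match(msg)
        if init:
            active[thread] = init.group(1)
            peers[init.group(1)][init.group(2).lower()] += 1
            continue
        look = LOOKUP_RE.match(msg)
        if look and look.group(2):
            peers[look.group(1)]["group_id"] = look.group(2)
            continue
        if REJECT_RE.match(msg) and thread in active:  # rejection belongs to that thread's peer
            peers[active[thread]]["rejected"] += 1
    return dict(peers)


def aggressive_psk_enabled(conf_text):
    """True only if strongswan.conf has the aggressive-mode PSK line uncommented and set to yes."""
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):  # a commented-out line does not enable anything
            continue
        m = AGG_RE.match(line)
        if m:
            return m.group(1).lower() == "yes"
    return False
```

A peer that shows only aggressive attempts, all rejected, while aggressive_psk_enabled() is False is exactly the configuration mismatch discussed in this thread.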
