Hello,
In addition to the setting in strongswan.conf, you need to enable aggressive mode in the conn by using aggressive=yes. And /please/ read the man pages for the config files and look on the website if you try to do things. Also, using aggressive mode is a /very/ bad idea.

Kind Regards,

Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 16.07.2015 at 04:23, Randy Wyatt wrote:
> You specifically said
> when I forced to main mode by comment out
> i_dont_care_about_security_and_use_aggressive_mode_psk = yes, the client
> still send AG mode
>
> log of swan is
>
> 17:36:03 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-
>
> The log provided matches what you stated. Cisco doesn't even recommend their
> own ipsec client. This comes directly from Cisco support. It kept
> bluescreening on Windows 7 64 for me.
>
> Please copy the entire mailing list in the response.
>
> Regards,
> Randy
>
> On Wed, Jul 15, 2015 at 7:19 PM, Tom Hu <[email protected]> wrote:
>
> Randy
>
> my attached log did not comment out
> i_dont_care_about_security_and_use_aggressive_mode_psk = yes "
>
> If I commented out it, the client kept trying AG mode and never giving up
>
> hmm, I did not have a way to disable AG mode and enable MM in the cisco
> vpn client config.
>
> Thanks
>
> Tom
>
> On Wed, Jul 15, 2015 at 7:05 PM, Randy Wyatt <[email protected]> wrote:
>
> You commented the line
> i_dont_care_about_security_and_use_aggressive_mode_psk = yes out of
> strongswan.conf so aggressive mode is no longer supported.
>
> The line i_dont_care_about_security_and_use_aggressive_mode_psk = yes
> must *not* be commented out.
>
> The client is expecting aggressive mode, but you disabled it on the
> server.
>
> Does this clarify things?
>
> On Wed, Jul 15, 2015 at 7:02 PM, Tom Hu <[email protected]> wrote:
>
> Randy
>
> Thanks for replying
>
> I do not understand that "Strongswan didn't find a proposal to
> match because it doesn't support aggressive mode"
> BTW: Does strongswan not support AG mode? is it true? I did test
> of cert, it uses MM mode
>
> the problem is got error "but none allows XAuthInitPSK
> authentication using Aggressive Mode"
>
> and communication is stopped
>
> Thanks
>
> Tom
>
> On Wed, Jul 15, 2015 at 5:13 PM, Randy Wyatt <[email protected]> wrote:
>
> I think the behavior is right, but someone more qualified
> than me would have to comment.
>
> Strongswan didn't find a proposal to match because it doesn't
> support aggressive mode. What is the problem here?
>
> On Wed, Jul 15, 2015 at 5:08 PM, Tom Hu <[email protected]> wrote:
>
> Hi ALL
>
> I used strongswan as GW and cisco vpn as client on
> Windows 7 to test interoperability using pre-shared key.
> got the error "but none allows XAuthInitPSK
> authentication using Aggressive Mode"
>
> the config of strongswan
>
> conn %default
>     ikelifetime=60m
>     rekeymargin=3m
>     keyingtries=1
>     mobike=no
>     keyexchange=ikev1
>
> include /etc/ipsec.cert.conf
>
> conn cert
>     type=tunnel
>     auto=add
>     esp=aes128-sha1!
>     ike=aes128-sha1-modp1024!
>     left=192.168.11.55
>     right=%any
>     leftauth=psk
>     rightauth=psk
>     rightauth2=xauth
>     rightdns=10.3.0.1
>     leftsubnet=10.3.1.0/24
>     rightsourceip=10.3.0.0/28
>
> cisco vpn Client (not anyconnect) - using "group
> authentication"
>
> strongswan.conf
> charon {
>     cisco_unity = yes
>     i_dont_care_about_security_and_use_aggressive_mode_psk = yes
>     plugins {
>         attr {
>             UNITY_SPLIT_INCLUDE=28676
>             INTERNAL_IP4_ADDRESS=1
>             INTERNAL_IP4_NETMASK=2
>             INTERNAL_IP4_DNS=3
>             UNITY_LOCAL_LAN=28678
>         }
>     }
> }
>
> when I forced to main mode by comment out
> i_dont_care_about_security_and_use_aggressive_mode_psk = yes, the client
> still send AG mode
>
> log of swan is
>
> 17:36:03 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-220.17.1.142.bos_dove_72.x86_64.VPN-APP-S5_SN_DOVE, x86_64)
> 17:36:03 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 17:36:03 00[CFG] loaded ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1" from '/etc/ipsec.d/cacerts/ca.pem'
> 17:36:03 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such file or directory
> 17:36:03 00[CFG] reading directory failed
> 17:36:03 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No such file or directory
> 17:36:03 00[CFG] reading directory failed
> 17:36:03 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such file or directory
> 17:36:03 00[CFG] reading directory failed
> 17:36:03 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 17:36:03 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such file or directory
> 17:36:03 00[CFG] reading directory failed
> 17:36:03 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 17:36:03 00[CFG] loaded IKE secret for %any
> 17:36:03 00[CFG] loaded 1 RADIUS server configuration
> 17:36:03 00[LIB] loaded plugins: charon aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce xauth-pam x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-identity eap-radius updown
> 17:36:03 00[LIB] unable to load 12 plugin features (12 due to unmet dependencies)
> 17:36:03 00[JOB] spawning 16 worker threads
> 17:36:03 05[CFG] received stroke: add connection 'cert'
> 17:36:03 05[CFG] adding virtual IP address pool 10.3.0.0/28
> 17:36:03 05[CFG] added configuration 'cert'
> 17:36:28 07[NET] received packet: from 192.168.11.10[53029] to 192.168.11.55[500] (865 bytes)
> 17:36:28 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
> 17:36:28 07[IKE] received XAuth vendor ID
> 17:36:28 07[IKE] received DPD vendor ID
> 17:36:28 07[IKE] received FRAGMENTATION vendor ID
> 17:36:28 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 17:36:28 07[IKE] received Cisco Unity vendor ID
> 17:36:28 07[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
> 17:36:28 07[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
> 17:36:28 07[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
> 17:36:28 07[ENC] generating INFORMATIONAL_V1 request 1035333975 [ N(AUTH_FAILED) ]
> 17:36:28 07[NET] sending packet: from 192.168.11.55[500] to 192.168.11.10[53029] (56 bytes)
> 17:36:33 08[NET] received packet: from 192.168.11.10[53029] to 192.168.11.55[500] (865 bytes)
> 17:36:33 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
> 17:36:33 08[IKE] received XAuth vendor ID
> 17:36:33 08[IKE] received DPD vendor ID
> 17:36:33 08[IKE] received FRAGMENTATION vendor ID
> 17:36:33 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 17:36:33 08[IKE] received Cisco Unity vendor ID
> 17:36:33 08[IKE] 192.168.11.10 is initiating a Aggressive Mode IKE_SA
> 17:36:33 08[CFG] looking for XAuthInitPSK peer configs matching 192.168.11.55...192.168.11.10[admin]
> 17:36:33 08[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
> 17:36:33 08[ENC] generating INFORMATIONAL_V1 request 3136248912 [ N(AUTH_FAILED) ]
> 17:36:33 08[NET] sending packet: from 192.168.11.55[500] to 192.168.11.10[53029] (56 bytes)
> repeat.......
>
> the client log is
>
> Cisco Systems VPN Client Version 5.0.07.0440
> Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
> Client Type(s): Windows, WinNT
> Running on: 6.1.7600
> Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
>
> 1 09:07:02.435 07/15/15 Sev=Info/4 CM/0x63100002
> Begin connection process
>
> 2 09:07:02.461 07/15/15 Sev=Info/4 CM/0x63100004
> Establish secure connection
>
> 3 09:07:02.461 07/15/15 Sev=Info/4 CM/0x63100024
> Attempt connection with server "192.168.11.55"
>
> 4 09:07:02.465 07/15/15 Sev=Info/6 IKE/0x6300003B
> Attempting to establish a connection with 192.168.11.55.
>
> 5 09:07:02.471 07/15/15 Sev=Info/4 IKE/0x63000001
> Starting IKE Phase 1 Negotiation
>
> 6 09:07:02.479 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.168.11.55
>
> 7 09:07:02.481 07/15/15 Sev=Info/4 IPSEC/0x63700008
> IPSec driver successfully started
>
> 8 09:07:02.481 07/15/15 Sev=Info/4 IPSEC/0x63700014
> Deleted all keys
>
> 9 09:07:02.484 07/15/15 Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 10 09:07:02.484 07/15/15 Sev=Warning/2 IKE/0xE300009B
> Discarding incoming packet: Message is NOT encrypted (PacketReceiver:422)
>
> 11 09:07:02.484 07/15/15 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK INFO (Dropped) from 192.168.11.55
>
> 12 09:07:07.658 07/15/15 Sev=Info/4 IKE/0x63000021
> Retransmitting last packet!
>
> 13 09:07:07.658 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK AG (Retransmission) to 192.168.11.55
>
> repeat
>
> I did comment out strongswan source file due
> to receive error "payload type %N was not encrypted"
> first packet
> for temporary workaround.
>
> diff -u -N opensource/strongswan-5.2.2/src/libcharon/encoding/message.c opensource/strongswan-5.2.2/src/libcharon/encoding/message.c
> --- opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2014-12-09 02:58:17.000000000 -0800
> +++ opensource/strongswan-5.2.2/src/libcharon/encoding/message.c 2015-07-10 11:50:55.000000000 -0700
> @@ -2487,7 +2487,7 @@
> {
> DBG1(DBG_ENC, "payload type %N was not
> encrypted",
> payload_type_names, type);
> - status = FAILED;
> + //status = FAILED;
> break;
> }
> }
>
> I have no idea why got this error
> Any input, I am very appreciated
>
> Tom
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
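Review bot: Commenting out `status = FAILED` in this hunk disables the check rather than fixing what triggered it; with `break;` left in place the function carries on with whatever `status` held before, so a payload the protocol requires to be encrypted is now accepted silently. The logs quoted above show the real failure is earlier: charon finds the `cert` config but reports "none allows XAuthInitPSK authentication using Aggressive Mode" and answers with a cleartext `INFORMATIONAL_V1 [ N(AUTH_FAILED) ]`, which the Cisco client then drops as "Message is NOT encrypted". Suggest dropping this change and, as Noel's reply says, adding `aggressive=yes` to the conn alongside the strongswan.conf opt-in, or better, moving the client off Aggressive Mode PSK altogether.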
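Added example, not code from the strongSwan project or from anyone in this thread: a small Python checker for the mismatch Noel describes, run over constructed ipsec.conf and strongswan.conf fragments modelled on Tom's config. It reports whether an IKEv1 XAuth/PSK client that opens with Aggressive Mode would match a conn, and treats a match as a risk finding; the function names and the simplified parsers are my own assumptions, not strongSwan's.

```python
import re

# Constructed input modelled on the thread's configs (not the poster's files verbatim).
IPSEC_CONF = """\
conn %default
    keyexchange=ikev1
conn cert
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
"""
STRONGSWAN_CONF = ("charon {\n    cisco_unity = yes\n"
                   "    i_dont_care_about_security_and_use_aggressive_mode_psk = yes\n}\n")

def parse_conns(text):
    """Map conn name -> settings, with the %default section merged into each conn."""
    conns, cur = {}, None
    for line in text.splitlines():
        m = re.match(r'^conn\s+(\S+)', line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and '=' in line:
            key, val = line.strip().split('=', 1)
            cur[key.strip()] = val.strip()
    default = conns.pop('%default', {})
    return {name: {**default, **c} for name, c in conns.items()}

def charon_allows_aggressive_psk(text):
    """True only if strongswan.conf explicitly opts in to Aggressive Mode with PSK."""
    m = re.search(r'i_dont_care_about_security_and_use_aggressive_mode_psk\s*=\s*(\w+)', text)
    return bool(m) and m.group(1).lower() in ('yes', 'true', '1')

def check_xauth_psk_aggressive(ipsec_conf, strongswan_conf):
    """Verdict per IKEv1 XAuth/PSK conn for an initiator that opens with Aggressive Mode."""
    verdicts = {}
    global_ok = charon_allows_aggressive_psk(strongswan_conf)
    for name, c in parse_conns(ipsec_conf).items():
        xauth_psk = (c.get('keyexchange', 'ike') in ('ikev1', 'ike') and c.get('leftauth') == 'psk'
                     and c.get('rightauth') == 'psk' and c.get('rightauth2') == 'xauth')
        if not xauth_psk:
            continue  # other auth methods are unaffected by the aggressive-mode switches
        if not global_ok:
            verdicts[name] = 'REJECT: charon refuses Aggressive Mode PSK without the strongswan.conf opt-in'
        elif c.get('aggressive', 'no') != 'yes':
            verdicts[name] = 'REJECT: conn lacks aggressive=yes (none allows XAuthInitPSK using Aggressive Mode)'
        else:
            verdicts[name] = 'ACCEPT (RISK): Aggressive Mode PSK sends the PSK-derived hash unencrypted'
    return verdicts
```

Feeding it Tom's configuration yields the same "conn lacks aggressive=yes" outcome the charon log reports; adding `aggressive=yes` flips the verdict to an accepted but flagged match.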
