Hi,

I'm trying to configure dynamic IPsec between Strongswan and a Juniper MX with an MS card, but with no success. The following is the Juniper configuration and Strongswan's ipsec.conf.

Juniper:
set services service-set IPSEC-CLIENT-SERVICE-SET next-hop-service inside-service-interface ms-0/2/0.1
set services service-set IPSEC-CLIENT-SERVICE-SET next-hop-service outside-service-interface ms-0/2/0.2
set services service-set IPSEC-CLIENT-SERVICE-SET ipsec-vpn-options local-gateway 10.7.7.2   <<<< interface connecting to the internet
set services service-set IPSEC-CLIENT-SERVICE-SET ipsec-vpn-options ike-access-profile IPSEC-CLIENTS-GROUP-1
set services ipsec-vpn ipsec proposal DYNAMIC_IPSEC_PROPOSAL protocol esp
set services ipsec-vpn ipsec proposal DYNAMIC_IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal DYNAMIC_IPSEC_PROPOSAL encryption-algorithm aes-256-cbc
set services ipsec-vpn ipsec policy DYNAMIC_IPSEC_POLICY perfect-forward-secrecy keys group2
set services ipsec-vpn ipsec policy DYNAMIC_IPSEC_POLICY proposals DYNAMIC_IPSEC_PROPOSAL
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL dh-group group2
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL authentication-algorithm sha-256
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL encryption-algorithm aes-256-cbc
set services ipsec-vpn ike proposal IKE-PHASE1-PROPOSAL lifetime-seconds 28800
set services ipsec-vpn ike policy IKE-PHASE1-POLICY mode main
set services ipsec-vpn ike policy IKE-PHASE1-POLICY proposals IKE-PHASE1-PROPOSAL
set services ipsec-vpn ike policy IKE-PHASE1-POLICY pre-shared-key ascii-text "$9$IaNES"
set interfaces xe-0/0/0 unit 0 family inet address 172.16.1.1/24  <<<<< connecting to LAN
set interfaces ms-0/2/0 unit 0 family inet
set interfaces ms-0/2/0 unit 1 dial-options ipsec-interface-id IPSEC-INTERFACE-ID
set interfaces ms-0/2/0 unit 1 dial-options shared
set interfaces ms-0/2/0 unit 1 family inet
set interfaces ms-0/2/0 unit 1 service-domain inside
set interfaces ms-0/2/0 unit 2 family inet
set interfaces ms-0/2/0 unit 2 service-domain outside
set interfaces ge-1/0/0 unit 0 family inet address 10.7.7.2/30  <<<<< interface connecting to the internet
set routing-options static route 172.16.2.0/24 next-hop ms-0/2/0.1   <<<< directing traffic going to the other LAN into the interface for encryption
set access profile IPSEC-CLIENTS-GROUP-1 client * ike allowed-proxy-pair local 172.16.1.0/24 remote 172.16.2.0/24  <<< interesting traffic, our LAN and peer's LAN
set access profile IPSEC-CLIENTS-GROUP-1 client * ike ike-policy IKE-PHASE1-POLICY
set access profile IPSEC-CLIENTS-GROUP-1 client * ike interface-id IPSEC-INTERFACE-ID

Strongswan ipsec.conf:
config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        ikelifetime=1d
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret
        type=tunnel
        reauth=no
        #auth=esp
        #esp=null-sha1!
        #esp=aes256-sha256!
        ike=aes128-sha1-modp1024
        rekey=no
        #lifetime=5h
        mobike=no
        #dpdaction=hold
        dpdaction=clear
        dpddelay=20s

conn test
        left=%defaultroute
        leftsubnet=172.16.1.0/24[gre]
        leftid=@TE
        #leftfirewall=yes
        right=14.90.19.22                     <<  internet - static ip
        rightsubnet=172.16.2.0/24[gre]
        rightid=@LNS-Juniper
        auto=add


Log on Linux-strongswan:

02[IKE] initiating IKE_SA mrv[1] to 14.90.19.22
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 99.3.3.13[500] to 14.90.19.22[500] (956 bytes)
received packet: from 14.90.19.22[500] to 99.3.3.13[500] (380 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
received unknown vendor ID: 4a:13:1c:81:07:03:58:45:5c:57:28:f2:0e:95:45:2f
received unknown vendor ID: 7d:94:19:a6:53:10:ca:6f:2c:17:9d:92:15:52:9d:56
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY
sending packet: from 99.3.3.13[500] to 14.90.19.22[500] (356 bytes)
received packet: from 14.90.19.22[500] to 99.3.3.13[500] (36 bytes)
payload type NOTIFY was not encrypted
could not decrypt payloads
integrity check failed
04[IKE] IKE_AUTH response with message ID 1 processing failed

Please help!
Cheers,

Yaniv.
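A practical first step with a posted pair of configurations like the ones above is to line the two proposal sets up side by side, because Junos and strongSwan name the same algorithms differently (aes-256-cbc vs aes256, sha-256 vs sha256, group2 vs modp1024). The script below is an added example, not code from the post, from strongSwan or from Juniper; it maps the Junos keywords to strongSwan proposal keywords, checks whether the strongSwan ike= string explicitly contains the Junos proposal, notes that a list without a trailing "!" also offers strongSwan's built-in defaults (which can mask a mismatch, as the successful IKE_SA_INIT above suggests), and flags algorithms a practitioner would want to move away from (1024-bit DH group2, SHA-1). The WEAK table is this example's own judgement; the mapping covers only the keywords relevant to an MX with an MS card. The algorithm check is all it does; it does not model the fact that Junos "mode main" is an IKEv1 phase-1 setting while the strongSwan side is configured with keyexchange=ikev2.

```python
"""Added example (not from the post): cross-check a strongSwan ike=/esp= proposal
string against a Junos 'services ipsec-vpn' proposal and flag weak algorithms.
The keyword mapping follows Junos and strongSwan naming; WEAK is this example's
own judgement call."""

# Junos keyword -> strongSwan proposal keyword (subset used on MX/MS-MPC boxes)
JUNOS_TO_SWAN = {
    # encryption algorithms
    "3des-cbc": "3des", "aes-128-cbc": "aes128", "aes-192-cbc": "aes192", "aes-256-cbc": "aes256",
    # IKE authentication algorithms (strongSwan uses one keyword for integrity and PRF)
    "md5": "md5", "sha1": "sha1", "sha-256": "sha256", "sha-384": "sha384",
    # IPsec (ESP) authentication algorithms
    "hmac-md5-96": "md5", "hmac-sha1-96": "sha1", "hmac-sha-256-128": "sha256",
    # Diffie-Hellman groups (IKE dh-group and IPsec perfect-forward-secrecy keys)
    "group1": "modp768", "group2": "modp1024", "group5": "modp1536",
    "group14": "modp2048", "group19": "ecp256", "group20": "ecp384",
}

# Canonical strongSwan ordering when rendering a proposal: cipher, integrity, DH group
ORDER = (("3des", "aes128", "aes192", "aes256"),
         ("md5", "sha1", "sha256", "sha384"),
         ("modp768", "modp1024", "modp1536", "modp2048", "ecp256", "ecp384"))

WEAK = {"3des": "64-bit block cipher", "md5": "broken hash", "sha1": "deprecated hash",
        "modp768": "768-bit DH", "modp1024": "1024-bit DH (Junos group2)", "modp1536": "1536-bit DH"}


def parse_strongswan(spec):
    """'aes128-sha1-modp1024,aes256-sha256-modp2048!' -> ([set, set], strict).
    strongSwan appends its built-in default proposals unless the list ends in '!'."""
    spec = spec.strip()
    strict = spec.endswith("!")
    if strict:
        spec = spec[:-1]
    return [set(p.split("-")) for p in spec.split(",") if p], strict


def junos_proposal(*keywords):
    """Translate Junos proposal keywords (plus the dh-group / PFS group) to a strongSwan set."""
    unknown = [k for k in keywords if k not in JUNOS_TO_SWAN]
    if unknown:
        raise ValueError(f"unmapped Junos keyword(s): {unknown}")
    return {JUNOS_TO_SWAN[k] for k in keywords}


def swan_string(proposal):
    """Render a proposal set as an exclusive strongSwan ike=/esp= value."""
    return "-".join(a for group in ORDER for a in group if a in proposal) + "!"


def offered_matches(spec, junos):
    """True if one of the explicitly listed strongSwan proposals equals the Junos one."""
    proposals, _ = parse_strongswan(spec)
    return any(p == junos for p in proposals)


def check(spec, junos):
    """Return a list of findings for one strongSwan spec against one Junos proposal."""
    proposals, strict = parse_strongswan(spec)
    findings = []

    def add(msg):
        if msg not in findings:
            findings.append(msg)

    if not offered_matches(spec, junos):
        add(f"no explicit strongSwan proposal equals the Junos proposal {swan_string(junos)}")
        if not strict:
            add("no trailing '!', so strongSwan also offers its default proposals; "
                "a match may come from those, which hides the mismatch")
    for p in proposals + [junos]:
        for alg in sorted(a for a in p if a in WEAK):
            add(f"weak algorithm {alg}: {WEAK[alg]}")
    return findings


if __name__ == "__main__":
    # Values taken from the post: Junos IKE proposal versus the strongSwan ike= line.
    junos_ike = junos_proposal("aes-256-cbc", "sha-256", "group2")
    for finding in check("aes128-sha1-modp1024", junos_ike):
        print("IKE:", finding)
    # Junos IPsec proposal plus its PFS group; the post's esp= lines are commented out,
    # so strongSwan offers only its defaults there.
    junos_esp = junos_proposal("aes-256-cbc", "hmac-sha1-96", "group2")
    print("esp= line matching the posted Junos proposal:", swan_string(junos_esp))
```

Run as a script, it prints the findings for the two proposals exactly as posted; to test a candidate fix, pass the intended ike=/esp= strings and the Junos keywords to check() and aim for an empty list on both sides.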
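The last four log lines describe a specific wire shape. A 36-byte IKE_AUTH response is a 28-byte IKEv2 header plus a single 8-byte Notify payload with no SPI and no data, which is exactly what an unprotected error notification looks like; a normal IKE_AUTH response starts with an SK (Encrypted) payload instead, which is why strongSwan reports that the NOTIFY was not encrypted and then fails the integrity check. The decoder below is an added example, not code from the post or from strongSwan: it builds a constructed packet of that shape (the notify type AUTHENTICATION_FAILED is an arbitrary choice for the sample, not what the Juniper actually sent) and shows how to tell a plaintext error notify from an encrypted response. Payload and notify numbers are from RFC 7296.

```python
"""Added example (not from the post): minimal IKEv2 header/payload decoder that
distinguishes an unprotected error Notify from an encrypted (SK) response.
Constants are from RFC 7296; the sample packets below are constructed here."""
import struct

IKE_HEADER_LEN = 28
EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
           40: "Nonce", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr", 46: "SK",
           47: "CP", 48: "EAP"}
PAYLOAD_N, PAYLOAD_SK = 41, 46
IKEV2_VERSION = 0x20          # major 2, minor 0
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
NOTIFY_ERRORS = {1: "UNSUPPORTED_CRITICAL_PAYLOAD", 4: "INVALID_IKE_SPI", 5: "INVALID_MAJOR_VERSION",
                 7: "INVALID_SYNTAX", 9: "INVALID_MESSAGE_ID", 11: "INVALID_SPI",
                 14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD", 24: "AUTHENTICATION_FAILED",
                 34: "SINGLE_PAIR_REQUIRED", 35: "NO_ADDITIONAL_SAS", 36: "INTERNAL_ADDRESS_FAILURE",
                 37: "FAILED_CP_REQUIRED", 38: "TS_UNACCEPTABLE", 39: "INVALID_SELECTORS"}


def parse_ikev2(pkt):
    """Decode the fixed header and walk the plaintext payload chain (stops at SK)."""
    if len(pkt) < IKE_HEADER_LEN:
        raise ValueError("short IKE header")
    spi_i, spi_r, next_pl, ver, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", pkt[:IKE_HEADER_LEN])
    if ver >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {ver >> 4})")
    if length != len(pkt):
        raise ValueError(f"header length {length} != packet length {len(pkt)}")
    payloads, off = [], IKE_HEADER_LEN
    while next_pl != 0:
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        nxt, _crit, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = pkt[off + 4:off + plen]
        entry = {"type": PAYLOAD.get(next_pl, str(next_pl)), "len": plen}
        if next_pl == PAYLOAD_N:
            if len(body) < 4:
                raise ValueError("short Notify payload")
            _proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
            entry["notify"] = NOTIFY_ERRORS.get(ntype, f"notify {ntype}")
            entry["notify_data"] = body[4 + spi_size:]
        payloads.append(entry)
        if next_pl == PAYLOAD_SK:
            break  # SK is last on the wire; its next-payload field describes the encrypted content
        off += plen
        next_pl = nxt
    return {"exchange": EXCHANGE.get(exch, str(exch)), "response": bool(flags & FLAG_RESPONSE),
            "msg_id": msg_id, "payloads": payloads,
            "encrypted": any(p["type"] == "SK" for p in payloads),
            "plaintext_notifies": [p["notify"] for p in payloads if p["type"] == "N"]}


def describe(pkt):
    """One-line summary in the style of the strongSwan 'parsed ... [ ... ]' log lines."""
    m = parse_ikev2(pkt)
    kind = "response" if m["response"] else "request"
    names = " ".join(p["type"] + (f"({p['notify']})" if "notify" in p else "") for p in m["payloads"])
    line = f"{m['exchange']} {kind} {m['msg_id']} [ {names} ]"
    if m["exchange"] != "IKE_SA_INIT" and not m["encrypted"]:
        line += " -- not encrypted: peer sent a plaintext error notify instead of an SK payload"
    return line


def build_unprotected_notify(spi_i, spi_r, msg_id, notify_type, exchange=35):
    """Constructed sample: header + one data-less Notify (protocol 0, SPI size 0) = 36 bytes."""
    notify = struct.pack("!BBHBBH", 0, 0, 8, 0, 0, notify_type)
    hdr = struct.pack("!8s8sBBBBII", spi_i, spi_r, PAYLOAD_N, IKEV2_VERSION, exchange,
                      FLAG_RESPONSE, msg_id, IKE_HEADER_LEN + len(notify))
    return hdr + notify


def build_sk_response(spi_i, spi_r, msg_id, ciphertext, exchange=35):
    """Constructed sample of the normal shape: header + SK payload wrapping opaque bytes."""
    sk = struct.pack("!BBH", 0, 0, 4 + len(ciphertext)) + ciphertext
    hdr = struct.pack("!8s8sBBBBII", spi_i, spi_r, PAYLOAD_SK, IKEV2_VERSION, exchange,
                      FLAG_RESPONSE, msg_id, IKE_HEADER_LEN + len(sk))
    return hdr + sk


if __name__ == "__main__":
    spi_i, spi_r = b"\x11" * 8, b"\x22" * 8          # arbitrary SPIs for the samples
    print(describe(build_unprotected_notify(spi_i, spi_r, 1, 24)))
    print(describe(build_sk_response(spi_i, spi_r, 1, b"\x00" * 40)))
```

To apply it to a real capture, feed the UDP payload of the 36-byte packet (from a pcap taken on the strongSwan host) to describe(); the notify type it prints is the responder's stated reason for rejecting the IKE_AUTH request, which the strongSwan log above does not show because the daemon discards the unprotected payload.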
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
