Hi folks,

I have to connect a Kyocera ECOSYS M8130 printer (running in a
foreign environment behind a NAT) to my local network via our road
warrior IPsec gateway. Strongswan 5.6.2. rightsourceip is %dhcp,
as for the road warriors.

The printer has built-in IKEv2 and IPsec support.

Problem: Authentication via PSK or certificate (not shown here)
succeeds, but then the printer and strongswan seem to disagree
about the further steps.

Logfile:

Jul 13 13:35:57 10[NET] <2100> received packet: from 192.168.142.13[52583] to 192.168.142.17[500] (432 bytes)
Jul 13 13:35:57 10[ENC] <2100> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 13 13:35:57 10[IKE] <2100> 192.168.142.13 is initiating an IKE_SA
Jul 13 13:35:57 10[IKE] <2100> remote host is behind NAT
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[ENC] <2100> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) V ]
Jul 13 13:35:57 10[NET] <2100> sending packet: from 192.168.142.17[500] to 192.168.142.13[52583] (585 bytes)
Jul 13 13:35:57 16[NET] <2100> received packet: from 192.168.142.13[60908] to 192.168.142.17[4500] (288 bytes)
Jul 13 13:35:57 16[ENC] <2100> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jul 13 13:35:57 16[CFG] <2100> looking for peer configs matching 192.168.142.17[gate.example.com]...192.168.142.13[prn17.red.example.de]
Jul 13 13:35:57 16[CFG] <prn17-ikev2|2100> selected peer config 'prn17-ikev2'
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> authentication of 'prn17.red.example.de' with pre-shared key successful
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> authentication of 'gate.example.com' (myself) with pre-shared key
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> IKE_SA prn17-ikev2[2100] established between 192.168.142.17[gate.example.com]...192.168.142.13[prn17.red.example.de]
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> scheduling reauthentication in 86135s
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> maximum IKE_SA lifetime 86315s
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> expected a virtual IP request, sending FAILED_CP_REQUIRED
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> traffic selectors 0.0.0.0/0 === 10.100.0.17/32 inacceptable
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> failed to establish CHILD_SA, keeping IKE_SA
Jul 13 13:35:57 16[ENC] <prn17-ikev2|2100> generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jul 13 13:35:57 16[NET] <prn17-ikev2|2100> sending packet: from 192.168.142.17[4500] to 192.168.142.13[60908] (160 bytes)
:
:
Jul 13 13:36:27 29[IKE] <prn17-ikev2|2100> sending DPD request
Jul 13 13:36:27 29[ENC] <prn17-ikev2|2100> generating INFORMATIONAL request 0 [ ]
Jul 13 13:36:27 29[NET] <prn17-ikev2|2100> sending packet: from 192.168.142.17[4500] to 192.168.142.13[60908] (80 bytes)
Jul 13 13:36:27 14[NET] <prn17-ikev2|2100> received packet: from 192.168.142.13[60908] to 192.168.142.17[4500] (80 bytes)
Jul 13 13:36:27 14[ENC] <prn17-ikev2|2100> parsed INFORMATIONAL response 0 [ ]
:


Please note the "expected a virtual IP request". Unfortunately the
printer does not provide any logging, AFAICT.


Every helpful comment is highly appreciated
Harri
-----------------------------------------------------------------------------
ipsec.conf:

conn %default
        # left=%any
        left            = gate.example.com
        fragmentation   = yes
        leftsubnet      = 172.16.96.0/19
        leftfirewall    = no
        ikelifetime     = 1d
        lifetime        = 8h
        rekey           = yes
        dpdaction       = none          # default: no dead peer detection
        dpddelay        = 30s           # default: 30s
        dpdtimeout      = 150s          # default: 150s, used for IKEv1 only

#
# IKEv2 using RSA authentication
conn IPSec-IKEv2
        keyexchange     = ikev2
        leftcert        = gate.example.com_3.pem
        also            = roadwarrior
        ike             = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!
        esp             = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256,aes256-sha1,aes128-sha1!
        right           = %any
        rightca         = "C=DE, O=example, OU=Certificate Authority, CN=root-CA"
        rightauth       = pubkey
        rightsendcert   = ifasked
        rightsourceip   = %dhcp
        auto            = add

#
# connection to prn17
conn prn17-ikev2
        # left=%any
        left            = gate.example.com
        leftid          = @gate.example.com
        leftfirewall    = no
        right           = 5.145.142.13
        rightid         = @prn17.red.example.de
        rightsourceip   = %dhcp
        authby          = secret

        keyexchange     = ikev2
        ike             = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!
        esp             = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256,aes256-sha1,aes128-sha1!
        ikelifetime     = 1d
        lifetime        = 1h
        rekey           = yes
        rekeymargin     = 3m
        keyingtries     = 1

        auto            = add
        dpdaction       = hold
        dpddelay        = 30s
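
The following is an added example, not part of Harri's post and not strongSwan code: a small Python diagnoser that reads charon log lines of the kind shown above, splits the IKE_AUTH request and response into their payloads and notifies, and explains the responder's FAIL_CP_REQ / TS_UNACCEPT notifies in terms of the configuration that causes them (strongSwan sends FAILED_CP_REQUIRED when a virtual-IP pool such as rightsourceip is configured for the peer but the peer's IKE_AUTH request did not ask for an address; matching a fixed-address peer via rightsubnet instead is the usual remedy and is stated here as the assumed fix, not as something the post confirms). The two log samples are constructed: SAMPLE_FAILED is modelled on the post's lines, SAMPLE_OK is a hypothetical road-warrior 'rw-ikev2' that does send CP(CFG_REQ); the function and field names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the charon lines in the post (not a verbatim copy):
# the IKE_AUTH request carries no CP payload, so the responder answers with
# FAIL_CP_REQ and TS_UNACCEPT and only the IKE_SA comes up.
SAMPLE_FAILED = """\
Jul 13 13:35:57 16[ENC] <2100> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jul 13 13:35:57 16[CFG] <prn17-ikev2|2100> selected peer config 'prn17-ikev2'
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> authentication of 'prn17.red.example.de' with pre-shared key successful
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> IKE_SA prn17-ikev2[2100] established between 192.168.142.17[gate.example.com]...192.168.142.13[prn17.red.example.de]
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> expected a virtual IP request, sending FAILED_CP_REQUIRED
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> traffic selectors 0.0.0.0/0 === 10.100.0.17/32 inacceptable
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> failed to establish CHILD_SA, keeping IKE_SA
Jul 13 13:35:57 16[ENC] <prn17-ikev2|2100> generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
"""

# Constructed contrast case (hypothetical road warrior 'rw-ikev2'): the client asks for a
# virtual IP with CP(CFG_REQ) and both the IKE_SA and the CHILD_SA come up.
SAMPLE_OK = """\
Jul 13 14:00:01 12[ENC] <2101> parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(CFG_REQ) SA TSi TSr ]
Jul 13 14:00:01 12[CFG] <rw-ikev2|2101> selected peer config 'rw-ikev2'
Jul 13 14:00:01 12[IKE] <rw-ikev2|2101> authentication of 'laptop.example.com' with pre-shared key successful
Jul 13 14:00:01 12[IKE] <rw-ikev2|2101> IKE_SA rw-ikev2[2101] established between 192.168.142.17[gate.example.com]...192.168.142.20[laptop.example.com]
Jul 13 14:00:01 12[IKE] <rw-ikev2|2101> CHILD_SA rw-ikev2{7} established with SPIs c0ffee01_i c0ffee02_o and TS 172.16.96.0/19 === 172.16.127.5/32
Jul 13 14:00:01 12[ENC] <rw-ikev2|2101> generating IKE_AUTH response 1 [ IDr AUTH CP(CFG_REP) SA TSi TSr N(AUTH_LFT) ]
"""

# syslog prefix, "<thread>[GROUP]", then "<conn|id>" or "<id>", then the message
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\d+\[\w+\]\s+<(?P<ctx>[^>]*)>\s+(?P<msg>.*)$")
PAYLOADS_RE = re.compile(r"(?:parsed|generating)\s+IKE_AUTH\s+(?P<dir>request|response)\s+\d+\s+\[(?P<pl>[^\]]*)\]")
TS_RE = re.compile(r"traffic selectors\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s+(?:in|un)acceptable")
AUTH_OK_RE = re.compile(r"authentication of '[^']+' with .+ successful")


@dataclass
class IkeAuthDiagnosis:
    ike_sa: str                      # charon's unique IKE_SA id, e.g. "2100"
    conn: Optional[str] = None       # selected peer config name
    peer_authenticated: bool = False
    ike_sa_established: bool = False
    child_sa_established: bool = False
    request_payloads: List[str] = field(default_factory=list)   # payload types in the IKE_AUTH request
    request_notifies: List[str] = field(default_factory=list)
    response_notifies: List[str] = field(default_factory=list)
    rejected_selectors: Optional[Tuple[str, str]] = None        # (local, remote) TS charon refused
    findings: List[str] = field(default_factory=list)


def _split_payloads(text: str) -> Tuple[List[str], List[str]]:
    """Turn 'IDi N(INIT_CONTACT) CP(CFG_REQ) ...' into payload types and notify names."""
    names, notifies = [], []
    for tok in text.split():
        names.append(tok.split("(", 1)[0])
        if tok.startswith("N("):
            notifies.append(tok[2:].rstrip(")"))
    return names, notifies


def _assess(d: IkeAuthDiagnosis) -> None:
    """Explain the responder's IKE_AUTH notifies in terms of the configuration behind them."""
    if "FAIL_CP_REQ" in d.response_notifies:
        detail = ("the peer's CP payload carried no usable address request" if "CP" in d.request_payloads
                  else "the IKE_AUTH request carried no CP payload at all")
        # assumed remedy: a fixed-address peer is matched via rightsubnet rather than a pool
        d.findings.append("FAILED_CP_REQUIRED: a virtual-IP pool (rightsourceip) is configured for this peer but "
                          + detail + "; a peer with a fixed address should be matched via rightsubnet instead")
    if "TS_UNACCEPT" in d.response_notifies:
        sel = f" (local {d.rejected_selectors[0]} === remote {d.rejected_selectors[1]})" if d.rejected_selectors else ""
        d.findings.append("TS_UNACCEPTABLE: the proposed traffic selectors match no configured subnet" + sel)


def diagnose_ike_auth(log_text: str) -> Dict[str, IkeAuthDiagnosis]:
    """Parse charon log lines and return one diagnosis per IKE_SA id."""
    sas: Dict[str, IkeAuthDiagnosis] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, _, sa_id = m.group("ctx").rpartition("|")   # "prn17-ikev2|2100" or just "2100"
        d = sas.setdefault(sa_id, IkeAuthDiagnosis(ike_sa=sa_id))
        if conn:
            d.conn = conn
        msg = m.group("msg")
        pm = PAYLOADS_RE.search(msg)
        if pm:
            names, notifies = _split_payloads(pm.group("pl"))
            if pm.group("dir") == "request":
                d.request_payloads, d.request_notifies = names, notifies
            else:
                d.response_notifies = notifies
        elif AUTH_OK_RE.search(msg):
            d.peer_authenticated = True
        elif re.search(r"\bIKE_SA \S+ established\b", msg):
            d.ike_sa_established = True
        elif re.search(r"\bCHILD_SA \S+ established\b", msg):
            d.child_sa_established = True
        elif (tm := TS_RE.search(msg)):
            d.rejected_selectors = (tm.group("local"), tm.group("remote"))
    for d in sas.values():
        _assess(d)
    return sas
```

Run it over a log file's text (for example `diagnose_ike_auth(open("/var/log/charon.log").read())`) and print each diagnosis's `findings`; for the post's exchange it reports the missing CP payload alongside the rejected selector pair 0.0.0.0/0 === 10.100.0.17/32, while the contrast sample yields no findings.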
