#1 2020-09-22 09:56:21

blackout
Member
Registered: 2014-05-21
Posts: 38

Strongswan IKEv1 connection Problem

Sorry but I need help. My head is completely stuck at this point.

I have installed strongSwan
and wanted to establish a connection to a customer's site.
All I know is that they have Cisco routers, and I have no clue about how to configure strongSwan.

Screenshot-from-2020-09-22-11-36-41.png

This is the doc I got from them.

I tried the following config:

/etc/ipsec.conf

config setup
	charondebug="all"

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev1
	authby=secret

conn net-net
	left=%any
	leftsubnet=10.0.0.0/24
	leftid=144.0.0.0
	right=194.0.0.0
	rightsubnet=10.150.30.3/24
	rightid=194.0.0.0
	auto=add
	ike=aes256-sha1-modp1536!
	esp=aes256-sha1-modp1536!

/etc/ipsec.secrets

144.0.0.0 194.0.0.0 : PSK "1*************************************************************************************************************z"
> $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: wls5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:42:a6:2f:40:fe brd ff:ff:ff:ff:ff:ff
    altname wlp7s0
    inet 10.0.0.254/24 brd 10.0.0.255 scope global dynamic noprefixroute wls5
       valid_lft 55684sec preferred_lft 55684sec
    inet6 fe80::e642:a6ff:fe2f:40fe/64 scope link 
       valid_lft forever preferred_lft forever
> $ sudo ipsec up net-net
initiating Main Mode IKE_SA net-net[2] to 194.0.0.0
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.0.0.254[500] to 194.0.0.0[500] (180 bytes)
received packet: from 194.0.0.0[500] to 10.0.0.254[500] (104 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.0.0.254[500] to 194.0.0.0[500] (308 bytes)
received packet: from 194.0.0.0[500] to 10.0.0.254[500] (368 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: bb:bd:c9:ec:02:e6:95:58:bf:67:ee:5a:86:fb:6d:47
received XAuth vendor ID
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.0.0.254[4500] to 194.0.0.0[4500] (108 bytes)
received packet: from 194.0.0.0[4500] to 10.0.0.254[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA net-net[2] established between 10.0.0.254[144.0.0.0]...194.0.0.0[194.0.0.0]
scheduling reauthentication in 3333s
maximum IKE_SA lifetime 3513s
generating QUICK_MODE request 3140082308 [ HASH SA No KE ID ID ]
sending packet: from 10.0.0.254[4500] to 194.0.0.0[4500] (380 bytes)
received packet: from 194.0.0.0[4500] to 10.0.0.254[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 2013420777 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'net-net' failed
> $ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.0, Linux 5.9.0-rc6-1-mainline, x86_64):
  uptime: 17 minutes, since Sep 22 11:33:56 2020
  malloc: sbrk 2945024, mmap 0, used 948128, free 1996896
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon ldap pkcs11 aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ntru drbg newhope bliss curl mysql sqlite attr kernel-netlink resolve socket-default bypass-lan connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity counters
Listening IP addresses:
  10.0.0.254
Connections:
     net-net:  %any...194.0.0.0  IKEv1
     net-net:   local:  [144.0.0.0] uses pre-shared key authentication
     net-net:   remote: [194.0.0.0] uses pre-shared key authentication
     net-net:   child:  10.0.0.0/24 === 10.150.30.0/24 TUNNEL
Shunted Connections:
Bypass LAN 10.0.0.0/24:  10.0.0.0/24 === 10.0.0.0/24 PASS
Bypass LAN ::1/128:  ::1/128 === ::1/128 PASS
Bypass LAN fe80::/64:  fe80::/64 === fe80::/64 PASS
Security Associations (1 up, 0 connecting):
     net-net[2]: ESTABLISHED 2 minutes ago, 10.0.0.254[144.0.0.0]...194.0.0.0[194.0.0.0]
     net-net[2]: IKEv1 SPIs: 0e24f507_i* 4e78_r, pre-shared key reauthentication in 52 minutes
     net-net[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536


On ipsec up I get a NO_PROPOSAL_CHOSEN error, but on statusall I get 1 connection up.

BTW: IPTABLES completely empty, just trying everything.

Shouldn't there be something like this on ipsec statusall?

vpn-to-asa: child: 192.168.2.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=restart
vpn-to-asa{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0d93265_i 599b4d60_o
vpn-to-asa{2}: 192.168.2.0/24 === 192.168.1.0/24

If someone has an idea how to fix this mess I would be very happy and would give a PayPal tip.

Last edited by blackout (2020-09-22 10:47:47)
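An added triage helper (not from the post, not strongSwan's own code) that reads the `ipsec up` output above and reports how far the IKEv1 negotiation got: Main Mode (phase 1) established, Quick Mode (phase 2) rejected with NO_PROPOSAL_CHOSEN, and whether the Quick Mode request carried a KE payload (PFS). It also checks two config values the way charon treats them: `rightsubnet=10.150.30.3/24` is used as 10.150.30.0/24 (matching the statusall output), and a DH group in `esp=` means PFS is requested and must be enabled on the peer as well. The sample log lines are copied from the post; the line patterns assumed are charon's `IKE_SA ... established`, `CHILD_SA ... established` and `NO_PROPOSAL_CHOSEN` messages.

```python
import ipaddress
import re

# Constructed sample: the relevant lines from the "ipsec up net-net" output in the post.
SAMPLE_LOG = """\
initiating Main Mode IKE_SA net-net[2] to 194.0.0.0
selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
IKE_SA net-net[2] established between 10.0.0.254[144.0.0.0]...194.0.0.0[194.0.0.0]
generating QUICK_MODE request 3140082308 [ HASH SA No KE ID ID ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'net-net' failed
"""

def classify_ikev1(log):
    """Walk charon's log lines and report how far the IKEv1 negotiation got."""
    state = {"phase1_up": False, "phase2_up": False, "failed_in": None,
             "ike_proposal": None, "quick_mode_pfs": False}
    for line in log.splitlines():
        m = re.search(r"selected proposal: IKE:(\S+)", line)
        if m:
            state["ike_proposal"] = m.group(1)
        if line.startswith("IKE_SA") and " established " in line:
            state["phase1_up"] = True        # Main Mode (phase 1) completed
        if line.startswith("generating QUICK_MODE request") and " KE " in line:
            state["quick_mode_pfs"] = True   # KE payload in Quick Mode: PFS is requested
        if line.startswith("CHILD_SA") and " established " in line:
            state["phase2_up"] = True        # Quick Mode (phase 2) completed
        if "NO_PROPOSAL_CHOSEN" in line and state["failed_in"] is None:
            # Peer rejected a proposal; the phase depends on whether the IKE_SA already exists.
            state["failed_in"] = "phase2" if state["phase1_up"] else "phase1"
    return state

def normalize_subnet(value):
    """charon zeroes host bits in leftsubnet/rightsubnet (10.150.30.3/24 -> 10.150.30.0/24).
    Return the network actually used and whether the configured value differed from it."""
    net = str(ipaddress.ip_network(value, strict=False))
    return net, net != value

def esp_requests_pfs(esp):
    """True if the esp= proposal carries a DH group, i.e. PFS must be enabled on the peer too."""
    return re.search(r"-(modp\d+|ecp\d+|curve25519|x25519)", esp) is not None

if __name__ == "__main__":
    print(classify_ikev1(SAMPLE_LOG))
    print(normalize_subnet("10.150.30.3/24"))
    print(esp_requests_pfs("aes256-sha1-modp1536!"))
```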
