[strongSwan] Apple IOS 10 VPN
Jim, Here is a configuration that works for iOS 10: http://xpu.ca/strongswan-ubuntu/ Derek. > Can anyone share a working configuration between Strongswan and > Apple IOS 10? > > ___ > > > Jim Buttafuoco > jim at contacttelecom.com > 603-647-7170 > 603-490-3409 - Cell > jimbuttafuoco - Skype ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] StrongSwan not responding to DPD messages when modeconfig=push.
Hi All Stalwarts out there , Based on the strongswan logs , it is evident that the Strongswan server is waiting for the acknowledgement for the below request from the ShrewSoft VPN Client. Sep 24 12:58:15 router6654A1 charon: 15[ENC] generating TRANSACTION request 1589939411 [ HASH CPS(ADDR DNS) ] The ShrewSoft VPN Client is not responding to the messages and therefore Strongswan is indefinitely waiting for the response , subsequently queuing all the new requests [DPD Requests] and the client finally tearing down the connection as DPD response is not received. We've the following questions . 1. Why does strongswan wait for the response in spite of assigning the IP requested by client ? 2. Sometimes , shrew soft client is reporting "Invalid message from the gateway" for this transaction request HASH CPS(ADDR DNS) and closing the connection ? 3. Is this an interoperability issue ? Is Shrew soft client not interoperable with Mode-Config standard ? Awaiting the response badly. Thanks Chaitanya On Fri, Oct 21, 2016 at 4:05 PM, chaitanya vinnakota < chaitanya.sa...@gmail.com> wrote: > Hi Tobias, > > The mode configured in strongswan is "push" and the IP assignment to the > VPN client happened after activating MODE_CONFIG task . I'm also sorry to > confuse you with incorrect configuration. The below is the configuration > running in the current scenario. > > > conn c2s_ShrewSoftSrv > auto=add > left=44.44.44.1 > right=44.44.44.2 > aggressive=yes > leftauth=psk > rightauth=psk > leftid=44.44.44.1 > rightid=44.44.44.2 > ike=3des-sha1-modp1024! > ikelifetime=28800s > esp=3des-sha1! > lifetime=3600s > rekeymargin=180s > dpddelay=40 > dpdtimeout=120 > dpdaction=clear > rightsourceip=%config > modeconfig=push > leftsubnet=0.0.0.0/0 > rightauth2=xauth > xauth=server > rightdns=192.168.1.1 > > Below is the excerpt from the logs, where IP assignment [10.0.0.1] > proposed by the VPN client happened after activating MODE_CONFIG task. > > Sep 24 12:58:15 router6654A1 charon: 16[ENC] parsed TRANSACTION > request 3221496499 [ HASH CPRQ(U_SPLITINC U_LOCALLAN U_BANNER U_SAVEPWD > U_NATTPORT VER U_FWTYPE) ] > Sep 24 12:58:15 router6654A1 charon: 16[IKE] processing > UNITY_SPLIT_INCLUDE attribute > Sep 24 12:58:15 router6654A1 charon: 16[IKE] processing > UNITY_LOCAL_LAN attribute > Sep 24 12:58:15 router6654A1 charon: 16[IKE] processing UNITY_BANNER > attribute > Sep 24 12:58:15 router6654A1 charon: 16[IKE] processing > UNITY_SAVE_PASSWD attribute > Sep 24 12:58:15 router6654A1 charon: 16[IKE] processing > UNITY_NATT_PORT attribute > Sep 24 12:58:15 router6654A1 charon: 16[IKE] processing > APPLICATION_VERSION attribute > Sep 24 12:58:15 router6654A1 charon: 16[IKE] processing > UNITY_FW_TYPE attribute > Sep 24 12:58:15 router6654A1 charon: 16[ENC] generating TRANSACTION > response 3221496499 [ HASH CPRP(DNS) ] > Sep 24 12:58:15 router6654A1 charon: 16[NET] sending packet: from > 44.44.44.1[500] to 44.44.44.2[500] (76 bytes) > Sep 24 12:58:15 router6654A1 charon: 15[IKE] queueing MODE_CONFIG > task > Sep 24 12:58:15 router6654A1 charon: 15[IKE] activating new tasks > Sep 24 12:58:15 router6654A1 charon: 15[IKE] activating > MODE_CONFIG task > Sep 24 12:58:15 router6654A1 charon: 15[IKE] assigning virtual IP > %any to peer 'cisco' > Sep 24 12:58:15 router6654A1 charon: 15[CFG] proposing traffic > selectors for us: > Sep 24 12:58:15 router6654A1 charon: 15[CFG] 0.0.0.0/0 > Sep 24 12:58:15 router6654A1 charon: 15[ENC] generating TRANSACTION > request 1589939411 [ HASH CPS(ADDR DNS) ] > Sep 24 12:58:15 router6654A1 charon: 15[NET] sending packet: from > 44.44.44.1[500] to 44.44.44.2[500] (76 bytes) > Sep 24 12:58:15 router6654A1 charon: 15[IKE] delaying task > initiation, TRANSACTION exchange in progress > Sep 24 12:58:17 router6654A1 charon: 10[NET] received packet: from > 44.44.44.2[500] to 44.44.44.1[500] (156 bytes) > Sep 24 12:58:17 router6654A1 charon: 10[ENC] parsed QUICK_MODE > request 1840906332 [ HASH SA No ID ID ] > Sep 24 12:58:17 router6654A1 charon: 10[CFG] looking for a child > config for 0.0.0.0/0 === 10.0.0.1/32 > Sep 24 12:58:17 router6654A1 charon: 10[CFG] proposing traffic > selectors for us: > Sep 24 12:58:17 router6654A1 charon: 10[CFG] 0.0.0.0/0 > Sep 24 12:58:17 router6654A1 charon: 10[CFG] proposing traffic > selectors for other: > Sep 24 12:58:17 router6654A1 charon: 10[CFG] 0.0.0.0/0 > Sep 24 12:58:17 router6654A1 charon: 10[CFG] candidate > "c2s_ShrewSoftSrv" with prio 5+1 > Sep 24 12:58:17 router6654A1 charon: 10[CFG] found matching child > config "c2s_ShrewSoftSrv" with prio 6 > Sep 24 12:58:17 router6654A1 charon: 10[CFG] selecting traffic > selectors for other: > Sep 24 12:58:17 router6654A1 charon: 10[CFG] config: 0.0.0.0/0, > received: 10.0.0.1/32 => match: 10.0.0.1/32 > > > After initiation
Re: [strongSwan] StrongSwan IPSEC/L2TP VPN Client to Zyxel USG-20W
I got past this issue by switching from strongswan to openswan. I never figured out what's wrong with the strongswan connection, but openswan worked more or less "out of the box" on the Linux box as did the Windows 10 native client in my earlier trials. From: Userson behalf of Tom Jackson Sent: Monday, October 24, 2016 8:19:22 PM To: users@lists.strongswan.org Subject: [strongSwan] StrongSwan IPSEC/L2TP VPN Client to Zyxel USG-20W I've configured a Zyxel USG-20W at the office as a IPsec/L2TP VPN server. I can successfully connect to this from multiple Windows 10 machines using the built-in client, and have tested this on multiple remote networks. This setup uses a pre-shared key, and "Type of sign-in info" in the Windows configuration is "User name and password." The pre-shared key, user name, and password are all correspondingly entered into the configuration of the Zyxel. I'm trying now to configure a Linux client, running StrongSwan on the Debian Linux machine. This is not working. In the configuration info that follows, office-public-ip is a place holder for the actual IP in W.X.Y.Z format, home-public-ip is the IP (same format) that I get from the home location where I'm running the test, and home-lan-ip is the IP for the Linux box as assigned via DHCP from my home router, e.g. a number in the range 192.168.A.B. I think this doesn't matter, but... I am accessing the Zyxel from home during the testing via an IPsec/L2TP VPN session from a Windows 10 machine. That Windows 10 machine then has the same public IP as the Linux box that I'm trying to test, but, of course, a different local number at home 192.168.A.C, and also a IP address representing it on the work network ala the VPN connection as 192.168.D.1. The Zyxel's local IP address is 192.168.E.1, where A, D, and E are all different numbers corresponding to different subnets. Setup on the Linux machine in ipsec.conf: --- config setup charondebug="ike 5" conn Conn authby=secret keyexchange=ikev1 esp=aes256-sha256 ike=aes256-sha256-modp1024! auto=add type=transport left=%defaultroute right=office-public-ip The IKE and ESP match protocols configured on the Zyxel. (If I change them to something that doesn't match, I get a different error than what I'm going to show below.) I restarted ipsec after changing the file with sudo /etc/init.d/ipsec restart and then I try to bring up the connection with sudo ipsec up Conn In the terminal on the Debian box, I get these messages: initiating Main Mode IKE_SA Conn[1] to office-public-ip generating ID_PROT request 0 [SA V V V V] sending packet: from home-lan-ip[500] to office-public-ip[500] (156 bytes) received packet from office-public-ip[500] to home-lan-ip[500] (84 bytes) parsed ID_PROT response 0 [ SA ] generating ID_PROT request 0 [ KE No ] sending packet: from home-lan-ip[500] to office-public-ip[500] (196 bytes) received packet from office-public-ip[500] to home-lan-ip[500] (91 bytes) parsed INFORMATIONAL_V1 request 3824697940 [ N(AUTH_FAILED) ] received AUTHENTICATION_FAILED error notify establishing connection ‘Conn’ failed The log messages on the Zyxel are (abbreviating the various cookie values): Recv Main Mode request from [home-public-ip] The cookie pair is : 0x027... / 0x074… Recv: [SA] [VID][VID] [VID][VID] Recv: IKE sa: SA([0] protocol = IKE(1), AES CBC key len = 256, HMAC-SHA256 PRF, HMAC-SHA265-128, 1024 bit MODP;). The cookie pair is 0x074… / 0x027… [SA] : No proposal chosen Send:[SA] Recv:[KE][NONCE] Send:[NOTIFY:AUTHENTICATION_FAILED] The cookie pair is : 0x074… / 0x027… ISAKMP SA [] is disconnected In contrast, the Phase 1 log messages from a successful session initiated by one of the Windows clients are Recv Main Mode request from [home-public-ip] The cookie pair is : 0xe099… / 0xe98… Recv: [SA] [VID][VID] [VID][VID] [VID][VID] [VID][VID] Recv IKE sa: SA([0] protocol = IKE(1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bin ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP;). The cookie pair is 0x099… / 0xe098… Send: [SA] [VID][VID] [VID][VID] [VID][VID] [VID][VID] Recv: [KE][NONCE][PRV][PRV] Send: [KE][NONCE][PRV][PRV] Recv: [ID][HASH] The cookie pair is : 0x099… / 0xe098 Send: [ID][HASH] The cookie pair is : 0x099… / 0xe098 Phase 1 IKE SA process done (From this point, the successful session has another sequences of log messages corresponding to Phase 2. Also, the Windows machine must be accepted using 3DES-SHA1-DH2 since that's the apparent overlap between the Windows proposal and what's allowed by the Zyxel's current configuration.) It would seem that the StrongSwan client is sending less information for authentication, but I have not figured out exactly what's not being sent and how to make it go.