Hello all,

I'm struggling with a problem with the strongSwan 5.2.1 client. I have a high-end Juniper SRX as VPN gateway, which is working fine and was tested with another VPN client.
I'm using IKEv1 aggressive mode, PSK+XAUTH. IKE phase 1 is connecting properly. The problem is in phase 2, with getting a virtual IP from the VPN gateway. Here are the logs I get:

initiating Aggressive Mode IKE_SA test[1] to 192.168.yy.yy
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
sending packet: from 192.168.xx.xx[500] to 192.168.yy.yy[500] (350 bytes)
received packet: from 192.168.yy.yy[500] to 192.168.xx.xx[500] (409 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D ]
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
faking NAT situation to enforce UDP encapsulation
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (108 bytes)
received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (76 bytes)
parsed TRANSACTION request 4287602294 [ HASH CPRQ(X_USER X_PWD) ]
generating TRANSACTION response 4287602294 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (92 bytes)
received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (76 bytes)
parsed TRANSACTION request 4124377813 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'user' (myself) successful
IKE_SA test[1] established between 192.168.xx.xx[HIDDED_ID1]...192.168.yy.yy[HIDDEN_ID2]
scheduling reauthentication in 86220s
maximum IKE_SA lifetime 86400s
generating TRANSACTION response 4124377813 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
generating TRANSACTION request 2379419226 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (92 bytes)
queueing TRANSACTION request as tasks still active
received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (60 bytes)
payload of type CONFIGURATION_V1 not occurred 1 times (0)
message verification failed
generating INFORMATIONAL_V1 request 1197204442 [ HASH N(PLD_MAL) ]
sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
TRANSACTION response with message ID 2379419226 processing failed
connection 'test' not established after 4000ms, detaching

Configuration of the ipsec.conf file:

conn %default
    keyingtries=%forever
    mobike=no
    ikelifetime=86400
    keylife=86400
    rekeymargin=180s
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1-modp1024!
    authby=xauthpsk
    dpdaction=restart
    dpddelay=10
    dpdtimeout=30
    rekeyfuzz=0%
    auto=add
    keyexchange=ikev1
    rightid=HIDDEN_ID2
    right=192.168.yy.yy

conn test
    aggressive=yes
    left=192.168.xx.xx
    leftid=HIDDEN_ID1
    leftauth=psk
    leftauth2=xauth
    leftsourceip=%config
    leftsubnet=10.aa.aa.aa/32
    rightsubnet=10.bb.bb.bb/32
    rightauth=psk
    xauth=client
    xauth_identity=user

Has anybody had a similar problem with IKEv1 aggressive PSK+XAUTH with a virtual IP? I'd be really grateful for some help or a hint.

Best Regards,
Marcin Kieliszczyk
