Hello MK,

Please enable CISCO UNITY and omit "leftsubnet". If you use virtual IPs, those should be included in the traffic selector. "leftsubnet" defaults to "%dynamic". "%dynamic" is replaced dynamically by either the received virtual IP or the value of "left".
Also, please compile/download and install and load the UNITY plugin and enable it by setting the "charon.cisco_unity" key in strongswan.conf to "yes". That will enable support for split tunneling in IKEv1.
I think you need a configuration similar to [1] and [2].

[1] http://www.strongswan.org/uml/testresults/ikev1/virtual-ip/index.html
[2] http://www.strongswan.org/uml/testresults/ikev1/rw-cert-unity/index.html

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 22.12.2014 at 13:51, MK wrote:
> Thank you Martin.
> It helped, IPsec is now established but only IKE Phase 1 is up. Logs are
> saying that everything established successfully, but no Phase 2 is up.
>
> root@enb-17:/etc# ipsec restart
> Stopping strongSwan IPsec...
> Starting strongSwan 5.2.1 IPsec [starter]...
> root@enb-17:/etc# ipsec up test
> initiating Aggressive Mode IKE_SA test[1] to 192.168.yy.yy
> generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
> sending packet: from 192.168.xx.xx[500] to 192.168.yy.yy[500] (350 bytes)
> received packet: from 192.168.yy.yy[500] to 192.168.xx.xx[500] (409 bytes)
> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D ]
> received DPD vendor ID
> received NAT-T (RFC 3947) vendor ID
> received unknown vendor ID:
> 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
> faking NAT situation to enforce UDP encapsulation
> generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (108 bytes)
> received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (76 bytes)
> parsed TRANSACTION request 4069442794 [ HASH CPRQ(X_USER X_PWD) ]
> generating TRANSACTION response 4069442794 [ HASH CPRP(X_USER X_PWD) ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (92 bytes)
> received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (76 bytes)
> parsed TRANSACTION request 666211454 [ HASH CPS(X_STATUS) ]
> XAuth authentication of 'user' (myself) successful
> IKE_SA test[1] established between 192.168.xx.xx[HIDDEN_ID1]...192.168.yy.yy[HIDDEN_ID2]
> scheduling reauthentication in 86220s
> maximum IKE_SA lifetime 86400s
> generating TRANSACTION response 666211454 [ HASH CPA(X_STATUS) ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
> received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (92 bytes)
> parsed TRANSACTION request 1168201470 [ HASH CPS(ADDR MASK SUBNET) ]
> handling INTERNAL_IP4_NETMASK attribute failed
> handling INTERNAL_IP4_SUBNET attribute failed
> installing new virtual IP 10.20.zz.zz
> generating TRANSACTION response 1168201470 [ HASH CPA(ADDR) ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
> generating QUICK_MODE request 1154954290 [ HASH SA No KE ID ID ]
> sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (316 bytes)
> received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (300 bytes)
> parsed QUICK_MODE response 1154954290 [ HASH SA No KE ID ID ]
> connection 'test' established successfully
>
> root@enb-17:/etc# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.10.41-031041-generic, x86_64):
>   uptime: 15 seconds, since Dec 22 13:43:47 2014
>   malloc: sbrk 675840, mmap 0, used 535920, free 139920
>   worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 9
>   loaded plugins: charon test-vectors ldap pkcs11 aes des rc2 sha1 sha2 md5
>   random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
>   dnskey sshkey pem openssl fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl
>   attr kernel-libipsec kernel-netlink resolve socket-default farp stroke updown
>   eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls
>   eap-tnc xauth-generic tnc-tnccs dhcp led addrblock
> Listening IP addresses:
>   *
> Connections:
>         test:  192.168.xx.xx...192.168.yy.yy  IKEv1 Aggressive, dpddelay=10s
>         test:   local:  [HIDDEN_ID1] uses pre-shared key authentication
>         test:   local:  [HIDDEN_ID1] uses XAuth authentication: any with XAuth identity 'user'
>         test:   remote: [HIDDEN_ID2] uses pre-shared key authentication
>         test:   child:  10.xx.xxx.xx/32 === 10.yy.yy.yy/32 TUNNEL, dpdaction=restart
> Security Associations (1 up, 0 connecting):
>         test[1]: ESTABLISHED 8 seconds ago, 192.168.xx.xx[HIDDEN_ID1]...192.168.yy.yy[HIDDEN_ID2]
>         test[1]: IKEv1 SPIs: b88fcca7af8ef6fb_i* ed25f627ba68ed81_r, pre-shared key+XAuth reauthentication in 23 hours
>         test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> root@enb-17:/etc#
>
>
> I'm wondering - should Strongswan aggressive mode psk xauth with Juniper SRX
> devices?
>
> Here's IPsec.conf..
>
> conn %default
>         keyingtries=%forever
>         mobike=no
>         ikelifetime=86400
>         keylife=86400
>         rekeymargin=180s
>         ike=aes128-sha1-modp1024!
>         esp=aes128-sha1-modp1024!
>         authby=xauthpsk
>         dpdaction=restart
>         dpddelay=10
>         dpdtimeout=30
>         rekeyfuzz=0%
>         auto=add
>         keyexchange=ikev1
>         rightid=HIDDEN_ID2
>         right=192.168.yy.yy
>
> conn test
>         aggressive=yes
>         left=192.168.xx.xx
>         leftid=HIDDEN_ID1
>         leftauth=psk
>         leftauth2=xauth
>         leftsourceip=%config
>         leftsubnet=10.aa.aa.aa/32
>         rightsubnet=10.bb.bb.bb/32
>         rightauth=psk
>         xauth=client
>         xauth_identity=user
>         modeconfig=push
>
> Best Regards,
> Marcin
>
>
> 2014-12-19 16:35 GMT+01:00 Martin Willi <[email protected]>:
>
> > Hi,
> >
> > > generating TRANSACTION response 4124377813 [ HASH CPA(X_STATUS) ]
> > > sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
> > > generating TRANSACTION request 2379419226 [ HASH CPRQ(ADDR DNS) ]
> > > sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)
> > > received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (92 bytes)
> > > queueing TRANSACTION request as tasks still active
> > > received packet: from 192.168.yy.yy[4500] to 192.168.xx.xx[4500] (60 bytes)
> > > payload of type CONFIGURATION_V1 not occurred
> >
> > Your gateway is initiating a TRANSACTION request after XAuth. Most
> > likely it is configured to use push mode, while strongSwan performs a
> > Mode Config pull.
> >
> > Try to switch to push mode in strongSwan by setting modeconfig=push in
> > your connection definition.
> >
> > Regards
> > Martin
>
>
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
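The configuration Noel describes, written out as an added example (it is not from this thread or from the strongSwan project's own test cases): MK's "conn test" with leftsubnet removed so the local selector defaults to %dynamic, plus the strongswan.conf key that turns on the Unity extensions. Addresses and identities are the placeholders from the thread; the strongswan.conf path, the "--enable-unity" build flag and keeping MK's rightsubnet value are assumptions.

```conf
# /etc/strongswan.conf (assumed path): enable the Cisco Unity extensions.
# The unity plugin must be compiled in (assumed: ./configure --enable-unity)
# and show up under "loaded plugins" in "ipsec statusall".
charon {
    cisco_unity = yes
}

# /etc/ipsec.conf: MK's "conn test" without leftsubnet. With no leftsubnet
# the local traffic selector is %dynamic, which charon replaces with the
# virtual IP received via Mode Config (10.20.zz.zz in MK's log), so the
# Phase 2 selector proposed to the gateway matches the assigned address.
conn test
    keyexchange=ikev1
    aggressive=yes
    auto=add
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1-modp1024!
    left=192.168.xx.xx
    leftid=HIDDEN_ID1
    leftauth=psk
    leftauth2=xauth
    leftsourceip=%config
    # Gateway pushes the attributes (see Martin's reply), so keep push mode.
    modeconfig=push
    xauth=client
    xauth_identity=user
    right=192.168.yy.yy
    rightid=HIDDEN_ID2
    rightauth=psk
    # Kept from MK's configuration (assumption that this remote selector is wanted).
    rightsubnet=10.bb.bb.bb/32
    dpdaction=restart
    dpddelay=10
    dpdtimeout=30
```

After "ipsec restart" and "ipsec up test", the child line in "ipsec statusall" should show the received virtual IP (/32) as the local side of the selector instead of the static 10.aa.aa.aa/32.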
