Hello Bas,

You might also want to enable the Cisco Unity extension in strongSwan by
setting charon.cisco_unity = yes in strongswan.conf and restarting the
daemon. For that to work, you also need to have the unity plugin loaded.

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 13.02.2015 at 21:17, Bas van Dijk wrote:
> Hi Noel,
>
> Thanks for your reply.
>
> I did already try esp=aes128-sha1! which didn't help. I will try
> esp=aes128-sha! when I'm back at the office.
>
> Cheers,
>
> Bas
>
> On 13 February 2015 at 19:17, Noel Kuntze <[email protected]> wrote:
>> Hello Bas,
>>
>> That usually means that the two peers could not decide on a common cipher
>> proposal.
>> It is likely that the Cisco peer has PFS disabled. The normal cipher proposal
>> for phase two on strongSwan is all PFS by default. Try this: esp=aes128-sha1! or
>> esp=aes128-sha!
>> That will set the proposal for phase two to only propose AES-CBC-128 and SHA1
>> in combination without PFS.
>>
>> Kind regards/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 13.02.2015 at 16:48, Bas van Dijk wrote:
>>> I solved the "no netkey IPsec stack detected" errors. It turned out
>>> that the NixOS strongSwan configuration used a modprobe which couldn't
>>> find the right kernel modules. I fixed that and now it starts up
>>> without that error. See the log at: http://pastebin.com/ufutkmdC
>>>
>>> However, my original problem remains. With the following ipsec.conf:
>>>
>>> conn data-display
>>>     aggressive=no
>>>     auto=add
>>>     fragmentation=yes
>>>     ike=des-sha1-modp1024
>>>     ikelifetime=24h
>>>     keyexchange=ikev1
>>>     left=%any
>>>     leftauth=psk
>>>     leftfirewall=yes
>>>     leftid=83.161.66.130
>>>     lifetime=1h
>>>     right=213.163.70.4
>>>     rightauth=psk
>>>     rightsubnet=10.180.0.0/16
>>>
>>> I get the following error:
>>>
>>> $ sudo ipsec up data-display
>>> initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
>>> generating ID_PROT request 0 [ SA V V V V V ]
>>> sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (220 bytes)
>>> received packet: from 213.163.70.4[500] to 192.168.42.178[500] (128 bytes)
>>> parsed ID_PROT response 0 [ SA V V ]
>>> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>> received FRAGMENTATION vendor ID
>>> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
>>> sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (244 bytes)
>>> received packet: from 213.163.70.4[500] to 192.168.42.178[500] (304 bytes)
>>> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
>>> received Cisco Unity vendor ID
>>> received XAuth vendor ID
>>> received unknown vendor ID:
>>> 4a:1c:a1:c6:1d:26:60:b5:3f:0b:02:29:da:eb:0e:5a
>>> received unknown vendor ID:
>>> 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
>>> local host is behind NAT, sending keep alives
>>> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
>>> sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (84 bytes)
>>> received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
>>> parsed ID_PROT response 0 [ ID HASH V ]
>>> received DPD vendor ID
>>> IKE_SA data-display[1] established between
>>> 192.168.42.178[83.161.66.130]...213.163.70.4[213.163.70.4]
>>> scheduling reauthentication in 85668s
>>> maximum IKE_SA lifetime 86208s
>>> generating QUICK_MODE request 384749459 [ HASH SA No ID ID ]
>>> sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (228 bytes)
>>> received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
>>> parsed INFORMATIONAL_V1 request 1953095225 [ HASH N(NO_PROP) ]
>>> received NO_PROPOSAL_CHOSEN error notify
>>> establishing connection 'data-display' failed
>>>
>>> What does NO_PROPOSAL_CHOSEN mean?
>>>
>>> Thanks,
>>>
>>> Bas
>>>
>>> On 10 February 2015 at 16:48, Bas van Dijk <[email protected]> wrote:
>>>> Hello,
>>>>
>>>> Apologies in advance for the rather long message but I'm new to
>>>> strongSwan and want to include as much information as I think is
>>>> relevant to my problem.
>>>>
>>>> I'm having some problems using strongSwan-5.2.2 to establish a
>>>> connection to a host on the subnet 10.180.0.0/16 which is behind the
>>>> gateway 213.163.70.4. The IP address of my machine is 192.168.42.162
>>>> and I'm using NAT to access the internet. My public IP address is:
>>>> 83.161.66.130. I don't control the 213.163.70.4 gateway and I have
>>>> been told it uses the following settings:
>>>>
>>>> Target address: 213.163.70.4
>>>> Source address: 83.161.66.130
>>>> IKE SA: Phase 1
>>>>   Encryption: AES-128 with SHA-1
>>>>   Diffie-Hellman: Group 2
>>>>   SA lifetime: 86400 seconds
>>>>   IKE negotiation mode: Main (non-aggressive)
>>>>   Pre-shared key: XXXX (censored)
>>>> IPsec proposal: Phase 2
>>>>   Encryption: AES-128 with SHA-1
>>>>   IPsec type: ESP
>>>>   IPsec tunnel lifetime: 3600 seconds
>>>>
>>>> I set my ipsec.secrets (censored) to:
>>>> 213.163.70.4 %any : PSK 0xXXXX
>>>>
>>>> ipsec.conf:
>>>> conn data-display
>>>>     aggressive=no
>>>>     authby=secret
>>>>     auto=add
>>>>     esp=aes128-sha1
>>>>     fragmentation=yes
>>>>     ike=des-sha1-modp1024
>>>>     ikelifetime=24h
>>>>     keyexchange=ikev1
>>>>     left=%any
>>>>     leftfirewall=yes
>>>>     leftid=83.161.66.130
>>>>     lifetime=1h
>>>>     right=213.163.70.4
>>>>     rightsubnet=10.180.0.0/16
>>>>
>>>> I noticed from the strongSwan logs that the gateway is a Cisco Unity
>>>> device so I configured strongSwan with --enable-unity. I'm not sure
>>>> that is required.
>>>>
>>>> When I start strongSwan using "sudo systemctl start strongswan" I get
>>>> the following log (I'm using logging level 2):
>>>>
>>>> http://pastebin.com/pC1WYegL
>>>>
>>>> I'm a bit confused why I get the "no netkey IPsec stack detected"
>>>> warning since all required[1] kernel options are enabled (either built
>>>> in or as modules). In particular:
>>>>
>>>> cat /proc/config.gz | gunzip | grep CONFIG_NET_KEY=
>>>> CONFIG_NET_KEY=m
>>>>
>>>> Since it's a warning I ignore it for a moment and try to start up the
>>>> "data-display" connection using "sudo ipsec up data-display". I get
>>>> the following output:
>>>>
>>>> initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
>>>> generating ID_PROT request 0 [ SA V V V V V ]
>>>> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (220 bytes)
>>>> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (128 bytes)
>>>> parsed ID_PROT response 0 [ SA V V ]
>>>> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>>> received FRAGMENTATION vendor ID
>>>> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
>>>> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (244 bytes)
>>>> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (304 bytes)
>>>> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
>>>> received Cisco Unity vendor ID
>>>> received XAuth vendor ID
>>>> received unknown vendor ID:
>>>> c5:dd:ab:2d:d0:7e:27:16:a3:59:1d:ba:91:49:75:8d
>>>> received unknown vendor ID:
>>>> 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
>>>> local host is behind NAT, sending keep alives
>>>> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
>>>> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (84 bytes)
>>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>>>> parsed ID_PROT response 0 [ ID HASH V ]
>>>> received DPD vendor ID
>>>> IKE_SA data-display[1] established between
>>>> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
>>>> scheduling reauthentication in 85593s
>>>> maximum IKE_SA lifetime 86133s
>>>> generating QUICK_MODE request 3299461263 [ HASH SA No ID ID ]
>>>> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (204 bytes)
>>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>>>> parsed INFORMATIONAL_V1 request 1571124148 [ HASH N(NO_PROP) ]
>>>> received NO_PROPOSAL_CHOSEN error notify
>>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>>>> parsed INFORMATIONAL_V1 request 3331205321 [ HASH D ]
>>>> received DELETE for IKE_SA data-display[1]
>>>> deleting IKE_SA data-display[1] between
>>>> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
>>>> establishing connection 'data-display' failed
>>>>
>>>> The following is posted to syslog:
>>>>
>>>> http://pastebin.com/1Vj1rXaq
>>>>
>>>> So I can see that an IKE_SA is established between me and the gateway.
>>>> However, after that something goes wrong.
>>>>
>>>> Can somebody explain what is going wrong and point me in the right
>>>> direction?
>>>>
>>>> Also note that I'm using NixOS running in VirtualBox. My virtual NIC
>>>> is bridged to my physical NIC.
>>>>
>>>> Let me know if any more information is desired.
>>>>
>>>> Cheers,
>>>>
>>>> Bas
>>>>
>>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> https://lists.strongswan.org/mailman/listinfo/users
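As an added example (not code from this thread or from the strongSwan project), a small Python triage script that scans the "ipsec up" output quoted above and reports in which IKEv1 phase the NO_PROPOSAL_CHOSEN notify arrived, together with the two hints given in the thread (pin the phase 2 proposal with esp=...!, enable Cisco Unity). It also generalizes to a phase 1 rejection, which the thread does not show; the sample log is constructed from the lines quoted above, and the hint wording is my own.

```python
import re

# Constructed sample, abridged from the "ipsec up data-display" output quoted in the thread
SAMPLE_LOG = """\
initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
generating ID_PROT request 0 [ SA V V V V V ]
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
local host is behind NAT, sending keep alives
IKE_SA data-display[1] established between 192.168.42.178[83.161.66.130]...213.163.70.4[213.163.70.4]
generating QUICK_MODE request 384749459 [ HASH SA No ID ID ]
parsed INFORMATIONAL_V1 request 1953095225 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'data-display' failed
"""

PHASE1 = "phase1"  # Main/Aggressive Mode (ID_PROT exchange) negotiating the IKE_SA
PHASE2 = "phase2"  # Quick Mode negotiating the ESP CHILD_SA

def triage_ikev1(log: str) -> dict:
    """Return which phase rejected our proposal plus the peer hints seen in the log."""
    result = {"ike_sa_established": False, "behind_nat": False,
              "cisco_unity": False, "failed_phase": None, "hints": []}
    phase = PHASE1
    for line in log.splitlines():
        if "QUICK_MODE" in line:
            phase = PHASE2                      # Quick Mode has started: we are in phase 2
        elif re.search(r"IKE_SA \S+ established", line):
            result["ike_sa_established"] = True
        elif "Cisco Unity vendor ID" in line:
            result["cisco_unity"] = True
        elif "behind NAT" in line:
            result["behind_nat"] = True
        elif "NO_PROPOSAL_CHOSEN" in line and result["failed_phase"] is None:
            result["failed_phase"] = phase      # the first rejection tells us where to look
    if result["failed_phase"] == PHASE2:
        result["hints"].append("phase 2 (ESP) proposal rejected: pin esp= to the peer's "
                               "transform, e.g. esp=aes128-sha1! (no DH group means no PFS)")
    elif result["failed_phase"] == PHASE1:
        result["hints"].append("phase 1 (IKE) proposal rejected: align ike= with the "
                               "peer's encryption, hash and DH group")
    if result["cisco_unity"]:
        result["hints"].append("peer sent the Cisco Unity vendor ID: load the unity plugin "
                               "and set charon.cisco_unity = yes in strongswan.conf")
    return result

if __name__ == "__main__":
    for hint in triage_ikev1(SAMPLE_LOG)["hints"]:
        print("-", hint)
```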
