Latest Strongswan on CentOS 7, in AWS. The cloud is doing NAT for us, so our private IP on the Strongswan instance is not directly visible to the outside. I'm trying to connect to a Cisco 72xx box.

Something seems to fail pretty early on. Are there any specific settings I need to be aware of for this scenario?

See the config below. XXX.YYY.ZZZ.KKK is the private IP of my Strongswan instance (different from its public IP). AAA.BBB.CCC.DDD is the address of the Cisco appliance.

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=psk
        keyexchange=ikev1

conn us2them
        left=%any
        leftsubnet=our_stuff/27
        leftid=XXX.YYY.ZZZ.KKK
        right=AAA.BBB.CCC.DDD
        rightsubnet=their_stuff/16
        rightid=AAA.BBB.CCC.DDD
        auto=start
        ike=aes256-sha1-modp1536,aes256-sha1-modp1024,aes128-sha1-modp1536
        esp=aes256-sha1-modp1536,aes256-sha1-modp1024,aes128-sha1-modp1536
        ikelifetime=24h
        lifetime=1h

And logs:

May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (308 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[ENC] invalid ID_V1 payload length, decryption failed?
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[ENC] could not decrypt payloads
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[IKE] message parsing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[ENC] generating INFORMATIONAL_V1 request 1961174309 [ HASH N(PLD_MAL) ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 12[IKE] ID_PROT request with message ID 0 processing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] sending retransmit 1 of request message ID 0, seq 3
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[NET] sending packet: from XXX.YYY.ZZZ.KKK[4500] to AAA.BBB.CCC.DDD[4500] (108 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[NET] received packet: from AAA.BBB.CCC.DDD[500] to XXX.YYY.ZZZ.KKK[500] (156 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[ENC] invalid NOTIFY_V1 payload length, decryption failed?
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[ENC] could not decrypt payloads
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[IKE] message parsing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[IKE] ignore malformed INFORMATIONAL request
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[IKE] INFORMATIONAL_V1 request with message ID 0 processing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] sending retransmit 2 of request message ID 0, seq 3
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[NET] sending packet: from XXX.YYY.ZZZ.KKK[4500] to AAA.BBB.CCC.DDD[4500] (108 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[ENC] invalid ID_V1 payload length, decryption failed?
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[ENC] could not decrypt payloads
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[IKE] message parsing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[ENC] generating INFORMATIONAL_V1 request 117938482 [ HASH N(PLD_MAL) ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 04[IKE] ID_PROT request with message ID 0 processing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[ENC] invalid ID_V1 payload length, decryption failed?
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[ENC] could not decrypt payloads
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[IKE] message parsing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[ENC] generating INFORMATIONAL_V1 request 2518869891 [ HASH N(PLD_MAL) ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 10[IKE] ID_PROT request with message ID 0 processing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[IKE] sending retransmit 3 of request message ID 0, seq 3
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[NET] sending packet: from XXX.YYY.ZZZ.KKK[4500] to AAA.BBB.CCC.DDD[4500] (108 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[NET] received packet: from AAA.BBB.CCC.DDD[500] to XXX.YYY.ZZZ.KKK[500] (372 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[JOB] deleting half open IKE_SA after timeout
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[ENC] parsed ID_PROT request 0 [ SA V V V ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] AAA.BBB.CCC.DDD is initiating a Main Mode IKE_SA
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[ENC] generating ID_PROT response 0 [ SA V V V ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (140 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[NET] received packet: from AAA.BBB.CCC.DDD[500] to XXX.YYY.ZZZ.KKK[500] (368 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[ENC] parsed ID_PROT request 0 [ KE No V V V V NAT-D NAT-D ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] received Cisco Unity vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] received DPD vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[ENC] received unknown vendor ID: 7d:1a:ad:38:e2:99:95:01:e9:7e:9d:14:d5:a3:ed:ad
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] received XAuth vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] local host is behind NAT, sending keep alives
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (308 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] invalid ID_V1 payload length, decryption failed?
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] could not decrypt payloads
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[IKE] message parsing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] generating INFORMATIONAL_V1 request 2298509626 [ HASH N(PLD_MAL) ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[IKE] ID_PROT request with message ID 0 processing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[ENC] invalid ID_V1 payload length, decryption failed?
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[ENC] could not decrypt payloads
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[IKE] message parsing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[ENC] generating INFORMATIONAL_V1 request 24529605 [ HASH N(PLD_MAL) ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 08[IKE] ID_PROT request with message ID 0 processing failed


--
Florin Andrei
http://florin.myip.org/
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
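Added example (editor's, not code from the post above or from the strongswan project): a small Python triage script for charon log lines in the syslog format the post shows. It pulls out the facts that matter for this kind of Main Mode failure, namely whether strongswan detected NAT, which encrypted payload types failed to decrypt, how many PLD_MAL notifies it sent back, retransmits and half-open timeouts, and the UDP port pairs used in each direction, and then prints heuristic findings. SAMPLE_LOG is an excerpt of the post's own log entries, reordered one per line; the heuristics in findings() are the editor's, not strongswan diagnostics.

```python
"""Triage an IKEv1 Main Mode failure from strongswan (charon) syslog lines.

Added example by the editor, not code from the original post or from the
strongswan project. SAMPLE_LOG is a one-entry-per-line excerpt of the log
quoted in the post; the heuristics in findings() are the editor's own.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass, field

# syslog prefix followed by charon's "NN[SUBSYS] message" format
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+strongswan:\s+"
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\]\s+(?P<msg>.*)$"
)
PKT_RE = re.compile(
    r"^(?P<dir>sending|received) packet: from \S+\[(?P<sport>\d+)\] "
    r"to \S+\[(?P<dport>\d+)\] \((?P<length>\d+) bytes\)"
)
DECRYPT_RE = re.compile(r"^invalid (?P<payload>\w+) payload length, decryption failed\?")
VENDOR_RE = re.compile(r"^received (?P<vid>.+) vendor ID$")

# Excerpt of the log lines from the post (responder side, then our own retransmit).
SAMPLE_LOG = """\
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[ENC] parsed ID_PROT request 0 [ KE No V V V V NAT-D NAT-D ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] received Cisco Unity vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] received DPD vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] received XAuth vendor ID
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[IKE] local host is behind NAT, sending keep alives
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 02[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (308 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[NET] received packet: from AAA.BBB.CCC.DDD[4500] to XXX.YYY.ZZZ.KKK[4500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] invalid ID_V1 payload length, decryption failed?
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] could not decrypt payloads
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[IKE] message parsing failed
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[ENC] generating INFORMATIONAL_V1 request 2298509626 [ HASH N(PLD_MAL) ]
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 14[NET] sending packet: from XXX.YYY.ZZZ.KKK[500] to AAA.BBB.CCC.DDD[500] (76 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[IKE] sending retransmit 1 of request message ID 0, seq 3
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 06[NET] sending packet: from XXX.YYY.ZZZ.KKK[4500] to AAA.BBB.CCC.DDD[4500] (108 bytes)
May 15 01:13:03 ip-XXX-YYY-ZZZ-KKK strongswan: 01[JOB] deleting half open IKE_SA after timeout
"""


@dataclass
class Summary:
    nat_detected: bool = False
    undecryptable: list = field(default_factory=list)     # payload types that failed to decrypt
    malformed_notifies_sent: int = 0                       # INFORMATIONAL_V1 [ HASH N(PLD_MAL) ] we sent
    retransmits: int = 0
    half_open_timeouts: int = 0
    vendor_ids: list = field(default_factory=list)
    sent_ports: Counter = field(default_factory=Counter)   # (src port, dst port) -> count
    recv_ports: Counter = field(default_factory=Counter)


def parse_line(line):
    """Split one syslog line into fields; None for lines that are not charon output."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    s = Summary()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if (pm := PKT_RE.match(msg)):
            pair = (int(pm["sport"]), int(pm["dport"]))
            (s.sent_ports if pm["dir"] == "sending" else s.recv_ports)[pair] += 1
        elif (dm := DECRYPT_RE.match(msg)):
            s.undecryptable.append(dm["payload"])
        elif (vm := VENDOR_RE.match(msg)):
            s.vendor_ids.append(vm["vid"])
        elif msg.startswith("local host is behind NAT"):
            s.nat_detected = True
        elif "N(PLD_MAL)" in msg:
            s.malformed_notifies_sent += 1
        elif msg.startswith("sending retransmit"):
            s.retransmits += 1
        elif msg.startswith("deleting half open IKE_SA"):
            s.half_open_timeouts += 1
    return s


def findings(s):
    """Editor's heuristics for the symptoms in the post; not strongswan's own diagnostics."""
    out = []
    if s.undecryptable:
        out.append(
            f"peer payload(s) {sorted(set(s.undecryptable))} did not decrypt: the first encrypted "
            "Main Mode message carries ID/HASH, and garbage there usually means the two sides derived "
            "different keys (PSK mismatch, or a PSK selected for another identity); check that the "
            "ipsec.secrets selectors match leftid/rightid and the address the peer sees us from"
        )
    if s.nat_detected and any(sport == 4500 for sport, _ in s.recv_ports):
        out.append("NAT detected and the peer already sends to UDP 4500: both UDP 500 and "
                   "UDP 4500 must be allowed through the NAT and the instance's security group")
    if s.retransmits and s.half_open_timeouts:
        out.append(f"our own request was retransmitted {s.retransmits} time(s) without a usable "
                   f"reply and {s.half_open_timeouts} half-open IKE_SA(s) were dropped")
    return out


if __name__ == "__main__":
    # usage: python triage.py [/var/log/messages]; defaults to the embedded excerpt
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    summary = summarize(lines)
    print(summary)
    for f in findings(summary):
        print("-", f)
```

Run it against /var/log/messages (or journalctl output) to get the same summary for a full capture; the port counters make it obvious whether the peer has floated to UDP 4500 while strongswan still answers from 500, which is what the excerpt shows after the decryption failures.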