Issue #743

5.2.1 version IOS, Android IPSEC config did not connect

Added by K H Jeng almost 11 years ago. Updated almost 11 years ago.

Status: Closed
Priority: Normal
Category: configuration
Affected version: 5.2.1
Resolution: No change required

Description

Hi.

I was using the config below with 5.2.0 and RADIUS, and could successfully connect iOS and Android phones,
but they did not connect after the upgrade to 5.2.1.
What's wrong?

2014-10-21    15:48:38    charon: 12[JOB] deleting half open IKE_SA after timeout
2014-10-21    15:48:36    charon: 11[JOB] deleting half open IKE_SA after timeout
2014-10-21    15:48:18    charon: 01[IKE] ID_PROT request with message ID 0 processing failed
2014-10-21    15:48:18    charon: 01[NET] sending packet: from *.*.196.23[500] to 175.207.77.5[500] (68 bytes)
2014-10-21    15:48:18    charon: 01[ENC] generating INFORMATIONAL_V1 request 4149959442 [ HASH N(PLD_MAL) ]
2014-10-21    15:48:18    charon: 01[IKE] message parsing failed
2014-10-21    15:48:18    charon: 01[ENC] could not decrypt payloads
2014-10-21    15:48:18    charon: 01[ENC] invalid ID_V1 payload length, decryption failed?
2014-10-21    15:48:18    charon: 01[NET] received packet: from 175.207.77.5[500] to *.*.196.23[500] (68 bytes)
2014-10-21    15:48:17    charon: 16[IKE] ID_PROT request with message ID 0 processing failed
2014-10-21    15:48:17    charon: 16[NET] sending packet: from *.*.196.23[500] to *.*.195.224[500] (68 bytes)
2014-10-21    15:48:17    charon: 16[ENC] generating INFORMATIONAL_V1 request 3609038205 [ HASH N(PLD_MAL) ]

#cat ipsec.conf
config setup
        cachecrls=yes
        uniqueids=yes

conn AnyVPN-IKE
        keyexchange=ikev1
        authby=xauthpsk
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        right=%any
        rightsubnet=10.7.0.0/24
        rightsourceip=%radius
        auto=add

#cat ipsec.secrets
%any : PSK "secret123" 

#cat strongswan.conf
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

#strongswan --version
Linux strongSwan U5.2.1/K2.6.32-220.el6.i686

History

#1 Updated by Tobias Brunner almost 11 years ago

  • Description updated (diff)
  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner

The error messages seem to indicate a problem with the PSK (decryption failure). The log excerpt is a bit short, so it's unclear which message triggered this.

Did you change anything at all in the config files before or after upgrading strongSwan? Are there any other secrets defined in ipsec.secrets?
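The triage described in the comment above, as an added example (not part of the original thread and not strongSwan code): it puts the newest-first excerpt back into chronological order and rebuilds the failing exchange per charon worker thread. Grouping by thread number is an assumption that only holds for a short excerpt like this one, since worker threads are reused; the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the log excerpt in the issue (newest first, as posted).
LOG = """\
2014-10-21    15:48:18    charon: 01[IKE] ID_PROT request with message ID 0 processing failed
2014-10-21    15:48:18    charon: 01[NET] sending packet: from *.*.196.23[500] to 175.207.77.5[500] (68 bytes)
2014-10-21    15:48:18    charon: 01[ENC] generating INFORMATIONAL_V1 request 4149959442 [ HASH N(PLD_MAL) ]
2014-10-21    15:48:18    charon: 01[IKE] message parsing failed
2014-10-21    15:48:18    charon: 01[ENC] could not decrypt payloads
2014-10-21    15:48:18    charon: 01[ENC] invalid ID_V1 payload length, decryption failed?
2014-10-21    15:48:18    charon: 01[NET] received packet: from 175.207.77.5[500] to *.*.196.23[500] (68 bytes)
2014-10-21    15:48:17    charon: 16[IKE] ID_PROT request with message ID 0 processing failed
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+charon: (\d+)\[(\w+)\] (.*)$")
RECV = re.compile(r"received packet: from (\S+)\[(\d+)\]")

def decrypt_failures(log, newest_first=True):
    """Return one record per worker thread whose exchange failed at decryption."""
    lines = log.strip().splitlines()
    if newest_first:
        lines.reverse()  # restore chronological order
    per_thread = defaultdict(list)
    for raw in lines:
        m = LINE.match(raw)
        if m:
            date, time, thread, group, msg = m.groups()
            per_thread[thread].append((f"{date} {time}", group, msg))
    findings = []
    for thread, events in per_thread.items():
        msgs = [msg for _, _, msg in events]
        # Assumption: one exchange per thread within the excerpt.
        if not any("could not decrypt payloads" in m for m in msgs):
            continue
        hits = [RECV.search(m) for m in msgs]
        peer = next((h.group(1) for h in hits if h), None)
        findings.append({
            "thread": thread,
            "peer": peer,
            "first_seen": events[0][0],
            "notified_peer": any("N(PLD_MAL)" in m for m in msgs),
            "sequence": [f"{g}: {m}" for _, g, m in events],
        })
    return findings
```

Thread 16 is skipped because the excerpt cuts off before the message that triggered its failure, which is the gap the comment points out.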

#2 Updated by K H Jeng almost 11 years ago

K H Jeng wrote:

Hi.

I was using the config below with 5.2.0 and RADIUS, and could successfully connect iOS and Android phones,
but they did not connect after the upgrade to 5.2.1.
What's wrong?

[...]

Sorry, it's my mistake.
The problem is the RADIUS Framed-IP; it's not a strongSwan problem.
I was assigning the [rightsourceip=%radius] IP from the RADIUS Framed-IP attribute (from each NAS-Identifier = "strongSwan").
The old 5.2.0 is not 'NAS-Identifier = "strongSwan"'.
Changing it (NAS-Identifier = "old_ID") works fine.
Thanks

#3 Updated by Tobias Brunner almost 11 years ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Resolution set to No change required