
Feature #2314

Updated by Tobias Brunner about 5 years ago

I am not able to get an IKEv1 connection working between strongSwan and a WatchGuard (Firebox) in aggressive mode. Phase 1 is successful on the strongSwan side but not on the WatchGuard side. It reports:
<pre>
Phase 1 started by peer with policy [gateway.4] from 89.xx.xx.xx:500 aggressive mode, pri=6, proc_id=iked, msg_id=",9618820,

IkeCreateIsakmpSA: init vpnDpdSequenceNum : 262831126(Isakmp SA 0x101cc568), pri=6, proc_id=iked, msg_id=",9618819,

After id match, use IKE Policy [gateway.4, dev:eth0] for peer IP:89.xx.xx.xx, numXform:1, pkt ifIndex:2, pri=6, proc_id=iked, msg_id=",9618818,

******** RECV an IKE packet at 84.xx.xx.x:500(socket:11 ifIndex:2) from Peer 89.xx.xx.xx:500 ********, pri=6, proc_id=iked, msg_id=",9618781,

ike_process_pkt : ProcessData returned error (-1) , pri=6, proc_id=iked, msg_id=",9618915,

Discard received phase 2 message from 89.xx.xx.xx:500 to 84.xx.xx.xx:500 cookies i:4d5dd9ec 2c41716f r:f2c312cc f58c1678 before phase 1 is complete, pri=4, proc_id=iked, msg_id=",9618914,

******** RECV an IKE packet at 84.xx.xx.xx:500(socket:11 ifIndex:2) from Peer 89.xx.xx.xx:500 ********, pri=6, proc_id=iked, msg_id="

ike_process_pkt : ProcessData returned error (-1) , pri=6, proc_id=iked, msg_id="

IKE phase-1 negotiation from 84.xx.xx.xx:500 to 89.xx.xx.xx:500 failed. Gateway-Endpoint:'gateway.4' Reason:Received invalid aggressive mode hash payload. Check VPN IKE diagnostic log messages for more information., pri=3, proc_id=iked, msg_id=",9618885,

Process 3rd Msg (AM): failed to process hash payload, pri=3, proc_id=iked, msg_id="

IkeAMProcessHashMsg : IkeCheckPayloads failed , pri=3, proc_id=iked, msg_id="

Check Payloads : next should be HASH payload, pri=3, proc_id=iked, msg_id="

Received aggressive mode 3rd message with policy 'gateway.4' from 89.xx.xx.xx:500, pri=6, proc_id=iked, msg_id=",9618881
</pre>

strongSwan's ipsec.conf:
<pre>
conn ipsec1
left=89.xx.xx.xx
right=84.xx.xx.xx
leftid=@@conel
rightid=84.xx.xx.xx
leftauth=psk
rightauth=psk
leftsubnet=10.70.0.144/29
rightsubnet=10.0.5.0/24
leftupdown=/etc/scripts/updown
keyexchange=ikev1
ikelifetime=3600
keylife=3600
rekeymargin=30
rekeyfuzz=100%
keyingtries=%forever
type=tunnel
aggressive=yes
ike=aes256-sha1-modp3072!
esp=aes128-sha1!
auto=start
</pre>

IPsec status:
<pre>
Status of IKE charon daemon (weakSwan 5.4.0, Linux 3.5.0-lsp-3.3.1, armv5tejl):
uptime: 4 minutes, since May 03 14:44:49 2017
malloc: sbrk 405504, mmap 0, used 123720, free 281784
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon nonce pem openssl kernel-netlink socket-default stroke updown xauth-generic unity
Listening IP addresses:
10.70.0.145
xx.xx.xx.xx
Connections:
ipsec1: 89.xx.xx.xx...84.xx.xx.xx IKEv1 Aggressive
ipsec1: local: [conel] uses pre-shared key authentication
ipsec1: remote: [84.xx.xx.xx] uses pre-shared key authentication
ipsec1: child: 10.70.0.144/29 === 10.0.5.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
ipsec1[2]: ESTABLISHED 104 seconds ago, 89.xx.xx.xx[conel]...84.xx.xx.xx[84.xx.xx.xx]
ipsec1[2]: IKEv1 SPIs: 7347d25ed81aef63_i* 5a3a452d5cadddb5_r, pre-shared key reauthentication in 57 minutes
ipsec1[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
ipsec1[2]: Tasks queued: ISAKMP_DELETE QUICK_MODE
ipsec1[2]: Tasks active: QUICK_MODE
</pre>

strongSwan's log:
<pre>
2017-05-03 15:09:53 charon: 14[IKE] IKE_SA ipsec1[10] established between 89.xx.xx.xx[conel]...84.xx.xx.xx[84.xx.xx.xx]
2017-05-03 15:09:53 charon: 14[IKE] scheduling reauthentication in 3555s
2017-05-03 15:09:53 charon: 14[IKE] maximum IKE_SA lifetime 3585s
2017-05-03 15:09:53 charon: 14[ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
2017-05-03 15:09:53 charon: 14[NET] sending packet: from 89.xx.xx.xx[500] to 84.xx.xx.xx[500] (108 bytes)
2017-05-03 15:09:53 charon: 14[ENC] generating QUICK_MODE request 2344175958 [ HASH SA No ID ID ]
2017-05-03 15:09:53 charon: 14[NET] sending packet: from 89.xx.xx.xx[500] to 84.xx.xx.xx[500] (188 bytes)
2017-05-03 15:09:55 charon: 09[NET] received packet: from 84.xx.xx.xx[500] to 89.xx.xx.x[500] (608 bytes)
2017-05-03 15:09:55 charon: 09[IKE] received retransmit of response with ID 0, resending last request
...
</pre>


Do you have any idea why it does not work?
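The two logs quoted above point at a payload-ordering mismatch: charon generates the third aggressive-mode message as [ NAT-D NAT-D HASH ], while the WatchGuard rejects it with "next should be HASH payload". The small checker below is an added example for reading this kind of interop failure out of a charon log; it is not part of the issue or of strongSwan, and its sample log lines are constructed to mirror the ones quoted here. The rule it checks (HASH must be the first payload of the third aggressive-mode message) is an assumption taken from the WatchGuard error text, not a requirement documented on this page.

```python
import re

# Constructed sample lines modelled on the charon log quoted in the issue
# (not copied from any live system). The last line shows the order the peer
# appears to expect, so the checker has one good and one bad case to compare.
SAMPLE_LOG = """\
2017-05-03 15:09:53 charon: 14[ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
2017-05-03 15:09:53 charon: 14[ENC] generating QUICK_MODE request 2344175958 [ HASH SA No ID ID ]
2017-05-03 15:10:10 charon: 07[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
"""

# Matches charon's "[ENC] generating <EXCHANGE> request <id> [ payload ... ]" lines.
PAYLOAD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) charon: \d+\[ENC\] generating (?P<exch>\w+) request "
    r"(?P<id>\d+) \[ (?P<payloads>[^\]]*) \]$"
)


def parse_generated_messages(log_text):
    """Yield (timestamp, exchange, message id, [payload, ...]) for every
    'generating ... request' line in a charon log."""
    for line in log_text.splitlines():
        m = PAYLOAD_RE.match(line)
        if m:
            yield m["ts"], m["exch"], int(m["id"]), m["payloads"].split()


def hash_is_first(payloads):
    """True when HASH is the first payload of the message (assumed peer rule)."""
    return bool(payloads) and payloads[0] == "HASH"


def audit(log_text, exchange="AGGRESSIVE"):
    """Return one finding per message of the given exchange whose HASH payload
    is present but not in first position. Each finding records where HASH
    actually sits so the order can be compared with the peer's complaint."""
    findings = []
    for ts, exch, msg_id, payloads in parse_generated_messages(log_text):
        if exch != exchange or "HASH" not in payloads:
            continue
        if not hash_is_first(payloads):
            findings.append({
                "timestamp": ts,
                "message_id": msg_id,
                "payloads": payloads,
                "hash_position": payloads.index("HASH"),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['timestamp']}: HASH at position {f['hash_position']} in {f['payloads']}")
```

Run against the real charon log (e.g. `audit(open("/var/log/charon.log").read())`) it reports only the third aggressive-mode messages where HASH is not first; an empty result means the ordering is not what the peer is objecting to and the diagnosis has to move elsewhere.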
