Frequently Asked Questions (FAQ) » History » Version 22

« Previous - Version 22/64 (diff) - Next » - Current version
Tobias Brunner, 19.09.2016 13:45
Add some notes regarding PSK matching

Frequently Asked Questions


Multiple subnets per SA

Q: Can I tunnel several subnets in one CHILD_SA?

A: Usually not, unless you're a roadwarrior client and can use the Cisco Unity extension. In any other case, you need to define a seperate CHILD_SA per subnet pair.
If you're a roadwarrior and use a proprietary implementation, please read the notes about interoperability. If you use strongSwan, try setting rightsubnet=
and enable the Unity extension. You also need to make sure that the plugin is loaded to be able to use it.
An easy to manage example for a site-to-site setup follows:

conn myikesettings

conn sa_1

conn sa_2

"no proposal chosen" returned by ZyXEL/Linksys/x router

Q: I'm trying to set up a VPN tunnel with a ZyXEL/Linksys/X router but the other side keeps on telling me "no proposal chosen" when strongSwan initiates the connection.

A: Make sure that the peer supports all the algorithms (including the key lengths) which strongSwan proposes for IKE and ESP. In terms of IKE, the proposal consists of the following parts: Encryption algorithm, hash algorithm (PRF) and DH group. In terms of ESP the proposal includes the following: Encryption algorithm, hash algorithm, pfs group (DH group) and compression algorithm. There are lots of IPsec implementations out there that do not support compression or have implemented it erronously. So the first thing to try in this situation is to switch compression off on the peer. strongSwan's default setting is


See also Chapter 14.1 Authentication and encryption algorithms of the strongSwan documentation. It has good information about the relevant parameters.

"no RSA public key known for '...'"

Q: I'm getting the error message "no RSA public key known for '....' ". What am I doing wrong?

A: If you are using RSA based signatures for authentication strongSwan needs to have the peer's RSA public key in order to verify its authentication. This public key can be provided either by using the rightrsasigkey directive in ipsec.conf which was popular with FreeS/WAN or it can be extracted from the peer's X.509 certificate. This certificate can in turn be preloaded via the rightcert directive if it is available locally or it can be requested from the remote end with a certificate request. Now if the certificate is missing one reason might be that the remote end refused to send it. Another reason could be that strongSwan did not send a certificate request. This happens if you set the nocrsend option to yes. The Astaro Security Gateway which uses strongSwan behind the scene is known to do that. In order to make the IPsec connection work in that scenario you need to set leftsendcert to yes on the other end. With leftsendcert=yes strongSwan sends its certificate across even if no certificate request was received. This helps to interoperate with some misconfigured peers.

"invalid HASH_V1 payload length, decryption failed?"

Q: I'm getting the error message "invalid HASH_V1 payload length, decryption failed?" when using PSK authentication. What could be the reason?

A: This is most likely due to an incorrect PSK on one of the peers. Since the PSK is incorporated into the key material used so secure the IKEv1 packets they can't be decrypted properly if the PSKs don't match.

Note that the PSK whose associated identities/IPs matches best is used. So if the local identity is configured with every PSK every PSK will basically match to some degree. Which is why only remote identities/IPs should be associated with PSKs.

For IKEv1 the first lookup is always based on the IP addresses (i.e. every secret that lists the local IP will match). If no PSK is found an initiator will use the configured identities for a second lookup. As responder identities can only be used if aggressive mode is used (which should never be used with PSK). However, if a configuration is found (based on the IPs) a lookup based on the configured identities is done (all matching configs are considered until a PSK is found).

Aggressive Mode

Q: Does strongSwan support IKEv1 Aggressive Mode?

A: Since version 5.0.0 the answer is yes. For previous releases, where the IKEv1 protocol was handled by the pluto daemon, the answer is and remains no.
However, the strongSwan developers still recommend to avoid its use with pre-shared keys. This is due to a known weakness of the protocol. With Aggressive Mode, a hash of the pre-shared key is transmitted in clear-text. An eavesdropper can capture this hash and run an offline brute-force attack against it. Once the pre-shared key is known MITM attacks to gather the XAuth credentials can easily be executed. Aggressive Mode is therefore incompatible with the basic principles of the strongSwan project which is to deliver a product that meets high security standards. That's why, in order to use Aggressive Mode with pre-shared keys as responder (i.e. on gateways) it is required to set charon.i_dont_care_about_security_and_use_aggressive_mode_psk=yes in strongswan.conf. As promised often in numerous public and private talks strongSwan then changes its name to weakSwan. It is not required to set this option for clients as they often have no other choice.

To avoid Aggressive Mode with pre-shared keys (and other short-comings of IKEv1 Main or Aggressive Mode) the best option is to switch to IKEv2. But even for IKEv1 strongSwan 5.0.0 now provides an easy to deploy alternative: hybrid authentication. This mode uses a certificate to authenticate the gateway and only XAuth to authenticate the client, during Phase 1 (Main or Aggressive Mode) the client is not authenticated.

Public key authentication fails with retransmissions

Q: strongSwan fails to initiate a connection to a peer. I'm using RSA authentication and I noticed the two error messages: 'discarding duplicate packet; already STATE_MAIN_I3' on the initiator side and 'max number of retransmissions (2) reached STATE_MAIN_R2' on the responder side.

A: This problem might be related to the Path MTU (Maximum Transmission Unit). The IKE protocol is transported in UDP datagrams. As result the UDP datagrams also contain the X.509 certificate you are using. Now, if you're using a large certificate the UDP datagram might get bigger than the PMTU. That's the point where IP fragmentation kicks in and cuts your IP packet / UDP datagram in two or more pieces. There are some firewalls out there that strictly block IP fragments and therefore hamper your IKE connection. Large X.509 certificates could result from long Distinguished names or from long RSA keys (2048 bit). As a workaround you can reconfigure your firewall, try to make your certificates smaller or preload the certificates on both sides and thereby get away without transmitting the certificates over UDP.

Since 5.0.2 strongSwan supports the proprietary IKEv1 fragmentation extension, which can be enabled with the fragmentation option in ipsec.conf.

NAT between Windows L2TP/IPsec clients and older strongSwan servers

Q: I want to set up strongSwan to interoperate with Microsoft Windows using L2TP/IPsec. I'm getting the error message "NAT-Traversal: Transport mode disabled due to security concerns" which results in strongSwan sending an encrypted notification BAD_PROPOSAL_SYNTAX

A: Here is a quote from strongSwan lead developer Andreas Steffen on how to deal with this problem:

NAT-Traversal with IPsec transport mode has some inherent security risks. Since Microsoft doesn't care about this please compile strongSwan with the option

  ./configure  --enable-nat-transport

"ignoring CERT_PKCS7_WRAPPED_X509 certificate request" with Juniper device

Q: I'm trying to setup strongSwan to interop with a device from Juniper. The connection setup fails. I found the following message in the log file: 'ignoring CERT_PKCS7_WRAPPED_X509 certificate request payload'.

A: The problem is that Juniper expects strongSwan to send its certificate[s] in CERT_PKCS7_WRAPPED_X509 format which is quite unusual. strongSwan can parse such payloads (e.g. Windows XP sends them if there is a multi-level certificate chain) but currently cannot construct them since there was never a need. We have full PKCS#7 functionality in our scepclient tool but it hasn't be integrated into the pluto daemon.

Are you using a multi-level certificate hierarchy and if yes could you import the root and all intermediate CA certificates statically on your Juniper box? Or just use a simple certificate hierarchy with path length 0?

"next payload type of ISAKMP Message has an unknown value: 33"

Q: I'm trying to set up a connection using a pre-shared key configuration. I get the following error message: 'packet from 10.x.x.30:500: next payload type of ISAKMP Message has an unknown value: 33'.

A: This error message usually points to a difference in the pre-shared key configured on the two server. With the wrong key the receiver is not able to correctly decrypt the incoming traffic. Please check the configured PSKs in ipsec.secrets.


Disabling NAT traversal?

Q: How can I turn off NAT traversal in charon (IKEv2)?

A: NAT traversal cannot be disabled in the charon daemon. If you don't like automatic port floating to UDP/4500 due to the MOBIKE protocol (RFC 4555) which happens even if no NAT situation exists then you can disable MOBIKE by adding

to ipsec.conf in the connection definition.

Public key authentication fails with retransmissions

Q: My IKEv2 connection fails with retransmits during the IKE_AUTH exchange when using RSA certificates, but works when a PSK is used. Why?

A: This is probably related to the Path MTU. The IKE_AUTH messages that contain the certificates and certificate requests can get pretty big, therefore, the IP packets transporting these UDP datagrams could get fragmented. Some firewalls might block IP fragments and will therefore hamper your IKE connection. If you can't configure the responsible firewall(s) to accept fragments you could try to preload the certificates on both sides and then configure rightsendcert=never in ipsec.conf to prevent the daemon from sending certificate requests. With the default setting of leftsendcert=ifasked the own certificate will not be sent (this could be enforced with leftsendcert=never). Using ECDSA instead of RSA will also reduce the size of the IKE_AUTH messages as keys/certificates will be significantly smaller.

The 5.1.2 release and newer contain support for the IKEv2 fragmentation extension, which can be enabled with the fragmentation option in ipsec.conf.

General Questions

Capturing outbound plaintext packets with tcpdump/wireshark

Q: When using tcpdump/wireshark to sniff traffic secured by IPsec, incoming packets show up twice: encrypted i.e. as ESP packets and unencrypted as plaintext packets. However, for outgoing traffic, only ESP packets show up. How can I get incoming and outgoing packets as plaintext?

A: That's a peculiarity of the Linux kernel. Capture the (UDP encapsulated) ESP packets and use wireshark to decrypt them. See
Run the following command to determine the encryption algorithms and the symmetric keys used by the kernel. Depending on your configuration, strongSwan periodically changes encryption keys. Keep this in mind if you are capturing traffic over an extended period of time.

ip xfrm state

There's also a document about traffic dumps, that shows the ways to dump different traffic on the IPsec endpoint.

Non-standard IKE ports

Q: Can I use a local non-standard port for IKE?

A: The default socket implementation socket-default can only listen on two, predetermined ports (by default, one is used for NAT Traversal). There are compile time flags and two settings in strongswan.conf to determine these ports, but clients usually will only use the default ports (500/4500). However, strongSwan as a client can use an arbitrary remote port, which may be configured via rightikeport.
There is also another socket implementation called socket-dynamic, which is experimental and can send IKE messages from any port (specified with leftikeport).
You can also use the DNAT and SNAT targets in iptables to move ports around, if you so desire.

Using strongSwan on an AWS EC2 instance

Q: Can I use strongSwan on an AWS EC2 instance?

A: strongSwan works just fine on an AWS EC2 instances, as in any other virtual machine. If you want to set up a site-to-site or roadwarrior connection, where
the EC2 instance acts as a router, you have to disable the source and destination check of the EC2 instance, additionally to setting up the connection itself, routing and firewalling correctly.
That is because if the source and destination check is enabled (which it is by default), the VPC will drop the forwarded packets, as the source does not match the IP address
of the node that was assigned via DHCP by the VPC.