Frequently Asked Questions (FAQ) » History » Version 39

Noel Kuntze, 09.05.2017 17:24

1 38 Tobias Brunner
{{title(Frequently Asked Questions (FAQ))}}
2 38 Tobias Brunner
3 5 Martin Willi
h1. Frequently Asked Questions
4 1 Martin Willi
5 11 Tobias Brunner
6 1 Martin Willi
7 11 Tobias Brunner
h2. IKEv1
8 1 Martin Willi
9 14 Tobias Brunner
h3. "no proposal chosen" returned by ZyXEL/Linksys/x router
10 1 Martin Willi
11 14 Tobias Brunner
*Q:* _I'm trying to set up a VPN tunnel with a ZyXEL/Linksys/X router but the other side keeps on telling me "no proposal chosen" when strongSwan initiates the connection._
12 14 Tobias Brunner
13 6 Tobias Brunner
*A:* Make sure that the peer supports all the algorithms (including the key lengths) which strongSwan proposes for IKE and ESP. In terms of IKE, the proposal consists of the following parts: Encryption algorithm, hash algorithm (PRF) and DH group. In terms of ESP the proposal includes the following: Encryption algorithm, hash algorithm, pfs group (DH group) and *compression algorithm*. There are lots of IPsec implementations out there that do *not* support compression or have implemented it erronously. So the first thing to try in this situation is to switch compression off on the peer. strongSwan's default setting is
14 5 Martin Willi
15 1 Martin Willi
16 1 Martin Willi
17 1 Martin Willi
See also Chapter "14.1 Authentication and encryption algorithms": of the strongSwan documentation. It has good information about the relevant parameters.
18 11 Tobias Brunner
19 1 Martin Willi
20 14 Tobias Brunner
h3. "no RSA public key known for '...'"
21 1 Martin Willi
22 14 Tobias Brunner
*Q:* _I'm getting the error message "no RSA public key known for '....' ". What am I doing wrong?_
23 14 Tobias Brunner
24 11 Tobias Brunner
*A:* If you are using RSA based signatures for authentication strongSwan needs to have the peer's RSA public key in order to verify its authentication. This public key can be provided either by using the @rightrsasigkey@ directive in [[ipsecconf|ipsec.conf]] which was popular with FreeS/WAN or it can be extracted from the peer's X.509 certificate. This certificate can in turn be preloaded via the @rightcert@ directive if it is available locally or it can be requested from the remote end with a _certificate request_. Now if the certificate is missing one reason might be that the remote end refused to send it. Another reason could be that strongSwan did not send a _certificate request_. This happens if you set the @nocrsend@ option to @yes@. The Astaro Security Gateway which uses strongSwan behind the scene is known to do that. In order to make the IPsec connection work in that scenario you need to set @leftsendcert@ to @yes@ on the other end. With @leftsendcert=yes@ strongSwan sends its certificate across even if no _certificate request_ was received. This helps to interoperate with some misconfigured peers.
25 1 Martin Willi
26 20 Tobias Brunner
h3. "invalid HASH_V1 payload length, decryption failed?"
27 20 Tobias Brunner
28 20 Tobias Brunner
*Q:* _I'm getting the error message "invalid HASH_V1 payload length, decryption failed?" when using PSK authentication. What could be the reason?_
29 20 Tobias Brunner
30 20 Tobias Brunner
*A:* This is most likely due to an incorrect PSK on one of the peers. Since the PSK is incorporated into the key material used so secure the IKEv1 packets they can't be decrypted properly if the PSKs don't match.
31 1 Martin Willi
32 22 Tobias Brunner
Note that the PSK whose associated identities/IPs matches best is used. So if the local identity is configured with every PSK every PSK will basically match to some degree. Which is why only remote identities/IPs should be associated with PSKs.
33 22 Tobias Brunner
34 22 Tobias Brunner
For IKEv1 the first lookup is always based on the IP addresses (i.e. every secret that lists the local IP will match). If no PSK is found an initiator will use the configured identities for a second lookup. As responder identities can only be used if aggressive mode is used ([[FAQ#Aggressive-Mode|which should never be used with PSK]]). However, if a configuration is found (based on the IPs) a lookup based on the configured identities is done (all matching configs are considered until a PSK is found).
35 22 Tobias Brunner
36 14 Tobias Brunner
h3. Aggressive Mode
37 1 Martin Willi
38 14 Tobias Brunner
*Q:* _Does strongSwan support IKEv1 Aggressive Mode?_
39 1 Martin Willi
40 1 Martin Willi
*A:* Since [[5.0.0|version 5.0.0]] the answer is _yes_. For previous releases, where the IKEv1 protocol was handled by the pluto daemon, the answer is and remains _no_. 
41 1 Martin Willi
However, the strongSwan developers still recommend to avoid its use with pre-shared keys. This is due to a known weakness of the protocol. With Aggressive Mode, a hash of the pre-shared key is transmitted in clear-text. An eavesdropper can capture this hash and run an offline brute-force attack against it. Once the pre-shared key is known "MITM attacks": to gather the XAuth credentials can easily be executed. Aggressive Mode is therefore incompatible with the basic principles of the strongSwan project which is to deliver a product that meets high security standards. That's why, in order to use Aggressive Mode with pre-shared keys as responder (i.e. on gateways) it is required to set @charon.i_dont_care_about_security_and_use_aggressive_mode_psk=yes@ in [[strongswan.conf]]. As promised often in numerous public and private talks strongSwan then changes its name to *weakSwan*. It is not required to set this option for clients as they often have no other choice.
42 1 Martin Willi
43 1 Martin Willi
To avoid Aggressive Mode with pre-shared keys (and other short-comings of IKEv1 Main or Aggressive Mode) the best option is to switch to *IKEv2*. But even for IKEv1 strongSwan [[5.0.0]] now provides an easy to deploy alternative: {{tc(ikev1/xauth-id-rsa-hybrid, hybrid authentication)}}.  This mode uses a certificate to authenticate the gateway and only XAuth to authenticate the client, during Phase 1 (Main or Aggressive Mode) the client is not authenticated.
44 1 Martin Willi
45 1 Martin Willi
46 14 Tobias Brunner
h3. Public key authentication fails with retransmissions
47 1 Martin Willi
48 14 Tobias Brunner
*Q:* _strongSwan fails to initiate a connection to a peer. I'm using RSA authentication and I noticed the two error messages: @'discarding duplicate packet; already STATE_MAIN_I3'@ on the initiator side and @'max number of retransmissions (2) reached STATE_MAIN_R2'@ on the responder side._
49 14 Tobias Brunner
50 1 Martin Willi
*A:* This problem might be related to the Path MTU (Maximum Transmission Unit). The IKE protocol is transported in UDP datagrams. As result the UDP datagrams also contain the X.509 certificate you are using. Now, if you're using a large certificate the UDP datagram might get bigger than the PMTU. That's the point where IP fragmentation kicks in and cuts your IP packet / UDP datagram in two or more pieces. There are some firewalls out there that strictly block IP fragments and therefore hamper your IKE connection. Large X.509 certificates could result from long Distinguished names or from long RSA keys (2048 bit). As a workaround you can reconfigure your firewall, try to make your certificates smaller or preload the certificates on both sides and thereby get away without transmitting the certificates over UDP.
51 1 Martin Willi
52 14 Tobias Brunner
Since version:5.0.2 strongSwan supports the proprietary IKEv1 fragmentation extension, which can be enabled with the _fragmentation_ option in [[ConnSection|ipsec.conf]].
53 8 Daniel Mentz
54 11 Tobias Brunner
55 14 Tobias Brunner
h3. NAT between Windows L2TP/IPsec clients and older strongSwan servers
56 14 Tobias Brunner
57 14 Tobias Brunner
*Q:* _I want to set up strongSwan to interoperate with Microsoft Windows using L2TP/IPsec. I'm getting the error message "NAT-Traversal: Transport mode disabled due to security concerns" which results in strongSwan sending an encrypted notification BAD_PROPOSAL_SYNTAX_
58 14 Tobias Brunner
59 14 Tobias Brunner
*A:* Here is a quote from strongSwan lead developer Andreas Steffen on how to deal with this problem:
60 14 Tobias Brunner
61 14 Tobias Brunner
> NAT-Traversal with IPsec transport mode has some inherent security risks. Since Microsoft doesn't care about this please compile strongSwan with the option
62 14 Tobias Brunner
> <pre>
63 14 Tobias Brunner
  ./configure  --enable-nat-transport</pre>
64 14 Tobias Brunner
65 14 Tobias Brunner
66 14 Tobias Brunner
h3. "ignoring CERT_PKCS7_WRAPPED_X509 certificate request" with Juniper device
67 14 Tobias Brunner
68 14 Tobias Brunner
*Q:* _I'm trying to setup strongSwan to interop with a device from Juniper. The connection setup fails. I found the following message in the log file: @'ignoring CERT_PKCS7_WRAPPED_X509 certificate request payload'@._
69 14 Tobias Brunner
70 8 Daniel Mentz
*A:* The problem is that Juniper expects strongSwan to send its certificate[s] in CERT_PKCS7_WRAPPED_X509 format which is quite unusual. strongSwan can parse such payloads (e.g. Windows XP sends them if there is a multi-level certificate chain) but currently cannot construct them since there was never a need. We have full PKCS#7 functionality in our scepclient tool but it hasn't be integrated into the pluto daemon.
71 1 Martin Willi
72 1 Martin Willi
Are you using a multi-level certificate hierarchy and if yes could you import the root and all intermediate CA certificates statically on your Juniper box? Or just use a simple certificate hierarchy with path length 0?
73 1 Martin Willi
74 1 Martin Willi
75 14 Tobias Brunner
h3. "next payload type of ISAKMP Message has an unknown value: 33"
76 1 Martin Willi
77 14 Tobias Brunner
*Q:* _I'm trying to set up a connection using a pre-shared key configuration. I get the following error message: @'packet from 10.x.x.30:500: next payload type of ISAKMP Message has an unknown value: 33'@._
78 1 Martin Willi
79 14 Tobias Brunner
*A:* This error message usually points to a difference in the pre-shared key configured on the two server. With the wrong key the receiver is not able to correctly decrypt the incoming traffic. Please check the configured PSKs in [[ipsec.secrets]].
80 14 Tobias Brunner
81 14 Tobias Brunner
82 1 Martin Willi
h2. IKEv2
83 1 Martin Willi
84 8 Daniel Mentz
85 14 Tobias Brunner
h3. Disabling NAT traversal?
86 14 Tobias Brunner
87 14 Tobias Brunner
*Q:* _How can I turn off NAT traversal in charon (IKEv2)?_
88 14 Tobias Brunner
89 14 Tobias Brunner
*A:* NAT traversal cannot be disabled in the charon daemon. If you don't like automatic port floating to UDP/4500 due to the MOBIKE protocol (RFC 4555) which happens even if no NAT situation exists then you can disable MOBIKE by adding
90 8 Daniel Mentz
91 11 Tobias Brunner
92 11 Tobias Brunner
</pre> to [[ipsecconf|ipsec.conf]] in the connection definition.
93 9 Daniel Mentz
94 14 Tobias Brunner
95 14 Tobias Brunner
h3. Public key authentication fails with retransmissions
96 14 Tobias Brunner
97 14 Tobias Brunner
*Q:* _My IKEv2 connection fails with retransmits during the IKE_AUTH exchange when using RSA certificates, but works when a PSK is used. Why?_
98 14 Tobias Brunner
99 14 Tobias Brunner
*A:* This is probably related to the Path MTU(Maximum Transmission Unit). The IKE_AUTH messages that contain the certificates and certificate requests can get pretty big, therefore, the IP packets transporting these UDP datagrams could get fragmented. Some firewalls might block IP fragments and will therefore hamper your IKE connection.  If you can't configure the responsible firewall(s) to accept fragments you could try to preload the certificates on both sides and then configure _rightsendcert=never_ in [[ConnSection|ipsec.conf]] to prevent the daemon from sending certificate requests. With the default setting of _leftsendcert=ifasked_ the own certificate will not be sent (this could be enforced with _leftsendcert=never_). Using ECDSA instead of RSA will also reduce the size of the IKE_AUTH messages as keys/certificates will be significantly smaller.
100 14 Tobias Brunner
101 31 Tobias Brunner
Since version:5.2.1 support for the "IKEv2 fragmentation extension": is available, which can be enabled with the _fragmentation_ option in [[connsection|ipsec.conf]] (the default since version:5.5.1).
102 14 Tobias Brunner
103 12 Daniel Mentz
h2. General Questions
104 12 Daniel Mentz
105 14 Tobias Brunner
h3. Capturing outbound plaintext packets with tcpdump/wireshark
106 14 Tobias Brunner
107 14 Tobias Brunner
*Q:* _When using tcpdump/wireshark to sniff traffic secured by IPsec, incoming packets show up twice: encrypted i.e. as ESP packets and unencrypted as plaintext packets. However, for outgoing traffic, only ESP packets show up. How can I get incoming *and* outgoing packets as plaintext?_
108 12 Daniel Mentz
109 12 Daniel Mentz
*A:* That's a peculiarity of the Linux kernel. Capture the (UDP encapsulated) ESP packets and use wireshark to decrypt them. See
110 12 Daniel Mentz
Run the following command to determine the encryption algorithms and the symmetric keys used by the kernel. Depending on your configuration, strongSwan periodically changes encryption keys. Keep this in mind if you are capturing traffic over an extended period of time.
111 12 Daniel Mentz
112 12 Daniel Mentz
ip xfrm state
113 1 Martin Willi
114 16 Noel Kuntze
There's also a [[CorrectTrafficDump|document]] about traffic dumps, that shows the ways to dump different traffic on the IPsec endpoint.
115 18 Noel Kuntze
116 18 Noel Kuntze
h3. Non-standard IKE ports
117 18 Noel Kuntze
118 19 Tobias Brunner
*Q:* _Can I use a local non-standard port for IKE?_
119 19 Tobias Brunner
120 19 Tobias Brunner
*A:* The default socket implementation _socket-default_ can only listen on two, predetermined ports (by default, one is used for NAT Traversal). There are compile time flags and two settings in [[strongswan.conf]] to determine these ports, but clients usually will only use the default ports (500/4500). However, strongSwan as a client can use an arbitrary remote port, which may be configured via _rightikeport_.
121 19 Tobias Brunner
There is also another socket implementation called @socket-dynamic@, which is experimental and can send IKE messages from any port (specified with _leftikeport_).
122 18 Noel Kuntze
You can also use the @DNAT@ and @SNAT@ targets in iptables to move ports around, if you so desire.
123 21 Noel Kuntze
124 1 Martin Willi
h3. strongSwan crashes
125 1 Martin Willi
126 1 Martin Willi
*Q:* strongSwan sometimes crashes and I don't know why. What should I do?
127 1 Martin Willi
128 1 Martin Willi
*A:* If you [[InstallationDocumentation#Compile-yourself|compiled it yourself]], make sure your cleaned the build directory before compiling. If you do not do that, you can end up linking objects of different strongSwan versions together and that can cause crashes. If you don't use the same configure options when building a newer version uninstalling/removing the previous binaries/libraries is required (the same applies if you previously had strongSwan installed from a distribution package). Then recompile it and reinstall it. If the crash persists, use the "search function": and try to find a similar bug report and read it. If you can not find one, open a new issue on the "issue tracker": If you are not using the latest version, it is very likely that the crash you experienced was already fixed.
129 1 Martin Willi
130 1 Martin Willi
If you installed it as [[InstallationDocumentation#Distribution-packages|binary package]], check the corresponding distribution's issue track for reports or use the "search function": here and try to find a similar bug report and read it. If you can not find one, open a new issue on the "issue tracker": If you are not using the latest version, it is very likely that the crash you experienced was already fixed.
131 1 Martin Willi
132 1 Martin Willi
h3. Plugin is missing
133 1 Martin Willi
134 1 Martin Willi
*Q:* I need some [[PluginList|plugin]], but it seems my version of charon doesn't load it! What should I do?!
135 1 Martin Willi
136 1 Martin Willi
*A:* Check if you [[PluginLoad|customized the list of loaded plugins]]. If so, make sure the plugin you need is included (see below for details on modular plugin loading). Then make sure the plugin is actually installed. For that, run @find@ (check the man page of @find@ for the syntax) with the required syntax to search your hard drive for the plugin's _.so_ file. If it exists and is in a plausible directory, then it should be installed. Then restart the daemon.
137 1 Martin Willi
138 1 Martin Willi
If your installation of strongSwan is configured for [[PluginLoad#Modular-Configuration|modular loading]] (the default since version:5.1.2) and @strongswan.conf@ includes the _strongswan.d/charon/_ directory, check if the plugin specific configuration file in _/etc/strongswan.d/charon/_ contains @load = yes@ in the plugin specific configuration section. If the file does not exist, the plugin is likely not installed.
139 1 Martin Willi
140 1 Martin Willi
If you compiled strongSwan yourself, rebuild it with the required plugins [[AutoConf|enabled]].
141 1 Martin Willi
142 1 Martin Willi
If you got strongSwan from the [[InstallationDocumentation#Distribution-packages|repositories of a distribution]], look for additional packages. It is likely the distribution ships the plugin you're looking for in another package. If you still can not find it, search the issue tracker of that distribution for a bug report or feature request that requests the plugin you want. If you found one, weigh in on it, if it is not already closed or a plausible reason was given why the request can not be fulfilled.
143 1 Martin Willi
If you did not find a bug report of feature request in the issue tracker of that distribution, open one stating your request for the plugin you're looking for to be included.
144 1 Martin Willi
145 1 Martin Willi
h3. configuration compatibility with freeswan, openswan and libreswan
146 1 Martin Willi
147 1 Martin Willi
*Q:* Are configuration files of freeswan, openswan and libreswan compatible with the ones of strongswan?
148 1 Martin Willi
149 1 Martin Willi
*A:* They are not compatible. Although the format of _ipsec.conf_ is identical between the different swans, they files are not compatible, because several options have different meanings and a variety of different
150 1 Martin Willi
options are absent from some versions and others exist. Do not attempt to reuse configuration files between different swans.
151 34 Noel Kuntze
152 34 Noel Kuntze
h3. Multiple subnets per SA
153 34 Noel Kuntze
154 34 Noel Kuntze
*Q:* _Can I tunnel several subnets in one CHILD_SA?_
155 34 Noel Kuntze
156 34 Noel Kuntze
*A:* If you use IKEv2, you can. If you use IKEv1, you need to be a roadwarrior and use the _UNITY_ extension (strongSwan implements it with the [[UnityPlugin|Unity]] plugin). In any other case, you need to define a seperate CHILD_SA per subnet pair.
157 34 Noel Kuntze
If you're a roadwarrior and use a proprietary implementation, please read the notes about [[UserDocumentation#Interoperability|interoperability]]. If you use strongSwan, try setting @rightsubnet=
158 34 Noel Kuntze
and enable the [[UnityPlugin|Unity]] extension. You also need to make sure that the plugin is loaded to be able to use it.
159 34 Noel Kuntze
An easy to manage example for a site-to-site setup follows:
160 34 Noel Kuntze
161 34 Noel Kuntze
conn myikesettings
162 34 Noel Kuntze
163 34 Noel Kuntze
164 34 Noel Kuntze
165 34 Noel Kuntze
166 34 Noel Kuntze
167 34 Noel Kuntze
168 34 Noel Kuntze
169 34 Noel Kuntze
170 34 Noel Kuntze
conn sa_1
171 34 Noel Kuntze
172 34 Noel Kuntze
173 34 Noel Kuntze
174 34 Noel Kuntze
175 34 Noel Kuntze
176 34 Noel Kuntze
conn sa_2
177 34 Noel Kuntze
178 34 Noel Kuntze
179 34 Noel Kuntze
180 34 Noel Kuntze
181 34 Noel Kuntze
182 34 Noel Kuntze
183 34 Noel Kuntze
h3. IPsec and iptables/nftables
184 34 Noel Kuntze
185 34 Noel Kuntze
*Q:* How does IPsec on Linux interact with iptables/nftables?
186 35 Noel Kuntze
*A:* ipsec protected traffic passes through the same tables and chains as unprotected traffic. The only exception is that ipsec protected traffic passes through some chains twice. You can tell protected and unprotected traffic apart using the @policy@ module in iptables. There's currently (2016-11-17) no way to tell the traffic apart using nftables. "This graph":htttps:// shows where IPsec (XFRM) hooks into Netfilter and which tables and chains are traversed in what order. Packets that are compressed using the ipcomp option pass through some chains three times. Once as encapsulated packet, then as IP-in-IP packet and then as the actual packet. The protocol number depends on the encapsulated protocol. You need to allow the protocols in @iptables@ and @ip6tables@ depending on your tunnel configuration.
187 37 Noel Kuntze
188 37 Noel Kuntze
h3. High Availability and Failover configurations
189 37 Noel Kuntze
190 37 Noel Kuntze
*Q:* Does strongSwan support high availability and failover configurations?
191 39 Noel Kuntze
*A:* At this moment (version 5.5.1), strongSwan only supports [[HighAvailability|active-active HA clusters]] that are comprised of two nodes. It only supports active-passive configurations when both peers receive the same packets by use of an multicast group, as described in [[HighAvailability]]. Failover configurations with policy based tunnels are not possible. However, with route based tunnels that are built [[RouteBasedVPN|using VTIs]] and with a dynamic routing daemon, such a configuration should be possible between one strongSwan installation and two redundant remote gateways, like AWS.