Frequently Asked Questions (FAQ) » History » Version 62

Martin Grothe, 11.02.2020 17:53

{{title(Frequently Asked Questions (FAQ))}}

h1. Frequently Asked Questions

{{>toc}}

h2. General Questions

h3. Capturing outbound plaintext packets with tcpdump/wireshark

*Q:* _When using tcpdump/wireshark to sniff traffic secured by IPsec, incoming packets show up twice: encrypted, i.e. as ESP packets, and unencrypted as plaintext packets. However, for outgoing traffic, only ESP packets show up. How can I get incoming *and* outgoing packets as plaintext?_

*A:* That's a peculiarity of the Linux kernel. Capture the (UDP encapsulated) ESP packets and use wireshark to decrypt them. See http://wiki.wireshark.org/ESP_Preferences

Run the following command to determine the encryption algorithms and the symmetric keys used by the kernel. Depending on your configuration, strongSwan periodically changes the encryption keys (rekeying). Keep this in mind if you are capturing traffic over an extended period of time.

<pre>
ip xfrm state
</pre>

There's also a [[CorrectTrafficDump|document]] about traffic dumps, which shows the ways to dump different kinds of traffic on the IPsec endpoint.
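As an added example (not from the wiki or the strongSwan project), the following Python script converts the output of @ip xfrm state@ into rows for Wireshark's ESP SA table and picks a tcpdump filter that also catches NAT-T traffic. It runs on a constructed sample of kernel output; the Wireshark algorithm names it emits are assumptions to be checked against your Wireshark version.

```python
"""Turn `ip xfrm state` output into Wireshark ESP SA preference rows.

Added example for this FAQ entry, not strongSwan or wiki code. The sample kernel
output is constructed. The Wireshark algorithm names (WIRESHARK_ENC, WIRESHARK_AUTH
and the AES-GCM name format) are assumptions: check them against the drop-downs in
Wireshark's ESP protocol preferences before importing the rows.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a NAT-T (UDP-encapsulated) AES-GCM tunnel in both directions
# and the inbound SA of a second peer that negotiated AES-CBC with HMAC-SHA1.
SAMPLE_XFRM_STATE = """\
src 192.168.0.1 dst 192.168.0.100
\tproto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
\taead rfc4106(gcm(aes)) 0x000102030405060708090a0b0c0d0e0f10111213 128
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.0.100 dst 192.168.0.1
\tproto esp spi 0xd5e6f708 reqid 1 mode tunnel
\taead rfc4106(gcm(aes)) 0x202122232425262728292a2b2c2d2e2f30313233 128
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 10.1.1.2 dst 192.168.0.1
\tproto esp spi 0x0badcafe reqid 2 mode tunnel
\tauth-trunc hmac(sha1) 0x4041424344454647484950515253545556575859 96
\tenc cbc(aes) 0x60616263646566676869707172737475
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
"""

@dataclass
class EspSa:
    src: str
    dst: str
    spi: str = ""        # as printed by the kernel, e.g. 0xc1a2b3c4
    enc_alg: str = ""    # kernel name, e.g. rfc4106(gcm(aes)) or cbc(aes)
    enc_key: str = ""    # hex without 0x; for AEAD ciphers this is key + 4-byte salt
    icv_bits: int = 0    # AEAD ICV length in bits, 0 for non-AEAD ciphers
    auth_alg: str = ""   # kernel name, empty for AEAD ciphers
    auth_key: str = ""
    nat_t: bool = False  # True for ESP-in-UDP states (encap type espinudp)

_HEADER = re.compile(r"^src (\S+) dst (\S+)")
_SPI = re.compile(r"^proto esp spi (0x[0-9a-f]+)")
_AEAD = re.compile(r"^aead (\S+) 0x([0-9a-f]+) (\d+)")
_ENC = re.compile(r"^enc (\S+) 0x([0-9a-f]+)")
_AUTH = re.compile(r"^auth(?:-trunc)? (\S+) 0x([0-9a-f]+)")

def parse_xfrm_state(text: str) -> List[EspSa]:
    """Parse `ip xfrm state`; AH and IPComp states (no 'proto esp' line) are dropped."""
    sas, cur = [], None
    for raw in text.splitlines():
        if m := _HEADER.match(raw):           # state headers are not indented
            cur = EspSa(m.group(1), m.group(2))
            sas.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if m := _SPI.match(line):
            cur.spi = m.group(1)
        elif m := _AEAD.match(line):
            cur.enc_alg, cur.enc_key, cur.icv_bits = m.group(1), m.group(2), int(m.group(3))
        elif m := _ENC.match(line):
            cur.enc_alg, cur.enc_key = m.groups()
        elif m := _AUTH.match(line):
            cur.auth_alg, cur.auth_key = m.groups()
        elif line.startswith("encap type espinudp"):
            cur.nat_t = True
    return [sa for sa in sas if sa.spi]

# Assumed Wireshark preference names; extend the tables for the algorithms your SAs use.
WIRESHARK_ENC = {"cbc(aes)": "AES-CBC [RFC3602]", "ecb(cipher_null)": "NULL"}
WIRESHARK_AUTH = {"": "NULL", "hmac(sha1)": "HMAC-SHA-1-96 [RFC2404]",
                  "hmac(sha256)": "HMAC-SHA-256-128 [RFC4868]"}

def wireshark_enc_name(sa: EspSa) -> str:
    if sa.enc_alg == "rfc4106(gcm(aes))":
        # Wireshark names the GCM variants by ICV length (assumed name format)
        return f"AES-GCM with {sa.icv_bits // 8} octet ICV [RFC4106]"
    return WIRESHARK_ENC[sa.enc_alg]

def wireshark_esp_sa_rows(sas: List[EspSa]) -> List[str]:
    """One CSV row per SA in the column order of Wireshark's esp_sa table: protocol,
    src, dst, SPI, encryption alg, encryption key, auth alg, auth key. Keys keep the
    0x prefix so Wireshark reads them as hex rather than ASCII."""
    rows = []
    for sa in sas:
        fields = ["IPv6" if ":" in sa.src else "IPv4", sa.src, sa.dst, sa.spi,
                  wireshark_enc_name(sa), "0x" + sa.enc_key,
                  WIRESHARK_AUTH[sa.auth_alg], "0x" + sa.auth_key if sa.auth_key else ""]
        rows.append(",".join(f'"{f}"' for f in fields))
    return rows

def capture_filter(sas: List[EspSa]) -> str:
    """pcap filter for tcpdump that catches every SA's packets: NAT-T SAs travel
    inside UDP/4500 and would be missed by a plain 'esp' filter."""
    return "esp or udp port 4500" if any(sa.nat_t for sa in sas) else "esp"
```

Because of rekeying, the rows have to be regenerated whenever @ip xfrm state@ shows new SPIs; old SAs stay listed for a short while after a rekey, so a long capture needs the rows for all of them.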

h3. Non-standard IKE ports

*Q:* _Can I use a local non-standard port for IKE?_

*A:* The default socket implementation _socket-default_ can only listen on two predetermined ports (by default, one is used for [[NATTraversal|NAT-Traversal]]). There are compile time flags and two settings in [[strongswan.conf]] to determine these ports, but clients usually will only use the default ports (500/4500). However, strongSwan as a client can use an arbitrary remote port, which may be configured via _rightikeport_ (see the notes regarding [[NATTraversal#Custom-Server-Ports|custom server ports and NAT-Traversal]]).

To use arbitrary ports on a client (determined when the _socket-default_ plugin is initialized) the settings above may be set to 0. There is also another socket implementation called _socket-dynamic_, which is experimental and can send IKE messages from any port (specified with _leftikeport_), but it requires sending packets to the remote NAT-T port (e.g. _rightikeport=4500_).

You can also use the @DNAT@ and @SNAT@ targets in iptables to move ports around, if you so desire.

h3. strongSwan crashes

*Q:* _strongSwan sometimes crashes and I don't know why. What should I do?_

*A:* If you [[InstallationDocumentation#Compile-yourself|compiled it yourself]], make sure you cleaned the build directory before compiling. If you do not do that, you can end up linking objects of different strongSwan versions together, which can cause crashes. If you don't use the same configure options when building a newer version, uninstalling/removing the previous binaries/libraries is required (the same applies if you previously had strongSwan installed from a distribution package). Then recompile and reinstall it. If the crash persists, use the "search function":https://wiki.strongswan.org/projects/strongswan/search and try to find a similar bug report and read it. If you cannot find one, open a new issue on the "issue tracker":https://wiki.strongswan.org/issues. If you are not using the latest version, it is very likely that the crash you experienced was already fixed.

If you installed it as a [[InstallationDocumentation#Distribution-packages|binary package]], check the corresponding distribution's issue tracker for reports or use the "search function":https://wiki.strongswan.org/projects/strongswan/search here and try to find a similar bug report and read it. If you cannot find one, open a new issue on the "issue tracker":https://wiki.strongswan.org/issues. If you are not using the latest version, it is very likely that the crash you experienced was already fixed.

h3. Plugin is missing

*Q:* _I need some [[PluginList|plugin]], but it seems my version of charon doesn't load it! What should I do?!_

*A:* Check if you [[PluginLoad|customized the list of loaded plugins]]. If so, make sure the plugin you need is included (see below for details on modular plugin loading). Then make sure the plugin is actually installed. For that, run @find@ (check the man page of @find@ for the syntax) to search your hard drive for the plugin's _.so_ file. If it exists and is in a plausible directory, then it should be installed. Then restart the daemon.

If your installation of strongSwan is configured for [[PluginLoad#Modular-Configuration|modular loading]] (the default since version:5.1.2) and @strongswan.conf@ includes the _strongswan.d/charon/_ directory, check if the plugin specific configuration file in _/etc/strongswan.d/charon/_ contains @load = yes@ in the plugin specific configuration section. If the file does not exist, the plugin is likely not installed.

If you compiled strongSwan yourself, rebuild it with the required plugins [[AutoConf|enabled]]. Make sure to run @make clean@ before rebuilding to update the plugin lists used by the executables.

If you got strongSwan from the [[InstallationDocumentation#Distribution-packages|repositories of a distribution]], look for additional packages. It is likely the distribution ships the plugin you're looking for in another package. If you still cannot find it, search the issue tracker of that distribution for a bug report or feature request that requests the plugin you want. If you found one, weigh in on it, if it is not already closed or a plausible reason was given why the request cannot be fulfilled.

If you did not find a bug report or feature request in the issue tracker of that distribution, open one stating your request for the plugin you're looking for to be included.

h3. Configuration compatibility with FreeS/WAN, Openswan and Libreswan

*Q:* _Are configuration files of FreeS/WAN, Openswan and Libreswan compatible with the ones of strongSwan?_

*A:* They are not compatible. Although the format of _ipsec.conf_ is identical between the different swans, the files are not compatible, because several options have different meanings, and a variety of options are absent from some implementations while others exist only in some of them. Do not attempt to reuse configuration files between different swans.

h3. Multiple subnets per SA

*Q:* _Can I tunnel several subnets in one CHILD_SA?_

*A:* If you use IKEv2, you can. If you use IKEv1, you need to be a roadwarrior and use the _UNITY_ extension (strongSwan implements it with the [[UnityPlugin|Unity]] plugin). In any other case, you need to define a separate CHILD_SA per subnet pair.

If you're a roadwarrior and use a proprietary implementation, please read the notes about [[UserDocumentation#Interoperability|interoperability]]. If you use strongSwan, try setting @rightsubnet=0.0.0.0/0@ and enable the [[UnityPlugin|Unity]] extension. You also need to make sure that the plugin is loaded to be able to use it.

An easy-to-manage example for an IKEv1 site-to-site setup with one CHILD_SA per subnet pair follows (the shared IKE settings are pulled into each connection with _also_):

<pre>
conn myikesettings
    keyexchange=ikev1
    left=10.0.0.1
    right=10.0.0.2
    leftcert=mycert.pem
    rightcert=othercert.pem
    ike=aesgcm16-prfsha256-modp3072!
    esp=aesgcm16-modp3072!

conn sa_1
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.51.0/24
    also=myikesettings
    auto=route

conn sa_2
    leftsubnet=192.168.2.0/24
    rightsubnet=192.168.52.0/24
    also=myikesettings
    auto=route
</pre>

h3. IPsec and iptables/nftables

*Q:* _How does IPsec on Linux interact with iptables/nftables?_

*A:* IPsec-protected traffic passes through the same tables and chains as unprotected traffic. The only exception is that IPsec-protected traffic passes through some chains twice (once as ESP packet and once as the decapsulated plaintext packet). You can tell protected and unprotected traffic apart using the @policy@ module in iptables. There's currently (2016-11-17) no way to tell the traffic apart using nftables. "This graph":https://inai.de/images/nf-packet-flow.png shows where IPsec (XFRM) hooks into Netfilter and which tables and chains are traversed in what order. Packets that are compressed using the ipcomp option pass through some chains three times: once as encapsulated packet, then as IP-in-IP packet and then as the actual packet. The protocol number depends on the encapsulated protocol. You need to allow the protocols in @iptables@ and @ip6tables@ depending on your tunnel configuration.

h3. High Availability and Failover configurations

*Q:* _Does strongSwan support high availability and failover configurations?_

*A:* At this moment (version 5.5.1), strongSwan only supports [[HighAvailability|active-active HA clusters]] that are comprised of two nodes. It only supports active-passive configurations when both peers receive the same packets by use of a multicast group, as described in [[HighAvailability]]. Failover configurations with policy-based tunnels are not possible. However, with route-based tunnels that are built [[RouteBasedVPN|using VTIs]] and with a dynamic routing daemon, such a configuration should be possible between one strongSwan installation and two redundant remote gateways, like AWS.

h3. Wildcard Certificates

*Q:* _Does strongSwan support wildcard certificates?_

*A:* No, it doesn't. The reason for that is that "wildcard certificates are declared deprecated in RFC 6125":https://tools.ietf.org/html/rfc6125#section-7.2.

h3. Common Name field in the Distinguished Name

*Q:* _Does strongSwan support checking the ID against the Common Name (CN) field of the Distinguished Name (DN) in X.509 certificates?_

*A:* No, it doesn't. This is discussed in #629. The ID must be present in a SAN field with the correct type.

h3. "no matching peer config found"

*Q:* _The connection attempt by a peer fails with the error "no matching peer config found". How do I fix this?_

*A:* When a peer connects, the IKE daemon has to find a config object with all the information required for the authentication of the peer and the CHILD_SAs that should be established. It does this by comparing the *IP addresses* and the *identities* in the received message to those in the loaded configurations. If no matching configuration is found based on that information, the connection can't be established and you see the corresponding error message.

That message is actually preceded by another that looks something like this: @"looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol@strongswan.org]"@, which contains the following information:

 * @192.168.0.1@: Local IP address of the IKE_SA (= responder/server's IP)
 * @[moon.strongswan.org]@: Responder/Server identity proposed by the initiator/client in the IDr payload, if one was received, must match the identity that's configured
 * @192.168.0.100@: Remote IP address of the IKE_SA (= initiator/client's IP)
 * @[carol@strongswan.org]@: Initiator/Client identity proposed by the initiator/client in the IDi payload, must match the remote identity that's configured on the responder

Basically this information has to match whatever is configured in [[swanctl.conf]] or [[ipsec.conf]] (wildcards are allowed in the configured identities, and the remote identity even defaults to _%any_ if it's not configured). So if no config is found make sure to compare the data in the log message to the configured values seen in @swanctl --list-conns@ or @ipsec statusall@. But note that the type of the compared identities (e.g. FQDN vs. USER_FQDN or KEY_ID, see [[IdentityParsing]]) must match too. Identities might look the same in the log and e.g. @swanctl --list-conns@ but their type could be different. More details about this comparison (including the type) are logged only if the [[LoggerConfiguration|log level]] for _cfg_ is increased to 3.

h3. "constraint check failed: identity '...' required"

*Q:* _The authentication fails with the error "constraint check failed: identity '...' required". What exactly is the problem?_

*A:* To prevent MITM (man-in-the-middle) attacks, some of the clients that, for simplicity, don't require configuring the server identity explicitly (e.g. the [[AndroidVPNClient|Android]] and [[MacOsX|macOS]] apps or the [[NetworkManager]] plugin) enforce the hostname/IP as remote identity and will check that this identity is contained in a _subjectAlternativeName_ (SAN) extension of the server certificate. If that's not the case you'll receive that error (also see the questions above regarding matching identities against CN and wildcard certificates). The Android app allows configuring the server identity explicitly in the advanced profile settings, but other clients might not. In that case you'll have to add the missing SAN to the certificate (e.g. with the @--san@ option for [[ipsecpkiissue|pki --issue]]) or use a hostname or IP that's already contained as SAN in the certificate.

h3. "No private key found"

*Q:* _strongSwan logs "No private key found". What's wrong?_

*A:* You are trying to use a certificate to authenticate yourself for which you did not provide the private key to strongSwan. If you're using [[ipsecconf|ipsec.conf]], you need to put a reference to the private key in the [[ipsecsecrets|ipsec.secrets]] file. You need to have the private key in order to be able to use it. If it still logs the error, make sure you reread the secrets or restarted the daemon. strongSwan *obviously* also needs to be able to read the file the key is in. If it persists, check if the certificate's public key actually belongs to the private key you're trying to use. It surprisingly often happens that people mix up private keys and certificates and try to use the wrong private key.

h3. X509 Certificate chain files

*Q:* _Can strongSwan read chain files (a leaf certificate and the CAs that are required to authenticate it)?_

*A:* No, strongSwan does not support chain files. Every certificate needs to be provided in its own file, unless it is loaded by a user-provided application that uses the [[VICI]] API.

h3. "no trusted RSA public key found for [...]"

*Q:* _I get the error "no trusted RSA public key found for [...]" when trying to establish my VPN connection. Why is that happening?_

*A:* The daemon is unable to authenticate the remote peer's transmitted ID (or the locally configured ID for the remote peer) using its available authentication credentials (e.g. the transmitted client certificate and all transmitted and locally available CA certificates). Make sure your configuration fulfills the following requirements:

* The client transmits its certificate to the remote peer (configure logging as shown on the HelpRequests page and search the log for @cert@)
* The remote peer trusts the root CA that issued the client's certificate, or the client's certificate is locally available and loaded (check with @ipsec listcerts@ or @swanctl --list-certs@)
* The remote peer's certificate is valid
* The remote peer's transmitted ID is either in one of its certificate's SAN fields with the correct type (type IP if it's an IP, type FQDN if it's an FQDN) or it is its certificate's whole DN (distinguished name)

h3. XFRM policy ordering

*Q:* _In which order do XFRM policies apply?_

*A:* The policies' priorities are used to order them. They are checked from the lowest priority value (= highest priority) to the highest, and the first one that matches is applied (first match wins, lower number = higher priority). strongSwan installs all passthrough policies with higher priorities (lower numbers) than other policies.
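As an added example (not strongSwan or kernel code), this Python script parses constructed @ip xfrm policy@ output and resolves which policy applies to a packet, showing a narrow passthrough policy with a lower priority value winning over the broader tunnel policy that covers the same addresses. Only address selectors are modelled; protocol and port selectors are ignored.

```python
"""Which XFRM policy applies to a packet: lowest priority value wins.

Added example, not strongSwan or kernel code. It parses constructed `ip xfrm policy`
output (address selectors only; protocol/port selectors are ignored) and resolves a
packet the way the kernel does: among the matching policies of the right direction
the one with the lowest priority value is applied.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Constructed sample: a site-to-site tunnel 10.1.0.0/16 <-> 10.2.0.0/16, a narrower
# passthrough (no template) that exempts 10.1.5.0/24 <-> 10.2.5.0/24 from it, a
# catch-all tunnel to a second gateway, and the kernel's own socket policy.
SAMPLE_XFRM_POLICY = """\
src 0.0.0.0/0 dst 0.0.0.0/0 
\tsocket in priority 0 ptype main 
src 10.1.0.0/16 dst 10.2.0.0/16 
\tdir out priority 371327 ptype main 
\ttmpl src 192.168.0.1 dst 192.168.0.100
\t\tproto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16 
\tdir in priority 371327 ptype main 
\ttmpl src 192.168.0.100 dst 192.168.0.1
\t\tproto esp reqid 1 mode tunnel
src 10.1.5.0/24 dst 10.2.5.0/24 
\tdir out priority 175423 ptype main 
src 10.2.5.0/24 dst 10.1.5.0/24 
\tdir in priority 175423 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
\tdir out priority 399999 ptype main 
\ttmpl src 192.168.0.1 dst 203.0.113.5
\t\tproto esp reqid 2 mode tunnel
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

@dataclass
class XfrmPolicy:
    src: Network
    dst: Network
    direction: str = ""     # "dir in", "dir out", "dir fwd" or "socket in"/"socket out"
    priority: int = 0       # lower value = higher priority
    templates: List[str] = field(default_factory=list)  # empty = passthrough (plaintext)

    def is_passthrough(self) -> bool:
        return not self.templates

_HDR = re.compile(r"^src (\S+) dst (\S+)")
_DIR = re.compile(r"^(dir (?:in|out|fwd)|socket (?:in|out)) priority (\d+)")
_TMPL = re.compile(r"^tmpl src (\S+) dst (\S+)")
_MODE = re.compile(r"^proto (\S+) reqid \d+ mode (\S+)")

def parse_xfrm_policy(text: str) -> List[XfrmPolicy]:
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _HDR.match(line):
            cur = XfrmPolicy(ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)))
            policies.append(cur)
        elif cur is None:
            continue
        elif m := _DIR.match(line):
            cur.direction, cur.priority = m.group(1), int(m.group(2))
        elif m := _TMPL.match(line):
            cur.templates.append(f"{m.group(1)}->{m.group(2)}")
        elif (m := _MODE.match(line)) and cur.templates:
            cur.templates[-1] = f"{m.group(1)} {m.group(2)} {cur.templates[-1]}"
    return policies

def matching_in_order(policies: List[XfrmPolicy], src_ip: str, dst_ip: str,
                      direction: str = "out") -> List[XfrmPolicy]:
    """All policies of that direction whose selectors cover the packet, in the order
    the kernel checks them (ascending priority value)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies if p.direction == "dir " + direction
            and s.version == p.src.version and s in p.src and d in p.dst]
    return sorted(hits, key=lambda p: p.priority)

def lookup(policies: List[XfrmPolicy], src_ip: str, dst_ip: str,
           direction: str = "out") -> Optional[XfrmPolicy]:
    """The policy the kernel applies: first match wins, lower number = higher priority."""
    hits = matching_in_order(policies, src_ip, dst_ip, direction)
    return hits[0] if hits else None
```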

h2. IKEv2

h3. Disabling NAT traversal?

*Q:* _How can I turn off NAT traversal in charon (IKEv2)?_

*A:* NAT traversal cannot be disabled in the charon daemon. If you don't like the automatic port floating to UDP/4500 due to the MOBIKE protocol (RFC 4555), which happens even if no NAT situation exists, then you can disable MOBIKE by adding

<pre>
mobike=no
</pre>

to the connection definition in [[ipsecconf|ipsec.conf]].

h3. Public key authentication fails with retransmissions

*Q:* _My IKEv2 connection fails with retransmits during the IKE_AUTH exchange when using RSA certificates, but works when a PSK is used. Why?_

*A:* This is probably related to the Path MTU (Maximum Transmission Unit). The IKE_AUTH messages that contain the certificates and certificate requests can get pretty big, therefore the IP packets transporting these UDP datagrams could get fragmented. Some firewalls might block IP fragments and will therefore hamper your IKE connection. If you can't configure the responsible firewall(s) to accept fragments you could try to preload the certificates on both sides and then configure _rightsendcert=never_ in [[ConnSection|ipsec.conf]] to prevent the daemon from sending certificate requests. With the default setting of _leftsendcert=ifasked_ the own certificate will then not be sent (this could be enforced with _leftsendcert=never_). Using ECDSA instead of RSA will also reduce the size of the IKE_AUTH messages as keys/certificates will be significantly smaller.

Since version:5.2.1 support for the "IKEv2 fragmentation extension":https://tools.ietf.org/html/rfc7383 is available, which can be enabled with the _fragmentation_ option in [[connsection|ipsec.conf]] (the default since version:5.5.1).

h3. Pre-Shared Key Authentication

*Q:* _Should I use IKEv2 with PSK authentication?_

*A:* Both IKEv1 and IKEv2 with PSK-based authentication are known to be vulnerable to dictionary and brute-force attacks. So it is recommended to use digital signature (certificate) based authentication. If you have to use PSKs, you should generate a high-entropy PSK as shown in the "security recommendations":https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Preshared-Keys-PSKs.

h2. IKEv1

h3. "no proposal chosen" returned by ZyXEL/Linksys/x router

*Q:* _I'm trying to set up a VPN tunnel with a ZyXEL/Linksys/X router but the other side keeps on telling me "no proposal chosen" when strongSwan initiates the connection._

*A:* Make sure that the peer supports all the algorithms (including the key lengths) which strongSwan proposes for IKE and ESP. In terms of IKE, the proposal consists of the following parts: encryption algorithm, hash algorithm (PRF) and DH group. In terms of ESP the proposal includes the following: encryption algorithm, hash algorithm, PFS group (DH group) and *compression algorithm*. There are lots of IPsec implementations out there that do *not* support compression or have implemented it erroneously. So the first thing to try in this situation is to switch compression off on the peer. strongSwan's default setting is

<pre>
compress=no
</pre>

See also Chapter "14.1 Authentication and encryption algorithms":http://www.strongswan.org/docs/readme4.htm#section_14.1 of the strongSwan documentation. It has good information about the relevant parameters.

h3. "no RSA public key known for '...'"

*Q:* _I'm getting the error message "no RSA public key known for '....' ". What am I doing wrong?_

*A:* If you are using RSA-based signatures for authentication, strongSwan needs to have the peer's RSA public key in order to verify its authentication. This public key can be provided either by using the @rightrsasigkey@ directive in [[ipsecconf|ipsec.conf]], which was popular with FreeS/WAN, or it can be extracted from the peer's X.509 certificate. This certificate can in turn be preloaded via the @rightcert@ directive if it is available locally, or it can be requested from the remote end with a _certificate request_. Now if the certificate is missing, one reason might be that the remote end refused to send it. Another reason could be that strongSwan did not send a _certificate request_. This happens if you set the @nocrsend@ option to @yes@. The Astaro Security Gateway, which uses strongSwan behind the scenes, is known to do that. In order to make the IPsec connection work in that scenario, you need to set @leftsendcert@ to @yes@ on the other end. With @leftsendcert=yes@ strongSwan sends its certificate across even if no _certificate request_ was received. This helps to interoperate with some misconfigured peers.

h3. "invalid HASH_V1 payload length, decryption failed?"

*Q:* _I'm getting the error message "invalid HASH_V1 payload length, decryption failed?" when using PSK authentication. What could be the reason?_

*A:* This is most likely due to an incorrect PSK on one of the peers. Since the PSK is incorporated into the key material used to secure the IKEv1 packets, they can't be decrypted properly if the PSKs don't match.

Note that the PSK whose associated identities/IPs match best is used. So if the local identity is associated with every PSK, every PSK will basically match to some degree, which is why only remote identities/IPs should be associated with PSKs.

For IKEv1 the first lookup is always based on the IP addresses (i.e. every secret that lists the local IP will match). If no PSK is found, an initiator will use the configured identities for a second lookup. As a responder, identities can only be used if Aggressive Mode is used ([[FAQ#Aggressive-Mode|which should never be used with PSKs]]). However, if a configuration is found (based on the IPs), a lookup based on the configured identities is done (all matching configs are considered until a PSK is found).

h3. Main Mode

*Q:* _Should I use IKEv1 with PSK authentication?_

*A:* Both IKEv1 and IKEv2 with PSK-based authentication are known to be vulnerable to dictionary and brute-force attacks. So it is recommended to use digital signature (certificate) based authentication. If you have to use PSKs, you should generate a high-entropy PSK as shown in the "security recommendations":https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Preshared-Keys-PSKs.

h3. Aggressive Mode

*Q:* _Does strongSwan support IKEv1 Aggressive Mode?_

*A:* Since [[5.0.0|version 5.0.0]] the answer is _yes_. For previous releases, where the IKEv1 protocol was handled by the pluto daemon, the answer is and remains _no_.

However, the strongSwan developers still recommend to avoid its use with pre-shared keys. This is due to a known weakness of the protocol. With Aggressive Mode, a hash of the pre-shared key is transmitted in clear-text. An eavesdropper can capture this hash and run an offline brute-force attack against it. Once the pre-shared key is known, "MITM attacks":http://en.wikipedia.org/wiki/Man-in-the-middle_attack to gather the XAuth credentials can easily be executed. Aggressive Mode is therefore incompatible with the basic principle of the strongSwan project, which is to deliver a product that meets high security standards. That's why, in order to use Aggressive Mode with pre-shared keys as responder (i.e. on gateways), it is required to set @charon.i_dont_care_about_security_and_use_aggressive_mode_psk=yes@ in [[strongswan.conf]]. As promised often in numerous public and private talks, strongSwan then changes its name to *weakSwan*. It is not required to set this option for clients as they often have no other choice.

To avoid Aggressive Mode with pre-shared keys (and other shortcomings of IKEv1 Main or Aggressive Mode) the best option is to switch to *IKEv2* with signature-based authentication, because IKEv2 PSK-based authentication is also vulnerable to dictionary and brute-force attacks. But even for IKEv1 strongSwan [[5.0.0]] now provides an easy to deploy alternative: {{tc(ikev1/xauth-id-rsa-hybrid, hybrid authentication)}}. This mode uses a certificate to authenticate the gateway and only XAuth to authenticate the client; during Phase 1 (Main or Aggressive Mode) the client is not authenticated.

h3. Public key authentication fails with retransmissions

*Q:* _strongSwan fails to initiate a connection to a peer. I'm using RSA authentication and I noticed the two error messages: @'discarding duplicate packet; already STATE_MAIN_I3'@ on the initiator side and @'max number of retransmissions (2) reached STATE_MAIN_R2'@ on the responder side._

*A:* This problem might be related to the Path MTU (Maximum Transmission Unit). The IKE protocol is transported in UDP datagrams. As a result, the UDP datagrams also contain the X.509 certificate you are using. Now, if you're using a large certificate the UDP datagram might get bigger than the PMTU. That's the point where IP fragmentation kicks in and cuts your IP packet / UDP datagram into two or more pieces. There are some firewalls out there that strictly block IP fragments and therefore hamper your IKE connection. Large X.509 certificates could result from long Distinguished Names or from long RSA keys (2048 bit). As a workaround you can reconfigure your firewall, try to make your certificates smaller, or preload the certificates on both sides and thereby get away without transmitting the certificates over UDP.

Since version:5.0.2 strongSwan supports the proprietary IKEv1 fragmentation extension, which can be enabled with the _fragmentation_ option in [[ConnSection|ipsec.conf]].

h3. NAT between Windows L2TP/IPsec clients and strongSwan

*Q:* _I want to set up strongSwan to interoperate with Microsoft Windows using L2TP/IPsec. With strongSwan versions < 5.0.0 I'm getting the error message "NAT-Traversal: Transport mode disabled due to security concerns", which results in strongSwan sending an encrypted notification BAD_PROPOSAL_SYNTAX._

*A:* NAT-Traversal with IPsec transport mode has some inherent issues (see "section 5.2 of RFC 3948":https://tools.ietf.org/html/rfc3948#section-5.2 and {{tc(ikev2/host2host-transport-nat)}} for an illustration). To avoid the error message in the question, strongSwan versions prior to 5.0.0 need to be compiled with the option @--enable-nat-transport@. With newer versions NAT-T with transport mode is supported, however, the issues remain. Refer to the [[connmark|connmark plugin]] for possible workarounds in some scenarios; however, for Windows L2TP clients that all use the same client port [[Connmark#Windows-L2TP|the plugin alone is not enough]].

h3. "ignoring CERT_PKCS7_WRAPPED_X509 certificate request" with Juniper device

*Q:* _I'm trying to set up strongSwan to interoperate with a device from Juniper. The connection setup fails. I found the following message in the log file: @'ignoring CERT_PKCS7_WRAPPED_X509 certificate request payload'@._

*A:* The problem is that Juniper expects strongSwan to send its certificate[s] in CERT_PKCS7_WRAPPED_X509 format, which is quite unusual. strongSwan can parse such payloads (e.g. Windows XP sends them if there is a multi-level certificate chain) but currently cannot construct them since there was never a need. We have full PKCS#7 functionality in our scepclient tool but it hasn't been integrated into the pluto daemon.

Are you using a multi-level certificate hierarchy and if yes, could you import the root and all intermediate CA certificates statically on your Juniper box? Or just use a simple certificate hierarchy with path length 0?

h3. "next payload type of ISAKMP Message has an unknown value: 33"

*Q:* _I'm trying to set up a connection using a pre-shared key configuration. I get the following error message: @'packet from 10.x.x.30:500: next payload type of ISAKMP Message has an unknown value: 33'@._

*A:* This error message usually points to a difference in the pre-shared keys configured on the two peers. With the wrong key the receiver is not able to correctly decrypt the incoming traffic. Please check the configured PSKs in [[ipsec.secrets]].

h3. "ignoring unprotected INFORMATIONAL"

*Q:* _strongSwan logs "ignoring unprotected INFORMATIONAL". What does that mean?_

*A:* It means that strongSwan did not process an Informational message, because the other peer did not authenticate it, that is, it didn't contain an AUTH payload. Some implementations send error notifies in such a way. If so, try to determine what the problem is based on the type of notify that was contained in the message (it should be listed in the log message before this one).