[Swan] problem connect shrew vpn client version 3.29
António Silva
asilva at wirelessmundi.com
Fri Jun 28 10:04:51 UTC 2019
Hi Paul,
Thanks for the reply, yes the psk is "test" :S ... it is a virtual
machine not connect to internet...
Solved the configuration errors.
After looking into the shrew errors, i found out that the tunnel was
closed because misconfigure IDs:
19/06/28 11:54:03 !! : phase1 id type mismatch ( received ipv4-host but
expected fqdn )
19/06/28 11:54:03 ii : sending peer DELETE message
Problem solved by adjusting to the right configuration. Also force a
"local ID" in shrew client so it doesn't send an empty one.
Sorry for the noise.
On 27/06/2019 17:32, Paul Wouters wrote:
> On Thu, 27 Jun 2019, António Silva wrote:
>
>> Sorry forget to add the log from the client:
>
> First, fix all the visible errors in your configuration, eg:
>
> Jun 27 13:30:12 cmhome addconn[23652]: duplicate key 'ikev2' in conn
> tunnel3-aggr while processing def tunnel3
> Jun 27 13:30:12 cmhome addconn[23652]: duplicate key 'ikev2' in conn
> tunnel3 while processing def tunnel3
> Jun 27 13:30:12 cmhome addconn[23652]: addconn, in config
> '/etc/ipsec.conf', ignoring: duplicate key 'ikev2' in conn
> tunnel3-aggr while processing def tunnel3
> Jun 27 13:30:12 cmhome addconn[23652]: duplicate key 'ikev2' in conn
> tunnel3 while processing def tunnel3
> Jun 27 13:30:12 cmhome _stackmanager[23656]: duplicate key 'ikev2' in
> conn tunnel3-aggr while processing def tunnel3
> Jun 27 13:30:12 cmhome libipsecconf[23664]: duplicate key 'ikev2' in
> conn tunnel3-aggr while processing def tunnel3
> Jun 27 13:30:12 cmhome _stackmanager[23656]: duplicate key 'ikev2' in
> conn tunnel3 while processing def tunnel3
> Jun 27 13:30:12 cmhome libipsecconf[23664]: duplicate key 'ikev2' in
> conn tunnel3 while processing def tunnel3
> Jun 27 13:30:12 cmhome _stackmanager[23656]: addconn, in config
> '/etc/ipsec.conf', ignoring: duplicate key 'ikev2' in conn
> tunnel3-aggr while processing def tunnel3
>
> note also:
>
> Jun 27 13:30:35 cmhome pluto[23927]: "tunnel3"[1] 192.168.1.66 #1:
> WARNING: connection tunnel3 PSK length of 4 bytes is too short for md5
> PRF in FIPS mode (8 bytes required)
>
> I really hope "test" is not your PSK, not even for testing :P
>
> Jun 27 13:30:35 cmhome pluto[23927]: "tunnel3"[2] 192.168.1.66 #1:
> Peer ID is ID_FQDN: '@'
>
> that seems a weird ID? blanc?
>
> However, the IKE SA came up:
>
> Jun 27 13:30:35 cmhome pluto[23927]: "tunnel3"[2] 192.168.1.66 #1:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY
> cipher=AES_CBC_256 integ=HMAC_MD5 group=MODP2048}
>
> But it got deleted by the other endpoint before it could setup an IPsec
> SA:
>
> Jun 27 13:30:35 cmhome pluto[23927]: "tunnel3"[2] 192.168.1.66 #1:
> received Delete SA payload: self-deleting ISAKMP State #1
>
> So you should check the other end to see why it send a delete request.
>
>> In the logs i do see libreswan sending xauth request:
>>
>> Jun 27 13:30:35 cmhome pluto[23927]: | XAUTH: Sending XAUTH
>> Login/Password Request
>
> The above did not show any trace of XAUTH, so it seems various logs do
> not match the same exchange attempt between client and server?
>
>> Is there a change from previous version that could affect auth with
>> xauth?
>
> Yes, we continiously update the algorithms in the default proposal and
> obsolete things, so perhaps you were using MD5 or 3DES or DH2 which are
> no longer in the default proposal set, even for IKEv1.
>
>> or is just that the shrew client is to old and i should stop using it?
>
> That to probably. But it should still work.
>
>> On 27/06/2019 13:36, António Silva wrote:
>> Hi,
>>
>> In version 3.29 i cannot connect shrew vpn client and i don't
>> get why, probably something with new
>> ike negotiation.
>>
>> other clients (android, cisco client) are working ok.
>>
>> the configuration (client and server) was working in previous
>> versions:
>>
>> ipsec.conf:
>>
>> conn tunnel3
>> pfs=no
>> type=tunnel
>> auto=add
>> ikev2=no
>> phase2=esp
>> sha2-truncbug=yes
>> authby=secret
>> keyingtries=3
>> ikelifetime=1h
>> salifetime=1h
>> left=192.168.1.10
>> leftsubnet=0.0.0.0/0
>> leftid=192.168.1.10
>> leftupdown=/scripts/ipsec_monitor.php
>> right=%any
>> rightid=%any
>> rightaddresspool=192.168.168.80-192.168.168.80
>> rightupdown=/scripts/ipsec_monitor.php
>> dpddelay=30
>> dpdtimeout=60
>> dpdaction=hold
>> leftxauthserver=yes
>> rightxauthclient=yes
>> leftmodecfgserver=yes
>> rightmodecfgclient=yes
>> modecfgpull=yes
>> ike-frag=yes
>> ikev2=never
>> xauthby=pam
>
> looks fine.
>
>>
>> The output of the connection is:
>>
>> Jun 27 13:30:35 cmhome pluto[23927]: "tunnel3"[2] 192.168.1.66
>> #1: STATE_MAIN_R3: sent MR3, ISAKMP
>> SA established {auth=PRESHARED_KEY cipher=AES_CBC_256
>> integ=HMAC_MD5 group=MODP2048}
>>
>> Jun 27 13:30:35 cmhome pluto[23927]: "tunnel3"[2] 192.168.1.66
>> #1: received Delete SA payload:
>> self-deleting ISAKMP State #1
>> Jun 27 13:30:35 cmhome pluto[23927]: "tunnel3"[2] 192.168.1.66
>> #1: deleting state (STATE_MAIN_R3)
>> aged 0.585s and sending notification
>> Jun 27 13:30:35 cmhome pluto[23927]: packet from
>> 192.168.1.66:50591: deleting connection
>> "tunnel3"[2] 192.168.1.66 instance with peer 192.168.1.66
>> {isakmp=#0/ipsec=#0}
>>
>> I guess that is something related to the new changes for IKE
>> negotiation.
>>
>> Full log can be found at : https://pastebin.com/D8aQNWHN
>
> So yeah, find out why the other end send a delete.
>
> Paul
--
Saludos / Regards / Cumprimentos
António Silva
More information about the Swan
mailing list