Status: Closed
Priority: Normal
Assignee: Tobias Brunner
Category: configuration
Affected version: 4.4.1
Resolution: Fixed
Description
I have already spent more than 12h configuring PSK+XAUTH. It worked fine with version 4.5.2 but it is not working with 5.0.4.
cat /etc/ipsec.conf
config setup
# strictcrlpolicy=yes
# uniqueids = never
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
# Add connections here.
conn radius
left=172.31.30.10
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftauth=psk
right=%any
rightauth=psk
rightauth2=xauth
rightsourceip=10.2.0.0/16
auto=add
cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
172.31.30.10 : PSK "12345"
carol : XAUTH "12345"
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# plutodebug=all
# crlcheckinterval=600
# strictcrlpolicy=yes
29.04.2021 1/6
# cachecrls=yes
# nat_traversal=yes
# charonstart=yes
# plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=xauthpsk
xauth=client
conn home4.0
left=%defaultroute
leftfirewall=yes
leftsourceip=%modeconfig
right=172.31.30.11
rightsubnet=0.0.0.0/0
xauth_identity=carol
auto=add
pfs=no
conn home5.0
left=%defaultroute
leftfirewall=yes
leftsourceip=%modeconfig
right=172.31.30.10
rightsubnet=0.0.0.0/0
xauth_identity=carol
auto=add
pfs=no
cat /etc/ipsec.secrets
include /var/lib/strongswan/ipsec.secrets.inc
172.31.30.8 : PSK "12345"
carol : XAUTH "12345"
Jul 30 15:37:39 debian-vpn charon: 00[DMN] signal of type SIGINT received. Shutting down
Jul 30 15:37:42 debian-vpn charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 2.6.32-5-amd64, x86_64)
Jul 30 15:37:42 debian-vpn charon: 00[CFG] sql plugin: database URI not set
Jul 30 15:37:42 debian-vpn charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loaded IKE secret for 172.31.30.10
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loaded EAP secret for carol
Jul 30 15:37:42 debian-vpn charon: 00[DMN] loaded plugins: charon test-vectors mysql aes des sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap
Jul 30 15:37:42 debian-vpn charon: 00[JOB] spawning 16 worker threads
Jul 30 15:37:42 debian-vpn charon: 09[CFG] received stroke: add connection 'radius'
Jul 30 15:37:42 debian-vpn charon: 09[CFG] adding virtual IP address pool 10.2.0.0/16
Jul 30 15:37:42 debian-vpn charon: 09[CFG] added configuration 'radius'
Jul 30 15:38:22 debian-vpn charon: 10[NET] received packet: from 172.31.30.8[500] to 172.31.30.10[500] (168 bytes)
Jul 30 15:38:22 debian-vpn charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V ]
Jul 30 15:38:22 debian-vpn charon: 10[IKE] received strongSwan vendor ID
Jul 30 15:38:22 debian-vpn charon: 10[IKE] received XAuth vendor ID
Jul 30 15:38:22 debian-vpn charon: 10[IKE] received DPD vendor ID
Jul 30 15:38:22 debian-vpn charon: 10[IKE] 172.31.30.8 is initiating a Main Mode IKE_SA
Jul 30 15:38:22 debian-vpn charon: 10[ENC] generating ID_PROT response 0 [ SA V V ]
Jul 30 15:38:22 debian-vpn charon: 10[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (116 bytes)
Jul 30 15:38:22 debian-vpn charon: 11[NET] received packet: from 172.31.30.8[500] to 172.31.30.10[500] (308 bytes)
Jul 30 15:38:22 debian-vpn charon: 11[ENC] parsed ID_PROT request 0 [ KE No ]
Jul 30 15:38:22 debian-vpn charon: 11[ENC] generating ID_PROT response 0 [ KE No ]
Jul 30 15:38:22 debian-vpn charon: 11[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (324 bytes)
Jul 30 15:38:22 debian-vpn charon: 12[NET] received packet: from 172.31.30.8[500] to 172.31.30.10[500] (76 bytes)
Jul 30 15:38:22 debian-vpn charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jul 30 15:38:22 debian-vpn charon: 12[CFG] looking for XAuthInitPSK peer configs matching 172.31.30.10...172.31.30.8[172.31.30.8]
Jul 30 15:38:22 debian-vpn charon: 12[CFG] selected peer config "radius"
Jul 30 15:38:22 debian-vpn charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
Jul 30 15:38:22 debian-vpn charon: 12[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (76 bytes)
Jul 30 15:38:22 debian-vpn charon: 12[ENC] generating TRANSACTION request 375591222 [ HASH CP ]
Jul 30 15:38:22 debian-vpn charon: 12[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (76 bytes)
Jul 30 15:38:22 debian-vpn charon: 13[NET] received packet: from 172.31.30.8[500] to 172.31.30.10[500] (92 bytes)
Jul 30 15:38:22 debian-vpn charon: 13[ENC] length of CONFIGURATION_ATTRIBUTE_V1 substructure list invalid
Jul 30 15:38:22 debian-vpn charon: 13[ENC] could not decrypt payloads
Jul 30 15:38:22 debian-vpn charon: 13[IKE] message parsing failed
Jul 30 15:38:22 debian-vpn charon: 13[ENC] generating INFORMATIONAL_V1 request 2362884502 [ HASH N(PLD_MAL) ]
Jul 30 15:38:22 debian-vpn charon: 13[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (76 bytes)
Jul 30 15:38:22 debian-vpn charon: 13[IKE] TRANSACTION response with message ID 375591222 processing failed
Jul 30 15:38:26 debian-vpn charon: 14[IKE] sending retransmit 1 of request message ID 375591222, seq 1
Jul 30 15:38:26 debian-vpn charon: 14[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (76 bytes)
Jul 30 15:38:32 debian-vpn charon: 15[NET] received packet: from 172.31.30.8[500] to 172.31.30.10[500] (92 bytes)
Jul 30 15:38:32 debian-vpn charon: 15[ENC] length of CONFIGURATION_ATTRIBUTE_V1 substructure list invalid
Jul 30 15:38:32 debian-vpn charon: 15[ENC] could not decrypt payloads
Jul 30 15:38:32 debian-vpn charon: 15[IKE] message parsing failed
Jul 30 15:38:32 debian-vpn charon: 15[ENC] generating INFORMATIONAL_V1 request 586950680 [ HASH N(PLD_MAL) ]
Jul 30 15:38:32 debian-vpn charon: 15[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (76 bytes)
Jul 30 15:38:32 debian-vpn charon: 15[IKE] TRANSACTION response with message ID 375591222 processing failed
Jul 30 15:38:33 debian-vpn charon: 01[IKE] sending retransmit 2 of request message ID 375591222, seq 1
Jul 30 15:38:33 debian-vpn charon: 01[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (76 bytes)
Can anyone explain what "length of CONFIGURATION_ATTRIBUTE_V1 substructure list invalid" means?
Is it possible to configure PSK + generic XAUTH (ipsec.secrets) in 5.0.4 version? Can you help?
Thanks in advance,
Gabriel
History
#1 - 30.07.2013 15:51 - G S
And here is the output from the client:
root@debian:/home/debian# ipsec up home5.0
002 "home5.0" #8: initiating Main Mode
104 "home5.0" #8: STATE_MAIN_I1: initiate
003 "home5.0" #8: received Vendor ID payload [XAUTH]
003 "home5.0" #8: received Vendor ID payload [Dead Peer Detection]
106 "home5.0" #8: STATE_MAIN_I2: sent MI2, expecting MR2
108 "home5.0" #8: STATE_MAIN_I3: sent MI3, expecting MR3
002 "home5.0" #8: Peer ID is ID_IPV4_ADDR: '172.31.30.10'
002 "home5.0" #8: ISAKMP SA established
004 "home5.0" #8: STATE_MAIN_I4: ISAKMP SA established
002 "home5.0" #8: parsing XAUTH request
002 "home5.0" #8: sending XAUTH reply
120 "home5.0" #8: STATE_XAUTH_I1: sent XAUTH reply, expecting status
003 "home5.0" #8: byte 2 of ISAKMP Hash Payload must be zero, but is not
003 "home5.0" #8: malformed payload in packet
003 "home5.0" #8: discarding duplicate packet; already STATE_XAUTH_I1
010 "home5.0" #8: STATE_XAUTH_I1: retransmission; will wait 20s for response
003 "home5.0" #8: next payload type of ISAKMP Hash Payload has an unknown value: 182
003 "home5.0" #8: malformed payload in packet
003 "home5.0" #8: discarding duplicate packet; already STATE_XAUTH_I1
This is caused by a bug in 4.4.1 that was fixed by 1f2c3283, which was included in 4.5.0.
#3 - 30.07.2013 17:45 - G S
Tobias Brunner wrote:
This is caused by a bug in 4.4.1 that was fixed by 1f2c3283, which was included in 4.5.0.
I have to say that I do not fully understand your answer. I am using v5.0.4 at the server side and yes v4.4.1 at the client side but...
I have a very similar problem while trying to connect from an iPad, here is the output:
Jul 30 17:41:46 debian-vpn charon: 00[DMN] signal of type SIGINT received. Shutting down
Jul 30 17:41:49 debian-vpn charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 2.6.32-5-amd64, x86_64)
Jul 30 17:41:49 debian-vpn charon: 00[CFG] sql plugin: database URI not set
Jul 30 17:41:49 debian-vpn charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loaded IKE secret for 172.31.30.10
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loaded EAP secret for carol
Jul 30 17:41:49 debian-vpn charon: 00[DMN] loaded plugins: charon test-vectors mysql aes des sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap
Jul 30 17:41:49 debian-vpn charon: 00[JOB] spawning 16 worker threads
Jul 30 17:41:49 debian-vpn charon: 10[CFG] received stroke: add connection 'radius'
Jul 30 17:41:49 debian-vpn charon: 10[CFG] adding virtual IP address pool 10.2.0.0/16
Jul 30 17:41:49 debian-vpn charon: 10[CFG] added configuration 'radius'
Jul 30 17:42:04 debian-vpn charon: 02[NET] received packet: from 172.31.30.4[500] to 172.31.30.10[500] (572 bytes)
Jul 30 17:42:04 debian-vpn charon: 02[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V ]
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received XAuth vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received Cisco Unity vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received DPD vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] 172.31.30.4 is initiating a Main Mode IKE_SA
Jul 30 17:42:04 debian-vpn charon: 02[ENC] generating ID_PROT response 0 [ SA V V V ]
Jul 30 17:42:04 debian-vpn charon: 02[NET] sending packet: from 172.31.30.10[500] to 172.31.30.4[500] (136 bytes)
Jul 30 17:42:05 debian-vpn charon: 12[NET] received packet: from 172.31.30.4[500] to 172.31.30.10[500] (228 bytes)
Jul 30 17:42:05 debian-vpn charon: 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 30 17:42:05 debian-vpn charon: 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jul 30 17:42:05 debian-vpn charon: 12[NET] sending packet: from 172.31.30.10[500] to 172.31.30.4[500] (244 bytes)
Jul 30 17:42:05 debian-vpn charon: 13[NET] received packet: from 172.31.30.4[500] to 172.31.30.10[500] (108 bytes)
Jul 30 17:42:05 debian-vpn charon: 13[ENC] invalid ID_V1 payload length, decryption failed?
Jul 30 17:42:05 debian-vpn charon: 13[ENC] could not decrypt payloads
Jul 30 17:42:05 debian-vpn charon: 13[IKE] message parsing failed
Jul 30 17:42:05 debian-vpn charon: 13[ENC] generating INFORMATIONAL_V1 request 3653904164 [ HASH N(PLD_MAL) ]
Jul 30 17:42:05 debian-vpn charon: 13[NET] sending packet: from 172.31.30.10[500] to 172.31.30.4[500] (76 bytes)
Jul 30 17:42:05 debian-vpn charon: 13[IKE] ID_PROT request with message ID 0 processing failed
Jul 30 17:42:08 debian-vpn charon: 14[NET] received packet: from 172.31.30.4[500] to 172.31.30.10[500] (108 bytes)
Jul 30 17:42:08 debian-vpn charon: 14[ENC] invalid ID_V1 payload length, decryption failed?
Jul 30 17:42:08 debian-vpn charon: 14[ENC] could not decrypt payloads
Jul 30 17:42:08 debian-vpn charon: 14[IKE] message parsing failed
Jul 30 17:42:08 debian-vpn charon: 14[ENC] generating INFORMATIONAL_V1 request 1086460854 [ HASH N(PLD_MAL) ]
Jul 30 17:42:08 debian-vpn charon: 14[NET] sending packet: from 172.31.30.10[500] to 172.31.30.4[500] (76 bytes)
Jul 30 17:42:08 debian-vpn charon: 14[IKE] ID_PROT request with message ID 0 processing failed
Jul 30 17:42:11 debian-vpn charon: 15[NET] received packet: from 172.31.30.4[500] to 172.31.30.10[500] (108 bytes)
Jul 30 17:42:11 debian-vpn charon: 15[ENC] invalid ID_V1 payload length, decryption failed?
Jul 30 17:42:11 debian-vpn charon: 15[ENC] could not decrypt payloads
Jul 30 17:42:11 debian-vpn charon: 15[IKE] message parsing failed
Jul 30 17:42:11 debian-vpn charon: 15[ENC] generating INFORMATIONAL_V1 request 1639472003 [ HASH N(PLD_MAL) ]
Jul 30 17:42:11 debian-vpn charon: 15[NET] sending packet: from 172.31.30.10[500] to 172.31.30.4[500] (76 bytes)
Jul 30 17:42:11 debian-vpn charon: 15[IKE] ID_PROT request with message ID 0 processing failed
Jul 30 17:42:14 debian-vpn charon: 16[NET] received packet: from 172.31.30.4[500] to 172.31.30.10[500] (108 bytes)
Jul 30 17:42:14 debian-vpn charon: 16[ENC] invalid ID_V1 payload length, decryption failed?
Jul 30 17:42:14 debian-vpn charon: 16[ENC] could not decrypt payloads
Jul 30 17:42:14 debian-vpn charon: 16[IKE] message parsing failed
Jul 30 17:42:14 debian-vpn charon: 16[ENC] generating INFORMATIONAL_V1 request 1293380206 [ HASH N(PLD_MAL) ]
Jul 30 17:42:14 debian-vpn charon: 16[NET] sending packet: from 172.31.30.10[500] to 172.31.30.4[500] (76 bytes)
Jul 30 17:42:14 debian-vpn charon: 16[IKE] ID_PROT request with message ID 0 processing failed
Gabriel
This is caused by a bug in 4.4.1 that was fixed by 1f2c3283, which was included in 4.5.0.
I have to say that I do not fully understand your answer. I am using v5.0.4 at the server side and yes v4.4.1 at the client side but...
Well, it's the client (4.4.1) that does something wrong here (it sends additional data behind the XAuth secret). So unless you update the client (or use IKEv2, which is recommended for strongSwan<->strongSwan connections anyway) this won't work with newer strongSwan releases. It could be that pluto (the IKEv1 daemon that was used until 5.0.0) handled those invalid payloads a bit more leniently, which might be why it worked with 4.5.2.
I have a very similar problem while trying to connect from an iPad, here is the output:
This is clearly not the same problem. It breaks earlier and from the log message it looks like something with the PSK is wrong (e.g. most likely a typo on the iOS client).
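The reply above says the 4.4.1 client sends additional data behind the XAuth secret, and the server log reports exactly that as "length of CONFIGURATION_ATTRIBUTE_V1 substructure list invalid" before giving up with "could not decrypt payloads". The following is an added example, not strongSwan code and not from this thread: a small encoder and strict parser for the ISAKMP Configuration payload that carries an XAuth reply, showing the length bookkeeping a responder does over the attribute list and why bytes trailing the last attribute fail it. Attribute encoding follows RFC 2408 section 3.3 and the XAuth attribute numbers are those of the XAuth draft; the sample payloads are constructed, the transaction identifier 0x1234 is arbitrary, and the two trailing bytes in the bad sample stand in for whatever the 4.4.1 client actually appended, which the thread does not show.

```python
"""ISAKMP Configuration payload (Mode Config / XAuth) encoder and strict parser.

Added example for this thread, not strongSwan code. Attribute encoding follows
RFC 2408 section 3.3 (data attributes); the XAuth attribute numbers are those
of draft-ietf-ipsec-isakmp-xauth-06. All sample payloads are constructed.
"""
import struct

CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
XAUTH_TYPE, XAUTH_USER_NAME, XAUTH_USER_PASSWORD, XAUTH_STATUS = 16520, 16521, 16522, 16527
XAUTH_TYPE_GENERIC = 0


class MalformedPayload(ValueError):
    """The responder would answer this with an INFORMATIONAL N(PAYLOAD_MALFORMED)."""


def build_attr(attr_type, value):
    """One data attribute. int -> TV form (AF bit set, 2-byte value);
    bytes -> TLV form (AF bit clear, 2-byte length, then the value)."""
    if isinstance(value, int):
        return struct.pack("!HH", 0x8000 | attr_type, value)
    return struct.pack("!HH", attr_type, len(value)) + value


def build_config_payload(cfg_type, identifier, attrs, trailing=b""):
    """Generic payload header (next payload, reserved, length) followed by
    type, reserved, identifier and the attribute list. `trailing` is appended
    after the last attribute but still counted in the payload length, which is
    the shape of the bug described in the thread (data behind the XAuth secret)."""
    body = struct.pack("!BBH", cfg_type, 0, identifier)
    body += b"".join(build_attr(t, v) for t, v in attrs) + trailing
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body


def parse_config_payload(data):
    """Return (cfg_type, identifier, [(attr_type, value), ...]).

    The attribute list must account for exactly the bytes between the fixed
    header and the declared payload length: an attribute that overruns the
    payload, or leftover bytes too short to be an attribute header, is rejected."""
    if len(data) < 8:
        raise MalformedPayload("payload shorter than its 8-byte fixed header")
    _next, _reserved, length = struct.unpack("!BBH", data[:4])
    if length < 8 or length > len(data):
        raise MalformedPayload(f"declared length {length} does not fit in {len(data)} bytes")
    cfg_type, _reserved2, identifier = struct.unpack("!BBH", data[4:8])
    attrs, pos, end = [], 8, length
    while pos < end:
        if end - pos < 4:
            raise MalformedPayload(f"{end - pos} stray byte(s) after the last attribute")
        af_type, val_or_len = struct.unpack("!HH", data[pos:pos + 4])
        attr_type, pos = af_type & 0x7FFF, pos + 4
        if af_type & 0x8000:
            attrs.append((attr_type, val_or_len))          # TV: the field is the value
        else:
            if pos + val_or_len > end:
                raise MalformedPayload(f"attribute {attr_type} length {val_or_len} overruns the payload")
            attrs.append((attr_type, data[pos:pos + val_or_len]))
            pos += val_or_len
    return cfg_type, identifier, attrs


def classify(payload):
    """What a responder decides for one decrypted Config payload:
    ('ok', {attr_type: value}) or ('malformed', reason)."""
    try:
        _cfg_type, _ident, attrs = parse_config_payload(payload)
    except MalformedPayload as exc:
        return "malformed", str(exc)
    return "ok", dict(attrs)


# Constructed samples (not captured from the hosts in the thread). Username and
# password are the ones in the thread's ipsec.secrets; 0x1234 is an arbitrary
# transaction identifier.
XAUTH_REPLY_ATTRS = [(XAUTH_TYPE, XAUTH_TYPE_GENERIC),
                     (XAUTH_USER_NAME, b"carol"),
                     (XAUTH_USER_PASSWORD, b"12345")]
GOOD_REPLY = build_config_payload(CFG_REPLY, 0x1234, XAUTH_REPLY_ATTRS)
# Two bytes behind the password, inside the declared length: stands in for
# whatever the 4.4.1 client appended, which the thread does not show.
TRAILING_REPLY = build_config_payload(CFG_REPLY, 0x1234, XAUTH_REPLY_ATTRS, trailing=b"\x00\x00")
# A password attribute that claims 40 bytes but carries 5.
_body = struct.pack("!BBH", CFG_REPLY, 0, 0x1234) + struct.pack("!HH", XAUTH_USER_PASSWORD, 40) + b"12345"
OVERRUN_REPLY = struct.pack("!BBH", 0, 0, 4 + len(_body)) + _body

if __name__ == "__main__":
    for name, payload in [("good", GOOD_REPLY), ("trailing", TRAILING_REPLY), ("overrun", OVERRUN_REPLY)]:
        print(name, classify(payload))
```

In IKEv1 the whole TRANSACTION exchange is encrypted, so a responder only reaches this check after decrypting the message, which is why charon's log shows the attribute-list complaint first and then reports the whole step as "could not decrypt payloads": from the outside, a payload that decrypts to garbage and a payload that was malformed before encryption look alike.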
#5 - 30.07.2013 18:04 - G S
Tobias Brunner wrote:
This is caused by a bug in 4.4.1 that was fixed by 1f2c3283, which was included in 4.5.0.
I have to say that I do not fully understand your answer. I am using v5.0.4 at the server side and yes v4.4.1 at the client side but...
Well, it's the client (4.4.1) that does something wrong here (it sends additional data behind the XAuth secret). So unless you update the client (or use IKEv2, which is recommended for strongSwan<->strongSwan connections anyway) this won't work with newer strongSwan releases. It could be that pluto (the IKEv1 daemon that was used until 5.0.0) handled those invalid payloads a bit more leniently, which might be why it worked with 4.5.2.
I have a very similar problem while trying to connect from an iPad, here is the output:
This is clearly not the same problem. It breaks earlier and from the log message it looks like something with the PSK is wrong (e.g. most likely a typo on the iOS client).
Regards,
G.S.
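The thread contains two different parse failures that look alike at first glance, and the distinction Tobias Brunner draws (which exchange broke, and what the parser complained about first) is mechanical enough to automate. As an added example, not strongSwan tooling and not from this thread, the following Python walks charon log lines, uses the worker-thread number that prefixes every line to tie a received packet to the [ENC] complaint and the "processing failed" line for the same packet, and maps the pair to the diagnosis given above. The sample lines are quoted from the two server logs in the thread; the two rules in diagnose() are the only heuristics and encode nothing the thread does not state.

```python
"""Triage of charon (strongSwan 5.x) IKEv1 parse failures from log lines.

Added example for this thread, not strongSwan tooling. The two rules in
diagnose() encode the diagnoses given in the thread; the sample lines are
quoted from the thread's two server logs.
"""
import re

HDR = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ charon: (?P<thr>\d+)\[(?P<grp>\w+)\] (?P<msg>.*)$")
RECV = re.compile(r"received packet: from (?P<peer>[\d.]+)\[\d+\]")
FAIL = re.compile(r"^(?P<exch>\w+) (?:request|response) with message ID \d+ processing failed$")


def diagnose(exch, reason):
    """Likely cause for (exchange that failed, first [ENC] complaint)."""
    if exch == "ID_PROT" and "decryption failed" in reason:
        # Main Mode message 5 is the first one encrypted under keys derived from
        # the PSK; a wrong PSK decrypts to garbage, and the ID payload length is
        # the first field that betrays it.
        return "likely PSK mismatch (first encrypted Main Mode message did not decrypt to a sane ID payload)"
    if exch == "TRANSACTION" and "CONFIGURATION_ATTRIBUTE_V1" in reason:
        # Decryption and HASH were fine; the ModeConfig/XAuth attribute list
        # does not add up to the payload length.
        return "malformed XAuth/ModeConfig reply from the peer (attribute list inconsistent with payload length)"
    return "unclassified parse failure"


def triage(lines):
    """One pass over the log. charon logs every line for one inbound packet under
    the same worker-thread number (the NN in 'NN[GRP]'), so that number ties
    'received packet' -> first [ENC] complaint -> 'processing failed' together.
    Returns one finding per failed exchange, in log order."""
    per_thread, findings = {}, []
    for line in lines:
        m = HDR.match(line)
        if not m:
            continue
        thr, grp, msg = m["thr"], m["grp"], m["msg"]
        st = per_thread.setdefault(thr, {})
        recv = RECV.search(msg)
        fail = FAIL.match(msg)
        if recv:                                   # new packet on this thread: reset
            st.clear()
            st["peer"] = recv["peer"]
        elif grp == "ENC" and "reason" not in st and ("invalid" in msg or "failed" in msg):
            st["reason"] = msg                     # keep the first, most specific complaint
        elif fail and "reason" in st:
            findings.append({"peer": st.get("peer"), "exchange": fail["exch"],
                             "reason": st["reason"],
                             "cause": diagnose(fail["exch"], st["reason"])})
            st.clear()
    return findings


# Lines quoted from the two server logs in the thread (worker thread 13 in both runs).
SAMPLE_LOG = """\
Jul 30 15:38:22 debian-vpn charon: 13[NET] received packet: from 172.31.30.8[500] to 172.31.30.10[500] (92 bytes)
Jul 30 15:38:22 debian-vpn charon: 13[ENC] length of CONFIGURATION_ATTRIBUTE_V1 substructure list invalid
Jul 30 15:38:22 debian-vpn charon: 13[ENC] could not decrypt payloads
Jul 30 15:38:22 debian-vpn charon: 13[IKE] message parsing failed
Jul 30 15:38:22 debian-vpn charon: 13[ENC] generating INFORMATIONAL_V1 request 2362884502 [ HASH N(PLD_MAL) ]
Jul 30 15:38:22 debian-vpn charon: 13[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (76 bytes)
Jul 30 15:38:22 debian-vpn charon: 13[IKE] TRANSACTION response with message ID 375591222 processing failed
Jul 30 17:42:05 debian-vpn charon: 13[NET] received packet: from 172.31.30.4[500] to 172.31.30.10[500] (108 bytes)
Jul 30 17:42:05 debian-vpn charon: 13[ENC] invalid ID_V1 payload length, decryption failed?
Jul 30 17:42:05 debian-vpn charon: 13[ENC] could not decrypt payloads
Jul 30 17:42:05 debian-vpn charon: 13[IKE] message parsing failed
Jul 30 17:42:05 debian-vpn charon: 13[ENC] generating INFORMATIONAL_V1 request 3653904164 [ HASH N(PLD_MAL) ]
Jul 30 17:42:05 debian-vpn charon: 13[NET] sending packet: from 172.31.30.10[500] to 172.31.30.4[500] (76 bytes)
Jul 30 17:42:05 debian-vpn charon: 13[IKE] ID_PROT request with message ID 0 processing failed
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['peer']}: {f['exchange']} failed, '{f['reason']}' -> {f['cause']}")
```

Run it over a full charon log (`triage(open("/var/log/syslog").read().splitlines())`, path assumed) and each retransmit shows up as its own finding, which is itself a useful signal: the same peer failing the same exchange every few seconds is a configuration problem on one side, not packet loss.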