[Vpn-help] No IPSEC SA after ISAKMP - SOLVED!

David Santinoli marauder at tiscali.it
Fri Oct 26 09:42:32 CDT 2007


Thanks to Matthew's bugfixes and assistance, I finally managed to
happily interoperate strongSwan (on Linux) and the Shrew Soft Windows
client, and I'd like to share my experience with the list.

First and foremost, there had been a bit of misunderstanding on my side,
in that I expected the IPSEC SA (aka Phase 2) to be automagically
established right after the ISAKMP SA (aka Phase 1).  This is not the
case!  After you press the "Connect" button and "tunnel enabled" shows
up, you still have to stimulate the IPSEC SA creation by generating some
traffic to the remote subnet.  Any IP traffic will do - ping, web
browsing etc.
This might sound a bit questionable and counterintuitive, especially
related to other clients/gateways, but it's the way things work here.
And actually, there had been at least one other warning against this
misconception (see

 http://lists.openswan.org/pipermail/users/2006-November/011216.html )

which I shamefully overlooked.  (IMHO it might be appropriate to give
the point some more emphasis in the official documentation.)


Another very important issue had to do with Phase 2 configuration.
As Matthew stated previously in this thread, the explicit specification
of each of these parameters can make the difference, and it did in my
case.

Amongst the Transform Algorithms, avoid choosing "esp-cast" or
"esp-des", unless you know for certain that your gateway supports them
(strongSwan does not, by default).
The list of the ESP encryption algos your gateway supports can
be obtained by issuing "ipsec listalgs" and looking for a block similar
to this:

  000 List of registered ESP Encryption Algorithms:
  000
  000 #2     ESP_DES, blocksize: 8, keylen: 64-64
  000 #3     ESP_3DES, blocksize: 8, keylen: 192-192
  000 #7     ESP_BLOWFISH, blocksize: 8, keylen: 40-448
  000 #11    ESP_NULL, blocksize: 0, keylen: 0-0
  000 #12    ESP_AES, blocksize: 8, keylen: 128-256
  000 #252   ESP_SERPENT, blocksize: 8, keylen: 128-256
  000 #253   ESP_TWOFISH, blocksize: 8, keylen: 128-256

Of course, the output may vary depending on how your software was
compiled.

If you activate PFS, be careful with the group you choose.  StrongSwan
(and maybe other FreeS/WAN derivatives) does not support group 1, as
it is deemed insecure.
All other groups currently available in the client (2, 5, 14, 15) should
be OK.
Again, to get a list of the groups available on your *Swan gateway,
issue "ipsec listalgs" and look for a block of lines similar to this:

  000 List of registered IKE DH Groups:
  000
  000 #2     OAKLEY_GROUP_MODP1024, groupsize: 1024
  000 #5     OAKLEY_GROUP_MODP1536, groupsize: 1536
  000 #14    OAKLEY_GROUP_MODP2048, groupsize: 2048
  000 #15    OAKLEY_GROUP_MODP3072, groupsize: 3072
  000 #16    OAKLEY_GROUP_MODP4096, groupsize: 4096
  000 #17    OAKLEY_GROUP_MODP6144, groupsize: 6144
  000 #18    OAKLEY_GROUP_MODP8192, groupsize: 8192


I also had to manually specify the "IPSEC Policy Configuration" in the
last tab of the Configuration window.  At the bare minimum, it's enough
to just add the remote subnet you are connecting to.


And that's all.  The server required no particular reconfiguration.

Thanks again to Shrew Soft for this brilliant piece of software!

Cheers,
 David
-- 
 David Santinoli
 Tieffe Sistemi S.r.l.                      viale Piceno 21, Milano
 www.tieffesistemi.com                         tel. +39 02 45490882
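The post's practical advice is to compare the Phase 2 proposal in the client (transform algorithm, PFS group) against the blocks that "ipsec listalgs" prints on the gateway before trying to bring the tunnel up. The following is an added example, not code from the original post or from strongSwan or Shrew Soft: it parses the two "List of registered ..." blocks quoted above (embedded here as constructed sample text; on a real gateway you would feed it the captured output of the command) and reports which parts of a proposed Phase 2 configuration the gateway's lists do not cover. The client transform names ("esp-aes", "esp-cast", ...) are mapped to the *Swan names by uppercasing and swapping the hyphen for an underscore; that mapping and the helper names are assumptions for the example.

```python
import re
import subprocess

# Constructed sample: the two blocks of "ipsec listalgs" output quoted in the
# post. A live run would replace this with capture_listalgs() below.
SAMPLE_LISTALGS_OUTPUT = """\
000 List of registered ESP Encryption Algorithms:
000
000 #2     ESP_DES, blocksize: 8, keylen: 64-64
000 #3     ESP_3DES, blocksize: 8, keylen: 192-192
000 #7     ESP_BLOWFISH, blocksize: 8, keylen: 40-448
000 #11    ESP_NULL, blocksize: 0, keylen: 0-0
000 #12    ESP_AES, blocksize: 8, keylen: 128-256
000 #252   ESP_SERPENT, blocksize: 8, keylen: 128-256
000 #253   ESP_TWOFISH, blocksize: 8, keylen: 128-256
000
000 List of registered IKE DH Groups:
000
000 #2     OAKLEY_GROUP_MODP1024, groupsize: 1024
000 #5     OAKLEY_GROUP_MODP1536, groupsize: 1536
000 #14    OAKLEY_GROUP_MODP2048, groupsize: 2048
000 #15    OAKLEY_GROUP_MODP3072, groupsize: 3072
000 #16    OAKLEY_GROUP_MODP4096, groupsize: 4096
000 #17    OAKLEY_GROUP_MODP6144, groupsize: 6144
000 #18    OAKLEY_GROUP_MODP8192, groupsize: 8192
"""

# Block header, e.g. "000 List of registered ESP Encryption Algorithms:"
HEADER_RE = re.compile(r"^000 List of registered (.+):$")
# Entry line, e.g. "000 #12    ESP_AES, blocksize: 8, keylen: 128-256"
ENTRY_RE = re.compile(r"^000 #(\d+)\s+([A-Z0-9_]+)(?:,.*)?$")

ESP_BLOCK = "ESP Encryption Algorithms"
DH_BLOCK = "IKE DH Groups"


def capture_listalgs():
    """Run 'ipsec listalgs' on the gateway and return its stdout (requires a *Swan install)."""
    return subprocess.run(["ipsec", "listalgs"], capture_output=True,
                          text=True, check=True).stdout


def parse_listalgs(text):
    """Return {block title: {name: numeric id}} for every 'List of registered ...' block."""
    blocks = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            blocks[current] = {}
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            blocks[current][entry.group(2)] = int(entry.group(1))
    return blocks


def esp_supported(blocks, transform):
    """True if a client transform such as 'esp-aes' appears in the gateway's ESP block."""
    swan_name = transform.upper().replace("-", "_")   # assumed mapping: esp-cast -> ESP_CAST
    return swan_name in blocks.get(ESP_BLOCK, {})


def dh_group_supported(blocks, group):
    """True if the numeric DH group (the '#n' id) appears in the gateway's DH block."""
    return group in blocks.get(DH_BLOCK, {}).values()


def check_phase2(blocks, transform, pfs_group=None):
    """Return a list of mismatches for a proposed Phase 2 setup; empty means it matches."""
    problems = []
    if not esp_supported(blocks, transform):
        problems.append(f"{transform}: not among the gateway's registered ESP algorithms")
    if pfs_group is not None and not dh_group_supported(blocks, pfs_group):
        problems.append(f"PFS group {pfs_group}: not among the gateway's registered DH groups")
    return problems


if __name__ == "__main__":
    gateway = parse_listalgs(SAMPLE_LISTALGS_OUTPUT)
    for transform, group in [("esp-aes", 2), ("esp-cast", 1), ("esp-3des", 14)]:
        result = check_phase2(gateway, transform, group)
        print(f"{transform} + PFS group {group}: {'OK' if not result else '; '.join(result)}")
```

Run against the sample, "esp-aes" with group 2 and "esp-3des" with group 14 pass, while "esp-cast" with PFS group 1 is flagged on both counts, which is exactly the pair of pitfalls the post describes. Because the check reads the gateway's own list rather than a hard-coded table, it stays valid when the build differs from the one quoted above.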
