[Vpn-help] No IPSEC SA after ISAKMP - SOLVED!
David Santinoli
marauder at tiscali.it
Fri Oct 26 09:42:32 CDT 2007
Thanks to Matthew's bugfixes and assistance, I finally managed to
happily interoperate strongSwan (on Linux) and the Shrew Soft Windows
client, and I'd like to share my experience with the list.
First and foremost, there had been a bit of misunderstanding on my side,
in that I expected the IPSEC SA (aka Phase 2) to be automagically
established right after the ISAKMP SA (aka Phase 1). This is not the
case! After you press the "Connect" button and "tunnel enabled" shows
up, you still have to stimulate the IPSEC SA creation by generating some
traffic to the remote subnet. Any IP traffic will do - ping, web
browsing etc.
This might sound a bit questionable and counterintuitive, especially
related to other clients/gateways, but it's the way things work here.
And actually, there had been at least another warning against this
misconception (see
http://lists.openswan.org/pipermail/users/2006-November/011216.html )
which I shamefully overlooked. (IMHO it might be appropriate to give
the point some more emphasis in the official documentation.)
Another very important issue had to do with Phase 2 configuration.
As Matthew stated previously in this thread, the explicit specification
of each of these parameters can make the difference, and it did in my
case.
Amongst the Transform Algorithms, avoid choosing "esp-cast" or
"esp-des", unless you know for certain that your gateway supports them
(strongSwan does not, by default).
The list of the ESP encryption algos your gateway supports can
be obtained by issuing "ipsec listalgs" and looking for a block similar
to this:
000 List of registered ESP Encryption Algorithms:
000
000 #2 ESP_DES, blocksize: 8, keylen: 64-64
000 #3 ESP_3DES, blocksize: 8, keylen: 192-192
000 #7 ESP_BLOWFISH, blocksize: 8, keylen: 40-448
000 #11 ESP_NULL, blocksize: 0, keylen: 0-0
000 #12 ESP_AES, blocksize: 8, keylen: 128-256
000 #252 ESP_SERPENT, blocksize: 8, keylen: 128-256
000 #253 ESP_TWOFISH, blocksize: 8, keylen: 128-256
Of course, the output may vary depending on how your software was
compiled.
If you activate PFS, be careful with the group you choose. strongSwan
(and maybe other FreeS/WAN derivatives) does not support group 1, as
it is deemed insecure.
All other groups currently available in the client (2, 5, 14, 15) should
be OK.
Again, to get a list of the groups available on your *Swan gateway,
issue "ipsec listalgs" and look for a block of lines similar to this:
000 List of registered IKE DH Groups:
000
000 #2 OAKLEY_GROUP_MODP1024, groupsize: 1024
000 #5 OAKLEY_GROUP_MODP1536, groupsize: 1536
000 #14 OAKLEY_GROUP_MODP2048, groupsize: 2048
000 #15 OAKLEY_GROUP_MODP3072, groupsize: 3072
000 #16 OAKLEY_GROUP_MODP4096, groupsize: 4096
000 #17 OAKLEY_GROUP_MODP6144, groupsize: 6144
000 #18 OAKLEY_GROUP_MODP8192, groupsize: 8192
I also had to manually specify the "IPSEC Policy Configuration" in the
last tab of the Configuration window. At the bare minimum, it's enough
to just add the remote subnet you are connecting to.
And that's all. The server required no particular reconfiguration.
Thanks again to Shrew Soft for this brilliant piece of software!
Cheers,
David
--
David Santinoli
Tieffe Sistemi S.r.l. viale Piceno 21, Milano
www.tieffesistemi.com tel. +39 02 45490882
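The two "ipsec listalgs" blocks above are exactly what you need to check a Shrew Soft Phase 2 proposal against before pressing Connect. The script below is an added example, not code from the post or from strongSwan or Shrew Soft: it parses the listalgs output (the sample input is the output quoted in the post, embedded as constructed input), maps the client's transform names to the gateway's registered names (that mapping, the function names and the key-length check are assumptions of this example), and reports an ESP cipher, key length or PFS group the gateway has not registered.

```python
"""Check a Phase 2 (ESP cipher + optional PFS DH group) proposal against the
algorithms a strongSwan/Openswan gateway reports via `ipsec listalgs`.

Added example, not from the original post. The sample output below is the
text quoted in the post; the client-name mapping and the parsing are
assumptions made for this example.
"""
import re

# Constructed input for this example: the `ipsec listalgs` blocks quoted in
# the post. A real run would feed the command's stdout here instead.
SAMPLE_LISTALGS = """\
000 List of registered ESP Encryption Algorithms:
000
000 #2 ESP_DES, blocksize: 8, keylen: 64-64
000 #3 ESP_3DES, blocksize: 8, keylen: 192-192
000 #7 ESP_BLOWFISH, blocksize: 8, keylen: 40-448
000 #11 ESP_NULL, blocksize: 0, keylen: 0-0
000 #12 ESP_AES, blocksize: 8, keylen: 128-256
000 #252 ESP_SERPENT, blocksize: 8, keylen: 128-256
000 #253 ESP_TWOFISH, blocksize: 8, keylen: 128-256
000
000 List of registered IKE DH Groups:
000
000 #2 OAKLEY_GROUP_MODP1024, groupsize: 1024
000 #5 OAKLEY_GROUP_MODP1536, groupsize: 1536
000 #14 OAKLEY_GROUP_MODP2048, groupsize: 2048
000 #15 OAKLEY_GROUP_MODP3072, groupsize: 3072
000 #16 OAKLEY_GROUP_MODP4096, groupsize: 4096
000 #17 OAKLEY_GROUP_MODP6144, groupsize: 6144
000 #18 OAKLEY_GROUP_MODP8192, groupsize: 8192
"""

# Client-side transform names (as shown in the Shrew Soft Phase 2 tab) mapped
# to the names the gateway registers. Assumed mapping for this example.
CLIENT_ESP_NAMES = {
    "esp-des": "ESP_DES",
    "esp-3des": "ESP_3DES",
    "esp-aes": "ESP_AES",
    "esp-blowfish": "ESP_BLOWFISH",
    "esp-cast": "ESP_CAST",
    "esp-serpent": "ESP_SERPENT",
    "esp-twofish": "ESP_TWOFISH",
}

HEADER_RE = re.compile(r"^000 List of registered (.+):$")
ENTRY_RE = re.compile(r"^000 #(\d+) (\w+),(.*)$")
KEYLEN_RE = re.compile(r"keylen: (\d+)-(\d+)")


def parse_listalgs(text):
    """Return {section title: {number: (registered name, detail string)}}."""
    sections = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            num, name, rest = m.groups()
            sections[current][int(num)] = (name, rest.strip())
    return sections


def esp_supported(sections, client_alg, keylen=None):
    """True if the gateway registers the cipher (and, if given, the key length)."""
    gw_name = CLIENT_ESP_NAMES.get(client_alg.lower())
    for name, details in sections.get("ESP Encryption Algorithms", {}).values():
        if name != gw_name:
            continue
        if keylen is None:
            return True
        m = KEYLEN_RE.search(details)
        if m and int(m.group(1)) <= keylen <= int(m.group(2)):
            return True
    return False


def dh_group_supported(sections, group):
    """True if the numbered DH group appears in the gateway's IKE DH Groups block."""
    return group in sections.get("IKE DH Groups", {})


def check_phase2(text, esp_alg, keylen=None, pfs_group=None):
    """Return a list of problems with the proposal; an empty list means it matches."""
    sections = parse_listalgs(text)
    problems = []
    if not esp_supported(sections, esp_alg, keylen):
        problems.append("ESP transform %r (keylen %s) is not registered on the gateway"
                        % (esp_alg, keylen))
    if pfs_group is not None and not dh_group_supported(sections, pfs_group):
        problems.append("PFS DH group %d is not registered on the gateway" % pfs_group)
    return problems


if __name__ == "__main__":
    for alg, kl, grp in [("esp-aes", 256, 2), ("esp-cast", None, 1)]:
        print(alg, kl, grp, "->", check_phase2(SAMPLE_LISTALGS, alg, kl, grp) or "OK")
```

Run it against the real command with `ipsec listalgs | python3 check_phase2.py`-style plumbing by replacing SAMPLE_LISTALGS with `sys.stdin.read()`. With the sample above, esp-aes with a 256-bit key and PFS group 2 passes, while esp-cast with PFS group 1 is flagged on both counts, which is the mismatch the post describes; the check only reports what the gateway's own output lists, so an algorithm compiled out of your build simply never appears.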