xelerance / Openswan


Aggressive mode VPN to Juniper SRX #93

Open flamery opened 10 years ago

flamery commented 10 years ago

Hi guys,

I have an openswan router with a dynamic IP address, connecting to a Juniper SRX with a fixed IP. I am using an aggressive mode tunnel with a local ID. Here's the problem: phase 1 accepts a proposal, it accepts the local identity (I have done a packet capture to ensure the identity is sent correctly), then the openswan replies back saying "error 18 invalid id". Phase 1 never gets completed. It seems to be an issue with the local identity. I have tried different names like "test", "a.vpn", "123" but nothing works. I also tried setting the remote and local id on both sides; makes no difference. Changing this to main mode worked perfectly first time, but as the IP changes this won't work in production.

Configs:

    conn ip-tunnel
        type=tunnel
        authby=secret
        auth=esp
        ikelifetime=28800s
        keylife=3600s
        esp=3des-md5-96
        ike=3des-md5;modp1024
        keyexchange=ike
        pfs=no
        forceencaps=yes
        # Left security gateway, subnet behind it, nexthop toward right.
        left=192.168.10.1
        leftid=a.vpn
        leftsubnet=192.168.10.0/24
        # Right security gateway, subnet behind it, nexthop toward left.
        right=111.61.x.x
        rightsubnet=192.168.1.0/24
        phase2alg=3des-md5;modp1024
        # To authorize this connection, but not actually start it,
        # at startup, uncomment this.
        auto=start

secrets:

    11.61.x.x 49.x.x : PSK "password"

juniper:

    set security ike proposal IKE-SHA-AES128-DH1 authentication-method pre-shared-keys
    set security ike proposal IKE-SHA-AES128-DH1 dh-group group2
    set security ike proposal IKE-SHA-AES128-DH1 authentication-algorithm md5
    set security ike proposal IKE-SHA-AES128-DH1 encryption-algorithm 3des-cbc
    set security ike proposal IKE-SHA-AES128-DH1 lifetime-seconds 28800
    set security ike policy ike-policy-cfgr mode aggressive
    set security ike policy ike-policy-cfgr proposals IKE-SHA-AES128-DH1
    set security ike policy ike-policy-cfgr pre-shared-key ascii-text "$9$zL84F9p0ORSlM1Rs4ZjPf1RhcyK"
    set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
    set security ike gateway ike-gate-cfgr dynamic hostname a.vpn
    set security ike gateway ike-gate-cfgr external-interface at-1/0/0
    set security ipsec proposal IPSEC-SHA-AES128-ESP protocol esp
    set security ipsec proposal IPSEC-SHA-AES128-ESP authentication-algorithm hmac-md5-96
    set security ipsec proposal IPSEC-SHA-AES128-ESP encryption-algorithm 3des-cbc
    set security ipsec proposal IPSEC-SHA-AES128-ESP lifetime-seconds 3600
    set security ipsec policy ipsec-policy-cfgr proposals IPSEC-SHA-AES128-ESP
    set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
    set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
    set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity local 192.168.1.0/24
    set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity remote 192.168.10.0/24
    set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr

letoams commented 10 years ago

On Mon, 6 Oct 2014, flamery wrote:

> I have an openswan router with a dynamic IP address, connecting to a Juniper SRX with a fixed IP. I am using an aggressive mode tunnel with a local ID. Here's the problem: phase 1 accepts a proposal, it accepts the local identity (I have done a packet capture to ensure the identity is sent correctly), then the openswan replies back saying "error 18 invalid id". Phase 1 never gets completed. It seems to be an issue with the local identity. I have tried different names like "test", "a.vpn", "123" but nothing works. I also tried setting the remote and local id on both sides; makes no difference. Changing this to main mode worked perfectly first time, but as the IP changes this won't work in production.

leftid= will resolve DNS unless you prepend a "@" symbol. So for the text "a.vpn", you need to use leftid=@a.vpn

> set security ike policy ike-policy-cfgr pre-shared-key ascii-text "$9$zL84F9p0ORSlM1Rs4ZjPf1RhcyK"

Note you pasted in your secret preshared key here, so please change it!

Paul

flamery commented 10 years ago

Thanks for the comment. Sorry, I should have mentioned that all the leftids did have @ on them. Right now it's leftid=@test and rightid=@srx; however, it still doesn't work. Is that format valid? On the Juniper side I should not be adding the @, is that correct? Well, based on the packet capture I receive "test", so I guess openswan strips that off before transmitting. I am curious now as to whether the Juniper is trying to look it up. My full config:

    version 2.0     # conforms to second version of ipsec.conf specification

    # basic configuration
    config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        plutodebug=all
        plutostderrlog=/var/log/ipseclog
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey
        #####

    conn netconn18
        authby="secret"
        left=%defaultroute
        leftsubnet=192.168.10.0/24
        leftid=@test
        right=111.69.200.193
        rightsubnet=192.168.1.0/24
        rightid=@srx
        pfs=on
        salifetime=28800s
        ikelifetime=3600s
        auth=esp
        ike=3des-md5;modp1024
        phase2alg=3des-md5;modp1024
        dpdaction=hold
        dpddelay=10
        dpdtimeout=60
        aggrmode=yes
        auto=add

I am using 5 # as the end of the tunnel section.

    root:/etc# cat ipsec.secrets
    # netsecrets18
    @test @srx 49.225.25.167 111.69.200.193: PSK "password"
    @test @srx %any 111.69.200.193: PSK "password"
    # end of secrets

letoams commented 10 years ago

On Tue, 7 Oct 2014, flamery wrote:

> Thanks for the comment. Sorry, I should have mentioned that all the leftids did have @ on them. Right now it's leftid=@test and rightid=@srx; however, it still doesn't work. Is that format valid? On the Juniper side I should not be adding the @, is that correct? Well, based on the packet capture I receive "test", so I guess openswan strips that off before transmitting. I am curious now as to whether the Juniper is trying to look it up. My full config:

If you go to VPN -> AutoKey Advanced -> Gateway, you should see your gateway. The "Name" of the gateway should match your rightid=@Name

If you can generate traffic from behind the Juniper, and let it initiate to you, you will also see how it is identifying itself, so you can match it up in your own configuration on the swan side.

> leftid=@test

So I think this means the remote gateway name should be "test" on the Juniper.

Paul

flamery commented 10 years ago

That is correct. On the Juniper I have both of these set: "ike gateway ike-gate-cfgr dynamic hostname test" (which is the permitted hostname allowed to connect to me)

and "local-identity hostname srx", which is my local ID sent back to openswan. I have confirmed with packet traces that these IDs are being sent and received correctly. I have also removed the local ID from the Juniper and the remote ID from the openswan because it seems to be not needed; however, still the same error occurs:

    "netconn7" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '111.69.198.127'
    | refine_connection: starting with netconn7
    | started looking for secret for @test->111.69.198.127 of kind PPK_PSK
    | actually looking for secret for @test->111.69.198.127 of kind PPK_PSK
    | line 3: key type PPK_PSK(@test) to type PPK_PSK
    | 1: compared key 111.69.198.127 to @test / 111.69.198.127 -> 4
    | 2: compared key %any to @test / 111.69.198.127 -> 6
    | 3: compared key @ to @test / 111.69.198.127 -> 6
    | 4: compared key @test to @test / 111.69.198.127 -> 14
    | line 3: match=14
    | concluding with best_match=0 best=(nil) (lineno=-1)
    "netconn7" #1: no suitable connection for peer '111.69.198.127'
    "netconn7" #1: initial Aggressive Mode packet claiming to be from 111.69.198.127 on 111.69.198.127 but no connection has been authorized
    | peer supports dpd
    | enabling sending dpd
    | complete state transition with (null)
    "netconn7" #1: sending notification INVALID_ID_INFORMATION to 111.69.198.127:500

And kaput. The process stops there and restarts again!

letoams commented 10 years ago

On Wed, 8 Oct 2014, flamery wrote:

> That is correct. On the Juniper I have both of these set: "ike gateway ike-gate-cfgr dynamic hostname test" (which is the permitted hostname allowed to connect to me)
>
> and "local-identity hostname srx", which is my local ID sent back to openswan. I have confirmed with packet traces that these IDs are being sent and received correctly. I have also removed the local ID from the Juniper and the remote ID from the openswan because it seems to be not needed; however, still the same error occurs:
>
> "netconn7" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '111.69.198.127'

The peer is using its ip address as ID, so use rightid=111.69.198.127

Paul

flamery commented 10 years ago

OK, that does make sense; however, I tried it and still got the same error, doh!

    "netconn7" #2: Aggressive mode peer ID is ID_IPV4_ADDR: '111.69.193.107'
    | refine_connection: starting with netconn7
    | started looking for secret for @test->@111.69.193.107 of kind PPK_PSK
    | actually looking for secret for @test->@111.69.193.107 of kind PPK_PSK
    | line 3: key type PPK_PSK(@test) to type PPK_PSK
    | 1: compared key 111.69.193.107 to @test / @111.69.193.107 -> 0
    | 2: compared key %any to @test / @111.69.193.107 -> 2
    | 3: compared key @111.69.193.107 to @test / @111.69.193.107 -> 6
    | 4: compared key @test to @test / @111.69.193.107 -> 14
    | line 3: match=14
    | concluding with best_match=0 best=(nil) (lineno=-1)
    "netconn7" #2: no suitable connection for peer '111.69.193.107'
    "netconn7" #2: initial Aggressive Mode packet claiming to be from @111.69.193.107 on 111.69.193.107 but no connection has been authorized
    | peer supports dpd
    | complete state transition with (null)
    "netconn7" #2: sending notification INVALID_ID_INFORMATION to 111.69.193.107:500
    | _emit ISAKMP Message:
    |    initiator cookie:
    |    0b e3 36 a5 7b ea c8 1e
    |    responder cookie:
    |    00 00 00 00 00 00 00 00
    |    next payload type: ISAKMP_NEXT_N
    |    ISAKMP version: ISAKMP Version 1.0 (rfc2407)
    |    exchange type: ISAKMP_XCHG_INFO
    |    flags: none
    |    message ID: 00 00 00 00
    | _*emit ISAKMP Notification Payload:
    |    next payload type: ISAKMP_NEXT_NONE
    |    DOI: ISAKMP_DOI_IPSEC
    |    protocol ID: 1
    |    SPI size: 0
    |    Notify Message Type: INVALID_ID_INFORMATION

flamery commented 10 years ago

Also I tried using rightid without the @ in front of the IP address, same error:

    "netconn7" #2: Aggressive mode peer ID is ID_IPV4_ADDR: '111.69.193.107'
    | refine_connection: starting with netconn7
    | started looking for secret for @test->111.69.193.107 of kind PPK_PSK
    | actually looking for secret for @test->111.69.193.107 of kind PPK_PSK
    | line 3: key type PPK_PSK(@test) to type PPK_PSK
    | 1: compared key 111.69.193.107 to @test / 111.69.193.107 -> 4
    | 2: compared key %any to @test / 111.69.193.107 -> 6
    | 3: compared key @ to @test / 111.69.193.107 -> 6
    | 4: compared key @test to @test / 111.69.193.107 -> 14
    | line 3: match=14
    | concluding with best_match=0 best=(nil) (lineno=-1)
    "netconn7" #2: no suitable connection for peer '111.69.193.107'
    "netconn7" #2: initial Aggressive Mode packet claiming to be from 111.69.193.107 on 111.69.193.107 but no connection has been authorized
    | peer supports dpd
    | complete state transition with (null)
    "netconn7" #2: sending notification INVALID_ID_INFORMATION to 111.69.193.107:500
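As an added aid to reading the secret-lookup traces in the two comments above (my own example, not code from this thread or from Openswan), here is a Python model of how pluto scores each ipsec.secrets line against the local and peer IDs. The bit values (default=1, any=2, him=4, me=8) and the set of score combinations that may be selected are my reading of pluto's keys.c and are assumptions; they reproduce the 4, 6, 6, 14 and best_match=0 printed above, where %any on the same line as the explicit IDs yields a combination (me|him|any = 14) that is never selected.

```python
# Added model (not Openswan code) of how pluto picks an ipsec.secrets line
# for a PSK lookup.  Bit values and the accepted combinations are my reading
# of pluto's keys.c; they reproduce the scores in the traces quoted above.
MATCH_DEFAULT, MATCH_ANY, MATCH_HIM, MATCH_ME = 0o1, 0o2, 0o4, 0o10

# Score combinations a line may have and still be chosen as "best".
# ME|HIM|ANY (= 14) is not among them, so such a line is skipped.
ACCEPTED = {
    MATCH_DEFAULT,              # bare ': PSK "..."' line with no ids
    MATCH_ANY,                  # line listing only %any
    MATCH_ME | MATCH_DEFAULT,
    MATCH_ME | MATCH_ANY,       # our id plus %any
    MATCH_ME | MATCH_HIM,       # both ids listed explicitly
}


def score_line(ids, my_id, his_id):
    """Cumulative score of one line, plus a trace in pluto's 'compared key' format."""
    if not ids:                          # a line with no ids is the default key
        return MATCH_DEFAULT, []
    match, trace = 0, []
    for idx, key in enumerate(ids, 1):
        if key == my_id:
            match |= MATCH_ME
        if key == his_id:
            match |= MATCH_HIM
        if key == "%any":
            match |= MATCH_ANY
        trace.append(f"{idx}: compared key {key} to {my_id} / {his_id} -> {match}")
    return match, trace


def select_secret(lines, my_id, his_id):
    """Return (best line number, best_match); (-1, 0) mirrors 'best=(nil) (lineno=-1)'."""
    best_no, best_match = -1, 0
    for no, ids in enumerate(lines, 1):
        match, _ = score_line(ids, my_id, his_id)
        if match in ACCEPTED and match > best_match:
            best_no, best_match = no, match
    return best_no, best_match


if __name__ == "__main__":
    # Constructed from the first trace: our @test, peer 111.69.198.127,
    # and the four keys pluto reported on secrets line 3.
    me, him = "@test", "111.69.198.127"
    line3 = ["111.69.198.127", "%any", "@", "@test"]
    print("\n".join(score_line(line3, me, him)[1]))
    print("line 3 as written   ->", select_secret([line3], me, him))        # (-1, 0)
    print("line 3 without %any ->", select_secret([[him, me]], me, him))    # (1, 12)
    print("bare ': PSK' line   ->", select_secret([[]], me, him))           # (1, 1)
```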

letoams commented 10 years ago

On Wed, 8 Oct 2014, flamery wrote:

> Also I tried using rightid without the @ in front of the IP address, same error

for now, why don't you put this in ipsec.secrets:

    : PSK "your secret"

That will match everything.

Paul