
I use transport mode in a NAT-T environment to negotiate SAs, and the method used to authenticate the peer is PSK.

When I use Main Mode, IKE negotiation completes normally; the PSK-related logs are:

Jan  6 01:24:06 09[CFG] <1> looking for pre-shared key peer configs matching 192.168.163.130...10.1.1.10[10.1.1.10]
Jan  6 01:24:06 09[CFG] <1>   candidate "trap-a", match: 1/20/3100 (me/other/ike)
Jan  6 01:24:06 09[CFG] <1> selected peer config "trap-a"

But when I use Aggressive Mode, strongSwan reports an error when processing the first received message:

Jan  6 01:45:38 05[CFG] <1> looking for pre-shared key peer configs matching 192.168.163.130...10.1.1.10[10.1.1.10]
Jan  6 01:45:38 05[IKE] <1> no peer config found

I checked the initialization log, and it looks fine, because the IDs are loaded as:

Jan  6 01:23:45 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Jan  6 01:23:45 00[CFG]   loaded IKE secret for %any
Jan  6 01:23:45 00[CFG]   loaded IKE secret for %any
Jan  6 01:23:45 00[CFG]   loaded IKE secret for 10.1.1.10

My config is as below:

ipsec.conf

conn %default
    ikelifetime=6m
    keylife=5m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    ike=aes256-sha256-modp1024
    esp=aes256-sha256-modp1024
    authby=psk
    type=transport
    auto=route
    fragmentation=no
    rekey=no
    forceencaps=yes

conn trap-a
    aggressive=yes # set to aggressive=no when using main mode
    left=192.168.163.130
    leftsubnet=192.168.163.0/24
    right=10.1.1.10
    rightsubnet=10.1.1.0/24
    auto=add

ipsec.secrets

: PSK "123456"
%any : PSK "123456"
10.1.1.10 : PSK "123456"

strongswan.conf

charon {
        load_modular = yes
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        install_routes = no

        filelog {
                charon {
                        path = /etc/strongswan/logs/strongswan.log
                        time_format = %b %e %T
                        ike_name = yes
                        append = no
                        default = 2
                        flush_line = yes
                }
                stderr {
                        ike = 4
                        knl = 4
                }
        }
}

include strongswan.d/*.conf

Is there anything wrong with my configs?

And the network topology is like this:

Public network initiator --- Public network NAT --- Intranet responder
10.1.1.10-----------------10.1.1.11--192.168.163.1------192.168.163.130

Thanks for help!

  • I set `aggressive=yes` in trap-a in the configuration file, but the log file does not show `aggressive=yes` when loading trap-a. Is this normal? – freshman.ipsec Jan 10 '22 at 01:25
  • In aggressive mode, if I set the type of the ID payload to IPv4, the IKE negotiation completes normally. But if I set the type of the ID payload to KEY_ID, the negotiation fails. Why? – freshman.ipsec Jan 13 '22 at 11:02
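As an added troubleshooting aid (not part of the question, and not strongSwan code), the following Python script reads the charon log lines quoted above, pairs each PSK peer-config lookup with its candidate conns and outcome, and lists the identities that IKE secrets were loaded for, so a failed lookup can be compared with what was actually loaded. The regular expressions follow the log wording shown on this page; that other charon builds print the same wording is an assumption.

```python
import re
# Sample input, constructed by joining the charon log lines quoted in the question above.
SAMPLE_LOG = """\
Jan  6 01:23:45 00[CFG]   loaded IKE secret for %any
Jan  6 01:23:45 00[CFG]   loaded IKE secret for 10.1.1.10
Jan  6 01:24:06 09[CFG] <1> looking for pre-shared key peer configs matching 192.168.163.130...10.1.1.10[10.1.1.10]
Jan  6 01:24:06 09[CFG] <1>   candidate "trap-a", match: 1/20/3100 (me/other/ike)
Jan  6 01:24:06 09[CFG] <1> selected peer config "trap-a"
Jan  6 01:45:38 05[CFG] <1> looking for pre-shared key peer configs matching 192.168.163.130...10.1.1.10[10.1.1.10]
Jan  6 01:45:38 05[IKE] <1> no peer config found
"""

SECRET = re.compile(r"loaded IKE secret for (\S+)")
LOOKUP = re.compile(r"looking for pre-shared key peer configs matching (\S+)\.\.\.(\S+)\[([^\]]*)\]")
CANDIDATE = re.compile(r'candidate "([^"]+)", match: (\d+)/(\d+)/(\d+) \(me/other/ike\)')
SELECTED = re.compile(r'selected peer config "([^"]+)"')

def triage(log_text):
    """Return (secret_ids, lookups): the identities an IKE secret was loaded for,
    and one dict per peer-config lookup with the IDs asked for, the candidate
    conns with their me/other/ike scores, and the outcome."""
    secret_ids, lookups, cur = [], [], None
    for line in log_text.splitlines():
        if m := SECRET.search(line):
            secret_ids.append(m.group(1))
        elif m := LOOKUP.search(line):
            cur = {"me": m.group(1), "other": m.group(2), "other_id": m.group(3),
                   "candidates": [], "outcome": "unknown"}
            lookups.append(cur)
        elif cur is None:
            continue  # line that is not part of a lookup block
        elif m := CANDIDATE.search(line):
            cur["candidates"].append((m.group(1),) + tuple(int(x) for x in m.group(2, 3, 4)))
        elif m := SELECTED.search(line):
            cur["outcome"], cur = "selected:" + m.group(1), None
        elif "no peer config found" in line:
            cur["outcome"], cur = "no peer config found", None
    return secret_ids, lookups

def explain_failures(log_text):
    """One summary per failed lookup: the peer ID strongSwan printed, whether a
    loaded secret covers that ID (exactly or via %any), and how many conns produced
    a candidate line (zero means no conn's identities matched the printed IDs)."""
    secret_ids, lookups = triage(log_text)
    return ["peer ID %s: secret loaded=%s, candidate conns=%d"
            % (lk["other_id"], lk["other_id"] in secret_ids or "%any" in secret_ids,
               len(lk["candidates"]))
            for lk in lookups if lk["outcome"] == "no peer config found"]

print(*explain_failures(SAMPLE_LOG), sep="\n")
```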

0 Answers