
I am trying to configure my VPN client (strongSwan) to access the remote server whose DNS name is vpngw.fh-kempten.de.

Details of my remote VPN server are:

Authentication Method = Mutual + XAuth, PSK = ****

Phase 1: Exchange Type = aggressive, DH exchange = group2, Cipher Algorithm = 3des, Hash Algorithm = md5, Key life time limit = 28800 secs

Phase 2: Transform Algorithm = esp-3des, HMAC Algorithm = md5, PFS exchange = Auto, Compress Algorithm = disabled, Key life time limit = 28800 secs

General: Host Name or IP = vpngw.fh-kempten.de, port = 500, Auto configuration = IKE conf. pull, MTU = 1400, Adapter mode = use a virtual adapter and assigned address

Client firewall options: NAT traversal = enable, NAT traversal port = 4500, Keep alive packet rate = 15 s, IKE fragmentation = enable, Maximum packet size = 540 bytes

This is all info I have related to my VPN Server which is a remote server.

Using the command `sudo ipsec up ikev1-psk-xauth`, I try to bring up my client VPN. I get the following error on my Raspberry Pi:

initiating Aggressive Mode IKE_SA ikev1-psk-xauth[1] to 193.174.193.64
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.60.96[500] to 193.174.193.64[500] (363 bytes)
received packet: from 193.174.193.64[500] to 192.168.60.96[500] (404 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
IDir '193.174.193.64' does not match to 'vpngw.fh-kempten.de'
generating INFORMATIONAL_V1 request 304912695 [ N(INVAL_ID) ]
sending packet: from 192.168.60.96[500] to 193.174.193.64[500] (56 bytes)
establishing connection 'ikev1-psk-xauth' failed

The following is my ipsec.conf file:

config setup

conn ikev1-psk-xauth
    ikelifetime=28800s
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=3des-md5-modp1024!
    esp=3des-md5-modp1024!
    modeconfig=pull
    aggressive=yes
    fragmentation=yes
    #keyexchange=ikev2
    authby=secret
    type=transport
    leftauth=psk
    leftauth2=xauth
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=vpngw.fh-kempten.de
    rightauth=psk
    rightauth2=xauth
    auto=add

My motivation is to access the shared drives which are present on the remote VPN server. Any suggestions would be highly appreciated. Thanks in advance!

1 Answer

The remote identity the server returns does not match your configuration (the identities default to the IP addresses). Try configuring `rightid=vpngw.fh-kempten.de`, and you might have to configure `leftid` to the group name (Cisco lingo), which you have to determine somehow.

For your information, using Aggressive Mode with XAuth/PSK is inherently unsafe and the algorithm selection is from a different era (so is the use of L2TP actually), so you might want to complain to the admins of your university for providing such a crappy VPN.

– ecdsa
  • After your possible recommendation, I changed my config file, and commenting out `aggressive` gives me the following when I run `sudo ipsec up ikev1-psk-xauth` – Saqib Shakeel Mar 08 '19 at 09:25
  • `parsed TRANSACTION request 36532437 [ HASH CPS(X_STATUS) ]` `no XAuth method found` – Saqib Shakeel Mar 08 '19 at 09:28
  • Sounds like the _xauth-generic_ plugin is not loaded. See [here](https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Plugin-is-missing). – ecdsa Mar 08 '19 at 12:43
  • I have tried to install and use the **xauth-generic** plugin, but when I try to install it using this command, it gives me the following lines: `Reading package lists... Done` `Building dependency tree` `Reading state information... Done` `E: Unable to locate package strongswan-plugin-xauth-generic` – Saqib Shakeel Mar 13 '19 at 20:47
  • Individual packages for plugins were only available on older Ubuntu releases. On newer ones the plugin is in the _libcharon-standard-plugins_ package. – ecdsa Mar 14 '19 at 07:39
  • Thanks, so to conclude this, when I checked the status of my ipsec using `sudo nano ipsec statusall`, I can see that the xauth-generic plugin is there. :) – Saqib Shakeel Mar 14 '19 at 21:57
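To turn the answer's suggestion (explicit `rightid`/`leftid`) and the plugin check from the comments into concrete files, here is an added example configuration. It is not the asker's file and not code from the strongSwan project. Everything other than the identity, XAuth and secrets lines is carried over from the question's ipsec.conf; `GROUP_NAME`, `USERNAME` and the two secret values are placeholders you must replace, and the `@#` note follows strongSwan's documented identity syntax.

```ini
# /etc/ipsec.conf  (added example; identities and XAuth lines are the change)
config setup

conn ikev1-psk-xauth
    keyexchange=ikev1
    aggressive=yes
    fragmentation=yes
    ike=3des-md5-modp1024!
    esp=3des-md5-modp1024!
    ikelifetime=28800s
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    modeconfig=pull
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    # Identity the client sends. Without leftid strongSwan sends its own IP
    # address; a Cisco-style gateway expects the group name here.
    # A plain string is sent as an FQDN identity; prefix a hex-encoded value
    # with @# if the gateway expects a KEY_ID identity instead.
    leftid=GROUP_NAME
    leftauth=psk
    leftauth2=xauth
    # User name for the XAuth round; the password lives in ipsec.secrets.
    xauth_identity=USERNAME
    right=vpngw.fh-kempten.de
    # Identity the client expects from the gateway. The log in the question
    # shows the gateway identifying as 193.174.193.64, so if the DNS name is
    # still rejected, use the identity the log reports instead.
    rightid=vpngw.fh-kempten.de
    #rightid=193.174.193.64
    rightauth=psk
    rightauth2=xauth
    auto=add

# /etc/ipsec.secrets  (added example; values are placeholders)
# No identity selector: this PSK is offered for any peer. List the local and
# remote identities before the colon if several PSKs are configured.
: PSK "GROUP_PSK_PLACEHOLDER"
# XAuth credentials; the user name must match xauth_identity above.
USERNAME : XAUTH "USER_PASSWORD_PLACEHOLDER"
```

After editing both files, run `sudo ipsec reload` and `sudo ipsec rereadsecrets`, then `sudo ipsec up ikev1-psk-xauth` as in the question. `sudo ipsec statusall` prints the list of loaded plugins; `xauth-generic` must appear there, otherwise the `no XAuth method found` error from the comments is what you will see (on current Ubuntu releases it ships in the libcharon-standard-plugins package, as the answerer noted).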