
How to use aggressive mode + transport mode + PSK to negotiate SAs with strongswan server in NAT-T environment


I used transport mode in a NAT-T environment to negotiate SAs, and the method used to authenticate the peer is PSK.

When I use Main Mode, IKE negotiation completes normally; the PSK log lines are:

Jan  6 01:24:06 09[CFG] <1> looking for pre-shared key peer configs matching 192.168.163.130...10.1.1.10[10.1.1.10]
Jan  6 01:24:06 09[CFG] <1>   candidate "trap-a", match: 1/20/3100 (me/other/ike)
Jan  6 01:24:06 09[CFG] <1> selected peer config "trap-a"

But when I use Aggressive Mode, strongSwan reports an error when processing the first received message:

Jan  6 01:45:38 05[CFG] <1> looking for pre-shared key peer configs matching 192.168.163.130...10.1.1.10[10.1.1.10]
Jan  6 01:45:38 05[IKE] <1> no peer config found

I checked the initialization log and it looks fine, because the IDs are loaded as:

Jan  6 01:23:45 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Jan  6 01:23:45 00[CFG]   loaded IKE secret for %any
Jan  6 01:23:45 00[CFG]   loaded IKE secret for %any
Jan  6 01:23:45 00[CFG]   loaded IKE secret for 10.1.1.10

My config is as below:

ipsec.conf

conn %default
    ikelifetime=6m
    keylife=5m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    ike=aes256-sha256-modp1024
    esp=aes256-sha256-modp1024
    authby=psk
    type=transport
    auto=route
    fragmentation=no
    rekey=no
    forceencaps=yes

conn trap-a
    aggressive=yes # set to aggressive=no when using main mode
    left=192.168.163.130
    leftsubnet=192.168.163.0/24
    right=10.1.1.10
    rightsubnet=10.1.1.0/24
    auto=add

ipsec.secrets

: PSK "123456"
%any : PSK "123456"
10.1.1.10 : PSK "123456"

strongswan.conf

charon {
        load_modular = yes
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        install_routes = no

        filelog {
                charon {
                        path = /etc/strongswan/logs/strongswan.log
                        time_format = %b %e %T
                        ike_name = yes
                        append = no
                        default = 2
                        flush_line = yes
                }
                stderr {
                        ike = 4
                        knl = 4
                }
        }
}

include strongswan.d/*.conf

Is there anything wrong with my configs?

And the network topology is as follows:

Public network initiator --- Public network NAT --- Intranet responder
10.1.1.10-----------------10.1.1.11--192.168.163.1------192.168.163.130

Thanks for help!
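Added example (not from the question or from strongSwan): a small Python parser for charon log lines of the kind shown above. It groups the pre-shared-key peer-config lookup by IKE_SA number and reports, per attempt, whether a config was selected or the lookup ended in "no peer config found", together with the local/remote addresses and the peer identity the responder tried to match. The sample log is constructed from the lines in the question, with the second run given IKE_SA number 2 so the two attempts can be told apart; the line layout assumed is the filelog format from the question's strongswan.conf (time_format %b %e %T, ike_name = yes).

```python
import re

# Constructed sample log, modelled on the lines in the question (filelog format
# "%b %e %T", ike_name = yes). The second attempt is given IKE_SA number 2 here
# so the two runs can be told apart; in the question both runs show <1>.
SAMPLE_LOG = """\
Jan  6 01:24:06 09[CFG] <1> looking for pre-shared key peer configs matching 192.168.163.130...10.1.1.10[10.1.1.10]
Jan  6 01:24:06 09[CFG] <1>   candidate "trap-a", match: 1/20/3100 (me/other/ike)
Jan  6 01:24:06 09[CFG] <1> selected peer config "trap-a"
Jan  6 01:45:38 05[CFG] <2> looking for pre-shared key peer configs matching 192.168.163.130...10.1.1.10[10.1.1.10]
Jan  6 01:45:38 05[IKE] <2> no peer config found
"""

# One charon filelog line: timestamp, thread id, log group, <[name|]sa-number>, message.
# With ike_name = yes the SA tag becomes <name|N> once a config is selected, so the
# optional "name|" prefix is accepted as well.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) '
    r'(?P<thread>\d+)\[(?P<group>\w+)\] '
    r'<(?:[^|>]*\|)?(?P<sa>\d+)> (?P<msg>.*)$'
)
LOOKUP_RE = re.compile(
    r'looking for pre-shared key peer configs matching '
    r'(?P<me>\S+?)\.\.\.(?P<other>[^\[]+)\[(?P<id>[^\]]*)\]'
)
CANDIDATE_RE = re.compile(
    r'candidate "(?P<name>[^"]+)", match: (?P<me>\d+)/(?P<other>\d+)/(?P<ike>\d+)'
)
SELECTED_RE = re.compile(r'selected peer config "(?P<name>[^"]+)"')
NO_CONFIG_MSG = 'no peer config found'


def parse_psk_lookups(log_text):
    """Group the PSK peer-config lookup lines by IKE_SA number.

    Returns {sa: {'me', 'other', 'id', 'candidates', 'selected', 'failed'}}.
    """
    results = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line in the expected format
        sa = int(m.group('sa'))
        msg = m.group('msg').strip()
        entry = results.setdefault(sa, {
            'me': None, 'other': None, 'id': None,
            'candidates': [], 'selected': None, 'failed': False,
        })
        lk = LOOKUP_RE.search(msg)
        if lk:
            entry['me'] = lk.group('me')
            entry['other'] = lk.group('other')
            entry['id'] = lk.group('id')
            continue
        c = CANDIDATE_RE.search(msg)
        if c:
            entry['candidates'].append(
                (c.group('name'), int(c.group('me')), int(c.group('other')), int(c.group('ike'))))
            continue
        s = SELECTED_RE.search(msg)
        if s:
            entry['selected'] = s.group('name')
            continue
        if NO_CONFIG_MSG in msg:
            entry['failed'] = True
    return results


def summarize(results):
    """Render one line per IKE_SA saying how the lookup ended."""
    out = []
    for sa, e in sorted(results.items()):
        where = f"{e['me']} <-> {e['other']}, peer ID '{e['id']}'"
        if e['selected']:
            out.append(f"IKE_SA {sa}: selected '{e['selected']}' ({where})")
        elif e['failed']:
            out.append(f"IKE_SA {sa}: no peer config matched ({where}); "
                       f"{len(e['candidates'])} candidate(s) listed before failure")
        else:
            out.append(f"IKE_SA {sa}: lookup started but no outcome logged ({where})")
    return out


if __name__ == '__main__':
    for line in summarize(parse_psk_lookups(SAMPLE_LOG)):
        print(line)
```

Where the lookup fails, the identity in square brackets is what the responder tried to match against its conns, and a failed lookup lists zero candidates, unlike the Main Mode run, which listed "trap-a" with a match score before selecting it. Comparing that logged identity with the identity type the initiator actually sends (the IPv4 versus KEY_ID distinction raised in the comments) is the first thing to check when the output shows "no peer config matched".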

I set `aggressive=yes` in trap-a in the configuration file, but the log file does not show `aggressive=yes` when loading trap-a. Is this normal?
In aggressive mode, if I set the type of the ID payload to IPv4, the IKE negotiation completes normally. But if I set the type of the ID payload to KEY_ID, the negotiation fails. Why?