IPsec configuration: HUGE doubts and problems. Please, experts' help is needed.

Hi friends,

I'm getting very worried because a few days ago I posted the same doubt and have been editing the text to make it clearer, but I have had no response from Experts Exchange or any other expert (there are a lot of good ones here)... I've been an Experts Exchange subscriber for over 5 years now... and never before have I been without the help of the experts... I do not understand why it was left in oblivion.

Well... let's get to the point...

Please, I need to connect a strongSwan VPN (my side) with another VPN software (other side), but the admin from "the other side" doesn't provide enough info... so I'm trying to figure it out and troubleshoot this by trial and error... already for many days and with a lot of migraines...

They (the other side) provided me with a PSK (OK)... already configured in ipsec.secrets, and they also gave me the following instructions:

1st Phase (IKEv2)
DH 2 = 1024 bits
SHA-256
AES-256
Lifetime = 1440m

2nd Phase (ESP)
PFS - DH 2 - 1024 bits
SHA-256
AES-256
Lifetime = 3600s

My question is (please): how do I configure this specific connection? Especially the parameters ike and esp; is anything else needed in the configuration example below?

conn myside-otherside
    keyingtries=%forever
    keyexchange=ikev2
    compress=no
    authby=secret
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    ike=???
    esp=???
    right=x.x.x.x
    rightid=x.x.x.x
    rightsubnet=y.y.y.y/z
    left=a.a.a.a
    leftid=a.a.a.a
    leftsubnet=b.b.b.b/c
    leftfirewall=yes
    lefthostaccess=yes
    auto=start

In time... My participation here in Experts Exchange is not so good because, mainly, of the language barrier and also because of the overwork (which sucks up those milliseconds I'd like to save per day) that everyone here knows... :)

Finally... Please... If I'm doing something wrong that is causing this lack of interest in my questions, I apologize in advance and ask you guys to clarify for me how I can overcome / correct the situation.

Best Regards
FabioConsultant asked:

ajohnson30 (Network Manager) commented:
Typically the "esp" and "ike" parameters on a VPN tunnel are the descriptors of the encryption types supported. It looks like on strongSwan this is no exception. It appears you need something like

  ike=aes256-sha1-modp1024,3des-sha1-modp1024!
  esp=aes256-sha1,3des-sha1!

Take a look at https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04

If I had to guess, I'd say you weren't getting replies because strongSwan is such a one-off VPN. Most people are using Cisco, SonicWall, Juniper, or even something OpenVPN-compatible.

Hope this helps,
Aaron
FabioConsultant (Author) commented:
Hi ajohnson30,

How are you?

Thanks INDEED for your reply.

Today, after a lot of asking, I finally got some info about the "other side"... They're using a Check Point at their end of the VPN.

About IKE and ESP, my doubt is which algorithms I should configure in the ike and esp parameters using the info they gave me. I think that I'm using the right ones:
        ike=aes256-sha256-modp1024
        esp=aes256-sha256-modp1024

But I'm getting this error when I start the connection with the command "ipsec up myside-otherside":

initiating IKE_SA myside-otherside[3] to 2.2.2.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (540 bytes)
received packet: from 2.2.2.2[500] to 1.1.1.1[500] (384 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) ]
authentication of '1.1.1.1' (myself) with pre-shared key
establishing CHILD_SA myside-otherside
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (352 bytes)
received packet: from 2.2.2.2[500] to 1.1.1.1[500] (80 bytes)
parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
IDr payload missing
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (80 bytes)
establishing connection 'myside-otherside' failed

Any clues??

Once again, thank you INDEED for your help and for your reply!

Best Regards
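As an added worked example (not code from this thread or from strongSwan itself): the small script below maps the parameter list the peer supplied in the question (AES-256, SHA-256, DH group 2, the two lifetimes) onto strongSwan ipsec.conf proposal strings, renders a complete IKEv2/PSK conn section, and classifies an `ipsec up` log by the IKEv2 error notify the peer actually sent back. In the log posted above, the IKE_AUTH response consists only of N(TS_UNACCEPT), which means the Check Point rejected the traffic selectors (the subnets offered in TSi/TSr); the "IDr payload missing" line is a consequence of that short error reply, not a separate fault. The vendor-name lookup tables, the hint table, the placeholder addresses and subnets, and the sample log (reconstructed from the thread's own output) are all my own assumptions.

```python
"""Added example (not code from the thread): translate the peer's stated
IKE/ESP parameters into strongSwan ipsec.conf proposal strings, and classify
an `ipsec up` log by the IKEv2 notify the peer sent back."""
import re

# IANA Diffie-Hellman group numbers -> strongSwan proposal keywords
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
             15: "modp3072", 16: "modp4096", 19: "ecp256", 20: "ecp384"}
# Vendor-style names as they appear in the peer's instructions -> strongSwan keywords
INTEGRITY = {"SHA-1": "sha1", "SHA-256": "sha256", "SHA-384": "sha384",
             "SHA-512": "sha512", "MD5": "md5"}
ENCRYPTION = {"AES-128": "aes128", "AES-192": "aes192", "AES-256": "aes256",
              "3DES": "3des"}
WEAK_DH = {1, 2, 5}  # MODP groups below 2048 bits; group 2 is what the peer asked for


def proposal(cipher, integrity, dh_group=None, strict=True):
    """One strongSwan proposal: <encr>-<integ>[-<dh>]. For IKE the DH group is
    mandatory; for ESP it is present only when PFS is required. The trailing
    '!' makes the proposal strict so strongSwan offers nothing but this."""
    parts = [ENCRYPTION[cipher], INTEGRITY[integrity]]
    if dh_group is not None:
        parts.append(DH_GROUPS[dh_group])
    return "-".join(parts) + ("!" if strict else "")


def dh_warnings(dh_group):
    """Flag DH groups a reviewer would push back on before signing off."""
    if dh_group in WEAK_DH:
        return [f"DH group {dh_group} ({DH_GROUPS[dh_group]}) is below 2048 bits; "
                "ask the peer for group 14 or higher if their policy allows it"]
    return []


def render_conn(name, left, leftsubnet, right, rightsubnet,
                ike, esp, ikelifetime, lifetime):
    """Render an ipsec.conf conn section for an IKEv2 PSK site-to-site tunnel.
    `lifetime` is the current name of the CHILD_SA lifetime; `keylife` is the
    older synonym used in the original post."""
    lines = [f"conn {name}",
             "    keyexchange=ikev2",
             "    authby=secret",
             f"    ike={ike}",
             f"    esp={esp}",
             f"    ikelifetime={ikelifetime}",
             f"    lifetime={lifetime}",
             "    rekeymargin=3m",
             "    keyingtries=%forever",
             f"    left={left}",
             f"    leftid={left}",
             f"    leftsubnet={leftsubnet}",
             f"    right={right}",
             f"    rightid={right}",
             f"    rightsubnet={rightsubnet}",
             "    auto=start"]
    return "\n".join(lines) + "\n"


# Error notifies as strongSwan abbreviates them in its log, with the usual cause.
NOTIFY_HINTS = {
    "NO_PROP": "no proposal chosen: ike=/esp= algorithms or DH group differ from the peer's",
    "INVAL_KE": "peer wants a different DH group in IKE_SA_INIT",
    "AUTH_FAILED": "peer could not authenticate us: PSK or IDi/IDr mismatch",
    "TS_UNACCEPT": "peer rejected the traffic selectors: leftsubnet/rightsubnet "
                   "must match the peer's encryption domain",
}
RESPONSE_RE = re.compile(
    r"parsed (IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|INFORMATIONAL) response \d+ \[(.*)\]")
NOTIFY_RE = re.compile(r"N\(([A-Z_]+)\)")


def classify(log_text):
    """Return (exchange, notify, hint) for the first error notify the PEER sent,
    or None. Only 'parsed ... response' lines count: the N(AUTH_FAILED) in a
    'generating INFORMATIONAL request' line is our own give-up message."""
    for line in log_text.splitlines():
        m = RESPONSE_RE.search(line)
        if not m:
            continue
        for notify in NOTIFY_RE.findall(m.group(2)):
            if notify in NOTIFY_HINTS:
                return m.group(1), notify, NOTIFY_HINTS[notify]
    return None


# Constructed sample, modelled on the `ipsec up` output posted in the thread.
SAMPLE_LOG = """\
initiating IKE_SA myside-otherside[3] to 2.2.2.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) ]
authentication of '1.1.1.1' (myself) with pre-shared key
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
IDr payload missing
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
establishing connection 'myside-otherside' failed
"""

if __name__ == "__main__":
    ike = proposal("AES-256", "SHA-256", 2)   # phase 1: AES-256 / SHA-256 / DH 2
    esp = proposal("AES-256", "SHA-256", 2)   # phase 2: same; the DH group gives PFS
    for w in dh_warnings(2):
        print("warning:", w)
    # placeholder addresses and subnets, assumed for the example
    print(render_conn("myside-otherside", "1.1.1.1", "10.10.0.0/24",
                      "2.2.2.2", "10.20.0.0/24", ike, esp, "24h", "1h"))
    print(classify(SAMPLE_LOG))
```

Two practical notes on the output. First, `sha256` in a strongSwan proposal means HMAC-SHA-256 with the 128-bit truncation of RFC 4868; if a peer only speaks the older non-standard 96-bit truncation, strongSwan's ESP keyword `sha256_96` exists for that case, so check which one the peer uses before assuming a proposal mismatch. Second, a strict proposal (`!`) is the right thing to send once the peer's parameters are known, because without it strongSwan appends its own defaults and the peer may select something other than what was agreed.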
ajohnson30 (Network Manager) commented:
Your problem looks very similar to this one. Perhaps it helps?
https://ubuntuforums.org/showthread.php?t=2217019
Basically, in message #3 he is saying he had some IP addresses swapped around in the config. Once that was corrected, the tunnel got past the authentication.
FabioConsultant (Author) commented:
Hi again friend,

I can't thank you enough for your attention.

I was googling "IDr payload missing" and got just a few answers... but all of them regarding IKEv2...

As the people on the "other side" mentioned that IKEv1 could be used, I changed to IKEv1 and also changed rightid and leftid to "%any"... I think that the IKEv2 configuration on the "other side" is incorrect or missing something (probably the rightid and leftid fields).

The esp and ike parameters are configured this way:

ike=aes256-sha256-modp1024
esp=aes256-sha256-modp1024

Unfortunately "they" probably will not (never) tell me what was wrong (they will probably say that my configuration was wrong... LOL), but if (by some miracle) they report the error, I'll post it here.

Once again thank you indeed for your help and attention.

Best Regards

ajohnson30 (Network Manager) commented:
The guide I saw did have an exclamation mark "!" on the end of the encryption specifier "modp1024!". I don't know if that matters.
FabioConsultant (Author) commented:
The information I had was incomplete, and the efforts and attention of ajohnson30 helped me to confirm that the error was not in my settings and helped me find an alternative and a solution.