Netgate Discussion Forum

    Upgrade from 2.2.6 to 2.3 broke mobile IPSec [fixed]

    10 Posts 2 Posters 2.9k Views
    jswope

      I had IPsec set up and working great with 2.2.6 with the Cisco VPN client and Shrew Soft. Now the Cisco VPN client says error code 411: The remote peer does not support the VPN client protocol.

      Shrew soft connects but will not pass traffic

      Anybody had this issue?

      jswope

        Shrew Soft also fails the security association

        cmb

          That isn't related to either of the two known issues, configs like that work in general. What do you have in your IPsec logs?

          jswope

            Apr 17 10:45:22 charon 14[KNL] creating rekey job for CHILD_SA ESP/0xcb0d144c/71.xx.xx.xx
            Apr 17 10:45:16 charon 14[IKE] <con5|19>deleting IKE_SA con5[19] between 71.xx.xx.xx[71.xx.xx.xx]…71.xx.xx.xx[admin]
            Apr 17 10:45:16 charon 14[IKE] <con5|19>received DELETE for IKE_SA con5[19]
            Apr 17 10:45:16 charon 14[ENC] <con5|19>parsed INFORMATIONAL_V1 request 2396139029 [ HASH D ]
            Apr 17 10:45:16 charon 14[NET] <con5|19>received packet: from 71.XX.XX.XX[49483] to 71.XX.XXX.XXX[4500] (92 bytes)
            Apr 17 10:45:16 charon 12[NET] <con5|19>sending packet: from 71.xx.xx.xx[4500] to 71.xx.xx.xx[49483] (76 bytes)
            Apr 17 10:45:16 charon 12[ENC] <con5|19>generating TRANSACTION request 576097578 [ HASH CPRQ(X_USER X_PWD) ]
            Apr 17 10:45:16 charon 12[IKE] <con5|19>remote host is behind NAT
            Apr 17 10:45:16 charon 12[IKE] <con5|19>local host is behind NAT, sending keep alives
            Apr 17 10:45:16 charon 12[IKE] <con5|19>received Cisco Unity vendor ID
            Apr 17 10:45:16 charon 12[ENC] <con5|19>received unknown vendor ID: bb:18:f6:5a:1e:16:2e:db:cf:1b:12:72:5f:94:0c:3e
            Apr 17 10:45:16 charon 12[ENC] <con5|19>parsed AGGRESSIVE request 0 [ HASH N(INITIAL_CONTACT) NAT-D NAT-D V V ]
            Apr 17 10:45:16 charon 12[NET] <con5|19>received packet: from 71.xx.xx.xx[49483] to 71.xx.xx.xx[4500] (172 bytes)
            Apr 17 10:45:16 charon 12[NET] <con5|19>sending packet: from 71.xx.xx.xx[500] to 71.xx.xx.xx[49482] (416 bytes)
            Apr 17 10:45:16 charon 12[ENC] <con5|19>generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
            Apr 17 10:45:16 charon 12[CFG] <19> selected peer config "con5"
            Apr 17 10:45:16 charon 12[CFG] <19> looking for XAuthInitPSK peer configs matching 71.xx.xx.xx…71.xx.xx.xx[admin]
            Apr 17 10:45:16 charon 12[IKE] <19> 71.xx.xx.xx is initiating a Aggressive Mode IKE_SA
            Apr 17 10:45:16 charon 12[IKE] <19> received Cisco Unity vendor ID
            Apr 17 10:45:16 charon 12[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
            Apr 17 10:45:16 charon 12[IKE] <19> received FRAGMENTATION vendor ID
            Apr 17 10:45:16 charon 12[IKE] <19> received DPD vendor ID
            Apr 17 10:45:16 charon 12[IKE] <19> received XAuth vendor ID
            Apr 17 10:45:16 charon 12[ENC] <19> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
            Apr 17 10:45:16 charon 12[NET] <19> received packet: from 71.xx.xx.xx[49482] to 71.xx.xx.xx[500] (865 bytes)

            cmb

              You probably need to enable Unity, VPN>IPsec, Advanced tab.

              jswope

                Unity is not checked

                cmb

                  @jswope:

                  Unity is not checked

                  Yes that's probably why, enable it. Then stop and start (not restart) strongswan under Status>Services to be sure it's definitely applied.

                  jswope
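                  As an added example (not code from this thread, pfSense or strongSwan), a small Python checker that parses charon log lines in the format posted above and flags the symptom cmb diagnosed: a client that announced the Cisco Unity vendor ID, was sent the XAuth prompt, and then deleted the IKE_SA. The sample lines are constructed in the posted format with placeholder addresses; the verdict strings and function names are assumptions.

```python
import re
from collections import defaultdict

# Regex for the charon lines shown in the thread. The forum extraction glued
# "<con5|19>" to the message text, so the whitespace after the tag is optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon \d+\[(?P<grp>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<ike>\d+)>\s*(?P<msg>.*)$")

# Constructed sample in the same format as the original post (placeholder addresses).
# pfSense shows the newest line first, exactly as the post does.
SAMPLE_LOG = """\
Apr 17 10:45:22 charon 14[KNL] creating rekey job for CHILD_SA ESP/0xcb0d144c/71.xx.xx.xx
Apr 17 10:45:16 charon 14[IKE] <con5|19>received DELETE for IKE_SA con5[19]
Apr 17 10:45:16 charon 12[ENC] <con5|19>generating TRANSACTION request 576097578 [ HASH CPRQ(X_USER X_PWD) ]
Apr 17 10:45:16 charon 12[IKE] <con5|19>received Cisco Unity vendor ID
Apr 17 10:45:16 charon 12[CFG] <19> selected peer config "con5"
Apr 17 10:45:16 charon 12[IKE] <19> received Cisco Unity vendor ID
Apr 17 10:45:16 charon 12[IKE] <19> 71.xx.xx.xx is initiating a Aggressive Mode IKE_SA
"""

def parse(log_text, newest_first=True):
    """Return {ike_id: [messages in chronological order]} from charon log text."""
    lines = log_text.splitlines()
    if newest_first:
        lines.reverse()  # restore chronological order before looking at sequences
    sas = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines without an <ike_id> tag (e.g. the KNL rekey job) are skipped
            sas[int(m["ike"])].append(m["msg"])
    return sas

def diagnose(messages):
    """Classify one IKE_SA's message sequence; returns a short finding string."""
    unity = any("Cisco Unity vendor ID" in m for m in messages)
    xauth = next((i for i, m in enumerate(messages) if "CPRQ(X_USER X_PWD)" in m), None)
    delete = next((i for i, m in enumerate(messages) if "received DELETE for IKE_SA" in m), None)
    # Failure pattern from the thread: Unity client, XAuth prompt sent, then peer deletes the SA.
    if unity and xauth is not None and delete is not None and delete > xauth:
        return "unity-client-abort"
    if unity and xauth is not None:
        return "unity-xauth-in-progress"
    return "other"

def find_unity_aborts(log_text, newest_first=True):
    """IKE_SA ids whose sequence matches the 'Unity plugin disabled' symptom."""
    sas = parse(log_text, newest_first)
    return sorted(i for i, msgs in sas.items() if diagnose(msgs) == "unity-client-abort")

if __name__ == "__main__":
    for ike_id in find_unity_aborts(SAMPLE_LOG):
        print(f"IKE_SA {ike_id}: Unity client dropped the SA after the XAuth request; "
              "check VPN > IPsec > Advanced > Enable Unity plugin, then stop/start strongSwan")
```

Passing `newest_first=False` for a log that is actually newest-first makes the DELETE appear before the XAuth request and the symptom is missed, which is why the order is normalised first.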

                    That was it. It was because in 2.2.6 it is disabled if it is checked. lol

                    Thanks a lot
                    8)

                      cmb

                      Good, glad to hear. We changed the default for the Unity plugin because it's better for most people if it's disabled, but the minority who need it have to enable it. I added a clearer note on that to the 2.3 section of the upgrade guide.

                      That's not something you'll have to worry about again going forward as that default won't change again and your config has it enabled.

                        jswope

                        Thanks, makes total sense. Thanks for your help.
