
LibreSwan -> MX IPSec Phase2 Issue

10-26-2019 04:03 AM

Hi,

I am trying to establish an IPSec tunnel from an Ubuntu host running LibreSwan to an MX running IPSEC. I am unable to figure out what I'm missing.

I don't have access to the MX but have been given the MX configuration snippet.

MX Config Snippet - https://pastebin.com/EVpZjXky

My LibreSwan configuration - https://pastebin.com/NFE2qCxM

Connection Up Output - https://pastebin.com/YyGPR9WN

Log - https://pastebin.com/b8t7rSyd

Would sincerely appreciate your assistance...

3 REPLIES

Re: LibreSwan -> MX IPSec Phase2 Issue

10-26-2019 11:08 AM

Looks like a proposal mismatch. I see the MX phase 2 is set to md5 while the LibreSwan has SHA2. One side will need to change to match the other.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: LibreSwan -> MX IPSec Phase2 Issue

10-26-2019 05:05 PM

Thanks Steve for your response. Perhaps my understanding is wrong, but I thought the following is the config for Phase 1 and Phase 2 on the MX.

Phase 1 - set services ipsec-vpn ike proposal M-T-IKE-Prop authentication-algorithm sha1

Phase 2 - set services ipsec-vpn ipsec proposal M-T-IPSEC-Prop authentication-algorithm hmac-md5-96

Correspondingly, for LibreSwan the config is

Phase1 - ike=aes128-sha1;dh2

Phase2 - phase2alg=aes128-md5-modp1024

In any case, I did try to

1. Swap the two - Phase 1 as md5 and Phase 2 as sha1 - Result is that it does not complete Phase 1.

2. Set both Phase 1 and Phase 2 as sha1 - Result is the same as the original, i.e. it completes Phase 1 but does not proceed.

Unfortunately I don't have access to the MX, so all the changes have to be on LibreSwan.

Thanks


Re: LibreSwan -> MX IPSec Phase2 Issue

10-27-2019 05:16 AM

You are correct, I misinterpreted the LibreSwan config; I'm not familiar with this software.

What is the purpose of these lines? Are they declaring a proxy ID pair, and if so, what are the resulting pair sets?

left=10.0.0.81
leftsubnet=10.0.0.0/24
right=the.server.ip.addr

The Junos config has nothing specific provided, so it will be assuming an open pair of

0.0.0.0/0 to 0.0.0.0/0

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
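The two points raised in the replies above, the Phase 1/Phase 2 proposal comparison and the proxy-ID (traffic selector) question, can be checked mechanically before spending time on IKE debug logs. The script below is an added example, not code from the thread, from Libreswan or from Juniper. It parses Junos `set services ipsec-vpn` commands and a Libreswan `conn`, normalizes both vendors' algorithm keywords to one vocabulary (the mapping table is my own reading of the two keyword sets, so treat it as an assumption), and reports every knob that differs. The sample inputs are constructed: only the two `authentication-algorithm` lines and the `ike=`/`phase2alg=`/`left`/`leftsubnet` lines come from the thread; the `dh-group`, `encryption-algorithm` and `perfect-forward-secrecy` lines are filled in to make the comparison complete, and the documentation address 203.0.113.10 stands in for the thread's `the.server.ip.addr` placeholder. The Junos side is assumed to have no proxy identity configured, which the last reply reads as 0.0.0.0/0 to 0.0.0.0/0.

```python
"""Cross-check a Libreswan conn against a Junos MX 'services ipsec-vpn' config.

Added example (not from the thread, Libreswan or Juniper). Keyword mappings and
the sample configurations below are constructed assumptions, see comments.
"""
import ipaddress
import re

# Constructed Junos sample. Only the two authentication-algorithm lines are from
# the thread; dh-group, encryption-algorithm and PFS are assumed for completeness.
JUNOS_CONFIG = """
set services ipsec-vpn ike proposal M-T-IKE-Prop dh-group group2
set services ipsec-vpn ike proposal M-T-IKE-Prop authentication-algorithm sha1
set services ipsec-vpn ike proposal M-T-IKE-Prop encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec proposal M-T-IPSEC-Prop protocol esp
set services ipsec-vpn ipsec proposal M-T-IPSEC-Prop authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal M-T-IPSEC-Prop encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy M-T-IPSEC-Pol perfect-forward-secrecy keys group2
"""

# Constructed Libreswan sample built from the lines quoted in the thread; the
# 'right' address is a documentation address standing in for the placeholder.
LIBRESWAN_CONF = """
conn mx
    left=10.0.0.81
    leftsubnet=10.0.0.0/24
    right=203.0.113.10
    ike=aes128-sha1;dh2
    phase2alg=aes128-md5-modp1024
"""

# Vendor keywords -> one canonical vocabulary (assumed mapping, both vendors).
ENC = {"aes-128-cbc": "aes128", "aes-192-cbc": "aes192", "aes-256-cbc": "aes256",
       "3des-cbc": "3des", "aes128": "aes128", "aes192": "aes192",
       "aes256": "aes256", "3des": "3des"}
INTEG = {"md5": "md5", "hmac-md5-96": "md5", "sha1": "sha1", "hmac-sha1-96": "sha1",
         "sha-256": "sha2_256", "hmac-sha-256-128": "sha2_256",
         "sha2_256": "sha2_256", "sha256": "sha2_256", "sha2": "sha2_256"}
DH = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536",
      "group14": "modp2048", "dh1": "modp768", "dh2": "modp1024",
      "dh5": "modp1536", "dh14": "modp2048", "modp768": "modp768",
      "modp1024": "modp1024", "modp1536": "modp1536", "modp2048": "modp2048"}

ANY = ipaddress.ip_network("0.0.0.0/0")


def canon(table, name):
    """Map a vendor keyword to the canonical name; unknown names are kept, marked '?'."""
    return table.get(name.lower(), f"?{name}")


def parse_junos(text):
    """Extract IKE proposal, IPsec proposal and PFS group from Junos 'set' commands."""
    out = {"ike": {}, "ipsec": {}, "pfs": None}
    for line in text.splitlines():
        m = re.match(r"set services ipsec-vpn (ike|ipsec) proposal \S+ (\S+) (\S+)", line)
        if m:
            phase, knob, val = m.groups()
            if knob == "encryption-algorithm":
                out[phase]["enc"] = canon(ENC, val)
            elif knob == "authentication-algorithm":
                out[phase]["integ"] = canon(INTEG, val)
            elif knob == "dh-group":
                out[phase]["dh"] = canon(DH, val)
            continue
        m = re.match(r"set services ipsec-vpn ipsec policy \S+ perfect-forward-secrecy keys (\S+)", line)
        if m:
            out["pfs"] = canon(DH, m.group(1))
    return out


def parse_alg(spec):
    """Split 'aes128-sha1;dh2' or 'aes128-md5-modp1024' into (enc, integ, dh or None)."""
    parts = spec.replace(";", "-").split("-")
    dh = canon(DH, parts[2]) if len(parts) > 2 else None
    return canon(ENC, parts[0]), canon(INTEG, parts[1]), dh


def parse_libreswan(text):
    """Extract proposals and traffic selectors from a Libreswan conn section."""
    kv = dict(re.findall(r"^\s*(\w+)=(\S+)", text, re.M))
    ike = parse_alg(kv["ike"])
    esp = parse_alg(kv.get("esp", kv.get("phase2alg")))
    # Libreswan defaults a missing leftsubnet/rightsubnet to the host address /32.
    left_ts = kv.get("leftsubnet", kv["left"] + "/32")
    right_ts = kv.get("rightsubnet", kv["right"] + "/32")
    return {"ike": {"enc": ike[0], "integ": ike[1], "dh": ike[2]},
            "ipsec": {"enc": esp[0], "integ": esp[1]}, "pfs": esp[2],
            "selectors": (ipaddress.ip_network(left_ts, strict=False),
                          ipaddress.ip_network(right_ts, strict=False))}


def compare(junos, swan):
    """Return one finding per knob that differs between the two sides."""
    findings = []
    for phase in ("ike", "ipsec"):
        for knob in sorted(set(junos[phase]) | set(swan[phase])):
            j, s = junos[phase].get(knob), swan[phase].get(knob)
            if j != s:
                findings.append(f"phase {1 if phase == 'ike' else 2} {knob}: MX={j} Libreswan={s}")
    if junos["pfs"] != swan["pfs"]:
        findings.append(f"phase 2 pfs: MX={junos['pfs']} Libreswan={swan['pfs']}")
    # Proxy IDs: the MX snippet declares none, read here as 0.0.0.0/0 <-> 0.0.0.0/0;
    # Libreswan proposes leftsubnet <-> rightsubnet. Only the difference is flagged;
    # whether the MX accepts the narrower pair is for the MX operator to confirm.
    left, right = swan["selectors"]
    if (left, right) != (ANY, ANY):
        findings.append(f"phase 2 selectors: MX=0.0.0.0/0<->0.0.0.0/0 Libreswan={left}<->{right}")
    return findings


if __name__ == "__main__":
    for f in compare(parse_junos(JUNOS_CONFIG), parse_libreswan(LIBRESWAN_CONF)) or ["no differences"]:
        print(f)
```

Run against the constructed inputs, the Phase 1 and Phase 2 proposals line up (sha1 and md5 on both sides, as the second post says), and the single remaining difference is the traffic-selector pair, which is exactly the question the last reply asks. Swapping `md5` for `sha1` in `phase2alg` makes the script report the Phase 2 integrity mismatch instead, so the same check covers the "swap the two" experiment described in the thread.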