<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=koi8-r" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 11.00.9600.17280">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2 face=Arial>Hi all!</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>I met strange situation: have Amazon AWS CentOS
with Strongswan installed and try to use test VPN. So, I can establish VPN using
PKI on Windows 7 & 8.1 machines and EAP-MSCHAPv2 on Blackberry 10 devices,
but latters totally won't work with PKI</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>My configs are:</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial># I know it's not optimized yet, but it works, so
I'll optimise in the future<BR># ServerPublicIP means public IP of Amazon AWS
instance i.e. 54.xxx.xxx.xxx<BR># ServerPrivateIP means private IP of Amazon
instance, i.e 172.xxx.xxx.xxx<BR># ClientPublicIP means public IP of remote
client</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>config setup<BR>
strictcrlpolicy=no</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>conn %default<BR>
ikelifetime=24h<BR> keylife=24h<BR>
keyexchange=ikev2<BR> dpdaction=clear<BR>
dpdtimeout=3600s<BR> dpddelay=3600s<BR>
compress=yes<BR>
#esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096<BR>
#ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial># It's EAP-MSCHAP connect, it works flawless on
every Blackberry device</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>conn BB_10<BR> rekey=no<BR>
left=%any<BR> leftsubnet=0.0.0.0/0<BR>
leftauth=psk<BR>
leftid=<STRONG>ServerPublicIP</STRONG><BR>
right=%any<BR> rightsourceip=192.168.2.100/28<BR>
rightauth=eap-mschapv2<BR> rightsendcert=never<BR>
eap_identity=%any<BR> auto=add</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial># Win 7 connect, working good too</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>conn laptop<BR>
left=%any<BR> leftauth=pubkey<BR>
leftcert=serverCert.pem<BR>
leftid=<STRONG>ServerPublicIP</STRONG><BR>
leftsubnet=0.0.0.0/0<BR> right=%any<BR>
rightsourceip=192.168.2.100/28<BR> rightauth=pubkey<BR>
rightcert=clientCert.pem<BR> rightsendcert=never<BR>
rekey=no<BR> auto=add</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial># Win 8.1 connect, I didn't merge it with previous
conn because of plans<BR># swap device to ultrabook with mobile SIM slot, so it
should be MOBIKE<BR># connect rather laptop above</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>conn Win8<BR> left=%any<BR>
leftauth=pubkey<BR> leftcert=serverCert.pem<BR>
leftid=<STRONG>ServerPublicIP</STRONG><BR>
leftsubnet=0.0.0.0/0<BR> right=%any<BR>
rightsourceip=192.168.2.100/28<BR> rightauth=pubkey<BR>
rightcert=My_BB.pem<BR> rightsendcert=never<BR>
rekey=no<BR> auto=add</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial># This connect doesn't work</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>conn BB1<BR> left=%any<BR>
leftid="C=US,O=Acme,CN=<STRONG>ServerPublicIP</STRONG>"<BR>
leftsubnet=0.0.0.0/0<BR> leftauth=pubkey<BR>
leftcert=serverCert.pem<BR> right=%any<BR>
rightsourceip=192.168.2.100/28<BR> rightauth=pubkey<BR>
rightid="C=US,O=Acme,CN=user"<BR> rekey=no<BR>
auto=add</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>That's about certificates:</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial># Making selfsigned CA authourity</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>ipsec pki --gen --outform pem >
caKey.pem</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial>ipsec pki --self --in caKey.pem --dn "C=US, O=Acme,
CN=CA_issuer" --ca --outform pem > caCert.pem</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial># Making server keypair</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial>ipsec pki --gen --outform pem >
serverKey.pem</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial>ipsec pki --pub --in serverKey.pem | ipsec pki
--issue --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=Acme,
CN=<STRONG>ServerPublicIP</STRONG>" --san="<STRONG>ServerPublicIP</STRONG>"
--flag serverAuth --flag ikeIntermediate --outform pem >
serverCert.pem</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial># Making client keypair for conn
laptop</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial>ipsec pki --gen --outform pem >
clientKey.pem</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial>ipsec pki --pub --in clientKey.pem | ipsec pki
--issue --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=Acme, CN=client"
--outform pem > clientCert.pem</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial># Making pkcs12 container for import on Win 7
machine</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial>openssl pkcs12 -export -inkey clientKey.pem -in
clientCert.pem -name "client" -certfile caCert.pem -caname "CA_issuer" -out
clientCert.p12</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial># It's a second keipair maked a couple of monthes
later. I tried it for <BR># Blackberry first, but it didn't work, that's why it
has such strange <BR># client name, its own filename, and so on<BR># but it
works good on Windows 8.1<BR># Actually I generated client certificate only.
Everything other include<BR># clientKey.pem I got before</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial>ipsec pki --pub --in clientKey.pem | ipsec pki
--issue --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=Acme, CN=My_BB"
--outform pem > My_BB.pem</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial># Making pkcs12 container for import on Win 8.1
machine</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial>openssl pkcs12 -export -inkey clientKey.pem -in
My_BB.pem -name "Blackberry" -certfile caCert.pem -caname "Acme" -out
Blackberry0.p12</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial># And that's my last client cetificate for
Blackberry PKI connect which<BR># I can't establish<BR># Again, I use everything
include clientKey from initiate certs generate</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial>ipsec pki --pub --in clientKey.pem | ipsec pki
--issue --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=Acme, CN=user" --san
"<A href="mailto:user@ServerPublicIP">user@ServerPublicIP</A>" --flag serverAuth
--outform pem > user_BB.pem</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial># Making pkcs12 container for import on Blackberry
10 device</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial>openssl pkcs12 -export -inkey clientKey.pem -in
user_BB.pem -name "Blackberry" -certfile caCert.pem -caname "Acme" -out
Blackberry1.p12<BR></FONT></DIV>
<DIV><FONT size=2 face=Arial>Blackberry 10 settings are:</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>Server Address: ServerPublicIP</FONT></DIV>
<DIV><FONT size=2 face=Arial>Gateway Type: Generic IKEv2 VPN Server</FONT></DIV>
<DIV><FONT size=2 face=Arial>Authentication Type: PKI</FONT></DIV>
<DIV><FONT size=2 face=Arial>Authentication ID Type: Identity Certificate
Distinguished Name</FONT></DIV>
<DIV><FONT size=2 face=Arial>Client Cetifucate: selected from dropdown and named
"<STRONG>user</STRONG>"</FONT></DIV>
<DIV><FONT size=2 face=Arial>Gateway Auth Type: PKI</FONT></DIV>
<DIV><FONT size=2 face=Arial>Gateway Auth ID Type: Identity Certificate
Distinguished Name</FONT></DIV>
<DIV><FONT size=2 face=Arial>Gateway CA Certificate: selected from dropdown and
named "<STRONG>CA_issuer</STRONG>"</FONT></DIV>
<DIV><FONT size=2 face=Arial>Everything else I leave default</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>So, funny part I don't understand is VPN doesn't
establish, all I have is "Connection Timeout" and weirdest thing is under
log:</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>01 charon: 01[IKE] <STRONG>ClientPublicIP</STRONG>
is initiating an IKE_SA<BR>02 charon: 01[IKE] local host is behind NAT, sending
keep alives<BR>03 charon: 01[IKE] remote host is behind NAT<BR>04 charon:
01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]<BR>05 charon: 01[NET] sending packet: from
<STRONG>ServerPrivateIP</STRONG>[500] to <STRONG>ClientPublicIP</STRONG>[500]
(308 bytes)<BR>06 charon: 15[IKE] sending keep alive to
<STRONG>ClientPublicIP</STRONG>[500]<BR>07 charon: 09[JOB] deleting half open
IKE_SA after timeout</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>So, as I understand last two lines right,
Blackberry won't send back packet with certs list or it doesn't receive
something to initiate this send. I'm not extremly familiar with all those
things, so I suspect something wrong with certs for this connect, but haven't
absolutely any idea what exactly and how it can be resolved</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>Thanks in advance,</FONT></DIV>
<DIV><FONT size=2
face=Arial>
Urgen</FONT><FONT size=2 face=Arial></DIV></FONT></BODY></HTML>