<div dir="ltr"><div>Hi all<br></div>based on my test, it turns out that pem format cert does not be supported on openWRT, did I miss anything about that?<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 26, 2014 at 10:00 PM, Eric Y. Zhang <span dir="ltr"><<a href="mailto:debiansid@gmail.com" target="_blank">debiansid@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi Noel<br></div>I managed to make it work, just recreate all of certs following steps here:<a href="https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA</a><br><br></div>and I have no idea why my last configuration does not work.<br><br></div><div>the difference is --outform pem I used before.<br><pre><a href="https://gist.githubusercontent.com/songchenwen/" target="_blank">https://gist.githubusercontent.com/songchenwen/</a><span>14</span>c1c663ea65d5d4a28b/raw/cef8d8bafe6168388b105f780c442412e6f8ede7/server_key.sh<br><a href="https://gist.githubusercontent.com/songchenwen/" target="_blank">https://gist.githubusercontent.com/songchenwen/</a><span>14</span>c1c663ea65d5d4a28b/raw/<span>54843</span>ae2e5e6d1159134<span>cd</span>9a90a08c31ff5a253d/client_key.sh<br></pre></div><div>I use those 2 shell to create all certs before.<br></div><div><br>this will cause new question , I want to migrate this configuration to my another VPS which has the pem form certs for now.<br><br></div><div>How can I make that work?<br><br></div><div>thanks<br><br></div><div>Eric<br></div><div> <br></div><br><div><div><br></div></div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Fri, Dec 26, 2014 at 9:27 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
Hello Eric,<br>
<br>
</span>Do you have a passthrough policy configured on your router for localNet to localNet?<br>
Also, please read [1]. DId you except IPsec traffic from NAT? If you did, please<br>
show me your current iptables rules. Do you have a complete log of that failure?<br>
If not, please reproduce it with logging enabled.<br>
<br>
[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling</a><br>
<span><br>
<br>
Mit freundlichen Grüßen/Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
</span>Am 26.12.2014 um 10:40 schrieb Eric Y. Zhang:<br>
<span>> on client :ipsec start --nofork<br>
> end up like this<br>
</span>> 09[KNL] creating acquire job for policy <a href="http://192.168.89.1/32%5Bicmp%5D" target="_blank">192.168.89.1/32[icmp]</a> <<a href="http://192.168.89.1/32%5Bicmp%5D" target="_blank">http://192.168.89.1/32[icmp]</a>> === <a href="http://192.168.87.1/32%5Bicmp%5D" target="_blank">192.168.87.1/32[icmp]</a> <<a href="http://192.168.87.1/32%5Bicmp%5D" target="_blank">http://192.168.87.1/32[icmp]</a>> with reqid {1}<br>
<span>> 05[CFG] ignoring acquire, connection attempt pending<br>
> 06[KNL] creating delete job for ESP CHILD_SA with SPI c24d7360 and reqid {1}<br>
> 06[JOB] CHILD_SA with reqid 1 not found for delete<br>
> 03[IKE] giving up after 5 retransmits<br>
> 03[IKE] establishing IKE_SA failed, peer not responding<br>
><br>
><br>
</span>> On Fri, Dec 26, 2014 at 5:27 PM, Eric Y. Zhang <<a href="mailto:debiansid@gmail.com" target="_blank">debiansid@gmail.com</a> <mailto:<a href="mailto:debiansid@gmail.com" target="_blank">debiansid@gmail.com</a>>> wrote:<br>
><br>
> vpn-2-ctu-openwrt: child: <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> === <a href="http://192.168.89.0/24" target="_blank">192.168.89.0/24</a> <<a href="http://192.168.89.0/24" target="_blank">http://192.168.89.0/24</a>> PASS<br>
<span>> Security Associations (1 up, 0 connecting):<br>
> vpn-2-ctu-openwrt[1]: ESTABLISHED 57 seconds ago, 192.99.70.158[C=CH, O=strongSwan, CN=192.99.70.158]...110.188.32.238[C=CH, O=strongSwan, CN=192.168.89.1]<br>
> vpn-2-ctu-openwrt[1]: IKEv2 SPIs: 4eafbff72188a47c_i 396f31d11faa1052_r*, public key reauthentication in 53 minutes<br>
> vpn-2-ctu-openwrt[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
> vpn-2-ctu-openwrt{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c04787a2_i cb4f91c5_o<br>
> vpn-2-ctu-openwrt{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes<br>
</span>> vpn-2-ctu-openwrt{1}: <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> === <a href="http://192.168.89.0/24" target="_blank">192.168.89.0/24</a> <<a href="http://192.168.89.0/24" target="_blank">http://192.168.89.0/24</a>><br>
<span>><br>
> after sign the openwrt server cert with same root ca as in VPS, it looks like the tunnel is up, but still cannot ping .<br>
><br>
</span>> On Fri, Dec 26, 2014 at 3:46 PM, Eric Y. Zhang <<a href="mailto:debiansid@gmail.com" target="_blank">debiansid@gmail.com</a> <mailto:<a href="mailto:debiansid@gmail.com" target="_blank">debiansid@gmail.com</a>>> wrote:<br>
><br>
> 04[KNL] creating acquire job for policy <a href="http://192.168.89.1/32%5Bicmp%5D" target="_blank">192.168.89.1/32[icmp]</a> <<a href="http://192.168.89.1/32%5Bicmp%5D" target="_blank">http://192.168.89.1/32%5Bicmp%5D</a>> === <a href="http://192.168.87.1/32%5Bicmp%5D" target="_blank">192.168.87.1/32[icmp]</a> <<a href="http://192.168.87.1/32%5Bicmp%5D" target="_blank">http://192.168.87.1/32%5Bicmp%5D</a>> with reqid {1}<br>
<span>> 04[IKE] initiating IKE_SA net-net[1] to 192.99.70.158<br>
> 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
> 04[NET] sending packet: from 192.168.88.101[500] to 192.99.70.158[500] (676 bytes)<br>
> 02[NET] received packet: from 192.99.70.158[500] to 192.168.88.101[500] (465 bytes)<br>
> 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>
> 02[IKE] local host is behind NAT, sending keep alives<br>
> 02[IKE] received 1 cert requests for an unknown ca<br>
> 02[IKE] sending cert request for "C=CH, O=strongSwan, CN=192.168.89.1"<br>
> 02[IKE] authentication of 'C=CH, O=strongSwan, CN=192.168.89.1' (myself) with RSA signature successful<br>
> 02[IKE] sending end entity cert "C=CH, O=strongSwan, CN=192.168.89.1"<br>
> 02[IKE] establishing CHILD_SA net-net{1}<br>
> 02[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]<br>
> 02[NET] sending packet: from 192.168.88.101[4500] to 192.99.70.158[4500] (1868 bytes)<br>
> 01[NET] received packet: from 192.99.70.158[4500] to 192.168.88.101[4500] (76 bytes)<br>
> 01[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>
> 01[IKE] received AUTHENTICATION_FAILED notify error<br>
><br>
><br>
</span><span>> On Fri, Dec 26, 2014 at 1:18 PM, Eric Y. Zhang <<a href="mailto:debiansid@gmail.com" target="_blank">debiansid@gmail.com</a> <mailto:<a href="mailto:debiansid@gmail.com" target="_blank">debiansid@gmail.com</a>>> wrote:<br>
><br>
> conn net-net<br>
> left=%defaultroute<br>
</span>> leftsubnet=<a href="http://192.168.89.0/24" target="_blank">192.168.89.0/24</a> <<a href="http://192.168.89.0/24" target="_blank">http://192.168.89.0/24</a>><br>
<span>> leftcert=vpnHostCert.pem<br>
> leftid="C=CH, O=strongSwan, CN=192.168.89.1"<br>
> leftfirewall=yes<br>
> right=VPS IP<br>
</span>> #rightsubnet=<a href="http://192.168.87.0/24" target="_blank">192.168.87.0/24</a> <<a href="http://192.168.87.0/24" target="_blank">http://192.168.87.0/24</a>><br>
> rightsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<span>> rightid="C=CH, O=strongSwan, CN=VPS IP"<br>
> auto=route<br>
><br>
> ipsec statusall<br>
> net-net: %any...vps ip IKEv2<br>
> net-net: local: [C=CH, O=strongSwan, CN=192.168.89.1] uses public key authentication<br>
> net-net: cert: "C=CH, O=strongSwan, CN=192.168.89.1"<br>
> net-net: remote: [C=CH, O=strongSwan, CN=vps ip] uses public key a uthentication<br>
</span>> net-net: child: <a href="http://192.168.89.0/24" target="_blank">192.168.89.0/24</a> <<a href="http://192.168.89.0/24" target="_blank">http://192.168.89.0/24</a>> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> TUNNEL<br>
> Shunted Connections:<br>
> local-net: <a href="http://192.168.89.0/24" target="_blank">192.168.89.0/24</a> <<a href="http://192.168.89.0/24" target="_blank">http://192.168.89.0/24</a>> === <a href="http://192.168.89.0/24" target="_blank">192.168.89.0/24</a> <<a href="http://192.168.89.0/24" target="_blank">http://192.168.89.0/24</a>> PASS<br>
<span>> Routed Connections:<br>
> net-net{1}: ROUTED, TUNNEL<br>
</span>> net-net{1}: <a href="http://192.168.89.0/24" target="_blank">192.168.89.0/24</a> <<a href="http://192.168.89.0/24" target="_blank">http://192.168.89.0/24</a>> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<span>> Security Associations (0 up, 0 connecting):<br>
> none<br>
><br>
> but I can not ping my VPS via ipsec tunnel.<br>
><br>
> any idea?<br>
><br>
><br>
</span><span>> On Fri, Dec 26, 2014 at 8:45 AM, Eric Zhang <<a href="mailto:debiansid@gmail.com" target="_blank">debiansid@gmail.com</a> <mailto:<a href="mailto:debiansid@gmail.com" target="_blank">debiansid@gmail.com</a>>> wrote:<br>
><br>
> You mean I have to use vps side's root ca to issue and sign server cert and user cert for openwrt side?<br>
><br>
> Sent from Mobile<br>
><br>
><br>
</span><span>> > On 2014年12月26日, at 03:36, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>>> wrote:<br>
> ><br>
> ><br>
> Hello Eric,<br>
><br>
> You can use email adresses in the DN and the SAN fields of the certificate of the router to authenticate it against the server.<br>
</span>> Example: ipsec pki --issue [...] --dn "C=DE, O=FooBar Corp, CN=<a href="mailto:bar@baz.de" target="_blank">bar@baz.de</a> <mailto:<a href="mailto:bar@baz.de" target="_blank">bar@baz.de</a>>" --san "<a href="mailto:bar@baz.de" target="_blank">bar@baz.de</a> <mailto:<a href="mailto:bar@baz.de" target="_blank">bar@baz.de</a>>"<br>
<span>><br>
> Then set the email address in the rightid on the server.<br>
><br>
> Mit freundlichen Grüßen/Regards,<br>
> Noel Kuntze<br>
><br>
> GPG Key ID: 0x63EC6658<br>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
><br>
> > >> Am 25.12.2014 um 07:06 schrieb Eric Zhang:<br>
> > >> Yes,my local side is ADSL which has dynamic ip,can I setup certs to authenticate?<br>
> > >><br>
> > >> Sent from Mobile<br>
> > >><br>
> > >><br>
</span>> > >>> On 2014年12月24日, at 22:45, Zesen Qian <<a href="mailto:strongswan-users@riaqn.com" target="_blank">strongswan-users@riaqn.com</a> <mailto:<a href="mailto:strongswan-users@riaqn.com" target="_blank">strongswan-users@riaqn.com</a>>> wrote:<br>
<span>> > >>><br>
> > >>> Noel Kuntze <<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>>> writes:<br>
> > >>><br>
> > >>>> Hello Eric,<br>
> > >>>><br>
> > >>>> See [1] for authentication using X509 certificates and site-to-site tunnels.<br>
> > >>>><br>
> > >>>> [1] <a href="http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/" target="_blank">http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/</a><br>
> > >>>><br>
> > >>>> Mit freundlichen Grüßen/Regards,<br>
> > >>>> Noel Kuntze<br>
> > >>>><br>
> > >>>> GPG Key ID: 0x63EC6658<br>
> > >>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
> > >>>><br>
> > >>>>> Am 24.12.2014 um 00:42 schrieb Eric Zhang:<br>
> > >>>>> How can I use RSA authentication with X.509 certificates to setup ip tunnel between my PPPoE to VPS (which has fix IP)?<br>
> > >>>>><br>
> > >>>>> Thanks<br>
> > >>>>><br>
> > >>>>> Eric<br>
> > >>>><br>
> > >>>><br>
> > >>>> _______________________________________________<br>
> > >>>> Users mailing list<br>
</span>> > >>>> <a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a>><br>
<span>> > >>>> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
> > >>> Hello Noel,<br>
> > >>> I guess the question Eric want to ask is mainly about site-to-site<br>
> > >>> with "dynamic IP" on one side, while the other side has fixed IP.<br>
> > >>> I 'm also eager to know since it's my situation too. :) My IPv6<br>
> > >>> address is dynamic.<br>
> > >>> If I ommit the left= paramter, which defaults to %any, it<br>
> > >>> sometimes(and randomly) would use ::1 on local, which surely<br>
> > >>> won't success. Other times it would use the global address which<br>
> > >>> works just find.<br>
> > >>><br>
> > >>> --<br>
> > >>> Zesen Qian (钱泽森)<br>
> > >>> Undergraduate<br>
> > >>> School of Software<br>
> > >>> Shanghai Jiao Tong University<br>
><br>
> ><br>
> ><br>
><br>
><br>
><br>
><br>
</span><span>> --<br>
> Life is harsh<br>
><br>
><br>
><br>
><br>
> --<br>
> Life is harsh<br>
><br>
><br>
><br>
><br>
> --<br>
> Life is harsh<br>
><br>
><br>
><br>
><br>
> --<br>
> Life is harsh<br>
<br>
</span><span>-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2<br>
<br>
</span>iQIcBAEBCAAGBQJUnWImAAoJEDg5KY9j7GZY+cEP/0qgdZoaHx0nqC1mwk57Kz7K<br>
6pKbQd8qXlJ5lzROoZuv4qwHVojSkTkCUjV/qm8ZjuqjRzvg0opOyxz32Q5EdGsz<br>
cYq5hKE9rhN7fiqwmGyfJcuRcQE53lExJiJDVy4aGlJkl0h0DBzvZ36ca2fb7DfJ<br>
L6ZdkzXPLIn6R4EapxMO5kUxJfpRez4Mq7U68vxunSW+YpYS1v3Ye86uWtd4KZb6<br>
Q9zVeGswiNbxt4cnV9TLTfKv2Y+2ml9lmHRaqFk729WDHKTMEmnSpQrEHrzWbMC2<br>
emxCIjtoknySiMCoANRdBGJieJTvJtral+Nbkhl46wSVhG99VtrNhkGA3HPwKyUo<br>
Ya0wXaKy90rVC6sncU+D8RJUur3Y8/1a+yy7L3QocJFDNizDGR2Gpd+7edYzO9TH<br>
loLh65WjWlSD0hw1dFVMH6i1s9uz5Hf5XwUYYtVnlGPN1Lp/A2HsdrJa0kPa2L4i<br>
MdJw0X5KxlV8yhUEUZZ2lgMXZTH5RoeHG5r//bK0EFQWyaReF5K1yEhHzLqoLygy<br>
voGAwLw/VO4cBB6daFOePpYphp2kQXSJ2XsVXlQEXXcRd/hF+kROkEo+FQ2laMf/<br>
VrW5XATp1XS5sTShRiqG3HM/B7bl+w2G8evCmrBIaSZSD+fZ2kJ5HwDiqKRhrle5<br>
xHW/ahNpaTg2/hDIX2qn<br>
=TPKc<br>
-----END PGP SIGNATURE-----<br>
<br>
</blockquote></div><br><br clear="all"><br></div></div><span class="HOEnZb"><font color="#888888">-- <br><div><div dir="ltr">Life is harsh<div></div><div></div></div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">Life is harsh<div></div><div></div></div></div>
</div>