<div dir="ltr"><div><div><div>Hi Noel,<br></div>I managed to make it work; I just recreated all of the certs following the steps here: <a href="https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA">https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA</a><br><br></div>I have no idea why my last configuration does not work.<br><br></div><div>The difference is the --outform pem I used before.<br><pre><a href="https://gist.githubusercontent.com/songchenwen/14c1c663ea65d5d4a28b/raw/cef8d8bafe6168388b105f780c442412e6f8ede7/server_key.sh">https://gist.githubusercontent.com/songchenwen/14c1c663ea65d5d4a28b/raw/cef8d8bafe6168388b105f780c442412e6f8ede7/server_key.sh</a><br><a href="https://gist.githubusercontent.com/songchenwen/14c1c663ea65d5d4a28b/raw/54843ae2e5e6d1159134cd9a90a08c31ff5a253d/client_key.sh">https://gist.githubusercontent.com/songchenwen/14c1c663ea65d5d4a28b/raw/54843ae2e5e6d1159134cd9a90a08c31ff5a253d/client_key.sh</a><br></pre></div><div>I used those 2 shell scripts to create all the certs before.<br></div><div><br>This raises a new question: I want to migrate this configuration to my other VPS, which has the pem-form certs for now.<br><br></div><div>How can I make that work?<br><br></div><div>Thanks,<br><br></div><div>Eric<br></div><div> <br></div><br><div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 26, 2014 at 9:27 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
Hello Eric,<br>
<br>
</span>Do you have a passthrough policy configured on your router for localNet to localNet?<br>
Also, please read [1]. Did you except IPsec traffic from NAT? If you did, please<br>
show me your current iptables rules. Do you have a complete log of that failure?<br>
If not, please reproduce it with logging enabled.<br>
<br>
[1]  <a href="https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling</a><br>
<span class=""><br>
<br>
Kind regards/Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
</span>On 26.12.2014 at 10:40, Eric Y. Zhang wrote:<br>
<span class="">> on client: ipsec start --nofork<br>
> it ends up like this<br>
</span>> 09[KNL] creating acquire job for policy 192.168.89.1/32[icmp] === 192.168.87.1/32[icmp] with reqid {1}<br>
<span class="">> 05[CFG] ignoring acquire, connection attempt pending<br>
> 06[KNL] creating delete job for ESP CHILD_SA with SPI c24d7360 and reqid {1}<br>
> 06[JOB] CHILD_SA with reqid 1 not found for delete<br>
> 03[IKE] giving up after 5 retransmits<br>
> 03[IKE] establishing IKE_SA failed, peer not responding<br>
><br>
><br>
</span>> On Fri, Dec 26, 2014 at 5:27 PM, Eric Y. Zhang <<a href="mailto:debiansid@gmail.com">debiansid@gmail.com</a>> wrote:<br>
><br>
>     vpn-2-ctu-openwrt:   child:  0.0.0.0/0 === 192.168.89.0/24 PASS<br>
<span class="">>     Security Associations (1 up, 0 connecting):<br>
>     vpn-2-ctu-openwrt[1]: ESTABLISHED 57 seconds ago, 192.99.70.158[C=CH, O=strongSwan, CN=192.99.70.158]...110.188.32.238[C=CH, O=strongSwan, CN=192.168.89.1]<br>
>     vpn-2-ctu-openwrt[1]: IKEv2 SPIs: 4eafbff72188a47c_i 396f31d11faa1052_r*, public key reauthentication in 53 minutes<br>
>     vpn-2-ctu-openwrt[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
>     vpn-2-ctu-openwrt{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c04787a2_i cb4f91c5_o<br>
>     vpn-2-ctu-openwrt{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes<br>
</span>>     vpn-2-ctu-openwrt{1}:   0.0.0.0/0 === 192.168.89.0/24<br>
<span class="">><br>
>     after signing the openwrt server cert with the same root CA as on the VPS, it looks like the tunnel is up, but I still cannot ping.<br>
><br>
</span>>     On Fri, Dec 26, 2014 at 3:46 PM, Eric Y. Zhang <<a href="mailto:debiansid@gmail.com">debiansid@gmail.com</a>> wrote:<br>
><br>
>         04[KNL] creating acquire job for policy 192.168.89.1/32[icmp] === 192.168.87.1/32[icmp] with reqid {1}<br>
<span class="">>         04[IKE] initiating IKE_SA net-net[1] to 192.99.70.158<br>
>         04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
>         04[NET] sending packet: from 192.168.88.101[500] to 192.99.70.158[500] (676 bytes)<br>
>         02[NET] received packet: from 192.99.70.158[500] to 192.168.88.101[500] (465 bytes)<br>
>         02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>
>         02[IKE] local host is behind NAT, sending keep alives<br>
>         02[IKE] received 1 cert requests for an unknown ca<br>
>         02[IKE] sending cert request for "C=CH, O=strongSwan, CN=192.168.89.1"<br>
>         02[IKE] authentication of 'C=CH, O=strongSwan, CN=192.168.89.1' (myself) with RSA signature successful<br>
>         02[IKE] sending end entity cert "C=CH, O=strongSwan, CN=192.168.89.1"<br>
>         02[IKE] establishing CHILD_SA net-net{1}<br>
>         02[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]<br>
>         02[NET] sending packet: from 192.168.88.101[4500] to 192.99.70.158[4500] (1868 bytes)<br>
>         01[NET] received packet: from 192.99.70.158[4500] to 192.168.88.101[4500] (76 bytes)<br>
>         01[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>
>         01[IKE] received AUTHENTICATION_FAILED notify error<br>
><br>
><br>
</span><span class="">>         On Fri, Dec 26, 2014 at 1:18 PM, Eric Y. Zhang <<a href="mailto:debiansid@gmail.com">debiansid@gmail.com</a>> wrote:<br>
><br>
>             conn net-net<br>
>                     left=%defaultroute<br>
</span>>                     leftsubnet=192.168.89.0/24<br>
<span class="">>                     leftcert=vpnHostCert.pem<br>
>                     leftid="C=CH, O=strongSwan, CN=192.168.89.1"<br>
>                     leftfirewall=yes<br>
>                     right=VPS IP<br>
</span>>                     #rightsubnet=192.168.87.0/24<br>
>                     rightsubnet=0.0.0.0/0<br>
<span class="">>                     rightid="C=CH, O=strongSwan, CN=VPS IP"<br>
>                     auto=route<br>
><br>
>             ipsec statusall<br>
>              net-net:  %any...vps ip  IKEv2<br>
>                  net-net:   local:  [C=CH, O=strongSwan, CN=192.168.89.1] uses public key authentication<br>
>                  net-net:    cert:  "C=CH, O=strongSwan, CN=192.168.89.1"<br>
>                  net-net:   remote: [C=CH, O=strongSwan, CN=vps ip] uses public key authentication<br>
</span>>                  net-net:   child:  192.168.89.0/24 === 0.0.0.0/0 TUNNEL<br>
>             Shunted Connections:<br>
>                local-net:  192.168.89.0/24 === 192.168.89.0/24 PASS<br>
<span class="">>             Routed Connections:<br>
>                  net-net{1}:  ROUTED, TUNNEL<br>
</span>>                  net-net{1}:   192.168.89.0/24 === 0.0.0.0/0<br>
<span class="">>             Security Associations (0 up, 0 connecting):<br>
>               none<br>
><br>
>             but I cannot ping my VPS via the ipsec tunnel.<br>
><br>
>             Any idea?<br>
><br>
><br>
</span><span class="">>             On Fri, Dec 26, 2014 at 8:45 AM, Eric Zhang <<a href="mailto:debiansid@gmail.com">debiansid@gmail.com</a>> wrote:<br>
><br>
>                 You mean I have to use the VPS side's root CA to issue and sign the server cert and user cert for the openwrt side?<br>
><br>
>                 Sent from Mobile<br>
><br>
><br>
</span><span class="">>                 > On December 26, 2014, at 03:36, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> wrote:<br>
>                 ><br>
>                 ><br>
> Hello Eric,<br>
><br>
> You can use email addresses in the DN and the SAN fields of the certificate of the router to authenticate it against the server.<br>
</span>> Example: ipsec pki --issue [...] --dn "C=DE, O=FooBar Corp, CN=bar@baz.de" --san "bar@baz.de"<br>
<span class="">><br>
> Then set the email address in the rightid on the server.<br>
><br>
> >                 >> On 25.12.2014 at 07:06, Eric Zhang wrote:<br>
> >                 >> Yes, my local side is ADSL, which has a dynamic IP; can I set up certs to authenticate?<br>
> >                 >><br>
> >                 >> Sent from Mobile<br>
> >                 >><br>
> >                 >><br>
</span>> >                 >>> On December 24, 2014, at 22:45, Zesen Qian <<a href="mailto:strongswan-users@riaqn.com">strongswan-users@riaqn.com</a>> wrote:<br>
<span class="">> >                 >>><br>
> >                 >>> Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> writes:<br>
> >                 >>><br>
> >                 >>>> Hello Eric,<br>
> >                 >>>><br>
> >                 >>>> See [1] for authentication using X509 certificates and site-to-site tunnels.<br>
> >                 >>>><br>
> >                 >>>> [1] <a href="http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/" target="_blank">http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/</a><br>
> >                 >>>><br>
> >                 >>>>> On 24.12.2014 at 00:42, Eric Zhang wrote:<br>
> >                 >>>>> How can I use RSA authentication with X.509 certificates to set up an IP tunnel between my PPPoE side and the VPS (which has a fixed IP)?<br>
> >                 >>>>><br>
> >                 >>>>> Thanks<br>
> >                 >>>>><br>
> >                 >>>>> Eric<br>
> >                 >>>><br>
> >                 >>>><br>
> >                 >>>> _______________________________________________<br>
> >                 >>>> Users mailing list<br>
</span>> >                 >>>> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<span class="">> >                 >>>> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
> >                 >>> Hello Noel,<br>
> >                 >>>     I guess the question Eric wants to ask is mainly about site-to-site<br>
> >                 >>>     with a "dynamic IP" on one side, while the other side has a fixed IP.<br>
> >                 >>>     I'm also eager to know since it's my situation too. :) My IPv6<br>
> >                 >>>     address is dynamic.<br>
> >                 >>>     If I omit the left= parameter, which defaults to %any, it<br>
> >                 >>>     sometimes (and randomly) would use ::1 on local, which surely<br>
> >                 >>>     won't succeed. Other times it would use the global address, which<br>
> >                 >>>     works just fine.<br>
> >                 >>><br>
> >                 >>> --<br>
> >                 >>> Zesen Qian (钱泽森)<br>
> >                 >>> Undergraduate<br>
> >                 >>> School of Software<br>
> >                 >>> Shanghai Jiao Tong University<br>
><br>
>                 ><br>
>                 ><br>
><br>
><br>
><br>
><br>
</span><span class="">>             --<br>
>             Life is harsh<br>
<br>
</span>
<br>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">Life is harsh<div></div><div></div></div></div>
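The charon log and <code>ipsec statusall</code> excerpts quoted in this thread show three distinct failure stages: no IKE reply at all, an AUTHENTICATION_FAILED response, and a tunnel that is up but carries no traffic. As an added example (not code from the thread or from strongSwan), here is a small rule-based triage over such excerpts; the patterns are taken from the output quoted above, the hints are this editor's own summary of the advice given in the thread, and the sample logs are constructed from the quoted lines.

```python
import re
from typing import Dict, List

# Rules mapping charon log / "ipsec statusall" fragments to a failure stage and a hint.
# Patterns come from the output quoted in this thread; the hints are this example's own
# summary of the thread's advice (same root CA on both ends, matching identities, NAT rules).
RULES = [
    (r"received AUTHENTICATION_FAILED notify", "auth",
     "peer rejected IKE_AUTH: check it trusts our CA and that leftid/rightid match the certs"),
    (r"cert requests? for an unknown ca", "auth",
     "peer requests a cert from a CA we do not hold: issue both ends from the same root CA"),
    (r"giving up after \d+ retransmits|peer not responding", "transport",
     "no IKE reply: check UDP 500/4500 reachability and the firewall/NAT rules"),
    (r"local host is behind NAT", "info",
     "NAT-T detected: ESP will be encapsulated in UDP 4500"),
    (r"\b0 bytes_i, 0 bytes_o\b", "traffic",
     "SA installed but no traffic flows: check passthrough policy, forwarding and iptables"),
]
STAGE_ORDER = ["transport", "auth", "traffic", "info"]  # most to least fundamental

def triage(log: str) -> Dict[str, List[str]]:
    """Group matching hints by stage; each hint is reported once per stage."""
    findings: Dict[str, List[str]] = {}
    for line in log.splitlines():
        for pattern, stage, hint in RULES:
            if re.search(pattern, line):
                hints = findings.setdefault(stage, [])
                if hint not in hints:
                    hints.append(hint)
    return findings

def primary_stage(findings: Dict[str, List[str]]) -> str:
    """Stage to fix first: no reply before auth failure before a silent tunnel; 'ok' if none."""
    return next((s for s in STAGE_ORDER if s in findings), "ok")

# Constructed samples, shortened from the excerpts quoted in the thread.
AUTH_FAIL = """02[IKE] local host is behind NAT, sending keep alives
02[IKE] received 1 cert requests for an unknown ca
01[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
01[IKE] received AUTHENTICATION_FAILED notify error"""
NO_REPLY = """05[CFG] ignoring acquire, connection attempt pending
03[IKE] giving up after 5 retransmits
03[IKE] establishing IKE_SA failed, peer not responding"""
UP_NO_TRAFFIC = """vpn-2-ctu-openwrt{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c04787a2_i cb4f91c5_o
vpn-2-ctu-openwrt{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes"""

if __name__ == "__main__":
    for name, log in (("auth", AUTH_FAIL), ("no reply", NO_REPLY), ("no traffic", UP_NO_TRAFFIC)):
        print(f"{name}: fix '{primary_stage(triage(log))}' first -> {triage(log)}")
```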
</div>