<div dir="ltr">Hi Noel,<br><br><div>Unfortunately that wasn't the ticket</div><div><br></div><div>







<p class="p1">14[CFG]   candidate "chromebook", match: 1/19/28 (me/other/ike)</p>
<p class="p1">14[IKE] no peer config found</p>
<p class="p1">14[IKE] queueing INFORMATIONAL task</p>
<p class="p1">14[IKE] activating new tasks</p>
<p class="p1">14[IKE]   activating INFORMATIONAL task</p>
<p class="p1">14[ENC] generating INFORMATIONAL_V1 request 1417043180 [ HASH N(AUTH_FAILED) ]</p></div><div><br></div><div>ipsec.conf</div><div>







<p class="p1">conn chromebook</p>
<p class="p1">    keyexchange=ikev1</p>
<p class="p1">    authby=rsasig</p>
<p class="p1">    rekey=no</p>
<p class="p1">    keyingtries=2</p>
<p class="p1">    left=%defaultroute</p>
<p class="p1">    leftsubnet=0.0.0.0/0</p>
<p class="p1">    leftprotoport=udp/l2tp</p>
<p class="p1">    leftcert=server.pem</p>
<p class="p1">    right=%any</p>
<p class="p1">    rightprotoport=udp/%any</p>
<p class="p1">    rightrsasigkey=%cert</p>
<p class="p1">    rightid="CN=*, OU=1957, O=mydomain.com, C=US"</p>
<p class="p1">    auto=add</p>
<p class="p1">    aggressive=yes</p></div></div><br><div class="gmail_quote">On Thu Feb 05 2015 at 1:27:22 PM Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Hello Ilan,<br>
<br>
That could be the client trying to use aggressive mode.<br>
Enable it in the conn section and see if it works with it.<br>
<br>
Mit freundlichen Grüßen/Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
Am 05.02.2015 um 19:17 schrieb Ilan Caspi:<br>
> Hi,<br>
><br>
> I'm trying to connect a chromebook to Linux strongSwan U5.1.2/K3.13.0-43-generic with not much luck.<br>
><br>
> Using a secret the connection is just fine but when moving the authentication using a CA things are going wrong. The certs should be ok because they work with a different connection<br>
><br>
> From reading the logs the authentication is going well but things are starting to go wrong here:<br>
><br>
> 15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]<br>
><br>
> 15[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)<br>
><br>
> 04[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]<br>
><br>
> 03[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]<br>
><br>
> 03[NET] waiting for data on sockets<br>
><br>
> 06[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)<br>
><br>
> 06[ENC] invalid HASH_V1 payload length, decryption failed?<br>
><br>
> 06[ENC] could not decrypt payloads<br>
><br>
> 06[IKE] message parsing failed<br>
><br>
> 06[IKE] ignore malformed INFORMATIONAL request<br>
><br>
> ipsec.conf<br>
><br>
> config setup<br>
><br>
>     charondebug="cfg 2, dmn 2, ike 2, net 2"<br>
><br>
>     uniqueids=never<br>
><br>
> conn %default<br>
><br>
>     authby=rsasig<br>
><br>
>     leftrsasigkey=%cert<br>
><br>
>     rightrsasigkey=%cert<br>
><br>
>     keyingtries=1<br>
><br>
>     keylife=60m<br>
><br>
>     ikelifetime=240m<br>
><br>
>     rightdns=8.8.8.8<br>
><br>
><br>
> conn ios<br>
><br>
>     keyexchange=ikev1<br>
><br>
>     xauth=server<br>
><br>
>     left=%defaultroute<br>
><br>
>     leftsubnet=0.0.0.0/0<br>
><br>
>     leftcert=server.pem<br>
><br>
>     right=%any<br>
><br>
>     rightid="CN=*, OU=1957, O=secretdomain.com, C=US"<br>
><br>
>     rightsourceip=172.27.0.0/16<br>
><br>
>     rightsubnet=172.27.0.0/16<br>
><br>
>     rightauth2=xauth-noauth<br>
><br>
>     ike=aes128-sha1-modp2048,3des-sha1-modp1536<br>
><br>
>     esp=aes128-sha1-modp2048,3des-sha1-modp1536<br>
><br>
>     rekey=no<br>
><br>
>     reauth=no<br>
><br>
>     dpddelay=10<br>
><br>
>     dpdtimeout=30<br>
><br>
>     dpdaction=clear<br>
><br>
>     auto=add<br>
><br>
>     fragmentation=yes<br>
><br>
><br>
><br>
> conn chromebook<br>
><br>
>     keyexchange=ikev1<br>
><br>
>     authby=rsasig<br>
><br>
>     rekey=no<br>
><br>
>     keyingtries=2<br>
><br>
>     left=%defaultroute<br>
><br>
>     leftsubnet=0.0.0.0/0<br>
><br>
>     leftprotoport=udp/l2tp<br>
><br>
>     leftcert=server.pem<br>
><br>
>     right=%any<br>
><br>
>     rightprotoport=udp/%any<br>
><br>
>     rightrsasigkey=%cert<br>
><br>
>     rightid="CN=*, OU=1957, O= secretdomain.com, C=US"<br>
><br>
>     auto=add<br>
><br>
> ipsec.secrets<br>
><br>
> : RSA /etc/ipsec.d/private/newserverkey.pem<br>
><br>
><br>
><br>
> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>
> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
<br>
</blockquote></div>
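<p>Added example, not part of the original thread: a small Python triage of charon log lines like the ones pasted above. It pairs each <code>candidate</code> line with a later <code>no peer config found</code> on the same thread number and collects the notifies the daemon generated. The function name <code>triage</code>, the failure labels and the same-thread pairing heuristic are assumptions made here; the sample lines are copied from the two messages.</p>

```python
import re

# charon line shape seen in the thread: "<thread>[<SUBSYS>] <message>"
LINE = re.compile(r'^(\d+)\[[A-Z]{3}\]\s+(.*)$')
CANDIDATE = re.compile(r'candidate "([^"]+)", match: (\d+)/(\d+)/(\d+) \(me/other/ike\)')
NOTIFY = re.compile(r'N\(([A-Z0-9_]+)\)')
# Message substrings copied from the thread; the labels are this example's own.
FAILURES = {
    "no peer config found": "no-peer-config",
    "invalid HASH_V1 payload length": "bad-hash-length",
    "could not decrypt payloads": "decrypt-failed",
    "message parsing failed": "parse-failed",
}

def triage(log_text):
    """Summarise candidates, failures and generated notifies in a charon log."""
    candidates, failures, notifies, rejected = [], [], [], []
    seen = {}  # thread number -> conn names listed as candidates so far
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or not a charon log line
        thread, msg = int(m.group(1)), m.group(2)
        c = CANDIDATE.search(msg)
        if c:
            me, other, ike = (int(x) for x in c.groups()[1:])
            candidates.append({"thread": thread, "conn": c.group(1),
                               "me": me, "other": other, "ike": ike})
            seen.setdefault(thread, []).append(c.group(1))
        for needle, label in FAILURES.items():
            if needle in msg:
                failures.append((thread, label))
        if "no peer config found" in msg:
            # Assumption: candidates logged earlier on this thread were the ones turned down.
            rejected.extend(seen.pop(thread, []))
        if msg.startswith("generating"):
            notifies.extend(NOTIFY.findall(msg))
    return {"candidates": candidates, "failures": failures,
            "rejected": rejected, "notifies_sent": notifies}

# Sample input: log lines copied from the two messages in this thread.
SAMPLE = '''
14[CFG]   candidate "chromebook", match: 1/19/28 (me/other/ike)
14[IKE] no peer config found
14[ENC] generating INFORMATIONAL_V1 request 1417043180 [ HASH N(AUTH_FAILED) ]
06[ENC] invalid HASH_V1 payload length, decryption failed?
06[ENC] could not decrypt payloads
06[IKE] message parsing failed
'''
```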