
<div dir="ltr">Hi Noel,<br><br><div>Unfortunately that wasn't the ticket</div><div><br></div><div>


<p class="p1">14[CFG]   candidate "chromebook", match: 1/19/28 (me/other/ike)</p>

<p class="p1">14[IKE] no peer config found</p>

<p class="p1">14[IKE] queueing INFORMATIONAL task</p>

<p class="p1">14[IKE] activating new tasks</p>

<p class="p1">14[IKE]   activating INFORMATIONAL task</p>

<p class="p1">14[ENC] generating INFORMATIONAL_V1 request 1417043180 [ HASH N(AUTH_FAILED) ]</p></div><div><br></div><div>ipsec,conf</div><div>


<p class="p1">conn chromebook</p>

<p class="p1">    keyexchange=ikev1</p>

<p class="p1">    authby=rsasig</p>

<p class="p1">    rekey=no</p>

<p class="p1">    keyingtries=2</p>

<p class="p1">    left=%defaultroute</p>

<p class="p1">    leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></p>

<p class="p1">    leftprotoport=udp/l2tp</p>

<p class="p1">    leftcert=server.pem</p>

<p class="p1">    right=%any</p>

<p class="p1">    rightprotoport=udp/%any</p>

<p class="p1">    rightrsasigkey=%cert</p>

<p class="p1">    rightid="CN=*, OU=1957, O=<a href="http://mydomain.com">mydomain.com</a>, C=US"</p>

<p class="p1">    auto=add</p>

<p class="p1">    aggressive=yes</p></div></div><br><div class="gmail_quote">On Thu Feb 05 2015 at 1:27:22 PM Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>

-----BEGIN PGP SIGNED MESSAGE-----<br>

Hash: SHA256<br>

<br>

Hello Ilan,<br>

<br>

That could be the client trying to use agressive mode.<br>

Enable it in the conn section and see if it works with it.<br>

<br>

Mit freundlichen Grüßen/Regards,<br>

Noel Kuntze<br>

<br>

GPG Key ID: 0x63EC6658<br>

Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>

<br>

Am 05.02.2015 um 19:17 schrieb Ilan Caspi:<br>

> Hi,<br>

><br>

> I'm trying to connect a chromebook to Linux strongSwan U5.1.2/K3.13.0-43-generic with not much luck.<br>

><br>

> Using a secret the connection is just fine but when moving the authentication using a CA things are going wrong. The certs should be ok because they work with a different connection<br>

><br>

> From reading the logs the authentication is going well but things are starting to go wrong here:<br>

><br>

> 15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]<br>

><br>

> 15[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)<br>

><br>

> 04[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]<br>

><br>

> 03[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]<br>

><br>

> 03[NET] waiting for data on sockets<br>

><br>

> 06[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)<br>

><br>

> 06[ENC] invalid HASH_V1 payload length, decryption failed?<br>

><br>

> 06[ENC] could not decrypt payloads<br>

><br>

> 06[IKE] message parsing failed<br>

><br>

> 06[IKE] ignore malformed INFORMATIONAL request<br>

><br>

> ipsec.conf<br>

><br>

> config setup<br>

><br>

>     charondebug="cfg 2, dmn 2, ike 2, net 2"<br>

><br>

>     uniqueids=never<br>

><br>

> conn %default<br>

><br>

> authby=rsasig<br>

><br>

>  leftrsasigkey=%cert<br>

><br>

>  rightrsasigkey=%cert<br>

><br>

>  keyingtries=1<br>

><br>

>  keylife=60m<br>

><br>

>  ikelifetime=240m<br>

><br>

> rightdns=8.8.8.8<br>

><br>

><br>

> conn ios<br>

><br>

>     keyexchange=ikev1<br>

><br>

>     xauth=server<br>

><br>

>     left=%defaultroute<br>

><br>

>     leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>

><br>

>     leftcert=server.pem<br>

><br>

>     right=%any<br>

><br>

>     rightid="CN=*, OU=1957, O=<a href="http://secretdomain.com" target="_blank">secretdomain.com</a> <<a href="http://pertino.com" target="_blank">http://pertino.com</a>>, C=US"<br>

><br>

>     rightsourceip=<a href="http://172.27.0.0/16" target="_blank">172.27.0.0/16</a> <<a href="http://172.27.0.0/16" target="_blank">http://172.27.0.0/16</a>><br>

><br>

>     rightsubnet=<a href="http://172.27.0.0/16" target="_blank">172.27.0.0/16</a> <<a href="http://172.27.0.0/16" target="_blank">http://172.27.0.0/16</a>><br>

><br>

>     rightauth2=xauth-noauth<br>

><br>

>     ike=aes128-sha1-modp2048,3des-<u></u>sha1-modp1536<br>

><br>

>     esp=aes128-sha1-modp2048,3des-<u></u>sha1-modp1536<br>

><br>

>     rekey=no<br>

><br>

>     reauth=no<br>

><br>

>     dpddelay=10<br>

><br>

>     dpdtimeout=30<br>

><br>

>     dpdaction=clear<br>

><br>

>     auto=add<br>

><br>

>     fragmentation=yes<br>

><br>

><br>

><br>

> conn chromebook<br>

><br>

>     keyexchange=ikev1<br>

><br>

>     authby=rsasig<br>

><br>

>     rekey=no<br>

><br>

>     keyingtries=2<br>

><br>

>     left=%defaultroute<br>

><br>

>     leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>

><br>

>     leftprotoport=udp/l2tp<br>

><br>

>     leftcert=server.pem<br>

><br>

>     right=%any<br>

><br>

>     rightprotoport=udp/%any<br>

><br>

>     rightrsasigkey=%cert<br>

><br>

>     rightid="CN=*, OU=1957, O= <a href="http://secretdomain.com" target="_blank">secretdomain.com</a> <<a href="http://pertino.com" target="_blank">http://pertino.com</a>>, C=US"<br>

><br>

>     auto=add<br>

><br>

> ipsec.secrets<br>

><br>

> : RSA /etc/ipsec.d/private/<u></u>newserverkey.pem<br>

><br>

><br>

><br>

> ______________________________<u></u>_________________<br>

> Users mailing list<br>

> <a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>

> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/<u></u>mailman/listinfo/users</a><br>

<br>

-----BEGIN PGP SIGNATURE-----<br>

Version: GnuPG v2<br>

<br>

iQIcBAEBCAAGBQJU0+<u></u>AqAAoJEDg5KY9j7GZYA9AP/<u></u>0ufz0Ur1gbiPMPjr9xZR9w7<br>

ciRsuuGKZ8njpt36rGacFXDrD9X2dR<u></u>tuYTa9UCkHo//e+nqZwB8JlK0f+<u></u>sKePCqG<br>

FodwUubzmT8maARmE5x33B6O1sG8XH<u></u>LdbWeNBoVY4N1Di1fjizPTqyxM1HCY<u></u>ZMtc<br>

WSN1FUQ2Rceo6NL6KGo8/IAtoIr+<u></u>ovX0ok1hX5Jzd98bTUeGfcOVcedyX5<u></u>auwEnZ<br>

efHqrkqaHwqCa6B3r/<u></u>iOmDpW0A877hIYK45mBc87mF2k40l4<u></u>zX97nbt/UM9BtSaX<br>

/xuhU4wS02HkGcSqp+z/<u></u>d6CMgOsVLAjhgesyPZgzY+<u></u>oNOvEHUDNOC0i5SV2uYBNY<br>

Z5mlL1ZPD/<u></u>2fr4jDR1vfmQXiqo7jsJHdWjMT+<u></u>X3zfptxDF1ek34PyyCc/fOq8zDK<br>

Xmk2hMi4Kr3ldE1+<u></u>se8eERh7S0S1gNVrqoDkRN6OklwpwK<u></u>iaJtgNT7OBZCl9Zhwn<br>

fuiB+0ilK6ADPtasSgw5IKXrLyNry+<u></u>oh6lCHgJ2mrngfOfgxjxgoZLymMr6A<u></u>d9wC<br>

zgAhU+<u></u>Ai4EJH3xQehfZYZV775KfDp22o5HCR<u></u>/Ho2PaFuKxLnTFeXsQHltog/Jd0L<br>

3seAqFSu7yEJ4DuDFzHCBiUdN9AQpY<u></u>qj5fgIYbH2vo3/<u></u>L7TqEDYqKUyylX3vvIYc<br>

02x4JkZxJIZMAZh8yvdH<br>

=oI9J<br>

-----END PGP SIGNATURE-----<br>

<br>

______________________________<u></u>_________________<br>

Users mailing list<br>

<a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>

<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/<u></u>mailman/listinfo/users</a></blockquote></div>