<div dir="ltr">Maybe this will shed some light on the subject. The Chromebook is using the following configuration:<br><br><div>ipsec.conf</div><div>
<p class="p1">ike="3des-sha1-modp1024"</p>
<p class="p1"> esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"</p>
<p class="p1"> keyexchange="ikev1"</p>
<p class="p1"> rekey=yes</p>
<p class="p1"> left="%defaultroute"</p>
<p class="p1"> leftcert="%smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878"</p>
<p class="p1"> leftprotoport="17/1701"</p>
<p class="p1"> leftupdown="/usr/libexec/l2tpipsec_vpn/pluto_updown"</p>
<p class="p1"> right="162.243.137.92"</p>
<p class="p1"> rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"</p>
<p class="p1"> rightid="%any"</p>
<p class="p1"> rightprotoport="17/1701"</p>
<p class="p1"> type="transport"</p>
<p class="p1"> auto="start"</p>
<p class="p1">strongswan.conf</p>
<p class="p1">libstrongswan {</p>
<p class="p1">    plugins {</p>
<p class="p1">        pkcs11 {</p>
<p class="p1">            modules {</p>
<p class="p1">                crypto_module {</p>
<p class="p1">                    path = /usr/lib/libchaps.so</p>
<p class="p1">                }</p>
<p class="p1">            }</p>
<p class="p1">        }</p>
<p class="p1">    }</p>
<p class="p1">}</p>
<p class="p1">charon {</p>
<p class="p1">    accept_unencrypted_mainmode_messages = yes</p>
<p class="p1">    ignore_routing_tables = 0</p>
<p class="p1">    install_routes = no</p>
<p class="p1">    routing_table = 0</p>
<p class="p1">}</p>
<p class="p1"><br></p>
<p class="p1">ipsec.secrets</p>
<p class="p1">10.0.1.135 162.243.137.92 : PIN %smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878 "111111"</p>
<p class="p1">I'm trying to dig into the Chromium code and understand if this is the only config ChromeOS will generate, but assuming that is the case, how can I set the strongSwan server to answer that client config?</p>
<p class="p1">Thanks again for all the help</p>
<p class="p1">Ilan</p></div></div><br><div class="gmail_quote">On Thu Feb 05 2015 at 3:32:52 PM Ilan Caspi <<a href="mailto:ilan.caspi@gmail.com">ilan.caspi@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Noel,<br><br><div>Unfortunately that wasn't the ticket</div><div><br></div><div>
<p>14[CFG] candidate "chromebook", match: 1/19/28 (me/other/ike)</p>
<p>14[IKE] no peer config found</p>
<p>14[IKE] queueing INFORMATIONAL task</p>
<p>14[IKE] activating new tasks</p>
<p>14[IKE] activating INFORMATIONAL task</p>
<p>14[ENC] generating INFORMATIONAL_V1 request 1417043180 [ HASH N(AUTH_FAILED) ]</p></div><div><br></div><div>ipsec.conf</div><div></div></div><div dir="ltr"><div>
<p>conn chromebook</p>
<p> keyexchange=ikev1</p>
<p> authby=rsasig</p>
<p> rekey=no</p>
<p> keyingtries=2</p>
<p> left=%defaultroute</p>
<p> leftsubnet=0.0.0.0/0</p>
</div></div><div dir="ltr"><div><p> leftprotoport=udp/l2tp</p>
<p> leftcert=server.pem</p>
<p> right=%any</p>
<p> rightprotoport=udp/%any</p>
<p> rightrsasigkey=%cert</p>
<p> rightid="CN=*, OU=1957, O=mydomain.com, C=US"</p>
<p> auto=add</p>
<p> aggressive=yes</p></div></div><br><div class="gmail_quote">On Thu Feb 05 2015 at 1:27:22 PM Noel Kuntze <<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Hello Ilan,<br>
<br>
That could be the client trying to use aggressive mode.<br>
Enable it in the conn section and see if it works with it.<br>
<br>
Kind regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
On 05.02.2015 at 19:17, Ilan Caspi wrote:<br>
> Hi,<br>
><br>
> I'm trying to connect a Chromebook to Linux strongSwan U5.1.2/K3.13.0-43-generic with not much luck.<br>
><br>
> Using a secret the connection is just fine, but when moving the authentication to a CA things are going wrong. The certs should be ok because they work with a different connection.<br>
><br>
> From reading the logs the authentication is going well, but things start to go wrong here:<br>
><br>
> 15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]<br>
> 15[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)<br>
> 04[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]<br>
> 03[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]<br>
> 03[NET] waiting for data on sockets<br>
> 06[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)<br>
> 06[ENC] invalid HASH_V1 payload length, decryption failed?<br>
> 06[ENC] could not decrypt payloads<br>
> 06[IKE] message parsing failed<br>
> 06[IKE] ignore malformed INFORMATIONAL request<br>
><br>
> ipsec.conf<br>
><br>
> config setup<br>
>     charondebug="cfg 2, dmn 2, ike 2, net 2"<br>
>     uniqueids=never<br>
><br>
> conn %default<br>
>     authby=rsasig<br>
>     leftrsasigkey=%cert<br>
>     rightrsasigkey=%cert<br>
>     keyingtries=1<br>
>     keylife=60m<br>
>     ikelifetime=240m<br>
>     rightdns=8.8.8.8<br>
><br>
> conn ios<br>
>     keyexchange=ikev1<br>
>     xauth=server<br>
>     left=%defaultroute<br>
>     leftsubnet=0.0.0.0/0<br>
>     leftcert=server.pem<br>
>     right=%any<br>
>     rightid="CN=*, OU=1957, O=secretdomain.com, C=US"<br>
>     rightsourceip=172.27.0.0/16<br>
>     rightsubnet=172.27.0.0/16<br>
>     rightauth2=xauth-noauth<br>
>     ike=aes128-sha1-modp2048,3des-sha1-modp1536<br>
>     esp=aes128-sha1-modp2048,3des-sha1-modp1536<br>
>     rekey=no<br>
>     reauth=no<br>
>     dpddelay=10<br>
>     dpdtimeout=30<br>
>     dpdaction=clear<br>
>     auto=add<br>
>     fragmentation=yes<br>
><br>
> conn chromebook<br>
>     keyexchange=ikev1<br>
>     authby=rsasig<br>
>     rekey=no<br>
>     keyingtries=2<br>
>     left=%defaultroute<br>
>     leftsubnet=0.0.0.0/0<br>
>     leftprotoport=udp/l2tp<br>
>     leftcert=server.pem<br>
>     right=%any<br>
>     rightprotoport=udp/%any<br>
>     rightrsasigkey=%cert<br>
>     rightid="CN=*, OU=1957, O=secretdomain.com, C=US"<br>
>     auto=add<br>
><br>
> ipsec.secrets<br>
><br>
> : RSA /etc/ipsec.d/private/newserverkey.pem<br>
><br>
> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>
> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
</blockquote></div></blockquote></div>
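<div dir="ltr"><p>The following server-side conn is an added example written for this thread; it is not Ilan's config, not Noel's suggestion and not taken from strongSwan's documentation. It mirrors the ChromeOS client config posted at the top of the thread point by point: IKEv1 main mode (the client does not set aggressive, and strongSwan's IKEv1 responder only selects a conn whose aggressive setting matches the mode the initiator actually used, so a conn with aggressive=yes cannot answer this client), transport mode, UDP/1701 on both ends, certificate authentication without XAUTH, and an IKE proposal list that contains 3des-sha1-modp1024, the only proposal the client offers. server.pem and the rightid wildcard are taken from Ilan's own config; the DN in rightca is an assumed placeholder for the CA that issued the Chromebook's certificate.</p>
```ini
# /etc/ipsec.conf on the strongSwan server (added example, not from the thread)
config setup
    charondebug="cfg 2, ike 2, net 1"
    uniqueids=never

conn chromebook-l2tp
    keyexchange=ikev1
    # The client proposes exactly 3des-sha1-modp1024 for IKE, and
    # aes128-sha1, 3des-sha1, aes128-md5, 3des-md5 for ESP. List what the
    # server will accept and end with "!" so strongSwan does not append its
    # own defaults. 3DES, SHA-1 and modp1024 are weak by current standards;
    # they are accepted here only because the client offers nothing stronger.
    ike=3des-sha1-modp1024!
    esp=aes128-sha1,3des-sha1!
    # No aggressive=yes: the client runs main mode, and a conn flagged as
    # aggressive is not selected for a main-mode initiator.
    # L2TP runs inside a host-to-host transport-mode SA, so leftsubnet and
    # rightsubnet stay unset and the selectors default to the two endpoints
    # (the client is behind NAT, which NAT-T handles in transport mode).
    type=transport
    left=%defaultroute
    # server.pem must chain to the CA the client names in its rightca= line,
    # otherwise the client rejects the server's ID_PROT response.
    leftcert=server.pem
    leftprotoport=17/1701
    right=%any
    # The client proposes 17/1701 on both ends; %any is only needed for
    # clients that use a random L2TP source port.
    rightprotoport=17/1701
    authby=rsasig
    # Constraints on the client certificate: the DN pattern is the one from
    # the original config. rightca is an assumed placeholder: set it to the
    # DN of the CA that issued the Chromebook certificate, whose certificate
    # must be present in /etc/ipsec.d/cacerts.
    rightid="CN=*, OU=1957, O=mydomain.com, C=US"
    rightca="CN=Example Client CA, O=Example, C=US"
    rekey=no
    auto=add
```
<p>After editing, run <code>ipsec reload</code> and confirm with <code>ipsec listcacerts</code> that both CAs (the one the client's rightca names and the one that issued the client certificate) are loaded; <code>openssl verify -CAfile &lt;client-side CA file&gt; /etc/ipsec.d/certs/server.pem</code> checks that the server certificate really chains to the CA the Chromebook insists on. If the log still ends in "no peer config found", the candidate line printed just before it tells you which conn was considered; compare its aggressive, type and protoport settings against the client config line by line.</p></div>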