[strongSwan] strongSwan on Maemo (Nokia N900)
Peter Winterer
winterer at informatik.uni-freiburg.de
Fri Sep 2 12:43:21 CEST 2011
Hi,
>>>> [IKE] unable to allocate SPIs from kernel
>>>
>>> Unfortunately, the stock N900 kernel does not support the required IPsec
>>> modules. You'll have to install the "kernel-power" [1] package. It seems
>>> that such a hint is missing on our wiki page, I'll fix that.
>>
>> Hm, that's strange since the Maemo strongswan package actually has a
>> dependency on kernel-power (>= 2.6.28-maemo42). Peter, did you restart
>> your device after installing the packages?
>
> That's it, installing the "kernel-power" [1] package, solves the issue
> with "unable to allocate SPIs from kernel" on the device.

Although I'm able to establish a VPN connection with the "EAP NetworkManager
Client", I'm not able to connect with my N900 device to our strongSwan
gateway. Something seems to be wrong with the gateway peer config. Both
clients (N900 and EAP NM) are configured with the "gateway-certificate".
The "Subject Alternative Name" of the gateway-certificate is
"email:root at vpn.server.de"

Here is the gateway peer config:

conn eap-intern
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    rekey=no
    left=10.1.0.2
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=cert.pem
    leftid=@vpn.server.de
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%any
    auto=add

Here is the gateway log when I try to connect with the N900 device:

08[NET] received packet: from 10.205.1.129[4500] to 10.1.0.2[4500]
08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CP(ADDR DNS)
SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
[CFG] looking for peer configs matching
10.1.0.2[vpn.server.de]...10.205.1.129[wipe at mopo]
08[CFG] no matching peer config found
...
08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Here is the gateway log when I connect with the "EAP NetworkManager" client:

04[CFG] looking for peer configs matching 10.1.0.2[C=DE, O=MoPo WLAN Uni
Freiburg, CN=vpn.server.de]...10.205.1.1[wipe at mopo]
04[CFG] candidate "eap-intern", match: 20/1/5 (me/other/ike)
04[CFG] selected peer config 'mopo-eap-intern'
04[IKE] initiating EAP-Identity request
...
04[IKE] authentication of 'C=DE, O=MoPo WLAN Uni Freiburg,
CN=vpn.server.de' (myself) with RSA signature successful
04[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
...
14[IKE] received EAP identity 'wipe at mopo'
...
14[IKE] initiating EAP_RADIUS method
14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
...
08[IKE] authentication of 'wipe at mopo' with EAP successful
....
Maybe this issue deals with the "SubjectAltName", configured in the
gateway-certificate?
Thanks for any help!
peter
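
Added example, not part of the original message: a Python sketch that rejoins the mail-wrapped gateway log lines quoted above and lists, for each "looking for peer configs matching" lookup, the gateway identity, the client identity and the outcome. Run on the quoted lines, it shows the N900 attempt being looked up under the gateway identity vpn.server.de and the NetworkManager attempt under the certificate subject DN. The sample lines are copied from the two logs in the message; the function names are hypothetical.

```python
import re

# Sample lines copied from the two gateway logs quoted in the message above.
SAMPLE = """\
08[NET] received packet: from 10.205.1.129[4500] to 10.1.0.2[4500]
[CFG] looking for peer configs matching
10.1.0.2[vpn.server.de]...10.205.1.129[wipe at mopo]
08[CFG] no matching peer config found
04[CFG] looking for peer configs matching 10.1.0.2[C=DE, O=MoPo WLAN Uni
Freiburg, CN=vpn.server.de]...10.205.1.1[wipe at mopo]
04[CFG] candidate "eap-intern", match: 20/1/5 (me/other/ike)
04[CFG] selected peer config 'mopo-eap-intern'
"""

RECORD = re.compile(r"^(?:\d+)?\[([A-Z]{3})\] (.*)$")
LOOKUP = re.compile(r"looking for peer configs matching "
                    r"([^\[\s]+)\[(.+?)\]\.\.\.([^\[\s]+)\[(.+)\]$")
SELECTED = re.compile(r"selected peer config '(.+)'")

def records(text):
    """Rejoin mail-wrapped lines into [subsystem, message] records."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or set(line) == {"."}:   # skip blanks and "..." elisions
            continue
        m = RECORD.match(line)
        if m:
            out.append([m.group(1), m.group(2)])
        elif out:                            # continuation of a wrapped line
            out[-1][1] += " " + line
    return out

def lookups(text):
    """One dict per peer-config lookup: identities and the outcome."""
    found = []
    for subsys, msg in records(text):
        if subsys != "CFG":
            continue
        m = LOOKUP.search(msg)
        if m:
            found.append({"local_id": m.group(2), "remote_ip": m.group(3),
                          "remote_id": m.group(4), "result": None})
        elif found and found[-1]["result"] is None:
            s = SELECTED.search(msg)
            if "no matching peer config found" in msg:
                found[-1]["result"] = "no match"
            elif s:
                found[-1]["result"] = "selected " + s.group(1)
    return found
```

Calling lookups(SAMPLE) returns two entries with the same client identity but different gateway identities, which is the difference to compare against the identities the gateway certificate actually contains.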