[strongSwan] Question on IKEv2

Andreas Steffen andreas.steffen at strongswan.org
Tue Apr 3 08:35:20 CEST 2012


Hello Chris,

I think you misconfigured your certificates:

You should create a CA certificate and put it in /etc/ipsec.d/cacerts/.

Then you should create two X.509 end entity certificates with
matching private keys, one for strongSwan and one for sonicwall,
and sign both certificates with the private key of the CA.

The private strongSwan key you put into /etc/ipsec.d/private/ and
the strongSwan certificate into /etc/ipsec.d/certs/.

Then you package the private sonicwall key, sonicwall certificate
and CA certificate into a PKCS#12 file (*.p12) and import it into
your sonicwall box.

The certificate request strongSwan sends should then be for the CA.

RSA keys and certificates can be generated using either openssl-based
tools

  http://wiki.strongswan.org/projects/strongswan/wiki/CAmanagementGUIs

or the ipsec pki command

  http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

Regards

Andreas

On 04/03/2012 05:11 AM, Chris Arnold wrote:
> I uninstalled strongswan and started over again with strongswan. This time I followed this:
> http://www.strongswan.org/uml/testre...psk/index.html
> under the sun heading. This time I try to ping the remote network from the subnet behind the sonicwall; I get a whole different set of logs:
> 3 04/02/2012 22:17:06.096 Warning VPN IKE IKEv2 Received notify error payload strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; Invalid Syntax 
> 4 04/02/2012 22:17:06.096 Info VPN IKE IKEv2 Initiator: Received IKE_AUTH response strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 
> 5 04/02/2012 22:17:06.080 Info VPN IKE IKEv2 Initiator: Send IKE_AUTH request strongswan.public.ip, 4500 sonicwall.public.ip, 4500 VPN Policy: ELC VPN; 
> 6 04/02/2012 22:17:06.064 Info VPN IKE IKEv2 NAT device detected between negotiating peers strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; Peer gateway is behind a NAT device 
> 7 04/02/2012 22:17:05.912 Info VPN IKE IKEv2 Accept IKE SA Proposal strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 3DES; HMAC_SHA1_96; DH Group 2; IKEv2 InitSPI: 0x78c7c9e9e8ee7c4d; IKEv2 RespSPI: 0x358c22dd808e74fa 
> 8 04/02/2012 22:17:05.912 Info VPN IKE IKEv2 Initiator: Received IKE_SA_INT response strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 
> 9 04/02/2012 22:17:05.880 Info VPN IKE IKEv2 Initiator: Send IKE_SA_INIT request strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN;
> 
> According to log entry "3", it looks like strongswan is sending something with an "invalid syntax". Any ideas?
> 
> On the strongswan side:
> added configuration 'teknerds'
> 03[NET] received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
> 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
> 03[ENC] received unknown vendor id: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96 :6f:00:01
> 03[IKE] sonicwall.public.ip is initiating an IKE_SA
> 03[IKE] local host is behind NAT, sending keep alives
> 03[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, E=user at corp.com"
> 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> 03[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
> 06[NET] received packet: from sonicwall.public.ip[4500] to 192.168.1.18[4500]
> 06[ENC] invalid X509 hash length (0) in certreq
> 06[ENC] CERTIFICATE_REQUEST verification failed
> 06[ENC] encrypted payload could not be decrypted and parsed
> 06[ENC] could not decrypt payloads
> 06[IKE] message parsing failed
> 06[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
> 06[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
> 06[IKE] IKE_AUTH request with message ID 1 processing failed
> 
> When it says this:
> 03[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, E=user at corp.com"
> should I import the cert on the strongswan side into the sonicwall or do I need to generate a cert on the sonicwall?
> 
> At this point I would like to know if you have to use certs with ikev2 and strongswan?
> 
> 
> 
> ----- Original Message -----
> From: "Chris Arnold" <carnold at electrichendrix.com>
> To: users at lists.strongswan.org
> Sent: Monday, April 2, 2012 6:24:41 PM
> Subject: Re: [strongSwan] Question on IKEv2
> 
> 
> On Apr 2, 2012, at 5:47 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> 
>> Hi Chris,
>>
>> why do you go six years back in time?
>>
> Are you saying strongSwan 4.0 (the link I posted) is 6 yrs old?
> 
>> Just have a look at our
>> configuration examples:
>>
>> On 04/02/2012 10:34 PM, Chris Arnold wrote:
>>> I have been trying to get a tunnel between strongSwan 4.4.x and a
>>> sonicwall TZ180W to no avail. I have tried every combination known on
>>> the sonicwall and every combination I know on the strongSwan side. My
>>> last try was ikev2 and I think this might be the problem. This was
>>> found on a strongSwan thread:
>>> http://download.strongswan.org/CHANGES42.txt
>>>
>>> strongswan-4.0.0 ----------------
>>>
>>> - initial support of the IKEv2 protocol. Connections in ipsec.conf
>>> designated by keyexchange=ikev2 are negotiated by the new IKEv2
>>> charon keying daemon whereas those marked by keyexchange=ikev1 or the
>>> default keyexchange=ike are handled by the IKEv1 pluto keying
>>> daemon. Currently only a limited subset of functions are available
>>> with IKEv2 (Default AES encryption, authentication based on locally 
>>> imported X.509 certificates, unencrypted private RSA keys in PKCS#1
>>> file format, limited functionality of the ipsec status command).
>>>
>>> AES encryption, authentication based on locally imported X.509
>>> certificates, unencrypted private RSA keys in PKCS#1 file format,
>>> limited functionality of the ipsec status command, is this an AND/OR
>>> list? Do you have to have certs to use ikev2 or can you do 1 of the
>>> other auth in the list?
>>
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
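The certificate setup Andreas lays out above, as an added example that is not part of the original thread or of strongSwan's own tooling: it uses plain openssl (his first option) rather than ipsec pki, writes into IPSEC_D (defaulting to $TMPDIR/ipsec.d for a dry run; /etc/ipsec.d on the gateway), and the subject names, file names and the PKCS#12 password are assumptions. The two check functions confirm what the log excerpt could not: that the strongSwan certificate chains to the CA in cacerts/, and that the .p12 for the sonicwall carries the CA certificate alongside the sonicwall one.

```shell
#!/bin/sh
# Constructed example: builds the certificate layout described above with
# plain openssl (not strongSwan's pki tool). IPSEC_D defaults to a scratch
# directory for a dry run; on the gateway it would be /etc/ipsec.d.
set -eu
IPSEC_D="${IPSEC_D:-${TMPDIR:-/tmp}/ipsec.d}"
P12_PASS="${P12_PASS:-changeit}"   # protects the sonicwall bundle in transit only

build_pki() {
  mkdir -p "$IPSEC_D/cacerts" "$IPSEC_D/certs" "$IPSEC_D/private"
  chmod 700 "$IPSEC_D/private"
  work=$(mktemp -d)
  # 1. CA key plus self-signed CA certificate; the certificate goes to cacerts/
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$IPSEC_D/private/caKey.pem" -out "$IPSEC_D/cacerts/caCert.pem" \
    -subj "/C=US/O=Example Corp/CN=Example VPN CA" 2>/dev/null
  chmod 600 "$IPSEC_D/private/caKey.pem"   # in production keep the CA key off the gateway
  # 2. One end-entity key and CSR per peer, each certificate signed by the CA key
  for peer in strongswan sonicwall; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/${peer}Key.pem" \
      -out "$work/${peer}.csr" -subj "/C=US/O=Example Corp/CN=${peer}.example.com" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nsubjectAltName=DNS:%s.example.com\n' \
      "$peer" > "$work/${peer}.ext"
    openssl x509 -req -days 365 -in "$work/${peer}.csr" \
      -CA "$IPSEC_D/cacerts/caCert.pem" -CAkey "$IPSEC_D/private/caKey.pem" \
      -CAserial "$work/ca.srl" -CAcreateserial -extfile "$work/${peer}.ext" \
      -out "$work/${peer}Cert.pem" 2>/dev/null
  done
  # 3. strongSwan side: private key into private/, certificate into certs/
  cp "$work/strongswanKey.pem" "$IPSEC_D/private/strongswanKey.pem"
  chmod 600 "$IPSEC_D/private/strongswanKey.pem"
  cp "$work/strongswanCert.pem" "$IPSEC_D/certs/strongswanCert.pem"
  # 4. sonicwall side: its key, its certificate and the CA certificate in one PKCS#12
  openssl pkcs12 -export -inkey "$work/sonicwallKey.pem" -in "$work/sonicwallCert.pem" \
    -certfile "$IPSEC_D/cacerts/caCert.pem" -name sonicwall \
    -passout "pass:$P12_PASS" -out "$IPSEC_D/sonicwall.p12"
  rm -rf "$work"
}

# Check 1: the certificate strongSwan will present chains to the CA in cacerts/
verify_chain() {
  openssl verify -CAfile "$IPSEC_D/cacerts/caCert.pem" "$IPSEC_D/certs/strongswanCert.pem" >/dev/null
}
# Check 2: the bundle for the sonicwall really carries both certificates (peer + CA)
p12_cert_count() {
  openssl pkcs12 -in "$IPSEC_D/sonicwall.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
```

Run build_pki once, then verify_chain should exit 0 and p12_cert_count should print 2; a count of 1 means the CA certificate was left out of the bundle, which is exactly what would leave the sonicwall unable to validate the strongSwan end.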
