[strongSwan] Question on IKEv2

Chris Arnold carnold at electrichendrix.com
Wed Apr 4 02:02:44 CEST 2012


Can you do this with the IPSec pki command line?

On Apr 3, 2012, at 2:35 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:

> Hello Chris,
> 
> I think you misconfigured your certificates:
> 
> You should create a CA certificate and put it in /etc/ipsec.d/cacerts/.
> 
> Then you should create two X.509 end entity certificates with
> matching private keys, one for strongSwan and one for sonicwall,
> and sign both certificates with the private key of the CA.
> 
> The private strongSwan key you put into /etc/ipsec.d/private/ and
> the strongSwan certificate into /etc/ipsec.d/certs/.
> 
> Then you package the private sonicwall key, sonicwall certificate
> and CA certificate into a PKCS#12 file (*.p12) and import it into
> your sonicwall box.
> 
> The certificate request strongSwan sends should then be for the CA.
> 
> RSA keys and certificates can be generated using either openssl-based
> tools
> 
>  http://wiki.strongswan.org/projects/strongswan/wiki/CAmanagementGUIs
> 
> or the ipsec pki command
> 
>  http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
> 
> Regards
> 
> Andreas
> 
> On 04/03/2012 05:11 AM, Chris Arnold wrote:
>> I uninstalled strongswan and started over again with strongswan. This time I followed this:
>> http://www.strongswan.org/uml/testre...psk/index.html
>> under the sun heading. This time I try to ping the remote network from the subnet behind the sonicwall; I get a whole different set of logs:
>> 3 04/02/2012 22:17:06.096 Warning VPN IKE IKEv2 Received notify error payload strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; Invalid Syntax 
>> 4 04/02/2012 22:17:06.096 Info VPN IKE IKEv2 Initiator: Received IKE_AUTH response strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 
>> 5 04/02/2012 22:17:06.080 Info VPN IKE IKEv2 Initiator: Send IKE_AUTH request strongswan.public.ip, 4500 sonicwall.public.ip, 4500 VPN Policy: ELC VPN; 
>> 6 04/02/2012 22:17:06.064 Info VPN IKE IKEv2 NAT device detected between negotiating peers strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; Peer gateway is behind a NAT device 
>> 7 04/02/2012 22:17:05.912 Info VPN IKE IKEv2 Accept IKE SA Proposal strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 3DES; HMAC_SHA1_96; DH Group 2; IKEv2 InitSPI: 0x78c7c9e9e8ee7c4d; IKEv2 RespSPI: 0x358c22dd808e74fa 
>> 8 04/02/2012 22:17:05.912 Info VPN IKE IKEv2 Initiator: Received IKE_SA_INT response strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 
>> 9 04/02/2012 22:17:05.880 Info VPN IKE IKEv2 Initiator: Send IKE_SA_INIT request strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN;
>> 
>> According to log entry "3", it looks like strongswan is sending something with an "invalid syntax". Any ideas?
>> 
>> On the strongswan side:
>> added configuration 'teknerds'
>> 03[NET] received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
>> 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
>> 03[ENC] received unknown vendor id: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
>> 03[IKE] sonicwall.public.ip is initiating an IKE_SA
>> 03[IKE] local host is behind NAT, sending keep alives
>> 03[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, E=user at corp.com"
>> 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> 03[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
>> 06[NET] received packet: from sonicwall.public.ip[4500] to 192.168.1.18[4500]
>> 06[ENC] invalid X509 hash length (0) in certreq
>> 06[ENC] CERTIFICATE_REQUEST verification failed
>> 06[ENC] encrypted payload could not be decrypted and parsed
>> 06[ENC] could not decrypt payloads
>> 06[IKE] message parsing failed
>> 06[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
>> 06[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
>> 06[IKE] IKE_AUTH request with message ID 1 processing failed
>> 
>> When it says this:
>> 03[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, E=user at corp.com"
>> should I import the cert on the strongswan side into the sonicwall, or do I need to generate a cert on the sonicwall?
>> 
>> At this point I would like to know if you have to use certs with ikev2 and strongswan.
>> 
>> 
>> 
>> ----- Original Message -----
>> From: "Chris Arnold" <carnold at electrichendrix.com>
>> To: users at lists.strongswan.org
>> Sent: Monday, April 2, 2012 6:24:41 PM
>> Subject: Re: [strongSwan] Question on IKEv2
>> 
>> 
>> On Apr 2, 2012, at 5:47 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
>> 
>>> Hi Chris,
>>> 
>>> why do you go six years back in time?
>>> 
>> Are you saying strongSwan 4.0 (the link I posted) is 6 yrs old?
>> 
>>> Just have a look at our configuration examples:
>>> 
>>> On 04/02/2012 10:34 PM, Chris Arnold wrote:
>>>> I have been trying to get a tunnel between strongSwan 4.4.x and a
>>>> sonicwall TZ180W to no avail. I have tried every combination known on
>>>> the sonicwall and every combination I know on the strongSwan side. My
>>>> last try was ikev2 and I think this might be the problem. I found
>>>> this on a strongSwan thread:
>>>> http://download.strongswan.org/CHANGES42.txt
>>>> 
>>>> strongswan-4.0.0 ----------------
>>>> 
>>>> - initial support of the IKEv2 protocol. Connections in ipsec.conf
>>>> designated by keyexchange=ikev2 are negotiated by the new IKEv2
>>>> charon keying daemon whereas those marked by keyexchange=ikev1 or the
>>>> default keyexchange=ike are handled by the IKEv1 pluto keying
>>>> daemon. Currently only a limited subset of functions are available
>>>> with IKEv2 (Default AES encryption, authentication based on locally 
>>>> imported X.509 certificates, unencrypted private RSA keys in PKCS#1
>>>> file format, limited functionality of the ipsec status command).
>>>> 
>>>> AES encryption, authentication based on locally imported X.509
>>>> certificates, unencrypted private RSA keys in PKCS#1 file format,
>>>> limited functionality of the ipsec status command: is this an AND/OR
>>>> list? Do you have to have certs to use ikev2 or can you use one of the
>>>> other auth options in the list?
>>> 
>> 
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
> 
> 
> -- 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
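What the strongSwan line "invalid X509 hash length (0) in certreq" means, as an added example that is not part of this thread or of the strongSwan code base: in an IKEv2 CERTREQ for X.509 signature certificates the Certification Authority field is a list of 20-byte SHA-1 hashes of trusted CA public keys, and the parser below rejects an empty list the way the log shows, which is the INVALID_SYNTAX notify (N(INVAL_SYN)) that the SonicWall logged as "Invalid Syntax". The check is my reading of the observed behaviour, not the project's code, and the CA key bytes are constructed.

```python
"""Constructed example (not strongSwan project code): parse an IKEv2 CERTREQ payload."""
import hashlib
import struct

ENC_X509_SIGNATURE = 4  # Cert Encoding "X.509 Certificate - Signature" (RFC 7296, 3.6)
SHA1_LEN = 20           # each trusted CA is named by a SHA-1 hash of its SubjectPublicKeyInfo

# Constructed stand-in for a CA's SubjectPublicKeyInfo; not a real key.
FAKE_CA_SPKI = b"constructed SubjectPublicKeyInfo bytes for the demo CA"


def build_certreq(ca_spki_list, next_payload=0):
    """Build a CERTREQ payload naming the CAs whose SubjectPublicKeyInfo bytes are given."""
    ca_data = b"".join(hashlib.sha1(spki).digest() for spki in ca_spki_list)
    body = bytes([ENC_X509_SIGNATURE]) + ca_data
    # Generic payload header: Next Payload (1), C|RESERVED (1), Payload Length (2, network order)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_certreq(payload):
    """Return (encoding, [ca_hashes]) or raise ValueError with a strongSwan-style reason."""
    if len(payload) < 5:
        raise ValueError("certreq payload shorter than its 5-byte header")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError(f"payload length field {length} does not match {len(payload)} bytes")
    encoding, ca_data = payload[4], payload[5:]
    if encoding == ENC_X509_SIGNATURE and (
        len(ca_data) < SHA1_LEN or len(ca_data) % SHA1_LEN
    ):
        # The condition behind "invalid X509 hash length (0) in certreq" in the thread's log:
        # an empty list, or a list that is not a whole number of 20-byte hashes.
        raise ValueError(f"invalid X509 hash length ({len(ca_data)}) in certreq")
    return encoding, [ca_data[i:i + SHA1_LEN] for i in range(0, len(ca_data), SHA1_LEN)]


def classify(payload):
    """Map a CERTREQ to the outcome a strict responder reports back to the initiator."""
    try:
        _, hashes = parse_certreq(payload)
    except ValueError as err:
        # strongSwan answered with N(INVAL_SYN); the SonicWall logged it as "Invalid Syntax".
        return f"reject with INVALID_SYNTAX: {err}"
    return f"accept, {len(hashes)} trusted CA hash(es)"


if __name__ == "__main__":
    print(classify(build_certreq([])))              # empty CA list, as in the thread
    print(classify(build_certreq([FAKE_CA_SPKI])))  # one properly named CA
```

Because the CERTREQ travels inside the encrypted IKE_AUTH payload, a failed check there takes the whole message down with it, which is why the log also shows "encrypted payload could not be decrypted and parsed" before the INVALID_SYNTAX reply.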