[strongSwan] Question on IKEv2

Chris Arnold carnold at electrichendrix.com
Thu Apr 5 00:25:31 CEST 2012


Thank you all for not calling me an id10t!! I read, completely, the email Andreas sent and saw where you can use the pki tool....
So, I followed the instructions and on the import of caCert.der into the sonicwall, I get the error, invalid format. Please use der or pem. The other 2 files import fine into the sonicwall and they too are der format. 

Sent from my iPhone

On Apr 4, 2012, at 10:40 AM, Chris Arnold <carnold at electrichendrix.com> wrote:

> Is this possible with the IPSec pki tool?
> 
> Sent from my iPhone
> 
> On Apr 3, 2012, at 2:35 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> 
>> Hello Chris,
>> 
>> I think you misconfigured your certificates:
>> 
>> You should create a CA certificate and put it in /etc/ipsec.d/cacerts/.
>> 
>> Then you should create two X.509 end entity certificates with
>> matching private keys, one for strongSwan and one for sonicwall,
>> and sign both certificates with the private key of the CA.
>> 
>> The private strongSwan key you put into /etc/ipsec.d/private/ and
>> the strongSwan certificate into /etc/ipsec.d/certs/.
>> 
>> Then you package the private sonicwall key, sonicwall certificate
>> and CA certificate into a PKCS#12 file (*.p12) and import it into
>> your sonicwall box.
>> 
>> The certificate request strongSwan sends should then be for the CA.
>> 
>> RSA keys and certificates can be generated using either openssl-based
>> tools
>> 
>> http://wiki.strongswan.org/projects/strongswan/wiki/CAmanagementGUIs
>> 
>> or the ipsec pki command
>> 
>> http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>> 
>> Regards
>> 
>> Andreas
>> 
>> On 04/03/2012 05:11 AM, Chris Arnold wrote:
>>> I uninstalled strongswan and started over again with strongswan. This time I followed this:
>>> http://www.strongswan.org/uml/testre...psk/index.html
>>> under the sun heading. This time I try to ping the remote network from the subnet behind the sonicwall; I get a whole different set of logs:
>>> 3 04/02/2012 22:17:06.096 Warning VPN IKE IKEv2 Received notify error payload strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; Invalid Syntax 
>>> 4 04/02/2012 22:17:06.096 Info VPN IKE IKEv2 Initiator: Received IKE_AUTH response strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 
>>> 5 04/02/2012 22:17:06.080 Info VPN IKE IKEv2 Initiator: Send IKE_AUTH request strongswan.public.ip, 4500 sonicwall.public.ip, 4500 VPN Policy: ELC VPN; 
>>> 6 04/02/2012 22:17:06.064 Info VPN IKE IKEv2 NAT device detected between negotiating peers strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; Peer gateway is behind a NAT device 
>>> 7 04/02/2012 22:17:05.912 Info VPN IKE IKEv2 Accept IKE SA Proposal strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 3DES; HMAC_SHA1_96; DH Group 2; IKEv2 InitSPI: 0x78c7c9e9e8ee7c4d; IKEv2 RespSPI: 0x358c22dd808e74fa 
>>> 8 04/02/2012 22:17:05.912 Info VPN IKE IKEv2 Initiator: Received IKE_SA_INT response strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 
>>> 9 04/02/2012 22:17:05.880 Info VPN IKE IKEv2 Initiator: Send IKE_SA_INIT request strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN;
>>> 
>>> According to log entry "3", it looks like strongswan is sending something with an "invalid syntax". Any ideas?
>>> 
>>> On the strongswan side:
>>> added configuration 'teknerds'
>>> 03[NET] received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
>>> 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
>>> 03[ENC] received unknown vendor id: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96 :6f:00:01
>>> 03[IKE] sonicwall.public.ip is initiating an IKE_SA
>>> 03[IKE] local host is behind NAT, sending keep alives
>>> 03[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, E=user at corp.com"
>>> 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>>> 03[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
>>> 06[NET] received packet: from sonicwall.public.ip[4500] to 192.168.1.18[4500]
>>> 06[ENC] invalid X509 hash length (0) in certreq
>>> 06[ENC] CERTIFICATE_REQUEST verification failed
>>> 06[ENC] encrypted payload could not be decrypted and parsed
>>> 06[ENC] could not decrypt payloads
>>> 06[IKE] message parsing failed
>>> 06[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
>>> 06[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
>>> 06[IKE] IKE_AUTH request with message ID 1 processing failed
>>> 
>>> When it says this:
>>> 03[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, E=user at corp.com"
>>> should I import the cert on the strongswan side into the sonicwall or do I need to generate a cert on the sonicwall?
>>> 
>>> At this point I would like to know if you have to use certs with ikev2 and strongswan?
>>> 
>>> 
>>> 
>>> ----- Original Message -----
>>> From: "Chris Arnold" <carnold at electrichendrix.com>
>>> To: users at lists.strongswan.org
>>> Sent: Monday, April 2, 2012 6:24:41 PM
>>> Subject: Re: [strongSwan] Question on IKEv2
>>> 
>>> 
>>> On Apr 2, 2012, at 5:47 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
>>> 
>>>> Hi Chris,
>>>> 
>>>> why do you go six years back in time?
>>>> 
>>> Are you saying strongSwan 4.0 (the link I posted) is 6 yrs old?
>>> 
>>>> Just have a look at our
>>>> 
>>>> configuration examples:
>>>> 
>>>> 
>>>> 
>>>> On 04/02/2012 10:34 PM, Chris Arnold wrote:
>>>>> I have been trying to get a tunnel between strongSwan 4.4.x and a
>>>>> sonicwall TZ180W to no avail. I have tried every combination known on
>>>>> the sonicwall and every combination I know on the strongSwan side. My
>>>>> last try was ikev2 and I think this might be the problem. This was
>>>>> found on a strongSwan thread, found at
>>>>> http://download.strongswan.org/CHANGES42.txt
>>>>> 
>>>>> strongswan-4.0.0 ----------------
>>>>> 
>>>>> - initial support of the IKEv2 protocol. Connections in ipsec.conf
>>>>> designated by keyexchange=ikev2 are negotiated by the new IKEv2
>>>>> charon keying daemon whereas those marked by keyexchange=ikev1 or the
>>>>> default keyexchange=ike are handled by the IKEv1 pluto keying
>>>>> daemon. Currently only a limited subset of functions are available
>>>>> with IKEv2 (Default AES encryption, authentication based on locally 
>>>>> imported X.509 certificates, unencrypted private RSA keys in PKCS#1
>>>>> file format, limited functionality of the ipsec status command).
>>>>> 
>>>>> AES encryption, authentication based on locally imported X.509
>>>>> certificates, unencrypted private RSA keys in PKCS#1 file format,
>>>>> limited functionality of the ipsec status command, is this an AND/OR
>>>>> list? Do you have to have certs to use ikev2 or can you do 1 of the
>>>>> other auth in the list?
>>>> 
>>>> ======================================================================
>>>> Andreas Steffen                         andreas.steffen at strongswan.org
>>>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>>>> Institute for Internet Technologies and Applications
>>>> University of Applied Sciences Rapperswil
>>>> CH-8640 Rapperswil (Switzerland)
>>>> ===========================================================[ITA-HSR]==
>>> 
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>> 
>> 
>> 
> 
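The SonicWall's "invalid format. Please use der or pem" rejection of caCert.der is a cue to check what the file actually contains before re-exporting it. The checker below is an added example, not code from this thread or from strongSwan: it classifies raw file bytes as PEM (reporting the label), well-formed DER, DER with trailing bytes, truncated DER, or unknown, and converts between the two encodings. The sample bytes are a constructed minimal DER SEQUENCE standing in for a certificate, not a real certificate.

```python
import base64
import re
# Constructed sample: a minimal DER SEQUENCE { INTEGER 5 }, standing in for the outer
# SEQUENCE that every X.509 certificate starts with (not a real certificate).
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_outer_length(data: bytes):
    """Return (header_len, content_len) of the outer DER SEQUENCE, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:   # Certificate ::= SEQUENCE, tag 0x30
        return None
    first = data[1]
    if first < 0x80:                       # short form: length fits in one byte
        return 2, first
    n = first & 0x7F                       # long form: n more length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None                        # indefinite length is not valid DER
    return 2 + n, int.from_bytes(data[2:2 + n], "big")

def classify(data: bytes) -> str:
    """'pem:<LABEL>', 'der', 'der+trailing', 'der-truncated' or 'unknown'."""
    m = PEM_RE.search(data)
    if m:
        return "pem:" + m.group(1).decode()
    parsed = der_outer_length(data)
    if parsed is None:
        return "unknown"                   # e.g. a UTF-8 BOM in front, a PKCS#12, or junk
    header_len, content_len = parsed
    total = header_len + content_len
    if total == len(data):
        return "der"
    return "der+trailing" if total < len(data) else "der-truncated"

def pem_to_der(data: bytes) -> bytes:
    """Strip the PEM armor and base64-decode the body; ValueError if not PEM."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("not PEM")
    return base64.b64decode(b"".join(m.group(2).split()))

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

if __name__ == "__main__":                 # quick demo on the constructed samples
    for name, blob in [("der", SAMPLE_DER), ("pem", der_to_pem(SAMPLE_DER)),
                       ("trailing newline", SAMPLE_DER + b"\n"), ("BOM", b"\xef\xbb\xbf" + SAMPLE_DER)]:
        print(name, "->", classify(blob))
```

A stray trailing newline or a BOM added by a text editor is enough to make a DER file fail a strict importer, so run the classifier on the exact bytes you upload.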



