[strongSwan] Question on IKEv2

Chris Arnold carnold at electrichendrix.com
Fri Apr 6 16:29:29 CEST 2012


I got the 3 certs into the sonicwall and the tunnel appears to be up and stays up, but I cannot pass any traffic from either network. ipsec statusall does not show any SAs:
ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.0):
  uptime: 17 minutes, since Apr 06 09:41:57 2012
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl gcrypt fips-prf xcbc hmac gmp attr kernel-netlink socket-raw stroke updown resolve
Listening IP addresses:
  192.168.1.18
Connections:
    teknerds:  192.168.1.18...sonicwall.public.ip
    teknerds:   local:  [strongswan.id] uses pre-shared key authentication
    teknerds:   remote: [sonicwall.id] uses any authentication
    teknerds:   child:  192.168.1.0/24 === 192.168.123.0/24
Security Associations:
  none

I get the same output from ipsec up <conn> as when I did not have all 3 certs installed on the sonicwall:
initiating IKE_SA teknerds[1] to sonicwall.public.ip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA teknerds[1] to sonicwall.public.ip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
local host is behind NAT, sending keep alives
received cert request for "C=CH, O=ELC, CN=Edens Land Corp CA"
sending cert request for "C=CH, O=ELC, CN=Edens Land Corp CA"
authentication of 'strongswan.id' (myself) with pre-shared key
establishing CHILD_SA teknerds
generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 192.168.1.18[4500] to sonicwall.public.ip[4500]
received packet: from sonicwall.public.ip[4500] to 192.168.1.18[4500]
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(INIT_CONTACT) ]
authentication of 'sonicwall.id' with pre-shared key successful
constraint check failed: identity 'sonicwall.id' required
selected peer config 'teknerds' inacceptable
no alternative config found

----- Original Message -----
From: "Andreas Steffen" <andreas.steffen at strongswan.org>
To: "Chris Arnold" <carnold at electrichendrix.com>
Sent: Friday, April 6, 2012 5:02:24 AM
Subject: Re: [strongSwan] Question on IKEv2

Hello Chris,

I know what the problem is. The openssl pkcs12 command does not
accept keys and certificates in binary DER format. Therefore
if you generate keys and certificates with ipsec pki,
use the option --outform pem (the default being der).

Alternatively, if you want to convert existing binary DER files you
can use:

   openssl rsa -inform der -in peerKey.der -out peerKey.pem

   openssl x509 -inform der -in peerCert.der -out peerCert.pem

Regards

Andreas

On 04/06/2012 01:23 AM, Chris Arnold wrote:
> Andreas, It is actually the peerKey.der that will not import.
> Attached are the peerCert.der, peerKey.der and caCert.der. I trust
> you will destroy these for security purposes. Thank you for your
> help. I tried to package the 3 files together using: openssl pkcs12
> -export -out sonicwall.p12 -inkey peerKey.der -in peerCert.der
> -certfile caCert.der
>
> and get unable to load private key. I wonder if something is wrong
> with the peerKey.der file..
>
>
> ----- Original Message -----
> From: "Andreas Steffen" <andreas.steffen at strongswan.org>
> To: "Chris Arnold" <carnold at electrichendrix.com>
> Cc: users at lists.strongswan.org
> Sent: Thursday, April 5, 2012 3:57:10 AM
> Subject: Re: [strongSwan] Question on IKEv2
>
> Hi Chris,
>
> can you send me your caCert.der certificate?
>
> Andreas
>
> On 04/05/2012 12:25 AM, Chris Arnold wrote:
>> Thank you all for not calling me an id10t!! I read, completely,
>> the email Andreas sent and saw where you can use the pki tool....
>> So, I followed the instructions and on the import of caCert.der
>> into the sonicwall, I get the error, invalid format. Please use der
>> or pem. The other 2 files import fine into the sonicwall and they
>> too are der format.
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==


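Added example, not code from this thread, from strongSwan or from OpenSSL: a small Python checker for the situation above, where a firewall rejects a file as "invalid format" and openssl pkcs12 reports "unable to load private key". It tells DER from PEM, checks that a DER file's outer SEQUENCE covers exactly the whole file (a truncated, padded or mis-encoded file fails right there), guesses from the first few tags whether the blob is a PKCS#1 RSA key (the form openssl rsa reads and writes), a PKCS#8 key, a certificate or a public key, and converts DER to PEM with the same 64-column armor the openssl commands above produce. All inputs are constructed toy DER structures (the textbook RSA numbers, a bare certificate skeleton), not real keys or certificates; the file names in the usage block are made up.

```python
"""Added example (not from the thread, strongSwan or OpenSSL): detect DER vs PEM,
sanity-check DER, guess the object type, and convert between the two encodings."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length(buf, pos):
    """Parse the DER length field at buf[pos]; return (length, bytes consumed)."""
    if pos >= len(buf):
        raise ValueError("length field missing")
    first = buf[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length header")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    if length < 0x80 or (n > 1 and length >> (8 * (n - 1)) == 0):
        raise ValueError("non-minimal length (BER, not DER)")
    return length, 1 + n


def der_children(body):
    """Return [(tag, content), ...] for the elements inside a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(body):
        tag = body[pos]
        length, hdr = der_length(body, pos + 1)
        start = pos + 1 + hdr
        if start + length > len(body):
            raise ValueError("element overruns its container")
        out.append((tag, body[start:start + length]))
        pos = start + length
    return out


def classify_der(der):
    """Return the PEM label matching a DER blob's outer shape.
    Raises ValueError when the outer SEQUENCE does not cover exactly the data
    given (truncated file, trailing junk, or not DER at all)."""
    if not der or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE")
    length, hdr = der_length(der, 1)
    if 1 + hdr + length != len(der):
        raise ValueError(f"outer SEQUENCE spans {1 + hdr + length} bytes, data has {len(der)}")
    kids = der_children(der[1 + hdr:])
    tags = [t for t, _ in kids]
    if tags[:3] == [0x30, 0x30, 0x03]:                      # tbsCertificate, sigAlg, signature
        return "CERTIFICATE"                                 # (a CSR has the same outer shape)
    if tags[:2] == [0x30, 0x03]:                             # AlgorithmIdentifier, BIT STRING
        return "PUBLIC KEY"                                  # SubjectPublicKeyInfo
    if tags[:2] == [0x02, 0x02] and kids[0][1] == b"\x00":   # version 0, then modulus
        return "RSA PRIVATE KEY"                             # PKCS#1 (openssl rsa format)
    if tags[:2] == [0x02, 0x30]:                             # version, then AlgorithmIdentifier
        return "PRIVATE KEY"                                 # PKCS#8
    return "UNKNOWN"


def pem_to_der(data):
    """Decode the first PEM block in data; return (label, der)."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no PEM block found")
    body = b"".join(m.group(2).split())          # strip line breaks before decoding
    return m.group(1).decode(), base64.b64decode(body, validate=True)


def der_to_pem(der, label):
    """Armor DER as PEM with 64-column base64 lines, as openssl does."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n".encode()


def inspect(data):
    """Report encoding and object type of a key/cert file's bytes; 'error' is set if malformed."""
    fmt = "PEM" if data.lstrip().startswith(b"-----BEGIN") else "DER"
    try:
        label, der = pem_to_der(data) if fmt == "PEM" else (None, data)
        return {"format": fmt, "label": label, "type": classify_der(der), "der": der}
    except ValueError as e:                      # binascii.Error is a ValueError too
        return {"format": fmt, "error": str(e)}


# Constructed samples: toy DER built with the textbook RSA numbers and a bare
# certificate skeleton. They are shaped like real objects but are not real keys or certs.
def tlv(tag, content):
    """Tiny DER encoder used only to build the samples."""
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + hdr + content


def integer(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)   # keep the sign bit clear


# PKCS#1 RSAPrivateKey order: version, n, e, d, p, q, dP, dQ, qInv (toy values)
TOY_RSA_DER = tlv(0x30, b"".join(integer(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
# X.509 Certificate order: tbsCertificate, signatureAlgorithm (sha256WithRSA OID), signatureValue
TOY_CERT_DER = tlv(0x30, tlv(0x30, integer(2))
                   + tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
                   + tlv(0x03, b"\x00" + b"\x5a" * 8))

if __name__ == "__main__":
    for name, blob in (("peerKey.der", TOY_RSA_DER), ("caCert.der", TOY_CERT_DER),
                       ("peerKey.pem", der_to_pem(TOY_RSA_DER, "RSA PRIVATE KEY")),
                       ("peerKey.der (truncated)", TOY_RSA_DER[:-3])):
        print(name, inspect(blob))
```

On a real file, replace the toy blobs with `open(path, "rb").read()`; a DER key that comes back with an "outer SEQUENCE spans N bytes" error was cut short or had bytes appended in transit, and a file reported as DER but expected by the peer as PEM is exactly the mismatch openssl pkcs12 stumbles over above. The type guess is deliberately shallow (it looks only at the first few tags), so it is a triage aid, not a parser.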