[strongSwan] Issues in setting up VPN connection (IKEv1) using iPhone (default Cisco VPN client) and strongSwan 4.5.0 server

Kushagra Bhatnagar kbhatnagar at sta.samsung.com
Thu Apr 26 23:48:27 CEST 2012


Hello All,

I am facing issues in setting up a VPN connection (IKEv1) using an iPhone (default Cisco VPN client) and a strongSwan 4.5.0 server.

Below is the set up:

The strongSwan server is running on an Ubuntu Linux machine which is connected to a wifi hotspot. Using the steps at the following link, http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29, I generated the CA, server and client certificates, with the only difference mentioned below.

"While generating the server certificate, instead of CN=vpn.strongswan.org as per the link, I changed the CN to CN=192.168.43.212."

Once the certificates were generated, the following files (clientCert.p12 and caCert.pem) were sent to the mobile via mail and installed on the iPhone. After installation I noticed that the certificates are also considered trusted.

Below are the IP addresses assigned to the various interfaces:

Linux server wlan0 interface IP, where the server is running: 192.168.43.212
iPhone eth0 interface IP address: 192.168.43.72. The iPhone is also attached to the same wifi hotspot.

Below is a snapshot of the client configuration.

Description		Strong swan
Server			192.168.43.212
Account 		ipsecvpn
Password		***********
Use certificate 		ON
Certificate 		client

The above username and password are in sync with the ipsec.secrets file.
I am using the following ipsec.conf configuration:

# basic configuration
config setup
        plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        # charonstart=yes
        plutostart=yes

# Add connections here.
# Sample VPN connections
conn ios1
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=192.168.43.72
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.2
        rightcert=clientCert.pem
        pfs=no
        auto=add

With the above configuration, when I enable VPN on the iPhone, it says "Could not able to verify server certificate".
I ran Wireshark on the Linux server and observed that initially some ISAKMP message exchanges happen between client and server and are successful, but before authorization the client sends an informational message, and soon after this the client shows the error popup "Could not able to verify server certificate".

I captured logs on the strongSwan server, and in the server logs the errors below are observed:

From auth.log:
Apr 25 20:16:08 Linux pluto[4025]: |    ISAKMP version: ISAKMP Version 1.0
Apr 25 20:16:08 Linux pluto[4025]: |    exchange type: ISAKMP_XCHG_INFO
Apr 25 20:16:08 Linux pluto[4025]: |    flags: ISAKMP_FLAG_ENCRYPTION
Apr 25 20:16:08 Linux pluto[4025]: |    message ID:  9d 1a ea 4d
Apr 25 20:16:08 Linux pluto[4025]: |    length: 76
Apr 25 20:16:08 Linux pluto[4025]: | ICOOKIE:  f6 b7 06 b2  b1 84 5b 93
Apr 25 20:16:08 Linux pluto[4025]: | RCOOKIE:  86 92 a0 c2  a6 2f ac be
Apr 25 20:16:08 Linux pluto[4025]: | peer:  c0 a8 2b 48
Apr 25 20:16:08 Linux pluto[4025]: | state hash entry 8
Apr 25 20:16:08 Linux pluto[4025]: | state object not found
Apr 25 20:16:08 Linux pluto[4025]: packet from 192.168.43.72:500: Informational Exchange is for an unknown (expired?) SA
Apr 25 20:16:08 Linux pluto[4025]: | next event EVENT_RETRANSMIT in 8 seconds for #8
Apr 25 20:16:16 Linux pluto[4025]: | 
Apr 25 20:16:16 Linux pluto[4025]: | *time to handle event
Apr 25 20:16:16 Linux pluto[4025]: | event after this is EVENT_RETRANSMIT in 2 seconds
Apr 25 20:16:16 Linux pluto[4025]: | handling event EVENT_RETRANSMIT for 192.168.43.72 "ios1" #8
Apr 25 20:16:16 Linux pluto[4025]: | sending 76 bytes for EVENT_RETRANSMIT through wlan0 to 192.168.43.72:500:
Apr 25 20:16:16 Linux pluto[4025]: |   a6 a5 86 41  4b fb ff 99  c9 18 34 61  01 7b f1 d9
Apr 25 20:16:16 Linux pluto[4025]: |   08 10 06 01  e9 1c ea 60  00 00 00 4c  ba 7d c8 08
Apr 25 20:16:16 Linux pluto[4025]: |   13 47 95 18  19 31 45 30  2e 22 f9 4d  85 2c 27 bc
Apr 25 20:16:16 Linux pluto[4025]: |   9e 9b e1 ae  1e 35 51 6f  ab 80 f5 73  3c 15 8d 20
Apr 25 20:16:16 Linux pluto[4025]: |   4b 46 47 86  50 24 3f 13  15 7d d5 17
Apr 25 20:16:16 Linux pluto[4025]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #8
Apr 25 20:16:16 Linux pluto[4025]: | next event EVENT_RETRANSMIT in 2 seconds for #10
Apr 25 20:16:16 Linux pluto[4025]: | rejected packet:
Apr 25 20:16:16 Linux pluto[4025]: | 
Apr 25 20:16:16 Linux pluto[4025]: | control:
Apr 25 20:16:16 Linux pluto[4025]: |   30 00 00 00  00 00 00 00  00 00 00 00  0b 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: |   6f 00 00 00  02 03 03 00  00 00 00 00  00 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: |   02 00 00 00  c0 a8 2b 48  00 00 00 00  00 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: | name:
Apr 25 20:16:16 Linux pluto[4025]: |   02 00 01 f4  c0 a8 2b 48  00 00 00 00  00 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: ERROR: asynchronous network error report on wlan0 for message to 192.168.43.72 port 500, complainant 192.168.43.72: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

Could anybody please provide some update about this error and how to solve this issue?
Thanks for the support.

Thanks,
-Kushagra
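As an added example (not from Kushagra's post, strongSwan or Apple), a small stdlib-only Python helper that reads the pluto debug lines quoted above, decodes the ISAKMP header of the 76-byte packet pluto keeps retransmitting, and turns the raw peer octets back into an address; the exchange-type table follows pluto's constants, and the embedded log is an excerpt of the post's own log.

```python
import re
import struct
from ipaddress import IPv4Address

# Lines copied from the pluto debug log quoted in the post (trimmed to the ones the helper reads).
PLUTO_LOG = """\
Apr 25 20:16:08 Linux pluto[4025]: | peer:  c0 a8 2b 48
Apr 25 20:16:08 Linux pluto[4025]: packet from 192.168.43.72:500: Informational Exchange is for an unknown (expired?) SA
Apr 25 20:16:16 Linux pluto[4025]: | sending 76 bytes for EVENT_RETRANSMIT through wlan0 to 192.168.43.72:500:
Apr 25 20:16:16 Linux pluto[4025]: |   a6 a5 86 41  4b fb ff 99  c9 18 34 61  01 7b f1 d9
Apr 25 20:16:16 Linux pluto[4025]: |   08 10 06 01  e9 1c ea 60  00 00 00 4c  ba 7d c8 08
Apr 25 20:16:16 Linux pluto[4025]: ERROR: asynchronous network error report on wlan0 for message to 192.168.43.72 port 500, complainant 192.168.43.72: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

# ISAKMP exchange types: RFC 2408 values plus the Mode-Config transaction exchange (6) pluto uses for XAUTH.
EXCHANGE_TYPES = {2: "ISAKMP_XCHG_IDPROT", 4: "ISAKMP_XCHG_AGGR", 5: "ISAKMP_XCHG_INFO", 6: "ISAKMP_XCHG_MODE_CFG", 32: "ISAKMP_XCHG_QUICK"}
HEX_LINE = re.compile(r"pluto\[\d+\]: \|\s+((?:[0-9a-f]{2}\s*)+)$")

def hexdump_bytes(log):
    """Gather the raw bytes of the hex dump that follows pluto's 'sending N bytes' line."""
    out, collecting = bytearray(), False
    for line in log.splitlines():
        if "sending" in line and "bytes for" in line:
            collecting = True
            continue
        m = HEX_LINE.search(line.rstrip()) if collecting else None
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
        elif collecting:
            break  # first non-hex line ends the dump
    return bytes(out)

def parse_isakmp_header(raw):
    """Decode the fixed 28-byte ISAKMP header (RFC 2408 section 3.1); struct.error on a truncated dump."""
    _ic, _rc, npay, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", raw[:28])
    return {"next_payload": npay, "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
            "encrypted": bool(flags & 0x01),  # ISAKMP_FLAG_ENCRYPTION is bit 0 of the flags byte
            "message_id": f"{msgid:08x}", "length": length}

def triage(log):
    """Summarise the log: peer address, what pluto keeps retransmitting, and the two error conditions."""
    findings = {"unknown_sa_informational": "Informational Exchange is for an unknown" in log,
                "port_unreachable": "ICMP type 3 code 3" in log}
    m = re.search(r"\| peer:\s+((?:[0-9a-f]{2}\s*){4})", log)
    if m:  # pluto prints the peer as raw IPv4 octets
        findings["peer"] = str(IPv4Address(bytes.fromhex("".join(m.group(1).split()))))
    hdr = parse_isakmp_header(hexdump_bytes(log))
    findings.update(retransmitted_exchange=hdr["exchange"], retransmit_length=hdr["length"],
                    retransmit_encrypted=hdr["encrypted"])
    return findings
```

The decoded header shows that the packet pluto keeps retransmitting is an encrypted Mode-Config/XAUTH transaction (exchange type 6), so the server is still waiting for the phone's XAUTH reply while the phone's own Informational message matched no known SA, which is the point at which the post says the certificate popup appears.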
