[strongSwan] Issues in setting up VPN connection(IKEv1) using iphone (Defult Cisco VPN client) and Strongswan 4.5.0 server
Kushagra Bhatnagar
kbhatnagar at sta.samsung.com
Thu Apr 26 23:48:27 CEST 2012
Hello All,
I am facing issues in setting up VPN connection(IKEv1) using iphone (Defult Cisco VPN client) and Strongswan 4.5.0 server.
Below is the set up:
Strongswan server is running on ubuntu linux machine which is connected to some wifi hotspot. Using the steps at following http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29 link, I generated CA, server and client certificate, with the only difference mentioned below.
"While generating server certificate, as per link CN=vpn.strongswan.org instead of this I changed CN name to CN=192.168.43.212."
Once certificates are generated, following (clientCert.p12 and caCert.pem) are sent to mobile via mail and installed on iphone. After installation I notice that certificates are considered as trusted also.
Below are the ip addresses assigned to various interfaces
Linux server wlan0 interface ip where server is running: 192.168.43.212
Iphone eth0 interface ip address: 192.168.43.72. iphone is also attached with the same wifi hotspot.
Below is the snapshot of client configurations.
Description Strong swan
Server 192.168.43.212
Account ipsecvpn
Password ***********
Use certificate ON
Certificate client
The above username and password are in sync with the ipsec.secrets file.
I am using the following ipsec.conf configuration:
# basic configuration
config setup
plutodebug=all
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
nat_traversal=yes
# charonstart=yes
plutostart=yes
# Add connections here.
# Sample VPN connections
conn ios1
keyexchange=ikev1
authby=xauthrsasig
xauth=server
left=%defaultroute
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftcert=serverCert.pem
right=192.168.43.72
rightsubnet=10.0.0.0/24
rightsourceip=10.0.0.2
rightcert=clientCert.pem
pfs=no
auto=add
With the above configurations when I enable VPN on iphone, it says "Could not able to verify server certificate".
I ran wireshark on linux server and observe that initially some ISAKMP message exchanges happens between client and server which are successful but before authorization, client is sending some informational message and soon after this client is showing error as popup "Could not able to verify server certificate".
Capture logs on Strongswan server and in server logs below errors are observed:
>From auth.log
Apr 25 20:16:08 Linux pluto[4025]: | ISAKMP version: ISAKMP Version 1.0
Apr 25 20:16:08 Linux pluto[4025]: | exchange type: ISAKMP_XCHG_INFO
Apr 25 20:16:08 Linux pluto[4025]: | flags: ISAKMP_FLAG_ENCRYPTION
Apr 25 20:16:08 Linux pluto[4025]: | message ID: 9d 1a ea 4d
Apr 25 20:16:08 Linux pluto[4025]: | length: 76
Apr 25 20:16:08 Linux pluto[4025]: | ICOOKIE: f6 b7 06 b2 b1 84 5b 93
Apr 25 20:16:08 Linux pluto[4025]: | RCOOKIE: 86 92 a0 c2 a6 2f ac be
Apr 25 20:16:08 Linux pluto[4025]: | peer: c0 a8 2b 48
Apr 25 20:16:08 Linux pluto[4025]: | state hash entry 8
Apr 25 20:16:08 Linux pluto[4025]: | state object not found
Apr 25 20:16:08 Linux pluto[4025]: packet from 192.168.43.72:500: Informational Exchange is for an unknown (expired?) SA
Apr 25 20:16:08 Linux pluto[4025]: | next event EVENT_RETRANSMIT in 8 seconds for #8
Apr 25 20:16:16 Linux pluto[4025]: |
Apr 25 20:16:16 Linux pluto[4025]: | *time to handle event
Apr 25 20:16:16 Linux pluto[4025]: | event after this is EVENT_RETRANSMIT in 2 seconds
Apr 25 20:16:16 Linux pluto[4025]: | handling event EVENT_RETRANSMIT for 192.168.43.72 "ios1" #8
Apr 25 20:16:16 Linux pluto[4025]: | sending 76 bytes for EVENT_RETRANSMIT through wlan0 to 192.168.43.72:500:
Apr 25 20:16:16 Linux pluto[4025]: | a6 a5 86 41 4b fb ff 99 c9 18 34 61 01 7b f1 d9
Apr 25 20:16:16 Linux pluto[4025]: | 08 10 06 01 e9 1c ea 60 00 00 00 4c ba 7d c8 08
Apr 25 20:16:16 Linux pluto[4025]: | 13 47 95 18 19 31 45 30 2e 22 f9 4d 85 2c 27 bc
Apr 25 20:16:16 Linux pluto[4025]: | 9e 9b e1 ae 1e 35 51 6f ab 80 f5 73 3c 15 8d 20
Apr 25 20:16:16 Linux pluto[4025]: | 4b 46 47 86 50 24 3f 13 15 7d d5 17
Apr 25 20:16:16 Linux pluto[4025]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #8
Apr 25 20:16:16 Linux pluto[4025]: | next event EVENT_RETRANSMIT in 2 seconds for #10
Apr 25 20:16:16 Linux pluto[4025]: | rejected packet:
Apr 25 20:16:16 Linux pluto[4025]: |
Apr 25 20:16:16 Linux pluto[4025]: | control:
Apr 25 20:16:16 Linux pluto[4025]: | 30 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: | 6f 00 00 00 02 03 03 00 00 00 00 00 00 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: | 02 00 00 00 c0 a8 2b 48 00 00 00 00 00 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: | name:
Apr 25 20:16:16 Linux pluto[4025]: | 02 00 01 f4 c0 a8 2b 48 00 00 00 00 00 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: ERROR: asynchronous network error report on wlan0 for message to 192.168.43.72 port 500, complainant 192.168.43.72: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Anybody please provide some update about this error and how to solve this issue.
Thanks for support.
Thanks,
-Kushagra
More information about the Users
mailing list