[strongSwan] How to configure Strongswan4.6.4/5.x with "IPSec Hybrid authentication with RSA" support

TrippyBoy.com trippyboy at trippyboy.com
Tue Jun 19 08:06:24 CEST 2012


Hello,

I would like to know how to configure Strongswan with "IPSec Hybrid
authentication with RSA" support.

# My Strongswan has XAUTH+RSA and XAUTH+PSK support and they work fine.

I believe Strongswan supports "Hybrid authentication", as it is
mentioned in the following link.

----------------------------------------
CharonPlutoIKEv1 - strongSwan - strongSwan - IKEv2/IPsec VPN for
Linux, Android, FreeBSD, Mac OS X
http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1

"To configure the new Hybrid Mode, define leftauth=xauth and rightauth=pubkey."
----------------------------------------

I configured my Strongswan, version 5.0.0dr1, and installed it with the
options below.

./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ \
    --with-random-device=/dev/urandom --enable-cisco-quirks \
    --enable-xauth-generic --enable-xauth-eap
make && make install

I set up /etc/ipsec.d/hybrid-rsa.conf and restarted Strongswan.
After that, I executed "ipsec statusall" to see how my connections are
recognised.
Then I tried to connect to my VPN server with Hybrid+RSA auth.
I checked /var/log/charon.log.

The log says
--
Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs
matching 192.168.246.210...192.168.248.101[192.168.248.101]
Jun 19 14:11:58 13[IKE] no peer config found
--

My questions are:
1: Does Strongswan support Hybrid Authentication?
2: Does Strongswan support Hybrid Authentication with RSA?
3: What kind of configuration does Strongswan look for when the client
asks for "HybridInitRSA"?

If the answer to the 1st or 2nd question above is "YES", I would like to
know how to do so.


==== My Strongswan's profile ====

+ /etc/ipsec.conf
config setup
       plutodebug=all
       plutostderrlog=/var/log/pluto.log
       nat_traversal=yes
       virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

include /etc/ipsec.d/*.conf

+/etc/ipsec.d/hybrid-rsa.conf
conn hybridrsasig
       keyexchange=ikev2
       left=linux.hogehoge.jp
       leftcert=serverCert.pem
       leftauth=xauth
       right=%any
       rightsourceip=192.168.246.230/24
       rightcert=clientCert.pem
       rightauth=pubkey
       pfs=no
       auto=add

+/etc/ipsec.d/xauth-psk.conf
conn xauthpsk
       keyexchange=ikev1
       xauth=server
       authby=xauthpsk
       left=linux.fj-ngmt.jp
       leftsubnet=0.0.0.0/0
       right=%any
       #rightauth=eap
       rightsourceip=192.168.246.210/24
       pfs=no
       auto=add

+/etc/ipsec.d/xauth-rsa.conf
conn xauthrsasig
       keyexchange=ikev1
       xauth=server
       authby=xauthrsasig
       left=linux.fj-ngmt.jp
       leftcert=serverCert.pem
       right=%any
       rightsourceip=192.168.246.220/24
       rightcert=clientCert.pem
       pfs=no
       auto=add


+/var/log/charon.log
Jun 19 14:11:58 11[NET] received packet: from 192.168.248.101[500] to
192.168.246.210[500]
Jun 19 14:11:58 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jun 19 14:11:58 11[IKE] received NAT-T (RFC 3947) vendor ID
Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jun 19 14:11:58 11[IKE] received XAuth vendor ID
Jun 19 14:11:58 11[IKE] received Cisco Unity vendor ID
Jun 19 14:11:58 11[ENC] received unknown vendor ID:
40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
Jun 19 14:11:58 11[IKE] received DPD vendor ID
Jun 19 14:11:58 11[IKE] 192.168.248.101 is initiating a Main Mode IKE_SA
Jun 19 14:11:58 11[ENC] generating ID_PROT response 0 [ SA V V V ]
Jun 19 14:11:58 11[NET] sending packet: from 192.168.246.210[500] to
192.168.248.101[500]
Jun 19 14:11:58 12[NET] received packet: from 192.168.248.101[500] to
192.168.246.210[500]
Jun 19 14:11:58 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 19 14:11:58 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 19 14:11:58 12[NET] sending packet: from 192.168.246.210[500] to
192.168.248.101[500]
Jun 19 14:11:58 13[NET] received packet: from 192.168.248.101[500] to
192.168.246.210[500]
Jun 19 14:11:58 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs
matching 192.168.246.210...192.168.248.101[192.168.248.101]
Jun 19 14:11:58 13[IKE] no peer config found
Jun 19 14:11:58 13[ENC] generating INFORMATIONAL_V1 request 4275396946
[ HASH N(AUTH_FAILED) ]
Jun 19 14:11:58 13[NET] sending packet: from 192.168.246.210[500] to
192.168.248.101[500]


Thank you for your time in advance.

Regards,

Yukihisa kitagawa
--
TrippyBoy.com http://trippyboy.com/
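As an added example (not part of this post or of strongSwan itself): a small Python checker that parses the conn blocks and the charon.log lookup lines shown above and reports, for each failed HybridInitRSA lookup, which settings of each conn rule it out. The responder-side settings it expects (keyexchange=ikev1, leftauth=pubkey, rightauth=xauth) and its treatment of keyexchange=ike as IKEv1-capable are assumptions taken from the strongSwan IKEv1 configuration documentation; it only understands explicit leftauth/rightauth lines, not authby= shorthands.

```python
import re
# Constructed sample input, cut down from the conn block and charon.log lines in the post above.
IPSEC_CONF = """\
conn hybridrsasig
       keyexchange=ikev2
       leftauth=xauth
       rightauth=pubkey
"""
CHARON_LOG = """\
Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs matching 192.168.246.210...192.168.248.101[192.168.248.101]
Jun 19 14:11:58 13[IKE] no peer config found
"""
# Assumed responder-side settings for a HybridInitRSA client: an IKEv1 conn ("ike" assumed to accept IKEv1 too), our side with a certificate, the peer with XAuth only.
HYBRID_RESPONDER = {"keyexchange": {"ikev1", "ike"}, "leftauth": {"pubkey"}, "rightauth": {"xauth"}}
LOOKUP = re.compile(r"\[CFG\] looking for (\S+) peer configs matching \S+\.\.\.(\S+)\[")

def parse_conns(text):
    """Parse 'conn NAME' blocks and their key=value lines into {name: {key: value}}."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def parse_lookups(text):
    """Pair each CFG 'looking for <method> peer configs' line with the result line after it."""
    lookups = []
    for line in text.splitlines():
        m = LOOKUP.search(line)
        if m:
            lookups.append({"method": m.group(1), "remote": m.group(2), "found": True})
        elif "no peer config found" in line and lookups:
            lookups[-1]["found"] = False
    return lookups

def hybrid_mismatches(conn):
    """List the settings of one conn that keep charon from selecting it for a HybridInitRSA client."""
    return [f"{k}={conn.get(k, '<unset>')} (need {'/'.join(sorted(v))})"
            for k, v in HYBRID_RESPONDER.items() if conn.get(k) not in v]
def diagnose(conf_text, log_text):
    """For every failed HybridInitRSA lookup, report per conn why it could not be matched."""
    conns = parse_conns(conf_text)
    return {lk["remote"]: {name: hybrid_mismatches(c) for name, c in conns.items()}
            for lk in parse_lookups(log_text) if not lk["found"] and lk["method"] == "HybridInitRSA"}
```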