[strongSwan] How to configure Strongswan4.6.4/5.x with "IPSec Hybrid authentication with RSA" support
TrippyBoy.com
trippyboy at trippyboy.com
Tue Jun 19 08:06:24 CEST 2012
Hello,
I would like to know how to configure Strongswan with "IPSec Hybrid
authentication with RSA" support.
# My Strongswan has XAUTH+RSA and XAUTH+PSK support and they work fine.
I believe Strongswan supports "Hybrid authentication", as it is
mentioned in the following link.
----------------------------------------
CharonPlutoIKEv1 - strongSwan - strongSwan - IKEv2/IPsec VPN for
Linux, Android, FreeBSD, Mac OS X
http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1
"To configure the new Hybrid Mode, define leftauth=xauth and rightauth=pubkey."
----------------------------------------
I configured my Strongswan, ver5.0.0dr1, and installed it with the
options bellow.
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
--with-random-device=/dev/urandom --enable-cisco-quirks
--enable-xauth-generic --enable-xauth-eap
make && make install
I setup /etc/ipsec.d/hybrd-rsa.conf and restarted Strongswan.
After that, I executed "ipsec statusall" to see how my connections are
recognised
Then I tried to connect to my VPN server with Hybrid+RSA auth.
I checked /var/log/charon.log.
The log says
--
Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs
matching 192.168.246.210...192.168.248.101[192.168.248.101]
Jun 19 14:11:58 13[IKE] no peer config found
--
My questions are
1: Does Strongswan support Hybrid Authentication?
2: Does Strongswan support Hybrid Authentication with RSA?
3: What kind of configration does Strongswan look for when the client
ask for "HybridInitRSA"?
If 1st or 2nd of the questions avobe returns "YES", I would like to
know the way to do so.
==== My Strongswan's profile ====
+ /etc/ipsec.conf
config setup
plutodebug=all
plutostderrlog=/var/log/pluto.log
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
include /etc/ipsec.d/*.conf
+/etc/ipsec.d/hybrid-rsa.conf
conn hybridrsasig
keyexchange=ikev2
left=linux.hogehoge.jp
leftcert=serverCert.pem
leftauth=xauth
right=%any
rightsourceip=192.168.246.230/24
rightcert=clientCert.pem
rightauth=pubkey
pfs=no
auto=add
+/etc/ipsec.d/xauth-psk.conf
conn xauthpsk
keyexchange=ikev1
xauth=server
authby=xauthpsk
left=linux.fj-ngmt.jp
leftsubnet=0.0.0.0/0
right=%any
#rightauth=eap
rightsourceip=192.168.246.210/24
pfs=no
auto=add
+/etc/ipsec.d/xauth-rsa.conf
conn xauthrsasig
keyexchange=ikev1
xauth=server
authby=xauthrsasig
left=linux.fj-ngmt.jp
leftcert=serverCert.pem
right=%any
rightsourceip=192.168.246.220/24
rightcert=clientCert.pem
pfs=no
auto=add
+/var/log/charon.log
Jun 19 14:11:58 11[NET] received packet: from 192.168.248.101[500] to
192.168.246.210[500]
Jun 19 14:11:58 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jun 19 14:11:58 11[IKE] received NAT-T (RFC 3947) vendor ID
Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jun 19 14:11:58 11[IKE] received XAuth vendor ID
Jun 19 14:11:58 11[IKE] received Cisco Unity vendor ID
Jun 19 14:11:58 11[ENC] received unknown vendor ID:
40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
Jun 19 14:11:58 11[IKE] received DPD vendor ID
Jun 19 14:11:58 11[IKE] 192.168.248.101 is initiating a Main Mode IKE_SA
Jun 19 14:11:58 11[ENC] generating ID_PROT response 0 [ SA V V V ]
Jun 19 14:11:58 11[NET] sending packet: from 192.168.246.210[500] to
192.168.248.101[500]
Jun 19 14:11:58 12[NET] received packet: from 192.168.248.101[500] to
192.168.246.210[500]
Jun 19 14:11:58 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 19 14:11:58 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 19 14:11:58 12[NET] sending packet: from 192.168.246.210[500] to
192.168.248.101[500]
Jun 19 14:11:58 13[NET] received packet: from 192.168.248.101[500] to
192.168.246.210[500]
Jun 19 14:11:58 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs
matching 192.168.246.210...192.168.248.101[192.168.248.101]
Jun 19 14:11:58 13[IKE] no peer config found
Jun 19 14:11:58 13[ENC] generating INFORMATIONAL_V1 request 4275396946
[ HASH N(AUTH_FAILED) ]
Jun 19 14:11:58 13[NET] sending packet: from 192.168.246.210[500] to
192.168.248.101[500]
Thank you for your time in advance.
Regards,
Yukihisa kitagawa
--
TrippyBoy.com http://trippyboy.com/
More information about the Users
mailing list