[strongSwan] How to configure Strongswan4.6.4/5.x with "IPSec Hybrid authentication with RSA" support

Andreas Steffen andreas.steffen at strongswan.org
Tue Jun 19 11:08:42 CEST 2012


Hello,

strongswan-5.0.0rc1 which was released today comes with an IKEv1 Hybrid
Mode example scenario:

  www.strongswan.org/uml/testresults5rc/ikev1/xauth-id-rsa-hybrid/

Regards

Andreas

On 06/19/2012 08:06 AM, TrippyBoy.com wrote:
> Hello,
>
> I would like to know how to configure Strongswan with "IPSec Hybrid
> authentication with RSA" support.
>
> # My Strongswan has XAUTH+RSA and XAUTH+PSK support and they work fine.
>
> I believe Strongswan supports "Hybrid authentication", as it is
> mentioned in the following link.
>
> ----------------------------------------
> CharonPlutoIKEv1 - strongSwan - strongSwan - IKEv2/IPsec VPN for
> Linux, Android, FreeBSD, Mac OS X
> http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1
>
> "To configure the new Hybrid Mode, define leftauth=xauth and rightauth=pubkey."
> ----------------------------------------
>
> I configured my Strongswan, ver5.0.0dr1, and installed it with the
> options below.
>
> ./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
> --with-random-device=/dev/urandom --enable-cisco-quirks
> --enable-xauth-generic --enable-xauth-eap
> make && make install
>
> I set up /etc/ipsec.d/hybrid-rsa.conf and restarted Strongswan.
> After that, I executed "ipsec statusall" to see how my connections are
> recognised.
> Then I tried to connect to my VPN server with Hybrid+RSA auth.
> I checked /var/log/charon.log.
>
> The log says
> --
> Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs
> matching 192.168.246.210...192.168.248.101[192.168.248.101]
> Jun 19 14:11:58 13[IKE] no peer config found
> --
>
> My questions are
> 1: Does Strongswan support Hybrid Authentication?
> 2: Does Strongswan support Hybrid Authentication with RSA?
> 3: What kind of configuration does Strongswan look for when the client
> asks for "HybridInitRSA"?
>
> If the 1st or 2nd of the questions above returns "YES", I would like to
> know the way to do so.
>
>
> ==== My Strongswan's profile ====
>
> + /etc/ipsec.conf
> config setup
>         plutodebug=all
>         plutostderrlog=/var/log/pluto.log
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>
> include /etc/ipsec.d/*.conf
>
> +/etc/ipsec.d/hybrid-rsa.conf
> conn hybridrsasig
>         keyexchange=ikev2
>         left=linux.hogehoge.jp
>         leftcert=serverCert.pem
>         leftauth=xauth
>         right=%any
>         rightsourceip=192.168.246.230/24
>         rightcert=clientCert.pem
>         rightauth=pubkey
>         pfs=no
>         auto=add
>
> +/etc/ipsec.d/xauth-psk.conf
> conn xauthpsk
>         keyexchange=ikev1
>         xauth=server
>         authby=xauthpsk
>         left=linux.fj-ngmt.jp
>         leftsubnet=0.0.0.0/0
>         right=%any
>         #rightauth=eap
>         rightsourceip=192.168.246.210/24
>         pfs=no
>         auto=add
>
> +/etc/ipsec.d/xauth-rsa.conf
> conn xauthrsasig
>         keyexchange=ikev1
>         xauth=server
>         authby=xauthrsasig
>         left=linux.fj-ngmt.jp
>         leftcert=serverCert.pem
>         right=%any
>         rightsourceip=192.168.246.220/24
>         rightcert=clientCert.pem
>         pfs=no
>         auto=add
>
>
> +/var/log/charon.log
> Jun 19 14:11:58 11[NET] received packet: from 192.168.248.101[500] to
> 192.168.246.210[500]
> Jun 19 14:11:58 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
> Jun 19 14:11:58 11[IKE] received NAT-T (RFC 3947) vendor ID
> Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
> Jun 19 14:11:58 11[IKE] received XAuth vendor ID
> Jun 19 14:11:58 11[IKE] received Cisco Unity vendor ID
> Jun 19 14:11:58 11[ENC] received unknown vendor ID:
> 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
> Jun 19 14:11:58 11[IKE] received DPD vendor ID
> Jun 19 14:11:58 11[IKE] 192.168.248.101 is initiating a Main Mode IKE_SA
> Jun 19 14:11:58 11[ENC] generating ID_PROT response 0 [ SA V V V ]
> Jun 19 14:11:58 11[NET] sending packet: from 192.168.246.210[500] to
> 192.168.248.101[500]
> Jun 19 14:11:58 12[NET] received packet: from 192.168.248.101[500] to
> 192.168.246.210[500]
> Jun 19 14:11:58 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> Jun 19 14:11:58 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
> Jun 19 14:11:58 12[NET] sending packet: from 192.168.246.210[500] to
> 192.168.248.101[500]
> Jun 19 14:11:58 13[NET] received packet: from 192.168.248.101[500] to
> 192.168.246.210[500]
> Jun 19 14:11:58 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
> Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs
> matching 192.168.246.210...192.168.248.101[192.168.248.101]
> Jun 19 14:11:58 13[IKE] no peer config found
> Jun 19 14:11:58 13[ENC] generating INFORMATIONAL_V1 request 4275396946
> [ HASH N(AUTH_FAILED) ]
> Jun 19 14:11:58 13[NET] sending packet: from 192.168.246.210[500] to
> 192.168.248.101[500]
>
>
> Thank you for your time in advance.
>
> Regards,
>
> Yukihisa kitagawa
> --
> TrippyBoy.com http://trippyboy.com/

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
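For readers following this thread later, the two-sided layout of an IKEv1 Hybrid Mode connection in the leftauth/rightauth style, as an added illustration that is neither the configuration posted above nor a copy of the test scenario's files. leftauth/rightauth describe the local/remote side respectively, so the gateway proves its identity with its RSA certificate while the roadwarrior is authenticated by XAuth credentials only; host names, certificate file names, subnets, the address pool and the XAuth user name are assumed placeholders.

```conf
# Gateway (responder) side: assumed placeholder names throughout
conn rw-hybrid
        keyexchange=ikev1          # Hybrid Mode exists in IKEv1 only
        left=gw.example.org
        leftid=@gw.example.org
        leftcert=gwCert.pem
        leftauth=pubkey            # local side authenticates with its RSA certificate
        leftsubnet=10.1.0.0/16
        right=%any
        rightauth=xauth            # remote side authenticates with XAuth only, no client certificate
        rightsourceip=10.3.0.0/24  # assumed virtual IP pool handed out to roadwarriors
        auto=add

# Roadwarrior (initiator) side: the mirror image of the gateway's conn
conn home-hybrid
        keyexchange=ikev1
        left=%defaultroute
        leftauth=xauth             # local side authenticates with XAuth only
        xauth_identity=carol       # assumed XAuth user name; its password lives in ipsec.secrets
        leftsourceip=%config       # request a virtual IP from the gateway's pool
        right=gw.example.org
        rightid=@gw.example.org
        rightauth=pubkey           # gateway must prove itself with its certificate
        rightsubnet=10.1.0.0/16
        auto=add
```

On both hosts ipsec.secrets then carries a line of the form `carol : XAUTH "<password>"`, and the gateway additionally needs a `: RSA gwKey.pem` line for its certificate's private key (file names again assumed).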