[strongSwan] How to configure Strongswan4.6.4/5.x with "IPSec Hybrid authentication with RSA" support

TrippyBoy.com trippyboy at trippyboy.com
Tue Jun 19 11:25:12 CEST 2012


Hello Martin,

Thank you for your quick response.

>> 1: Does Strongswan support Hybrid Authentication?
>> 2: Does Strongswan support Hybrid Authentication with RSA?
>
> Yes, we support Hybrid Mode in our experimental 5.0 pre-release.

Thank you for this information.
Now I know I was right to stop trying to install hybrid on Strongswan 4.6.4.

>> 3: What kind of configuration does Strongswan look for when the client
>> asks for "HybridInitRSA"?
>
>>        left=linux.hogehoge.jp
>>        leftcert=serverCert.pem
>>        leftauth=xauth
>>        right=%any
>>        rightsourceip=192.168.246.230/24
>>        rightcert=clientCert.pem
>>        rightauth=pubkey
>
> Left seems to be your responder. In Hybrid mode, the responder
> authenticates with a public key, the initiator with XAuth only. Try it
> the other way round:
>
>   leftauth=pubkey
>   rightauth=xauth

Yes, left is my responder which is my server. I say left for "Local".

I put "leftauth=pubkey" to let left authenticate with a public key,
thank you for your suggestion. And I put "rightauth=xauth" to allow the
right peer to use xauth to authenticate with my VPN server.

I gave it a try... I'm afraid I see no success :(

-- my new config

conn hybridrsasig
        keyexchange=ikev2
        left=linux.fj-ngmt.jp
        leftcert=serverCert.pem
        leftauth=pubkey
        right=%any
        rightsourceip=192.168.246.230/24
        rightcert=clientCert.pem
        rightauth=xauth
        pfs=no
        auto=add

-- start and stop strongswan, we call it restart.
[root at linux ipsec.d]# ipsec stop
Stopping strongSwan IPsec...
[root at linux ipsec.d]#
[root at linux ipsec.d]# ipsec start
Starting strongSwan 5.0.0dr1 IPsec [starter]...
[root at linux ipsec.d]#

-- ipsec statusall
[root at linux ipsec.d]# ipsec statusall | grep hybrid
  hybridrsasig: 255/0/0
hybridrsasig:  linux.fj-ngmt.jp...%any  IKEv2
hybridrsasig:   local:  [C=JP, O=Strongswan, CN=linux.hogehoge.jp] uses public key authentication
hybridrsasig:    cert:  "C=JP, O=Strongswan, CN=linux.hogehoge.jp"
hybridrsasig:   remote: [C=JP, O=Strongswan, CN=client] uses XAuth authentication: any
hybridrsasig:    cert:  "C=JP, O=Strongswan, CN=client"
hybridrsasig:   child:  dynamic === dynamic TUNNEL
[root at linux ipsec.d]#


I still get "no peer config found".

Jun 19 17:58:35 11[NET] received packet: from 192.168.248.101[500] to 192.168.246.210[500]
Jun 19 17:58:35 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jun 19 17:58:35 11[IKE] received NAT-T (RFC 3947) vendor ID
Jun 19 17:58:35 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jun 19 17:58:35 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 19 17:58:35 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jun 19 17:58:35 11[IKE] received XAuth vendor ID
Jun 19 17:58:35 11[IKE] received Cisco Unity vendor ID
Jun 19 17:58:35 11[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
Jun 19 17:58:35 11[IKE] received DPD vendor ID
Jun 19 17:58:35 11[IKE] 192.168.248.101 is initiating a Main Mode IKE_SA
Jun 19 17:58:35 11[ENC] generating ID_PROT response 0 [ SA V V V ]
Jun 19 17:58:35 11[NET] sending packet: from 192.168.246.210[500] to 192.168.248.101[500]
Jun 19 17:58:35 12[NET] received packet: from 192.168.248.101[500] to 192.168.246.210[500]
Jun 19 17:58:35 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 19 17:58:35 12[IKE] faking NAT situation to enforce UDP encapsulation
Jun 19 17:58:35 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 19 17:58:35 12[NET] sending packet: from 192.168.246.210[500] to 192.168.248.101[500]
Jun 19 17:58:35 13[NET] received packet: from 192.168.248.101[4500] to 192.168.246.210[4500]
Jun 19 17:58:35 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jun 19 17:58:35 13[CFG] looking for HybridInitRSA peer configs matching 192.168.246.210...192.168.248.101[192.168.248.101]
Jun 19 17:58:35 13[IKE] no peer config found
Jun 19 17:58:35 13[ENC] generating INFORMATIONAL_V1 request 1053667702 [ HASH N(AUTH_FAILED) ]
Jun 19 17:58:35 13[NET] sending packet: from 192.168.246.210[4500] to 192.168.248.101[4500]

I will give it a try with a client that used "Hybrid" authentication
without RSA and see if this works.

Also I will try a few times to see if I can create a "HybridInitRSA"
connection by adding some left/rightauth2 fields.

I would love it if you have more suggestions and support. :)

>
> Regards
> Martin
>

Regards
Yukihisa Kitagawa

-- 
TrippyBoy.com http://trippyboy.com/
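The log quoted in the mail already says why the lookup fails: the client opens an IKEv1 Main Mode exchange and asks for HybridInitRSA, while the posted conn is pinned to keyexchange=ikev2, and rightcert makes the expected remote identity a certificate DN that an XAuth-only client never presents. The script below is an added example for this thread, not code from the mail or from strongSwan: it parses charon log lines in the format quoted above, summarises what the peer negotiated, and compares that against a conn block expressed as key/value pairs. The sample log and sample conn are constructed from the thread (re-joined into single lines); the "selected peer config" wording used for the success path is assumed from charon's normal output and is not in the quoted log.

```python
import re

# Constructed sample: the charon lines quoted in the mail, with the mail-client
# line wrapping undone so each event is one line.
SAMPLE_LOG = """\
Jun 19 17:58:35 11[NET] received packet: from 192.168.248.101[500] to 192.168.246.210[500]
Jun 19 17:58:35 11[IKE] received XAuth vendor ID
Jun 19 17:58:35 11[IKE] 192.168.248.101 is initiating a Main Mode IKE_SA
Jun 19 17:58:35 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jun 19 17:58:35 13[CFG] looking for HybridInitRSA peer configs matching 192.168.246.210...192.168.248.101[192.168.248.101]
Jun 19 17:58:35 13[IKE] no peer config found
Jun 19 17:58:35 13[ENC] generating INFORMATIONAL_V1 request 1053667702 [ HASH N(AUTH_FAILED) ]
"""

# Constructed sample: the conn block posted in the mail, as key/value pairs.
SAMPLE_CONN = {
    "keyexchange": "ikev2",
    "left": "linux.fj-ngmt.jp",
    "leftcert": "serverCert.pem",
    "leftauth": "pubkey",
    "right": "%any",
    "rightsourceip": "192.168.246.230/24",
    "rightcert": "clientCert.pem",
    "rightauth": "xauth",
}

# "X is initiating a Main Mode IKE_SA" (IKEv1) vs "X is initiating an IKE_SA" (IKEv2)
INIT_RE = re.compile(
    r"(?P<peer>\S+) is initiating an? (?:(?P<mode>Main Mode|Aggressive Mode) )?IKE_SA"
)
# "looking for <method> peer configs matching <me>...<peer>[<peer id>]"
LOOKUP_RE = re.compile(
    r"looking for (?P<method>\S+) peer configs matching "
    r"(?P<me>\S+?)\.\.\.(?P<peer>[^\[]+)\[(?P<pid>[^\]]+)\]"
)


def parse_negotiation(log_text):
    """Summarise one inbound IKE negotiation from charon log lines."""
    neg = {"peer": None, "ike_version": None, "mode": None, "auth_method": None,
           "peer_id": None, "config_found": None, "auth_failed": False}
    for line in log_text.splitlines():
        m = INIT_RE.search(line)
        if m:
            neg["peer"] = m.group("peer")
            neg["mode"] = m.group("mode")
            # Main/Aggressive Mode only exist in IKEv1; IKEv2 logs a bare IKE_SA.
            neg["ike_version"] = "ikev1" if m.group("mode") else "ikev2"
            continue
        m = LOOKUP_RE.search(line)
        if m:
            neg["auth_method"] = m.group("method")
            neg["peer_id"] = m.group("pid")
            continue
        if "no peer config found" in line:
            neg["config_found"] = False
        elif "selected peer config" in line:  # assumed wording for the success case
            neg["config_found"] = True
        if "N(AUTH_FAILED)" in line:
            neg["auth_failed"] = True
    return neg


def check_conn(conn, neg):
    """Return findings where the conn block cannot match the observed negotiation."""
    findings = []
    kx = conn.get("keyexchange", "ike")  # strongSwan 5 default 'ike' accepts both versions
    if neg["ike_version"] == "ikev1" and kx == "ikev2":
        findings.append("keyexchange=ikev2 never matches an IKEv1 %s proposal from %s; "
                        "use keyexchange=ikev1 (or ike)" % (neg["mode"], neg["peer"]))
    if neg["ike_version"] == "ikev2" and kx == "ikev1":
        findings.append("keyexchange=ikev1 never matches an IKEv2 IKE_SA from %s" % neg["peer"])
    if (neg["auth_method"] or "").startswith("Hybrid"):
        # Hybrid mode: responder proves itself with a public key, initiator with XAuth only.
        if conn.get("leftauth") != "pubkey":
            findings.append("Hybrid mode needs leftauth=pubkey on the responder")
        if conn.get("rightauth") != "xauth":
            findings.append("Hybrid mode needs rightauth=xauth for the initiator")
        if "rightcert" in conn:
            findings.append("rightcert=%s makes rightid default to that certificate's subject DN, "
                            "but an XAuth-only client sends no certificate and identified "
                            "itself as %s" % (conn["rightcert"], neg["peer_id"]))
    return findings


if __name__ == "__main__":
    negotiation = parse_negotiation(SAMPLE_LOG)
    print("negotiation:", negotiation)
    for finding in check_conn(SAMPLE_CONN, negotiation):
        print("finding:", finding)
```

Feed it the raw charon log of one failed connection attempt and the conn block under test; an empty findings list means the block at least survives the checks the quoted log exposes (IKE version and Hybrid-mode auth roles), not that the connection will come up, since XAuth credentials, proposals and traffic selectors are checked later in the exchange.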
