[strongSwan] How to configure Strongswan4.6.4/5.x with "IPSec Hybrid authentication with RSA" support

北川 敬寿 trippyboy at trippyboy.com
Tue Jun 19 11:39:45 CEST 2012


Hello Andreas,

Thank you for this information!
I will give it a try! :)

Regards,
Yukihisa Kitagawa



On 2012/06/19, at 18:08, Andreas Steffen <andreas.steffen at strongswan.org> wrote:

> Hello,
> 
> strongswan-5.0.0rc1 which was released today comes with an IKEv1 Hybrid
> Mode example scenario:
> 
> www.strongswan.org/uml/testresults5rc/ikev1/xauth-id-rsa-hybrid/
> 
> Regards
> 
> Andreas
> 
> On 06/19/2012 08:06 AM, TrippyBoy.com wrote:
>> Hello,
>> 
>> I would like to know how to configure Strongswan with "IPSec Hybrid
>> authentication with RSA" support.
>> 
>> # My Strongswan has XAUTH+RSA and XAUTH+PSK support and they work fine.
>> 
>> I believe Strongswan supports "Hybrid authentication", as it is
>> mentioned in the following link.
>> 
>> ----------------------------------------
>> CharonPlutoIKEv1 - strongSwan - strongSwan - IKEv2/IPsec VPN for
>> Linux, Android, FreeBSD, Mac OS X
>> http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1
>> 
>> "To configure the new Hybrid Mode, define leftauth=xauth and rightauth=pubkey."
>> ----------------------------------------
>> 
>> I configured my Strongswan, ver 5.0.0dr1, and installed it with the
>> options below.
>> 
>> ./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
>> --with-random-device=/dev/urandom --enable-cisco-quirks
>> --enable-xauth-generic --enable-xauth-eap
>> make && make install
>> 
>> I set up /etc/ipsec.d/hybrid-rsa.conf and restarted Strongswan.
>> After that, I executed "ipsec statusall" to see how my connections are
>> recognised.
>> Then I tried to connect to my VPN server with Hybrid+RSA auth.
>> I checked /var/log/charon.log.
>> 
>> The log says
>> --
>> Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs
>> matching 192.168.246.210...192.168.248.101[192.168.248.101]
>> Jun 19 14:11:58 13[IKE] no peer config found
>> --
>> 
>> My questions are
>> 1: Does Strongswan support Hybrid Authentication?
>> 2: Does Strongswan support Hybrid Authentication with RSA?
>> 3: What kind of configuration does Strongswan look for when the client
>> asks for "HybridInitRSA"?
>> 
>> If the 1st or 2nd of the questions above returns "YES", I would like to
>> know the way to do so.
>> 
>> 
>> ==== My Strongswan's profile ====
>> 
>> + /etc/ipsec.conf
>> config setup
>>        plutodebug=all
>>        plutostderrlog=/var/log/pluto.log
>>        nat_traversal=yes
>>        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>> 
>> include /etc/ipsec.d/*.conf
>> 
>> +/etc/ipsec.d/hybrid-rsa.conf
>> conn hybridrsasig
>>        keyexchange=ikev2
>>        left=linux.hogehoge.jp
>>        leftcert=serverCert.pem
>>        leftauth=xauth
>>        right=%any
>>        rightsourceip=192.168.246.230/24
>>        rightcert=clientCert.pem
>>        rightauth=pubkey
>>        pfs=no
>>        auto=add
>> 
>> +/etc/ipsec.d/xauth-psk.conf
>> conn xauthpsk
>>        keyexchange=ikev1
>>        xauth=server
>>        authby=xauthpsk
>>        left=linux.fj-ngmt.jp
>>        leftsubnet=0.0.0.0/0
>>        right=%any
>>        #rightauth=eap
>>        rightsourceip=192.168.246.210/24
>>        pfs=no
>>        auto=add
>> 
>> +/etc/ipsec.d/xauth-rsa.conf
>> conn xauthrsasig
>>        keyexchange=ikev1
>>        xauth=server
>>        authby=xauthrsasig
>>        left=linux.fj-ngmt.jp
>>        leftcert=serverCert.pem
>>        right=%any
>>        rightsourceip=192.168.246.220/24
>>        rightcert=clientCert.pem
>>        pfs=no
>>        auto=add
>> 
>> 
>> +/var/log/charon.log
>> Jun 19 14:11:58 11[NET] received packet: from 192.168.248.101[500] to
>> 192.168.246.210[500]
>> Jun 19 14:11:58 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
>> Jun 19 14:11:58 11[IKE] received NAT-T (RFC 3947) vendor ID
>> Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
>> Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
>> Jun 19 14:11:58 11[IKE] received XAuth vendor ID
>> Jun 19 14:11:58 11[IKE] received Cisco Unity vendor ID
>> Jun 19 14:11:58 11[ENC] received unknown vendor ID:
>> 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
>> Jun 19 14:11:58 11[IKE] received DPD vendor ID
>> Jun 19 14:11:58 11[IKE] 192.168.248.101 is initiating a Main Mode IKE_SA
>> Jun 19 14:11:58 11[ENC] generating ID_PROT response 0 [ SA V V V ]
>> Jun 19 14:11:58 11[NET] sending packet: from 192.168.246.210[500] to
>> 192.168.248.101[500]
>> Jun 19 14:11:58 12[NET] received packet: from 192.168.248.101[500] to
>> 192.168.246.210[500]
>> Jun 19 14:11:58 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> Jun 19 14:11:58 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
>> Jun 19 14:11:58 12[NET] sending packet: from 192.168.246.210[500] to
>> 192.168.248.101[500]
>> Jun 19 14:11:58 13[NET] received packet: from 192.168.248.101[500] to
>> 192.168.246.210[500]
>> Jun 19 14:11:58 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
>> Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs
>> matching 192.168.246.210...192.168.248.101[192.168.248.101]
>> Jun 19 14:11:58 13[IKE] no peer config found
>> Jun 19 14:11:58 13[ENC] generating INFORMATIONAL_V1 request 4275396946
>> [ HASH N(AUTH_FAILED) ]
>> Jun 19 14:11:58 13[NET] sending packet: from 192.168.246.210[500] to
>> 192.168.248.101[500]
>> 
>> 
>> Thank you for your time in advance.
>> 
>> Regards,
>> 
>> Yukihisa Kitagawa
>> --
>> TrippyBoy.com http://trippyboy.com/
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
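A responder-side (VPN server) ipsec.conf for the IKEv1 Hybrid Mode scenario Andreas points to, added here as an illustration; it is not taken from the thread or from the strongSwan test suite, and the hostname, certificate file names and address pool are placeholders. It assumes strongSwan 5.x built with the xauth-generic plugin, as in the configure line above, and relies on "left" always meaning the local side in strongSwan, so the wiki sentence (written from the client's view) swaps sides on the server.

```ini
# /etc/ipsec.d/hybrid-rsa.conf on the responder (VPN server); placeholder names
conn hybridrsa
        keyexchange=ikev1            # Hybrid Mode exists only in IKEv1; a conn with
                                     # ikev2 is never a candidate when charon looks for
                                     # "HybridInitRSA peer configs" in a Main Mode exchange
        left=vpn.example.org         # placeholder: the server's own FQDN or address
        leftcert=serverCert.pem      # the server proves its identity with its RSA cert
        leftauth=pubkey              # local side: certificate (the wiki's rightauth=pubkey
                                     # as seen from the client)
        leftsubnet=0.0.0.0/0
        right=%any                   # road warriors
        rightauth=xauth              # remote side: XAuth username/password only, no client
                                     # certificate, so no rightcert= line is needed
        rightsourceip=10.10.10.0/24  # placeholder virtual IP pool handed to clients
        auto=add

# /etc/ipsec.secrets (placeholder credentials; one XAUTH line per user)
# : RSA serverKey.pem
# alice : XAUTH "placeholder-password"
```

Because the Hybrid conn is selected by the authentication method the client proposes (HybridInitRSA rather than XAuthInitRSA or XAuthInitPSK), it can coexist with the xauthrsa and xauthpsk conns already shown, provided their rightsourceip pools do not overlap.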