[strongSwan] received invalid IKE header (OSX to Linux)

Craig Day craigday at gmail.com
Wed Jun 20 12:11:52 CEST 2012


Hi Users,

I am trying to set up a VPN between OSX (client) and Linux (server). I have
generated and successfully installed all the required keys and certificates,
i.e. a CA cert, and a cert for both the client and the server (signed with
the CA cert). I wrapped up the client and CA cert into pkcs12 and
successfully installed and trusted them on the OSX client side. I am using
the built-in OSX VPN client, configured to use the client cert for user
auth and machine auth. All looks good. On the server side:

root@lwlserver:~/strongswan-4.6.4# ipsec --version
Linux strongSwan U4.6.4/K2.6.35-32-server

ipsec.conf:

config setup
        crlcheckinterval=180
        strictcrlpolicy=no

ca livewireca
        cacert=LivewireCACert.pem
        auto=add

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn rw
        left=203.161.119.62
        leftcert=VPNServerCert.pem
        leftid="C=AU, ST=Western Australia, O=Livewire Labs Pty Ltd, CN=Livewire Labs VPNServer"
        leftsubnet=192.168.20.0/24
        rightid="C=AU, ST=Western Australia, O=Livewire Labs Pty Ltd, CN=Livewire Labs VPNClient"
        auto=add

ipsec.secrets:

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA VPNServerKey.pem "its a secret"

Running ipsec statusall before the connect attempt gives me:

root@lwlserver:~/strongswan-4.6.4# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.6.4):
  uptime: 7 seconds, since Jun 20 17:35:27 2012
  malloc: sbrk 405504, mmap 0, used 285632, free 119872
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
scheduled: 0
  loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints
pubkey pkcs1 pkcs8 pgp pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac
attr kernel-netlink resolve socket-default stroke updown eap-identity
eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2
Listening IP addresses:
  192.168.20.2
Connections:
          rw:  203.161.119.62...%any
          rw:   local:  [C=AU, ST=Western Australia, O=Livewire Labs Pty
Ltd, CN=Livewire Labs VPNServer] uses public key authentication
          rw:    cert:  "C=AU, ST=Western Australia, O=Livewire Labs Pty
Ltd, CN=Livewire Labs VPNServer"
          rw:   remote: [C=AU, ST=Western Australia, O=Livewire Labs Pty
Ltd, CN=Livewire Labs VPNClient] uses any authentication
          rw:   child:  192.168.20.0/24 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none

Here's the log of the startup and the subsequent failed connection attempt:

root@lwlserver:/etc/ipsec.d/private# grep -v ASN /var/log/charon.log
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.4)
00[LIB] plugin 'aes': loaded successfully
00[LIB] plugin 'des': loaded successfully
00[LIB] plugin 'sha1': loaded successfully
00[LIB] plugin 'sha2': loaded successfully
00[LIB] plugin 'md5': loaded successfully
00[LIB] plugin 'random': loaded successfully
00[LIB] plugin 'x509': loaded successfully
00[LIB] plugin 'revocation': loaded successfully
00[LIB] plugin 'constraints': loaded successfully
00[LIB] plugin 'pubkey': loaded successfully
00[LIB] plugin 'pkcs1': loaded successfully
00[LIB] plugin 'pkcs8': loaded successfully
00[LIB] plugin 'pgp': loaded successfully
00[LIB] plugin 'pem': loaded successfully
00[LIB] plugin 'openssl': loaded successfully
00[LIB] plugin 'gcrypt': loaded successfully
00[LIB] plugin 'fips-prf': loaded successfully
00[LIB] plugin 'gmp': loaded successfully
00[LIB] plugin 'agent': loaded successfully
00[LIB] plugin 'xcbc': loaded successfully
00[LIB] plugin 'cmac': loaded successfully
00[LIB] plugin 'hmac': loaded successfully
00[LIB] plugin 'attr': loaded successfully
00[LIB] plugin 'kernel-netlink': loaded successfully
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]     192.168.20.2
00[KNL]     fe80::21e:58ff:fe49:5037
00[LIB] plugin 'resolve': loaded successfully
00[LIB] plugin 'socket-default': loaded successfully
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=AU, ST=Western Australia, L=Perth,
O=Livewire Labs Pty Ltd, CN=Livewire Labs CA" from
'/etc/ipsec.d/cacerts/LivewireCACert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/VPNServerKey.pem'
00[LIB] plugin 'stroke': loaded successfully
00[LIB] plugin 'updown': loaded successfully
00[LIB] plugin 'eap-identity': loaded successfully
00[LIB] plugin 'eap-aka': loaded successfully
00[LIB] plugin 'eap-aka-3gpp2': loaded successfully
00[LIB] plugin 'eap-md5': loaded successfully
00[LIB] plugin 'eap-gtc': loaded successfully
00[LIB] plugin 'eap-mschapv2': loaded successfully
00[CFG] DBUS binding failed
00[LIB] plugin 'nm': failed to load - nm_plugin_create returned NULL
00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation
constraints pubkey pkcs1 pkcs8 pgp pem openssl gcrypt fips-prf gmp agent
xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown
eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2
00[JOB] spawning 16 worker threads
01[LIB] created thread 01 [11370]
01[JOB] started worker thread 01
02[LIB] created thread 02 [11371]
02[JOB] started worker thread 02
04[LIB] created thread 04 [11373]
03[LIB] created thread 03 [11372]
03[JOB] started worker thread 03
06[LIB] created thread 06 [11375]
06[JOB] started worker thread 06
08[LIB] created thread 08 [11377]
08[JOB] started worker thread 08
05[LIB] created thread 05 [11374]
13[LIB] created thread 13 [11382]
10[LIB] created thread 10 [11379]
15[LIB] created thread 15 [11384]
15[JOB] started worker thread 15
01[JOB] no events, waiting
11[LIB] created thread 11 [11380]
11[JOB] started worker thread 11
12[LIB] created thread 12 [11381]
12[JOB] started worker thread 12
11[NET] waiting for data on sockets
09[LIB] created thread 09 [11378]
09[JOB] started worker thread 09
14[LIB] created thread 14 [11383]
14[JOB] started worker thread 14
10[JOB] started worker thread 10
07[LIB] created thread 07 [11376]
07[JOB] started worker thread 07
13[JOB] started worker thread 13
04[JOB] started worker thread 04
05[JOB] started worker thread 05
16[LIB] created thread 16 [11385]
16[JOB] started worker thread 16
12[CFG] stroke message => 614 bytes @ 0x7f8eb7892a80
... (removed for brevity)
12[CFG] received stroke: add ca 'livewireca'
12[CFG] ca livewireca
12[CFG]   cacert=LivewireCACert.pem
12[CFG]   crluri=(null)
12[CFG]   crluri2=(null)
12[CFG]   ocspuri=(null)
12[CFG]   ocspuri2=(null)
12[CFG]   certuribase=(null)
12[CFG] added ca 'livewireca'
10[CFG] stroke message => 863 bytes @ 0x7f8eb8894990
... (removed for brevity)
10[CFG] received stroke: add connection 'rw'
10[CFG] conn rw
10[CFG]   left=203.161.119.62
10[CFG]   leftsubnet=192.168.20.0/24
10[CFG]   leftsourceip=(null)
10[CFG]   leftauth=(null)
10[CFG]   leftauth2=(null)
10[CFG]   leftid=C=AU, ST=Western Australia, O=Livewire Labs Pty Ltd,
CN=Livewire Labs VPNServer
10[CFG]   leftid2=(null)
10[CFG]   leftrsakey=(null)
10[CFG]   leftcert=VPNServerCert.pem
10[CFG]   leftcert2=(null)
10[CFG]   leftca=(null)
10[CFG]   leftca2=(null)
10[CFG]   leftgroups=(null)
10[CFG]   leftupdown=(null)
10[CFG]   right=%any
10[CFG]   rightsubnet=(null)
10[CFG]   rightsourceip=(null)
10[CFG]   rightauth=(null)
10[CFG]   rightauth2=(null)
10[CFG]   rightid=C=AU, ST=Western Australia, O=Livewire Labs Pty Ltd,
CN=Livewire Labs VPNClient
10[CFG]   rightid2=(null)
10[CFG]   rightrsakey=(null)
10[CFG]   rightcert=(null)
10[CFG]   rightcert2=(null)
10[CFG]   rightca=(null)
10[CFG]   rightca2=(null)
10[CFG]   rightgroups=(null)
10[CFG]   rightupdown=(null)
10[CFG]   eap_identity=(null)
10[CFG]   aaa_identity=(null)
10[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
10[CFG]   esp=aes128-sha1,3des-sha1
10[CFG]   dpddelay=30
10[CFG]   dpdaction=0
10[CFG]   closeaction=0
10[CFG]   mediation=no
10[CFG]   mediated_by=(null)
10[CFG]   me_peerid=(null)
10[KNL] getting interface name for %any
10[KNL] %any is not a local address
10[KNL] getting interface name for 203.161.119.62
10[KNL] 203.161.119.62 is not a local address
10[CFG] left nor right host is our side, assuming left=local
10[CFG]   loaded certificate "C=AU, ST=Western Australia, O=Livewire Labs
Pty Ltd, CN=Livewire Labs VPNServer" from 'VPNServerCert.pem'
10[CFG] added configuration 'rw'
07[CFG] stroke message => 584 bytes @ 0x7f8eba097aa0
... (removed for brevity)
07[CFG] proposing traffic selectors for us:
07[CFG]  192.168.20.0/24 (derived from 192.168.20.0/24)
07[CFG] proposing traffic selectors for other:
07[CFG]  dynamic (derived from dynamic)
11[NET] received packet => 476 bytes @ 0x7f8eb8091370
11[NET]    0: 22 6E D8 2A 38 A2 4A C2 00 00 00 00 00 00 00 00
 "n.*8.J.........
11[NET]   16: 01 10 02 00 00 00 00 00 00 00 01 DC 0D 00 00 E4
 ................
11[NET]   32: 00 00 00 01 00 00 00 01 00 00 00 D8 01 01 00 06
 ................
11[NET]   48: 03 00 00 24 01 01 00 00 80 0B 00 01 80 0C 0E 10
 ...$............
11[NET]   64: 80 01 00 07 80 0E 01 00 80 03 00 03 80 02 00 02
 ................
11[NET]   80: 80 04 00 02 03 00 00 24 02 01 00 00 80 0B 00 01
 .......$........
11[NET]   96: 80 0C 0E 10 80 01 00 07 80 0E 01 00 80 03 00 03
 ................
11[NET]  112: 80 02 00 01 80 04 00 02 03 00 00 24 03 01 00 00
 ...........$....
11[NET]  128: 80 0B 00 01 80 0C 0E 10 80 01 00 07 80 0E 00 80
 ................
11[NET]  144: 80 03 00 03 80 02 00 02 80 04 00 02 03 00 00 24
 ...............$
11[NET]  160: 04 01 00 00 80 0B 00 01 80 0C 0E 10 80 01 00 07
 ................
11[NET]  176: 80 0E 00 80 80 03 00 03 80 02 00 01 80 04 00 02
 ................
11[NET]  192: 03 00 00 20 05 01 00 00 80 0B 00 01 80 0C 0E 10  ...
............
11[NET]  208: 80 01 00 05 80 03 00 03 80 02 00 02 80 04 00 02
 ................
11[NET]  224: 00 00 00 20 06 01 00 00 80 0B 00 01 80 0C 0E 10  ...
............
11[NET]  240: 80 01 00 05 80 03 00 03 80 02 00 01 80 04 00 02
 ................
11[NET]  256: 0D 00 00 14 4A 13 1C 81 07 03 58 45 5C 57 28 F2
 ....J.....XE\W(.
11[NET]  272: 0E 95 45 2F 0D 00 00 14 4D F3 79 28 E9 FC 4F D1
 ..E/....M.y(..O.
11[NET]  288: B3 26 21 70 D5 15 C6 62 0D 00 00 14 8F 8D 83 82
 .&!p...b........
11[NET]  304: 6D 24 6B 6F C7 A8 A6 A4 28 C1 1D E8 0D 00 00 14
 m$ko....(.......
11[NET]  320: 43 9B 59 F8 BA 67 6C 4C 77 37 AE 22 EA B8 F5 82
 C.Y..glLw7."....
11[NET]  336: 0D 00 00 14 4D 1E 0E 13 6D EA FA 34 C4 F3 EA 9F
 ....M...m..4....
11[NET]  352: 02 EC 72 85 0D 00 00 14 80 D0 BB 3D EF 54 56 5E
 ..r........=.TV^
11[NET]  368: E8 46 45 D4 C8 5C E3 EE 0D 00 00 14 99 09 B6 4E
 .FE..\.........N
11[NET]  384: ED 93 7C 65 73 DE 52 AC E9 52 FA 6B 0D 00 00 14
 ..|es.R..R.k....
11[NET]  400: 7D 94 19 A6 53 10 CA 6F 2C 17 9D 92 15 52 9D 56
 }...S..o,....R.V
11[NET]  416: 0D 00 00 14 CD 60 46 43 35 DF 21 F8 7C FD B2 FC
 .....`FC5.!.|...
11[NET]  432: 68 B6 A4 48 0D 00 00 14 90 CB 80 91 3E BB 69 6E
 h..H........>.in
11[NET]  448: 08 63 81 B5 EC 42 7B 1F 00 00 00 14 AF CA D7 13
 .c...B{.........
11[NET]  464: 68 A1 F1 C9 6B 86 96 FC 77 57 01 00              h...k...wW..
11[NET] received packet: from 192.168.20.3[500] to 192.168.20.2[500]
11[ENC] parsing header of message
11[ENC] parsing HEADER payload, 476 bytes left
11[ENC] parsing payload from => 476 bytes @ 0x7f8eb0000d20
11[ENC]    0: 22 6E D8 2A 38 A2 4A C2 00 00 00 00 00 00 00 00
 "n.*8.J.........
11[ENC]   16: 01 10 02 00 00 00 00 00 00 00 01 DC 0D 00 00 E4
 ................
11[ENC]   32: 00 00 00 01 00 00 00 01 00 00 00 D8 01 01 00 06
 ................
11[ENC]   48: 03 00 00 24 01 01 00 00 80 0B 00 01 80 0C 0E 10
 ...$............
11[ENC]   64: 80 01 00 07 80 0E 01 00 80 03 00 03 80 02 00 02
 ................
11[ENC]   80: 80 04 00 02 03 00 00 24 02 01 00 00 80 0B 00 01
 .......$........
11[ENC]   96: 80 0C 0E 10 80 01 00 07 80 0E 01 00 80 03 00 03
 ................
11[ENC]  112: 80 02 00 01 80 04 00 02 03 00 00 24 03 01 00 00
 ...........$....
11[ENC]  128: 80 0B 00 01 80 0C 0E 10 80 01 00 07 80 0E 00 80
 ................
11[ENC]  144: 80 03 00 03 80 02 00 02 80 04 00 02 03 00 00 24
 ...............$
11[ENC]  160: 04 01 00 00 80 0B 00 01 80 0C 0E 10 80 01 00 07
 ................
11[ENC]  176: 80 0E 00 80 80 03 00 03 80 02 00 01 80 04 00 02
 ................
11[ENC]  192: 03 00 00 20 05 01 00 00 80 0B 00 01 80 0C 0E 10  ...
............
11[ENC]  208: 80 01 00 05 80 03 00 03 80 02 00 02 80 04 00 02
 ................
11[ENC]  224: 00 00 00 20 06 01 00 00 80 0B 00 01 80 0C 0E 10  ...
............
11[ENC]  240: 80 01 00 05 80 03 00 03 80 02 00 01 80 04 00 02
 ................
11[ENC]  256: 0D 00 00 14 4A 13 1C 81 07 03 58 45 5C 57 28 F2
 ....J.....XE\W(.
11[ENC]  272: 0E 95 45 2F 0D 00 00 14 4D F3 79 28 E9 FC 4F D1
 ..E/....M.y(..O.
11[ENC]  288: B3 26 21 70 D5 15 C6 62 0D 00 00 14 8F 8D 83 82
 .&!p...b........
11[ENC]  304: 6D 24 6B 6F C7 A8 A6 A4 28 C1 1D E8 0D 00 00 14
 m$ko....(.......
11[ENC]  320: 43 9B 59 F8 BA 67 6C 4C 77 37 AE 22 EA B8 F5 82
 C.Y..glLw7."....
11[ENC]  336: 0D 00 00 14 4D 1E 0E 13 6D EA FA 34 C4 F3 EA 9F
 ....M...m..4....
11[ENC]  352: 02 EC 72 85 0D 00 00 14 80 D0 BB 3D EF 54 56 5E
 ..r........=.TV^
11[ENC]  368: E8 46 45 D4 C8 5C E3 EE 0D 00 00 14 99 09 B6 4E
 .FE..\.........N
11[ENC]  384: ED 93 7C 65 73 DE 52 AC E9 52 FA 6B 0D 00 00 14
 ..|es.R..R.k....
11[ENC]  400: 7D 94 19 A6 53 10 CA 6F 2C 17 9D 92 15 52 9D 56
 }...S..o,....R.V
11[ENC]  416: 0D 00 00 14 CD 60 46 43 35 DF 21 F8 7C FD B2 FC
 .....`FC5.!.|...
11[ENC]  432: 68 B6 A4 48 0D 00 00 14 90 CB 80 91 3E BB 69 6E
 h..H........>.in
11[ENC]  448: 08 63 81 B5 EC 42 7B 1F 00 00 00 14 AF CA D7 13
 .c...B{.........
11[ENC]  464: 68 A1 F1 C9 6B 86 96 FC 77 57 01 00              h...k...wW..
11[ENC]   parsing rule 0 IKE_SPI
11[ENC]    => => 8 bytes @ 0x7f8eb0001280
11[ENC]    0: 22 6E D8 2A 38 A2 4A C2                          "n.*8.J.
11[ENC]   parsing rule 1 IKE_SPI
11[ENC]    => => 8 bytes @ 0x7f8eb0001288
11[ENC]    0: 00 00 00 00 00 00 00 00                          ........
11[ENC]   parsing rule 2 U_INT_8
11[ENC]    => 1
11[ENC]   parsing rule 3 U_INT_4
11[ENC]    => 1
11[ENC]   parsing rule 4 U_INT_4
11[ENC]    => 0
11[ENC]   parsing rule 5 U_INT_8
11[ENC]    => 2
11[ENC]   parsing rule 6 RESERVED_BIT
11[ENC]    => 0
11[ENC]   parsing rule 7 RESERVED_BIT
11[ENC]    => 0
11[ENC]   parsing rule 8 FLAG
11[ENC]    => 0
11[ENC]   parsing rule 9 FLAG
11[ENC]    => 0
11[ENC]   parsing rule 10 FLAG
11[ENC]    => 0
11[ENC]   parsing rule 11 RESERVED_BIT
11[ENC]    => 0
11[ENC]   parsing rule 12 RESERVED_BIT
11[ENC]    => 0
11[ENC]   parsing rule 13 RESERVED_BIT
11[ENC]    => 0
11[ENC]   parsing rule 14 U_INT_32
11[ENC]    => 0
11[ENC]   parsing rule 15 HEADER_LENGTH
11[ENC]    => 476
11[ENC] parsing HEADER payload finished
11[ENC] header verification failed
11[NET] received invalid IKE header from 192.168.20.3 - ignored
11[NET] waiting for data on sockets
11[NET] received packet => 476 bytes @ 0x7f8eb8091370
11[NET]    0: 22 6E D8 2A 38 A2 4A C2 00 00 00 00 00 00 00 00
 "n.*8.J.........

This last chunk of entries is repeated 3 times as the OSX client retries.

The OSX log matches the behaviour:

20/06/12 5:49:33.357 PM configd: SCNC: start, triggered by System Preferen,
type L2TP, status 0
20/06/12 5:49:33.399 PM pppd: pppd 2.4.2 (Apple version 560.13) started by
craig, uid 501
20/06/12 5:49:33.413 PM pppd: L2TP connecting to server '192.168.20.2'
(192.168.20.2)...
20/06/12 5:49:33.415 PM pppd: IPSec connection started
20/06/12 5:49:33.493 PM racoon: Connecting.
20/06/12 5:49:33.493 PM racoon: IPSec Phase1 started (Initiated by me).
20/06/12 5:49:33.494 PM racoon: IKE Packet: transmit success. (Initiator,
Main-Mode message 1).
20/06/12 5:49:36.497 PM racoon: IKE Packet: transmit success. (Phase1
Retransmit).
20/06/12 5:49:39.500 PM racoon: IKE Packet: transmit success. (Phase1
Retransmit).
20/06/12 5:49:42.503 PM racoon: IKE Packet: transmit success. (Phase1
Retransmit).
20/06/12 5:49:43.494 PM pppd: IPSec connection failed

Can anyone help with my problem? FWIW I would be happy to write up the
process I went through for the wiki if I can just get over this final hump.
I can't believe I am the only one out there trying to get OSX talking to
strongSwan (maybe I am the only one failing though :) )

Cheers
Craig

p.s. I tried the built-in VPN client on a Windows 7 box and it appeared to
get a lot further, though I didn't bother setting up the auth/certs
correctly. It definitely managed to send headers and subsequent messages
that strongSwan was able to parse.
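As an added example (not part of this post and not strongSwan's code), here is a small Python decoder for the fixed 28-byte IKE header quoted in the charon log above. The header layout is shared by IKEv1 (RFC 2408) and IKEv2 (RFC 7296), and the exchange-type tables follow those RFCs. `verify_ikev2_header` is an assumed, simplified model of the sanity checks an IKEv2-only responder (charon in this version describes itself as the "IKEv2 charon daemon" in the statusall output) would make before parsing further; it is not charon's actual verification routine. Fed the first two dump lines of the 476-byte packet from the log, it reports version 1.0 and exchange type 2 (Identity Protection, i.e. Main Mode), which is the same set of values the log's parsing rules 3, 4 and 5 produce, and which an IKEv2-only responder discards. A constructed IKEv2 IKE_SA_INIT header is included for contrast.

```python
"""Decode the fixed 28-byte IKE header (same layout in IKEv1 and IKEv2) from a
charon-style hex dump and apply the checks an IKEv2-only responder would make.
Added example, not strongSwan code; the check list is a simplified assumption."""
from __future__ import annotations
import struct
from dataclasses import dataclass
from typing import Tuple

HEADER_LEN = 28
# SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
HEADER_FMT = "!8s8sBBBBII"

# Exchange types from RFC 2408 (IKEv1) and RFC 7296 (IKEv2)
IKEV1_EXCHANGES = {1: "Base", 2: "Identity Protection (Main Mode)",
                   3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKE_SA_INIT = 34
FLAG_INITIATOR = 0x08


@dataclass
class IkeHeader:
    spi_i: bytes
    spi_r: bytes
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def exchange_name(self) -> str:
        table = IKEV2_EXCHANGES if self.major == 2 else IKEV1_EXCHANGES
        return table.get(self.exchange_type, f"unknown({self.exchange_type})")


def hexdump_to_bytes(dump: str) -> bytes:
    """Recover bytes from lines like '11[NET]   16: 01 10 02 ...  ....' as charon
    prints them; the ASCII column is dropped at the first non-hex token."""
    out = bytearray()
    for line in dump.splitlines():
        _, sep, rest = line.partition(":")
        if not sep:
            continue  # a wrapped ASCII column, not a hex line
        for tok in rest.split()[:16]:
            if len(tok) != 2 or not all(c in "0123456789ABCDEFabcdef" for c in tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def parse_ike_header(datagram: bytes) -> IkeHeader:
    if len(datagram) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} header bytes, got {len(datagram)}")
    spi_i, spi_r, nxt, ver, exch, flags, msgid, length = struct.unpack(
        HEADER_FMT, datagram[:HEADER_LEN])
    # version octet: high nibble = major, low nibble = minor
    return IkeHeader(spi_i, spi_r, nxt, ver >> 4, ver & 0x0F, exch, flags, msgid, length)


def verify_ikev2_header(hdr: IkeHeader, datagram_len: int) -> Tuple[bool, str]:
    """Assumed minimal checks for an IKEv2-only responder (not charon's code):
    version, exchange type, length field, zero responder SPI on IKE_SA_INIT."""
    if hdr.major != 2:
        return False, f"major version {hdr.major}.{hdr.minor} is not IKEv2"
    if hdr.exchange_type not in IKEV2_EXCHANGES:
        return False, f"unknown IKEv2 exchange type {hdr.exchange_type}"
    if hdr.length != datagram_len:
        return False, f"length field {hdr.length} != datagram length {datagram_len}"
    if (hdr.exchange_type == IKE_SA_INIT and hdr.flags & FLAG_INITIATOR
            and hdr.spi_r != bytes(8)):
        return False, "IKE_SA_INIT request must carry a zero responder SPI"
    return True, "ok"


def build_ike_sa_init_request(spi_i: bytes, total_len: int) -> bytes:
    """Constructed IKEv2 IKE_SA_INIT request header (next payload 33 = SA)."""
    return struct.pack(HEADER_FMT, spi_i, bytes(8), 33, 0x20, IKE_SA_INIT,
                       FLAG_INITIATOR, 0, total_len)


# First two dump lines of the 476-byte packet quoted in the post (copied, not made up).
SAMPLE_DUMP = """\
11[NET]    0: 22 6E D8 2A 38 A2 4A C2 00 00 00 00 00 00 00 00  "n.*8.J.........
11[NET]   16: 01 10 02 00 00 00 00 00 00 00 01 DC 0D 00 00 E4  ................
"""
SAMPLE_DATAGRAM_LEN = 476  # "received packet => 476 bytes" in the log


def analyse_dump(dump: str, datagram_len: int) -> Tuple[IkeHeader, bool, str]:
    hdr = parse_ike_header(hexdump_to_bytes(dump))
    ok, reason = verify_ikev2_header(hdr, datagram_len)
    return hdr, ok, reason


if __name__ == "__main__":
    hdr, ok, reason = analyse_dump(SAMPLE_DUMP, SAMPLE_DATAGRAM_LEN)
    print(f"SPIi={hdr.spi_i.hex()} IKEv{hdr.major}.{hdr.minor} "
          f"exchange={hdr.exchange_name} length={hdr.length} "
          f"-> {'accept' if ok else 'reject: ' + reason}")
```

The decisive field is the single version octet at offset 17 of the dump (`10`, i.e. major 1, minor 0) together with exchange type `02`; the length field `00 00 01 DC` matches the 476 bytes the kernel handed to charon, so the packet is well formed, just for the other IKE version. Running the same checks on the constructed IKE_SA_INIT header shows what a header the responder would accept looks like.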