[strongSwan] received invalid IKE header (OSX to Linux)
Craig Day
craigday at gmail.com
Wed Jun 20 15:15:29 CEST 2012
configured rc1 with:
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
--enable-openssl --enable-nm --enable-agent --enable-gcrypt
--enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-aka
--enable-eap-aka-3gpp2 --enable-eap-identity
and am getting the following message:
00[LIB] feature PRIVKEY:DSA in 'pem' plugin has unsatisfied dependency:
PRIVKEY:DSA
00[LIB] feature PUBKEY:DSA in 'pem' plugin has unsatisfied dependency:
PUBKEY:DSA
00[LIB] feature CERT_DECODE:X509_OCSP_REQUEST in 'pem' plugin has
unsatisfied dependency: CERT_DECODE:X509_OCSP_REQUEST
Cant work out which options I am missing?
Cheers
Craig
On Wed, Jun 20, 2012 at 8:23 PM, Craig Day <craigday at gmail.com> wrote:
> Thanks Andreas. rc1, here I come!!
>
> Sent from my iPhone
>
> On 20/06/2012, at 7:54 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
> > Hi Craig,
> >
> > the OSX client sends an IKEv1 message but the strongSwan 4.6.4 charon
> > daemon expects an IKEv2 negotiation and therefore ignores all
> > IKEv1 messages.
> >
> > Workarounds:
> >
> > - Define keyexchange=ikev1 in ipsec.conf and start the pluto
> > IKEv1 daemon by setting plutostart=yes in the config setup
> > section of ipsec.conf.
> >
> > or
> >
> > - Download strongswan-5.0.0rc1 which has a combined IKEv1/IKEv2
> > charon daemon. You can omit the keyexchange parameter altogether
> > so that the charon daemon will be able to handle both IKEv1
> > and IKEv2 connections.
> >
> > http://www.strongswan.org/uml/testresults5rc/ike/rw-cert/moon.statusall
> >
> > Best regards
> >
> > Andreas
> >
> > On 06/20/2012 12:11 PM, Craig Day wrote:
> >> Hi Users,
> >>
> >> I am trying to setup a VPN between OSX (client) and Linux (server). I
> >> have generated and successfully installed all the required keys and
> >> certificates i.e. a CA cert, and a cert for both the client and the
> >> server (signed with the CA cert). Wrapped up the client and CA cert into
> >> pkcs12 and successfully installed and trusted them on the OSX client
> >> side. I am using the built in OSX VPN client, configured to use the
> >> client cert for user auth and machine auth. All looks good. On the
> >> server side:
> >>
> >> root at lwlserver:~/strongswan-4.6.4# ipsec --version
> >> Linux strongSwan U4.6.4/K2.6.35-32-server
> >>
> >> ipsec.conf:
> >>
> >> config setup
> >> crlcheckinterval=180
> >> strictcrlpolicy=no
> >>
> >> ca livewireca
> >> cacert=LivewireCACert.pem
> >> auto=add
> >>
> >> conn %default
> >> ikelifetime=60m
> >> keylife=20m
> >> rekeymargin=3m
> >> keyingtries=1
> >>
> >> conn rw
> >> left=203.161.119.62
> >> leftcert=VPNServerCert.pem
> >> leftid="C=AU, ST=Western Australia, O=Livewire Labs Pty Ltd,
> >> CN=Livewire Labs VPNServer"
> >> leftsubnet=192.168.20.0/24 <http://192.168.20.0/24>
> >> rightid="C=AU, ST=Western Australia, O=Livewire Labs Pty Ltd,
> >> CN=Livewire Labs VPNClient"
> >> auto=add
> >>
> >> ipsec.secrets:
> >>
> >> # /etc/ipsec.secrets - strongSwan IPsec secrets file
> >>
> >> : RSA VPNServerKey.pem "its a secret"
> >>
> >> Running ipsec statusall before connect attempt give me:
> >>
> >> root at lwlserver:~/strongswan-4.6.4# ipsec statusall
> >> Status of IKEv2 charon daemon (strongSwan 4.6.4):
> >> uptime: 7 seconds, since Jun 20 17:35:27 2012
> >> malloc: sbrk 405504, mmap 0, used 285632, free 119872
> >> worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
> >> scheduled: 0
> >> loaded plugins: aes des sha1 sha2 md5 random x509 revocation
> >> constraints pubkey pkcs1 pkcs8 pgp pem openssl gcrypt fips-prf gmp agent
> >> xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown
> >> eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2
> >> Listening IP addresses:
> >> 192.168.20.2
> >> Connections:
> >> rw: 203.161.119.62...%any
> >> rw: local: [C=AU, ST=Western Australia, O=Livewire Labs Pty
> >> Ltd, CN=Livewire Labs VPNServer] uses public key authentication
> >> rw: cert: "C=AU, ST=Western Australia, O=Livewire Labs Pty
> >> Ltd, CN=Livewire Labs VPNServer"
> >> rw: remote: [C=AU, ST=Western Australia, O=Livewire Labs Pty
> >> Ltd, CN=Livewire Labs VPNClient] uses any authentication
> >> rw: child: 192.168.20.0/24 <http://192.168.20.0/24> ===
> >> dynamic TUNNEL
> >> Security Associations (0 up, 0 connecting):
> >> none
> >>
> >> Heres the log of the startup and subsequent failed connection attempt:
> >>
> >> root at lwlserver:/etc/ipsec.d/private# grep -v ASN /var/log/charon.log
> >> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.4)
> >> 00[LIB] plugin 'aes': loaded successfully
> >> 00[LIB] plugin 'des': loaded successfully
> >> 00[LIB] plugin 'sha1': loaded successfully
> >> 00[LIB] plugin 'sha2': loaded successfully
> >> 00[LIB] plugin 'md5': loaded successfully
> >> 00[LIB] plugin 'random': loaded successfully
> >> 00[LIB] plugin 'x509': loaded successfully
> >> 00[LIB] plugin 'revocation': loaded successfully
> >> 00[LIB] plugin 'constraints': loaded successfully
> >> 00[LIB] plugin 'pubkey': loaded successfully
> >> 00[LIB] plugin 'pkcs1': loaded successfully
> >> 00[LIB] plugin 'pkcs8': loaded successfully
> >> 00[LIB] plugin 'pgp': loaded successfully
> >> 00[LIB] plugin 'pem': loaded successfully
> >> 00[LIB] plugin 'openssl': loaded successfully
> >> 00[LIB] plugin 'gcrypt': loaded successfully
> >> 00[LIB] plugin 'fips-prf': loaded successfully
> >> 00[LIB] plugin 'gmp': loaded successfully
> >> 00[LIB] plugin 'agent': loaded successfully
> >> 00[LIB] plugin 'xcbc': loaded successfully
> >> 00[LIB] plugin 'cmac': loaded successfully
> >> 00[LIB] plugin 'hmac': loaded successfully
> >> 00[LIB] plugin 'attr': loaded successfully
> >> 00[LIB] plugin 'kernel-netlink': loaded successfully
> >> 00[KNL] listening on interfaces:
> >> 00[KNL] eth0
> >> 00[KNL] 192.168.20.2
> >> 00[KNL] fe80::21e:58ff:fe49:5037
> >> 00[LIB] plugin 'resolve': loaded successfully
> >> 00[LIB] plugin 'socket-default': loaded successfully
> >> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> >> 00[CFG] loaded ca certificate "C=AU, ST=Western Australia, L=Perth,
> >> O=Livewire Labs Pty Ltd, CN=Livewire Labs CA" from
> >> '/etc/ipsec.d/cacerts/LivewireCACert.pem'
> >> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> >> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> >> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> >> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> >> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> >> 00[CFG] loaded RSA private key from
> >> '/etc/ipsec.d/private/VPNServerKey.pem'
> >> 00[LIB] plugin 'stroke': loaded successfully
> >> 00[LIB] plugin 'updown': loaded successfully
> >> 00[LIB] plugin 'eap-identity': loaded successfully
> >> 00[LIB] plugin 'eap-aka': loaded successfully
> >> 00[LIB] plugin 'eap-aka-3gpp2': loaded successfully
> >> 00[LIB] plugin 'eap-md5': loaded successfully
> >> 00[LIB] plugin 'eap-gtc': loaded successfully
> >> 00[LIB] plugin 'eap-mschapv2': loaded successfully
> >> 00[CFG] DBUS binding failed
> >> 00[LIB] plugin 'nm': failed to load - nm_plugin_create returned NULL
> >> 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation
> >> constraints pubkey pkcs1 pkcs8 pgp pem openssl gcrypt fips-prf gmp agent
> >> xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown
> >> eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2
> >> 00[JOB] spawning 16 worker threads
> >> 01[LIB] created thread 01 [11370]
> >> 01[JOB] started worker thread 01
> >> 02[LIB] created thread 02 [11371]
> >> 02[JOB] started worker thread 02
> >> 04[LIB] created thread 04 [11373]
> >> 03[LIB] created thread 03 [11372]
> >> 03[JOB] started worker thread 03
> >> 06[LIB] created thread 06 [11375]
> >> 06[JOB] started worker thread 06
> >> 08[LIB] created thread 08 [11377]
> >> 08[JOB] started worker thread 08
> >> 05[LIB] created thread 05 [11374]
> >> 13[LIB] created thread 13 [11382]
> >> 10[LIB] created thread 10 [11379]
> >> 15[LIB] created thread 15 [11384]
> >> 15[JOB] started worker thread 15
> >> 01[JOB] no events, waiting
> >> 11[LIB] created thread 11 [11380]
> >> 11[JOB] started worker thread 11
> >> 12[LIB] created thread 12 [11381]
> >> 12[JOB] started worker thread 12
> >> 11[NET] waiting for data on sockets
> >> 09[LIB] created thread 09 [11378]
> >> 09[JOB] started worker thread 09
> >> 14[LIB] created thread 14 [11383]
> >> 14[JOB] started worker thread 14
> >> 10[JOB] started worker thread 10
> >> 07[LIB] created thread 07 [11376]
> >> 07[JOB] started worker thread 07
> >> 13[JOB] started worker thread 13
> >> 04[JOB] started worker thread 04
> >> 05[JOB] started worker thread 05
> >> 16[LIB] created thread 16 [11385]
> >> 16[JOB] started worker thread 16
> >> 12[CFG] stroke message => 614 bytes @ 0x7f8eb7892a80
> >> ... (removed for brevity)
> >> 12[CFG] received stroke: add ca 'livewireca'
> >> 12[CFG] ca livewireca
> >> 12[CFG] cacert=LivewireCACert.pem
> >> 12[CFG] crluri=(null)
> >> 12[CFG] crluri2=(null)
> >> 12[CFG] ocspuri=(null)
> >> 12[CFG] ocspuri2=(null)
> >> 12[CFG] certuribase=(null)
> >> 12[CFG] added ca 'livewireca'
> >> 10[CFG] stroke message => 863 bytes @ 0x7f8eb8894990
> >> ... (removed for brevity)
> >> 10[CFG] received stroke: add connection 'rw'
> >> 10[CFG] conn rw
> >> 10[CFG] left=203.161.119.62
> >> 10[CFG] leftsubnet=192.168.20.0/24 <http://192.168.20.0/24>
> >> 10[CFG] leftsourceip=(null)
> >> 10[CFG] leftauth=(null)
> >> 10[CFG] leftauth2=(null)
> >> 10[CFG] leftid=C=AU, ST=Western Australia, O=Livewire Labs Pty Ltd,
> >> CN=Livewire Labs VPNServer
> >> 10[CFG] leftid2=(null)
> >> 10[CFG] leftrsakey=(null)
> >> 10[CFG] leftcert=VPNServerCert.pem
> >> 10[CFG] leftcert2=(null)
> >> 10[CFG] leftca=(null)
> >> 10[CFG] leftca2=(null)
> >> 10[CFG] leftgroups=(null)
> >> 10[CFG] leftupdown=(null)
> >> 10[CFG] right=%any
> >> 10[CFG] rightsubnet=(null)
> >> 10[CFG] rightsourceip=(null)
> >> 10[CFG] rightauth=(null)
> >> 10[CFG] rightauth2=(null)
> >> 10[CFG] rightid=C=AU, ST=Western Australia, O=Livewire Labs Pty Ltd,
> >> CN=Livewire Labs VPNClient
> >> 10[CFG] rightid2=(null)
> >> 10[CFG] rightrsakey=(null)
> >> 10[CFG] rightcert=(null)
> >> 10[CFG] rightcert2=(null)
> >> 10[CFG] rightca=(null)
> >> 10[CFG] rightca2=(null)
> >> 10[CFG] rightgroups=(null)
> >> 10[CFG] rightupdown=(null)
> >> 10[CFG] eap_identity=(null)
> >> 10[CFG] aaa_identity=(null)
> >> 10[CFG] ike=aes128-sha1-modp2048,3des-sha1-modp1536
> >> 10[CFG] esp=aes128-sha1,3des-sha1
> >> 10[CFG] dpddelay=30
> >> 10[CFG] dpdaction=0
> >> 10[CFG] closeaction=0
> >> 10[CFG] mediation=no
> >> 10[CFG] mediated_by=(null)
> >> 10[CFG] me_peerid=(null)
> >> 10[KNL] getting interface name for %any
> >> 10[KNL] %any is not a local address
> >> 10[KNL] getting interface name for 203.161.119.62
> >> 10[KNL] 203.161.119.62 is not a local address
> >> 10[CFG] left nor right host is our side, assuming left=local
> >> 10[CFG] loaded certificate "C=AU, ST=Western Australia, O=Livewire
> >> Labs Pty Ltd, CN=Livewire Labs VPNServer" from 'VPNServerCert.pem'
> >> 10[CFG] added configuration 'rw'
> >> 07[CFG] stroke message => 584 bytes @ 0x7f8eba097aa0
> >> ... (removed for brevity)
> >> 07[CFG] proposing traffic selectors for us:
> >> 07[CFG] 192.168.20.0/24 <http://192.168.20.0/24> (derived from
> >> 192.168.20.0/24 <http://192.168.20.0/24>)
> >> 07[CFG] proposing traffic selectors for other:
> >> 07[CFG] dynamic (derived from dynamic)
> >> 11[NET] received packet => 476 bytes @ 0x7f8eb8091370
> >> 11[NET] 0: 22 6E D8 2A 38 A2 4A C2 00 00 00 00 00 00 00 00
> >> "n.*8.J.........
> >> 11[NET] 16: 01 10 02 00 00 00 00 00 00 00 01 DC 0D 00 00 E4
> >> ................
> >> 11[NET] 32: 00 00 00 01 00 00 00 01 00 00 00 D8 01 01 00 06
> >> ................
> >> 11[NET] 48: 03 00 00 24 01 01 00 00 80 0B 00 01 80 0C 0E 10
> >> ...$............
> >> 11[NET] 64: 80 01 00 07 80 0E 01 00 80 03 00 03 80 02 00 02
> >> ................
> >> 11[NET] 80: 80 04 00 02 03 00 00 24 02 01 00 00 80 0B 00 01
> >> .......$........
> >> 11[NET] 96: 80 0C 0E 10 80 01 00 07 80 0E 01 00 80 03 00 03
> >> ................
> >> 11[NET] 112: 80 02 00 01 80 04 00 02 03 00 00 24 03 01 00 00
> >> ...........$....
> >> 11[NET] 128: 80 0B 00 01 80 0C 0E 10 80 01 00 07 80 0E 00 80
> >> ................
> >> 11[NET] 144: 80 03 00 03 80 02 00 02 80 04 00 02 03 00 00 24
> >> ...............$
> >> 11[NET] 160: 04 01 00 00 80 0B 00 01 80 0C 0E 10 80 01 00 07
> >> ................
> >> 11[NET] 176: 80 0E 00 80 80 03 00 03 80 02 00 01 80 04 00 02
> >> ................
> >> 11[NET] 192: 03 00 00 20 05 01 00 00 80 0B 00 01 80 0C 0E 10 ...
> >> ............
> >> 11[NET] 208: 80 01 00 05 80 03 00 03 80 02 00 02 80 04 00 02
> >> ................
> >> 11[NET] 224: 00 00 00 20 06 01 00 00 80 0B 00 01 80 0C 0E 10 ...
> >> ............
> >> 11[NET] 240: 80 01 00 05 80 03 00 03 80 02 00 01 80 04 00 02
> >> ................
> >> 11[NET] 256: 0D 00 00 14 4A 13 1C 81 07 03 58 45 5C 57 28 F2
> >> ....J.....XE\W(.
> >> 11[NET] 272: 0E 95 45 2F 0D 00 00 14 4D F3 79 28 E9 FC 4F D1
> >> ..E/....M.y(..O.
> >> 11[NET] 288: B3 26 21 70 D5 15 C6 62 0D 00 00 14 8F 8D 83 82
> >> .&!p...b........
> >> 11[NET] 304: 6D 24 6B 6F C7 A8 A6 A4 28 C1 1D E8 0D 00 00 14
> >> m$ko....(.......
> >> 11[NET] 320: 43 9B 59 F8 BA 67 6C 4C 77 37 AE 22 EA B8 F5 82
> >> C.Y..glLw7."....
> >> 11[NET] 336: 0D 00 00 14 4D 1E 0E 13 6D EA FA 34 C4 F3 EA 9F
> >> ....M...m..4....
> >> 11[NET] 352: 02 EC 72 85 0D 00 00 14 80 D0 BB 3D EF 54 56 5E
> >> ..r........=.TV^
> >> 11[NET] 368: E8 46 45 D4 C8 5C E3 EE 0D 00 00 14 99 09 B6 4E
> >> .FE..\.........N
> >> 11[NET] 384: ED 93 7C 65 73 DE 52 AC E9 52 FA 6B 0D 00 00 14
> >> ..|es.R..R.k....
> >> 11[NET] 400: 7D 94 19 A6 53 10 CA 6F 2C 17 9D 92 15 52 9D 56
> >> }...S..o,....R.V
> >> 11[NET] 416: 0D 00 00 14 CD 60 46 43 35 DF 21 F8 7C FD B2 FC
> >> .....`FC5.!.|...
> >> 11[NET] 432: 68 B6 A4 48 0D 00 00 14 90 CB 80 91 3E BB 69 6E
> >> h..H........>.in
> >> 11[NET] 448: 08 63 81 B5 EC 42 7B 1F 00 00 00 14 AF CA D7 13
> >> .c...B{.........
> >> 11[NET] 464: 68 A1 F1 C9 6B 86 96 FC 77 57 01 00
> h...k...wW..
> >> 11[NET] received packet: from 192.168.20.3[500] to 192.168.20.2[500]
> >> 11[ENC] parsing header of message
> >> 11[ENC] parsing HEADER payload, 476 bytes left
> >> 11[ENC] parsing payload from => 476 bytes @ 0x7f8eb0000d20
> >> 11[ENC] 0: 22 6E D8 2A 38 A2 4A C2 00 00 00 00 00 00 00 00
> >> "n.*8.J.........
> >> 11[ENC] 16: 01 10 02 00 00 00 00 00 00 00 01 DC 0D 00 00 E4
> >> ................
> >> 11[ENC] 32: 00 00 00 01 00 00 00 01 00 00 00 D8 01 01 00 06
> >> ................
> >> 11[ENC] 48: 03 00 00 24 01 01 00 00 80 0B 00 01 80 0C 0E 10
> >> ...$............
> >> 11[ENC] 64: 80 01 00 07 80 0E 01 00 80 03 00 03 80 02 00 02
> >> ................
> >> 11[ENC] 80: 80 04 00 02 03 00 00 24 02 01 00 00 80 0B 00 01
> >> .......$........
> >> 11[ENC] 96: 80 0C 0E 10 80 01 00 07 80 0E 01 00 80 03 00 03
> >> ................
> >> 11[ENC] 112: 80 02 00 01 80 04 00 02 03 00 00 24 03 01 00 00
> >> ...........$....
> >> 11[ENC] 128: 80 0B 00 01 80 0C 0E 10 80 01 00 07 80 0E 00 80
> >> ................
> >> 11[ENC] 144: 80 03 00 03 80 02 00 02 80 04 00 02 03 00 00 24
> >> ...............$
> >> 11[ENC] 160: 04 01 00 00 80 0B 00 01 80 0C 0E 10 80 01 00 07
> >> ................
> >> 11[ENC] 176: 80 0E 00 80 80 03 00 03 80 02 00 01 80 04 00 02
> >> ................
> >> 11[ENC] 192: 03 00 00 20 05 01 00 00 80 0B 00 01 80 0C 0E 10 ...
> >> ............
> >> 11[ENC] 208: 80 01 00 05 80 03 00 03 80 02 00 02 80 04 00 02
> >> ................
> >> 11[ENC] 224: 00 00 00 20 06 01 00 00 80 0B 00 01 80 0C 0E 10 ...
> >> ............
> >> 11[ENC] 240: 80 01 00 05 80 03 00 03 80 02 00 01 80 04 00 02
> >> ................
> >> 11[ENC] 256: 0D 00 00 14 4A 13 1C 81 07 03 58 45 5C 57 28 F2
> >> ....J.....XE\W(.
> >> 11[ENC] 272: 0E 95 45 2F 0D 00 00 14 4D F3 79 28 E9 FC 4F D1
> >> ..E/....M.y(..O.
> >> 11[ENC] 288: B3 26 21 70 D5 15 C6 62 0D 00 00 14 8F 8D 83 82
> >> .&!p...b........
> >> 11[ENC] 304: 6D 24 6B 6F C7 A8 A6 A4 28 C1 1D E8 0D 00 00 14
> >> m$ko....(.......
> >> 11[ENC] 320: 43 9B 59 F8 BA 67 6C 4C 77 37 AE 22 EA B8 F5 82
> >> C.Y..glLw7."....
> >> 11[ENC] 336: 0D 00 00 14 4D 1E 0E 13 6D EA FA 34 C4 F3 EA 9F
> >> ....M...m..4....
> >> 11[ENC] 352: 02 EC 72 85 0D 00 00 14 80 D0 BB 3D EF 54 56 5E
> >> ..r........=.TV^
> >> 11[ENC] 368: E8 46 45 D4 C8 5C E3 EE 0D 00 00 14 99 09 B6 4E
> >> .FE..\.........N
> >> 11[ENC] 384: ED 93 7C 65 73 DE 52 AC E9 52 FA 6B 0D 00 00 14
> >> ..|es.R..R.k....
> >> 11[ENC] 400: 7D 94 19 A6 53 10 CA 6F 2C 17 9D 92 15 52 9D 56
> >> }...S..o,....R.V
> >> 11[ENC] 416: 0D 00 00 14 CD 60 46 43 35 DF 21 F8 7C FD B2 FC
> >> .....`FC5.!.|...
> >> 11[ENC] 432: 68 B6 A4 48 0D 00 00 14 90 CB 80 91 3E BB 69 6E
> >> h..H........>.in
> >> 11[ENC] 448: 08 63 81 B5 EC 42 7B 1F 00 00 00 14 AF CA D7 13
> >> .c...B{.........
> >> 11[ENC] 464: 68 A1 F1 C9 6B 86 96 FC 77 57 01 00
> h...k...wW..
> >> 11[ENC] parsing rule 0 IKE_SPI
> >> 11[ENC] => => 8 bytes @ 0x7f8eb0001280
> >> 11[ENC] 0: 22 6E D8 2A 38 A2 4A C2 "n.*8.J.
> >> 11[ENC] parsing rule 1 IKE_SPI
> >> 11[ENC] => => 8 bytes @ 0x7f8eb0001288
> >> 11[ENC] 0: 00 00 00 00 00 00 00 00 ........
> >> 11[ENC] parsing rule 2 U_INT_8
> >> 11[ENC] => 1
> >> 11[ENC] parsing rule 3 U_INT_4
> >> 11[ENC] => 1
> >> 11[ENC] parsing rule 4 U_INT_4
> >> 11[ENC] => 0
> >> 11[ENC] parsing rule 5 U_INT_8
> >> 11[ENC] => 2
> >> 11[ENC] parsing rule 6 RESERVED_BIT
> >> 11[ENC] => 0
> >> 11[ENC] parsing rule 7 RESERVED_BIT
> >> 11[ENC] => 0
> >> 11[ENC] parsing rule 8 FLAG
> >> 11[ENC] => 0
> >> 11[ENC] parsing rule 9 FLAG
> >> 11[ENC] => 0
> >> 11[ENC] parsing rule 10 FLAG
> >> 11[ENC] => 0
> >> 11[ENC] parsing rule 11 RESERVED_BIT
> >> 11[ENC] => 0
> >> 11[ENC] parsing rule 12 RESERVED_BIT
> >> 11[ENC] => 0
> >> 11[ENC] parsing rule 13 RESERVED_BIT
> >> 11[ENC] => 0
> >> 11[ENC] parsing rule 14 U_INT_32
> >> 11[ENC] => 0
> >> 11[ENC] parsing rule 15 HEADER_LENGTH
> >> 11[ENC] => 476
> >> 11[ENC] parsing HEADER payload finished
> >> 11[ENC] header verification failed
> >> 11[NET] received invalid IKE header from 192.168.20.3 - ignored
> >> 11[NET] waiting for data on sockets
> >> 11[NET] received packet => 476 bytes @ 0x7f8eb8091370
> >> 11[NET] 0: 22 6E D8 2A 38 A2 4A C2 00 00 00 00 00 00 00 00
> >> "n.*8.J.........
> >>
> >> This last chunk of entries is repeated 3 times as the OSX client
> retries.
> >>
> >> The OSX log matches the behaviour:
> >>
> >> 20/06/12 5:49:33.357 PM configd: SCNC: start, triggered by System
> >> Preferen, type L2TP, status 0
> >> 20/06/12 5:49:33.399 PM pppd: pppd 2.4.2 (Apple version 560.13) started
> >> by craig, uid 501
> >> 20/06/12 5:49:33.413 PM pppd: L2TP connecting to server '192.168.20.2'
> >> (192.168.20.2)...
> >> 20/06/12 5:49:33.415 PM pppd: IPSec connection started
> >> 20/06/12 5:49:33.493 PM racoon: Connecting.
> >> 20/06/12 5:49:33.493 PM racoon: IPSec Phase1 started (Initiated by me).
> >> 20/06/12 5:49:33.494 PM racoon: IKE Packet: transmit success.
> >> (Initiator, Main-Mode message 1).
> >> 20/06/12 5:49:36.497 PM racoon: IKE Packet: transmit success. (Phase1
> >> Retransmit).
> >> 20/06/12 5:49:39.500 PM racoon: IKE Packet: transmit success. (Phase1
> >> Retransmit).
> >> 20/06/12 5:49:42.503 PM racoon: IKE Packet: transmit success. (Phase1
> >> Retransmit).
> >> 20/06/12 5:49:43.494 PM pppd: IPSec connection failed
> >>
> >> Can anyone help with my problem? FWIW I would be happy to write up the
> >> process I went through for the wiki if I can just get over this final
> >> hump. I can't believe I am the only one out there trying to get OSX
> >> talking to Strongswan (maybe I am the only one failing though :) )
> >>
> >> Cheers
> >> Craig
> >>
> >> p.s. I tried the built in Vpn client on a Windows 7 box and it appeared
> >> to get a lot further, though I didn't bother setting up the auth/certs
> >> correctly. It definitely managed to send headers and subsequent messages
> >> that Strongswan was able to parse.
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at lists.strongswan.org
> >> https://lists.strongswan.org/mailman/listinfo/users
> >
> >
> > --
> > ======================================================================
> > Andreas Steffen andreas.steffen at strongswan.org
> > strongSwan - the Linux VPN Solution! www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[ITA-HSR]==
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120620/287e4f3f/attachment.html>
More information about the Users
mailing list