[strongSwan] Newbie: setting up VPN server for mobile devices using strongswan 5.x

Ashwin Rao ashwin.shirvanthe at gmail.com
Thu Jun 28 04:43:54 CEST 2012


Hi,

I am using strongswan 5.0.0rc1 to setup a VPN tunnel between my mobile
devices and server that has a public IPv4 address. I would like these
mobile devices to access the Internet via my machine. I am seeing the
messages (present at the end of the mail) while running my ipsec
daemon. To summarise, my client is not able to connect with the VPN
server, and I get the message
* id 'snowmane' not confirmed by certificate, defaulting to 'C=US,
O=snowmane, CN=snowmane.mydomain.edu'
* no peer config found".
I get the same errors while connecting my ipod touch and and android
phone (v4.0) to the von server.

I compiled strongswan using the following config params.
./configure --sysconfdir=/home/arao/etc --prefix=/home/arao/usr/
--libexecdir=/home/arao/usr/lib --enable-openssl --enable-agent
--enable-xauth-generic --enable-gcrypt --enable-integrity-test
--enable-openssl --enable-eap-gtc --enable-eap-md5
--enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2
--enable-eap-identity --enable-attr-sql  --enable-md4

My ipsec.conf file is as follows

#ipsec.conf
config setup

# Sample VPN connections
conn rw
        auto=add
        authby=xauthrsasig
        keyexchange=ikev1
        xauth=server
        left=%defaultroute
        right=%any
        leftcert=serverCert.pem
        rightcert=clientCert.pem
        leftid=snowmane
        rightid=client
        leftfirewall=yes
        rightfirewall=no

I have tried by removing leftid and rightid as well but it did not work.

My strongswan.conf is as follows
# for strongSwan 5.0.0+
charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            append = no
            default = 1
            flush_line = yes
        }
        stderr {
            ike = 2
            knl = 3
            ike_name = yes
        }
    }
    syslog {
        identifier = charon-custom
         daemon {
        }
        auth {
            default = -1
            ike = 0
        }
    }
}

--- logs on running ipsec start --nofork --debug-all
00[DMN] Starting IKE charon daemon (strongSwan 5.0.0rc1)
00[CFG] attr-sql plugin: database URI not set
00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
00[KNL] listening on interfaces:
00[KNL]   eth1
00[KNL]     <snowmane.mydomain.edu-ip-address>
00[KNL]     <ipv6-address>
00[CFG] loading ca certificates from '/mypath/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=US, O=snowmane, CN=snowmane CA"
from '/mypath/etc/ipsec.d/cacerts/caCert.pem'
00[CFG] loading aa certificates from '/mypath/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/mypath/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/mypath/etc/ipsec.d/acerts'
00[CFG] loading crls from '/mypath/etc/ipsec.d/crls'
00[CFG] loading secrets from '/mypath/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from
'/mypath/etc/ipsec.d/private/serverKey.pem'
00[CFG]   loaded EAP secret for test
00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl
gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve
socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2
eap-md5 eap-gtc eap-mschapv2 xauth-generic
00[JOB] spawning 16 worker threads
charon (12264) started after 40 ms
11[CFG] received stroke: add connection 'rw'
11[KNL] getting interface name for %any
11[KNL] %any is not a local address
11[KNL] getting interface name for %any
11[KNL] %any is not a local address
11[CFG] left nor right host is our side, assuming left=local
11[CFG]   loaded certificate "C=US, O=snowmane,
CN=snowmane.mydomain.edu" from 'serverCert.pem'
11[CFG]   id 'snowmane' not confirmed by certificate, defaulting to
'C=US, O=snowmane, CN=snowmane.mydomain.edu'
11[CFG]   loaded certificate "C=US, O=snowmane, CN=client" from 'clientCert.pem'
11[CFG]   id 'client' not confirmed by certificate, defaulting to
'C=US, O=snowmane, CN=client'
11[CFG] added configuration 'rw'
12[NET] <1> received packet: from <clients-ipv4-address>[500] to
<snowmane.mydomain.edu-ip-address>[500]
12[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V V ]
12[IKE] <1> received NAT-T (RFC 3947) vendor ID
12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
12[IKE] <1> received XAuth vendor ID
12[IKE] <1> received Cisco Unity vendor ID
12[ENC] <1> received unknown vendor ID:
40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
12[IKE] <1> received DPD vendor ID
12[IKE] <1> <clients-ipv4-address> is initiating a Main Mode IKE_SA
12[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
12[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
12[NET] <1> sending packet: from
<snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
13[NET] <1> received packet: from <clients-ipv4-address>[500] to
<snowmane.mydomain.edu-ip-address>[500]
13[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
13[IKE] <1> sending cert request for "C=US, O=snowmane, CN=snowmane CA"
13[ENC] <1> generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
13[NET] <1> sending packet: from
<snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
02[NET] <1> received packet: from <clients-ipv4-address>[500] to
<snowmane.mydomain.edu-ip-address>[500]
02[ENC] <1> parsed ID_PROT request 0 [ ID CERT SIG ]
02[IKE] <1> received end entity cert "C=US, O=strongSwan, CN=client"
02[CFG] <1> looking for XAuthInitRSA peer configs matching
<snowmane.mydomain.edu-ip-address>...<clients-ipv4-address>[C=US,
O=strongSwan, CN=client]
02[IKE] <1> no peer config found
02[IKE] <1> queueing INFORMATIONAL task
02[IKE] <1> activating new tasks
02[IKE] <1>   activating INFORMATIONAL task
02[ENC] <1> generating INFORMATIONAL_V1 request 3114230574 [ HASH
N(AUTH_FAILED) ]
02[NET] <1> sending packet: from
<snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
02[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING




More information about the Users mailing list