[strongSwan] Newbie: setting up VPN server for mobile devices using strongswan 5.x
Kimmo Koivisto
koippa at gmail.com
Thu Jun 28 12:14:54 CEST 2012
Hello
My configuration for 5.0.0rc1 is as follows:
conn mobilephones
    keyexchange=ikev1
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=3
    left=my-public-ip
    leftsubnet=0.0.0.0/0
    leftcert=my-vpn-server.crt
    leftid=@server-cert-subject-cn
    leftauth=pubkey
    leftfirewall=no
    right=%any
    rightauth=pubkey
    rightauth2=xauth-eap
    rightsourceip=192.168.100.0/24
    auto=add
and strongswan.conf has:
charon {
    plugins {
        eap-radius {
            secret = secret-for-radius
            server = 192.168.200.10
        }
        attr {
            dns = 192.168.200.11
        }
    }
}
So, I'm using RADIUS to authenticate users (IKEv1+Xauth using
certificates). I have created my own CA, server certificates and
client certificates.
Without RADIUS, you could store credentials in ipsec.secrets, or you
might be able (I don't know) to use some other EAP method to use local
credentials from the server.
Regards,
Kimmo
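An added example, not code from either message: a small Python check that reads the charon lines quoted below and compares the identity strongSwan substituted for leftid/rightid (the "not confirmed by certificate, defaulting to" lines) with the identity the phone actually authenticated with (the "looking for ... peer configs matching" line). On the quoted log it flags that clientCert.pem on the server carries O=snowmane while the certificate the phone presented carries O=strongSwan, which is why no peer config matches. The log excerpt in the block is constructed from the quoted lines, with placeholder IP addresses.

```python
import re

# Constructed excerpt based on the charon log quoted in the thread; the IP
# addresses are placeholders, everything else is as the quoted log reports it.
LOG = """\
11[CFG] loaded certificate "C=US, O=snowmane, CN=snowmane.mydomain.edu" from 'serverCert.pem'
11[CFG] id 'snowmane' not confirmed by certificate, defaulting to 'C=US, O=snowmane, CN=snowmane.mydomain.edu'
11[CFG] loaded certificate "C=US, O=snowmane, CN=client" from 'clientCert.pem'
11[CFG] id 'client' not confirmed by certificate, defaulting to 'C=US, O=snowmane, CN=client'
11[CFG] added configuration 'rw'
02[IKE] <1> received end entity cert "C=US, O=strongSwan, CN=client"
02[CFG] <1> looking for XAuthInitRSA peer configs matching 192.0.2.1...198.51.100.7[C=US, O=strongSwan, CN=client]
02[IKE] <1> no peer config found
"""

# 'id X not confirmed by certificate' means the leftid/rightid string was not
# found in the certificate, so charon replaced it with the full subject DN.
DEFAULTED = re.compile(r"id '([^']+)' not confirmed by certificate, defaulting to '([^']+)'")
# The identity the peer authenticated with, as charon searched for it.
PRESENTED = re.compile(r"looking for \S+ peer configs matching \S+\[([^\]]+)\]")

def parse_dn(dn):
    """Split 'C=US, O=x, CN=y' into an ordered list of (attribute, value) pairs."""
    pairs = []
    for part in dn.split(","):
        attr, value = part.strip().split("=", 1)
        pairs.append((attr, value))
    return pairs

def dn_differences(expected, actual):
    """Return [(attr, expected_value, actual_value)] for RDNs that differ."""
    exp, act = dict(parse_dn(expected)), dict(parse_dn(actual))
    return [(a, exp.get(a), act.get(a))
            for a in sorted(exp.keys() | act.keys()) if exp.get(a) != act.get(a)]

def diagnose(log):
    """Compare configured (defaulted) identities with the peer's presented identity."""
    defaulted = {m.group(1): m.group(2) for m in DEFAULTED.finditer(log)}
    presented = [m.group(1) for m in PRESENTED.finditer(log)]
    mismatches = []
    for conf_id, dn in defaulted.items():
        for peer_dn in presented:
            diff = dn_differences(dn, peer_dn)
            # Report near-misses only: same CN, but some other RDN differs.
            if diff and dict(parse_dn(dn)).get("CN") == dict(parse_dn(peer_dn)).get("CN"):
                mismatches.append((conf_id, diff))
    return {"defaulted_ids": defaulted, "presented": presented,
            "peer_config_found": "no peer config found" not in log,
            "mismatches": mismatches}
```

Running diagnose(LOG) reports id 'client': configured O=snowmane, peer presented O=strongSwan; either the server needs the certificate the phone really carries (or a rightid that matches it), or the phone needs a certificate issued under the server's CA.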
2012/6/28 Ashwin Rao <ashwin.shirvanthe at gmail.com>:
> Hi,
>
> I am using strongswan 5.0.0rc1 to set up a VPN tunnel between my mobile
> devices and a server that has a public IPv4 address. I would like these
> mobile devices to access the Internet via my machine. I am seeing the
> messages (present at the end of the mail) while running my ipsec
> daemon. To summarise, my client is not able to connect with the VPN
> server, and I get the messages
> * id 'snowmane' not confirmed by certificate, defaulting to 'C=US,
> O=snowmane, CN=snowmane.mydomain.edu'
> * no peer config found
> I get the same errors while connecting my iPod touch and an Android
> phone (v4.0) to the VPN server.
>
> I compiled strongswan using the following config params.
> ./configure --sysconfdir=/home/arao/etc --prefix=/home/arao/usr/
> --libexecdir=/home/arao/usr/lib --enable-openssl --enable-agent
> --enable-xauth-generic --enable-gcrypt --enable-integrity-test
> --enable-openssl --enable-eap-gtc --enable-eap-md5
> --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2
> --enable-eap-identity --enable-attr-sql --enable-md4
>
> My ipsec.conf file is as follows
>
> #ipsec.conf
> config setup
>
> # Sample VPN connections
> conn rw
>     auto=add
>     authby=xauthrsasig
>     keyexchange=ikev1
>     xauth=server
>     left=%defaultroute
>     right=%any
>     leftcert=serverCert.pem
>     rightcert=clientCert.pem
>     leftid=snowmane
>     rightid=client
>     leftfirewall=yes
>     rightfirewall=no
>
> I have tried by removing leftid and rightid as well but it did not work.
>
> My strongswan.conf is as follows
> # for strongSwan 5.0.0+
> charon {
>     filelog {
>         /var/log/charon.log {
>             time_format = %b %e %T
>             append = no
>             default = 1
>             flush_line = yes
>         }
>         stderr {
>             ike = 2
>             knl = 3
>             ike_name = yes
>         }
>     }
>     syslog {
>         identifier = charon-custom
>         daemon {
>         }
>         auth {
>             default = -1
>             ike = 0
>         }
>     }
> }
>
> --- logs on running ipsec start --nofork --debug-all
> 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0rc1)
> 00[CFG] attr-sql plugin: database URI not set
> 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
> 00[KNL] listening on interfaces:
> 00[KNL] eth1
> 00[KNL] <snowmane.mydomain.edu-ip-address>
> 00[KNL] <ipv6-address>
> 00[CFG] loading ca certificates from '/mypath/etc/ipsec.d/cacerts'
> 00[CFG] loaded ca certificate "C=US, O=snowmane, CN=snowmane CA"
> from '/mypath/etc/ipsec.d/cacerts/caCert.pem'
> 00[CFG] loading aa certificates from '/mypath/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/mypath/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/mypath/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/mypath/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/mypath/etc/ipsec.secrets'
> 00[CFG] loaded RSA private key from
> '/mypath/etc/ipsec.d/private/serverKey.pem'
> 00[CFG] loaded EAP secret for test
> 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl
> gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve
> socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2
> eap-md5 eap-gtc eap-mschapv2 xauth-generic
> 00[JOB] spawning 16 worker threads
> charon (12264) started after 40 ms
> 11[CFG] received stroke: add connection 'rw'
> 11[KNL] getting interface name for %any
> 11[KNL] %any is not a local address
> 11[KNL] getting interface name for %any
> 11[KNL] %any is not a local address
> 11[CFG] left nor right host is our side, assuming left=local
> 11[CFG] loaded certificate "C=US, O=snowmane,
> CN=snowmane.mydomain.edu" from 'serverCert.pem'
> 11[CFG] id 'snowmane' not confirmed by certificate, defaulting to
> 'C=US, O=snowmane, CN=snowmane.mydomain.edu'
> 11[CFG] loaded certificate "C=US, O=snowmane, CN=client" from 'clientCert.pem'
> 11[CFG] id 'client' not confirmed by certificate, defaulting to
> 'C=US, O=snowmane, CN=client'
> 11[CFG] added configuration 'rw'
> 12[NET] <1> received packet: from <clients-ipv4-address>[500] to
> <snowmane.mydomain.edu-ip-address>[500]
> 12[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V V ]
> 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
> 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
> 12[IKE] <1> received XAuth vendor ID
> 12[IKE] <1> received Cisco Unity vendor ID
> 12[ENC] <1> received unknown vendor ID:
> 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
> 12[IKE] <1> received DPD vendor ID
> 12[IKE] <1> <clients-ipv4-address> is initiating a Main Mode IKE_SA
> 12[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> 12[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
> 12[NET] <1> sending packet: from
> <snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
> 13[NET] <1> received packet: from <clients-ipv4-address>[500] to
> <snowmane.mydomain.edu-ip-address>[500]
> 13[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> 13[IKE] <1> sending cert request for "C=US, O=snowmane, CN=snowmane CA"
> 13[ENC] <1> generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
> 13[NET] <1> sending packet: from
> <snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
> 02[NET] <1> received packet: from <clients-ipv4-address>[500] to
> <snowmane.mydomain.edu-ip-address>[500]
> 02[ENC] <1> parsed ID_PROT request 0 [ ID CERT SIG ]
> 02[IKE] <1> received end entity cert "C=US, O=strongSwan, CN=client"
> 02[CFG] <1> looking for XAuthInitRSA peer configs matching
> <snowmane.mydomain.edu-ip-address>...<clients-ipv4-address>[C=US,
> O=strongSwan, CN=client]
> 02[IKE] <1> no peer config found
> 02[IKE] <1> queueing INFORMATIONAL task
> 02[IKE] <1> activating new tasks
> 02[IKE] <1> activating INFORMATIONAL task
> 02[ENC] <1> generating INFORMATIONAL_V1 request 3114230574 [ HASH
> N(AUTH_FAILED) ]
> 02[NET] <1> sending packet: from
> <snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
> 02[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
>