[strongSwan] Newbie: setting up VPN server for mobile devices using strongswan 5.x

Kimmo Koivisto koippa at gmail.com
Thu Jun 28 12:14:54 CEST 2012


Hello

My configuration for 5.0.0rc1 is as follows:

conn mobilephones
        keyexchange=ikev1
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=3
        left=my-public-ip
        leftsubnet=0.0.0.0/0
        leftcert=my-vpn-server.crt
        leftid=@server-cert-subject-cn
        leftauth=pubkey
        leftfirewall=no
        right=%any
        rightauth=pubkey
        rightauth2=xauth-eap
        rightsourceip=192.168.100.0/24
        auto=add

and strongswan.conf has:


charon {
    plugins {
     eap-radius {
       secret = secret-for-radius
       server = 192.168.200.10
     }
     attr {
       dns = 192.168.200.11
     }
   }
}


So, I'm using radius to authenticate users (IKEv1+Xauth using
certificates). I have created my own CA, server certificates and
client certificates.

Without RADIUS, you could store credentials in ipsec.secrets, or you
might be able (don't know) to use some other EAP method to use local
credentials from the server.

Regards,
Kimmo

2012/6/28 Ashwin Rao <ashwin.shirvanthe at gmail.com>:
> Hi,
>
> I am using strongswan 5.0.0rc1 to set up a VPN tunnel between my mobile
> devices and a server that has a public IPv4 address. I would like these
> mobile devices to access the Internet via my machine. I am seeing the
> messages (present at the end of the mail) while running my ipsec
> daemon. To summarise, my client is not able to connect with the VPN
> server, and I get the message
> * id 'snowmane' not confirmed by certificate, defaulting to 'C=US,
> O=snowmane, CN=snowmane.mydomain.edu'
> * no peer config found".
> I get the same errors while connecting my iPod touch and an Android
> phone (v4.0) to the VPN server.
>
> I compiled strongswan using the following config params.
> ./configure --sysconfdir=/home/arao/etc --prefix=/home/arao/usr/
> --libexecdir=/home/arao/usr/lib --enable-openssl --enable-agent
> --enable-xauth-generic --enable-gcrypt --enable-integrity-test
> --enable-openssl --enable-eap-gtc --enable-eap-md5
> --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2
> --enable-eap-identity --enable-attr-sql  --enable-md4
>
> My ipsec.conf file is as follows
>
> #ipsec.conf
> config setup
>
> # Sample VPN connections
> conn rw
>        auto=add
>        authby=xauthrsasig
>        keyexchange=ikev1
>        xauth=server
>        left=%defaultroute
>        right=%any
>        leftcert=serverCert.pem
>        rightcert=clientCert.pem
>        leftid=snowmane
>        rightid=client
>        leftfirewall=yes
>        rightfirewall=no
>
> I have tried by removing leftid and rightid as well but it did not work.
>
> My strongswan.conf is as follows
> # for strongSwan 5.0.0+
> charon {
>    filelog {
>        /var/log/charon.log {
>            time_format = %b %e %T
>            append = no
>            default = 1
>            flush_line = yes
>        }
>        stderr {
>            ike = 2
>            knl = 3
>            ike_name = yes
>        }
>    }
>    syslog {
>        identifier = charon-custom
>         daemon {
>        }
>        auth {
>            default = -1
>            ike = 0
>        }
>    }
> }
>
> --- logs on running ipsec start --nofork --debug-all
> 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0rc1)
> 00[CFG] attr-sql plugin: database URI not set
> 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
> 00[KNL] listening on interfaces:
> 00[KNL]   eth1
> 00[KNL]     <snowmane.mydomain.edu-ip-address>
> 00[KNL]     <ipv6-address>
> 00[CFG] loading ca certificates from '/mypath/etc/ipsec.d/cacerts'
> 00[CFG]   loaded ca certificate "C=US, O=snowmane, CN=snowmane CA"
> from '/mypath/etc/ipsec.d/cacerts/caCert.pem'
> 00[CFG] loading aa certificates from '/mypath/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/mypath/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/mypath/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/mypath/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/mypath/etc/ipsec.secrets'
> 00[CFG]   loaded RSA private key from
> '/mypath/etc/ipsec.d/private/serverKey.pem'
> 00[CFG]   loaded EAP secret for test
> 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl
> gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve
> socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2
> eap-md5 eap-gtc eap-mschapv2 xauth-generic
> 00[JOB] spawning 16 worker threads
> charon (12264) started after 40 ms
> 11[CFG] received stroke: add connection 'rw'
> 11[KNL] getting interface name for %any
> 11[KNL] %any is not a local address
> 11[KNL] getting interface name for %any
> 11[KNL] %any is not a local address
> 11[CFG] left nor right host is our side, assuming left=local
> 11[CFG]   loaded certificate "C=US, O=snowmane,
> CN=snowmane.mydomain.edu" from 'serverCert.pem'
> 11[CFG]   id 'snowmane' not confirmed by certificate, defaulting to
> 'C=US, O=snowmane, CN=snowmane.mydomain.edu'
> 11[CFG]   loaded certificate "C=US, O=snowmane, CN=client" from 'clientCert.pem'
> 11[CFG]   id 'client' not confirmed by certificate, defaulting to
> 'C=US, O=snowmane, CN=client'
> 11[CFG] added configuration 'rw'
> 12[NET] <1> received packet: from <clients-ipv4-address>[500] to
> <snowmane.mydomain.edu-ip-address>[500]
> 12[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V V ]
> 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
> 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
> 12[IKE] <1> received XAuth vendor ID
> 12[IKE] <1> received Cisco Unity vendor ID
> 12[ENC] <1> received unknown vendor ID:
> 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
> 12[IKE] <1> received DPD vendor ID
> 12[IKE] <1> <clients-ipv4-address> is initiating a Main Mode IKE_SA
> 12[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> 12[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
> 12[NET] <1> sending packet: from
> <snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
> 13[NET] <1> received packet: from <clients-ipv4-address>[500] to
> <snowmane.mydomain.edu-ip-address>[500]
> 13[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> 13[IKE] <1> sending cert request for "C=US, O=snowmane, CN=snowmane CA"
> 13[ENC] <1> generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
> 13[NET] <1> sending packet: from
> <snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
> 02[NET] <1> received packet: from <clients-ipv4-address>[500] to
> <snowmane.mydomain.edu-ip-address>[500]
> 02[ENC] <1> parsed ID_PROT request 0 [ ID CERT SIG ]
> 02[IKE] <1> received end entity cert "C=US, O=strongSwan, CN=client"
> 02[CFG] <1> looking for XAuthInitRSA peer configs matching
> <snowmane.mydomain.edu-ip-address>...<clients-ipv4-address>[C=US,
> O=strongSwan, CN=client]
> 02[IKE] <1> no peer config found
> 02[IKE] <1> queueing INFORMATIONAL task
> 02[IKE] <1> activating new tasks
> 02[IKE] <1>   activating INFORMATIONAL task
> 02[ENC] <1> generating INFORMATIONAL_V1 request 3114230574 [ HASH
> N(AUTH_FAILED) ]
> 02[NET] <1> sending packet: from
> <snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
> 02[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
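Added example, not part of either message: a small Python checker that correlates the charon log lines quoted above (the "not confirmed by certificate" warnings, the certificates loaded for leftcert/rightcert, and the end entity cert the peer actually sent) so the cause of "no peer config found" is visible without reading the whole log. The sample lines are the ones from the thread with the archive's line wrapping undone; the function name and report layout are my own.

```python
import re

# Constructed sample: charon records quoted in the thread, one record per string.
SAMPLE_LOG = [
    "00[CFG]   loaded ca certificate \"C=US, O=snowmane, CN=snowmane CA\" from '/mypath/etc/ipsec.d/cacerts/caCert.pem'",
    "11[CFG]   loaded certificate \"C=US, O=snowmane, CN=snowmane.mydomain.edu\" from 'serverCert.pem'",
    "11[CFG]   id 'snowmane' not confirmed by certificate, defaulting to 'C=US, O=snowmane, CN=snowmane.mydomain.edu'",
    "11[CFG]   loaded certificate \"C=US, O=snowmane, CN=client\" from 'clientCert.pem'",
    "11[CFG]   id 'client' not confirmed by certificate, defaulting to 'C=US, O=snowmane, CN=client'",
    "02[IKE] <1> received end entity cert \"C=US, O=strongSwan, CN=client\"",
    "02[IKE] <1> no peer config found",
]

# "loaded certificate" only: the "loaded ca certificate" record is deliberately not matched,
# because a CA cert is never what leftcert/rightcert point at.
LOADED = re.compile(r'loaded certificate "([^"]+)" from \'([^\']+)\'')
UNCONFIRMED = re.compile(r"id '([^']+)' not confirmed by certificate, defaulting to '([^']+)'")
RECEIVED = re.compile(r'received end entity cert "([^"]+)"')


def analyze_charon_log(lines):
    """Correlate identity warnings with the certificate the peer presented."""
    report = {"loaded": {}, "unconfirmed": [], "received": [], "findings": []}
    for line in lines:
        if m := LOADED.search(line):
            report["loaded"][m.group(2)] = m.group(1)        # file -> subject DN
        elif m := UNCONFIRMED.search(line):
            report["unconfirmed"].append((m.group(1), m.group(2)))
        elif m := RECEIVED.search(line):
            report["received"].append(m.group(1))
    # A leftid/rightid that is neither the subject DN nor a subjectAltName of the
    # certificate is replaced by the full subject DN; the peer must expect that DN.
    for ident, dn in report["unconfirmed"]:
        report["findings"].append(
            f"id '{ident}' is not in the certificate; charon will identify with '{dn}' instead")
    # The peer config is selected by the identity the peer proves with its cert, so a
    # presented cert that matches none of the configured ones cannot select 'rw'.
    configured = set(report["loaded"].values())
    for dn in report["received"]:
        if dn not in configured:
            report["findings"].append(
                f"peer presented '{dn}', which matches none of {sorted(configured)}; "
                "expect 'no peer config found'")
    if any("no peer config found" in ln for ln in lines) and not report["received"]:
        report["findings"].append("no peer config found, but no end entity cert was logged")
    return report
```

Run on the sample, the last finding shows the peer's certificate (O=strongSwan) is not the clientCert.pem (O=snowmane) named by rightcert, which is what the log reports before AUTH_FAILED.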
