[strongSwan] Newbie: setting up VPN server for mobile devices using strongswan 5.x

Ashwin Rao ashwin.shirvanthe at gmail.com
Fri Jun 29 02:56:45 CEST 2012


Hi,

I have updated my certificates and yet I am not able to establish a
vpn connection. There are no rules currently in my iptables and I have
flushed them using iptables --flush. The output of iptables --list is
as follows.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

This message also contains the output of ipsec start --nofork
--debug-all; it contains my ipsec.conf file.

As I said before I would like my mobile devices to access the Internet
via this vpn server. I would like to use xauthrsasig for this setup.
I would also like to know why I am still seeing "certificate status is
not available" in the log file for the client. I have configured
strongswan using the following command.

./configure --sysconfdir=/home/arao/etc --prefix=/home/arao/usr/
--libexecdir=/home/arao/usr/lib --enable-openssl --enable-agent
--enable-xauth-generic --enable-gcrypt --enable-integrity-test
--enable-openssl --enable-eap-gtc --enable-eap-md5
--enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2
--enable-eap-identity --enable-md4 --enable-eap-radius
--enable-xauth-eap

I have updated my LD_LIBRARY_PATH and LD_RUN_PATH variables before running ipsec.
--
Starting strongSwan 5.0.0rc1 IPsec [starter]...
Loading config setup
Loading conn 'rw'
  auto=add
  authby=xauthrsasig
  xauth=server
  keyexchange=ikev1
  left=%defaultroute
  right=%any
  leftcert=serverCert.pem
  leftid=@snowmane.mydomain.edu
  rightid="C=US, O=snowmane, CN=client"
  rightcert=clientCert.pem
  leftfirewall=no
  leftsubnet=0.0.0.0/0
  rightsubnet=0.0.0.0/0
found netkey IPsec stack
plugin 'kernel-netlink': loaded successfully
listening on interfaces:
  eth1
    sss.sss.4.186
    fefe::abc:defg:pqrs:fedf
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.0.0rc1)
00[KNL] listening on interfaces:
00[KNL]   eth1
00[KNL]     sss.sss.4.186
00[KNL]     abcd::efg:hijk:lmno:pqrs
00[CFG] loaded 0 RADIUS server configurations
00[CFG] loading ca certificates from '/home/arao/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=US, O=snowmane, CN=snowmane CA"
from '/home/arao/etc/ipsec.d/cacerts/caCert.pem'
00[CFG] loading aa certificates from '/home/arao/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/home/arao/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/home/arao/etc/ipsec.d/acerts'
00[CFG] loading crls from '/home/arao/etc/ipsec.d/crls'
00[CFG] loading secrets from '/home/arao/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from
'/home/arao/etc/ipsec.d/private/serverKey.pem'
00[CFG]   loaded RSA private key from
'/home/arao/etc/ipsec.d/private/clientKey.pem'
00[CFG]   loaded EAP secret for test
00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl
gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve
socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2
eap-md5 eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-eap
00[JOB] spawning 16 worker threads
charon (6440) started after 40 ms
08[CFG] received stroke: add connection 'rw'
08[KNL] getting interface name for %any
08[KNL] %any is not a local address
08[KNL] getting interface name for %any
08[KNL] %any is not a local address
08[CFG] left nor right host is our side, assuming left=local
08[CFG]   loaded certificate "C=US, O=snowmane,
CN=snowmane.mydomain.edu" from 'serverCert.pem'
08[CFG]   loaded certificate "C=US, O=snowmane, CN=client" from 'clientCert.pem'
08[CFG] added configuration 'rw'
11[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
11[IKE] received NAT-T (RFC 3947) vendor ID
11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
11[IKE] received XAuth vendor ID
11[IKE] received Cisco Unity vendor ID
11[ENC] received unknown vendor ID:
40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
11[IKE] received DPD vendor ID
11[IKE] ccc.ccc.7.68 is initiating a Main Mode IKE_SA
11[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
11[ENC] generating ID_PROT response 0 [ SA V V V ]
11[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
10[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
10[IKE] natd_chunk => 22 bytes @ 0x7fa7b2e9fa90
10[IKE]    0: EE D3 83 8C AA 1B A5 C3 B5 C7 24 76 F8 2C AD 6E  ..........$v.,.n
10[IKE]   16: 80 D0 04 BA 01 F4                                ......
10[IKE] natd_hash => 20 bytes @ 0x7fa76c000d50
10[IKE]    0: 23 E9 88 EC 15 8B E0 8A A2 69 4C 1F D2 7C 58 68  #........iL..|Xh
10[IKE]   16: 15 26 9B E2                                      .&..
10[IKE] natd_chunk => 22 bytes @ 0x7fa7b2e9fa90
10[IKE]    0: EE D3 83 8C AA 1B A5 C3 B5 C7 24 76 F8 2C AD 6E  ..........$v.,.n
10[IKE]   16: AC 1C 07 44 01 F4                                ...D..
10[IKE] natd_hash => 20 bytes @ 0x7fa76c000d00
10[IKE]    0: D6 6D 58 D6 F0 6C 85 DA 91 C8 3E B6 97 34 54 AC  .mX..l....>..4T.
10[IKE]   16: 6A DF 67 A0                                      j.g.
10[IKE] precalculated src_hash => 20 bytes @ 0x7fa76c000d00
10[IKE]    0: D6 6D 58 D6 F0 6C 85 DA 91 C8 3E B6 97 34 54 AC  .mX..l....>..4T.
10[IKE]   16: 6A DF 67 A0                                      j.g.
10[IKE] precalculated dst_hash => 20 bytes @ 0x7fa76c000d50
10[IKE]    0: 23 E9 88 EC 15 8B E0 8A A2 69 4C 1F D2 7C 58 68  #........iL..|Xh
10[IKE]   16: 15 26 9B E2                                      .&..
10[IKE] received dst_hash => 20 bytes @ 0x7fa76c000c00
10[IKE]    0: 23 E9 88 EC 15 8B E0 8A A2 69 4C 1F D2 7C 58 68  #........iL..|Xh
10[IKE]   16: 15 26 9B E2                                      .&..
10[IKE] received src_hash => 20 bytes @ 0x7fa76c000cc0
10[IKE]    0: D6 6D 58 D6 F0 6C 85 DA 91 C8 3E B6 97 34 54 AC  .mX..l....>..4T.
10[IKE]   16: 6A DF 67 A0                                      j.g.
10[IKE] sending cert request for "C=US, O=snowmane, CN=snowmane CA"
10[IKE] natd_chunk => 22 bytes @ 0x7fa7b2e9faa0
10[IKE]    0: EE D3 83 8C AA 1B A5 C3 B5 C7 24 76 F8 2C AD 6E  ..........$v.,.n
10[IKE]   16: AC 1C 07 44 01 F4                                ...D..
10[IKE] natd_hash => 20 bytes @ 0x7fa76c0013d0
10[IKE]    0: D6 6D 58 D6 F0 6C 85 DA 91 C8 3E B6 97 34 54 AC  .mX..l....>..4T.
10[IKE]   16: 6A DF 67 A0                                      j.g.
10[IKE] natd_chunk => 22 bytes @ 0x7fa7b2e9faa0
10[IKE]    0: EE D3 83 8C AA 1B A5 C3 B5 C7 24 76 F8 2C AD 6E  ..........$v.,.n
10[IKE]   16: 80 D0 04 BA 01 F4                                ......
10[IKE] natd_hash => 20 bytes @ 0x7fa76c0027a0
10[IKE]    0: 23 E9 88 EC 15 8B E0 8A A2 69 4C 1F D2 7C 58 68  #........iL..|Xh
10[IKE]   16: 15 26 9B E2                                      .&..
10[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
10[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
13[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
13[IKE] received retransmit of request with ID 0, retransmitting response
13[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
12[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
12[ENC] parsed ID_PROT request 0 [ ID CERT SIG ]
12[IKE] received end entity cert "C=US, O=snowmane, CN=client"
12[CFG] looking for XAuthInitRSA peer configs matching
sss.sss.4.186...ccc.ccc.7.68[C=US, O=snowmane, CN=client]
12[CFG] selected peer config "rw"
12[IKE] HASH_I data => 615 bytes @ 0x7fa764002740
12[IKE] HASH_I => 20 bytes @ 0x7fa7640009f0
12[IKE]    0: C5 DF A1 3A AB 84 C1 67 72 61 A9 9A 17 40 38 62  ...:...gra...@8b
12[IKE]   16: 56 B3 45 2D                                      V.E-
12[CFG]   using trusted ca certificate "C=US, O=snowmane, CN=snowmane CA"
12[CFG] checking certificate status of "C=US, O=snowmane, CN=client"
12[CFG] certificate status is not available
12[CFG]   reached self-signed root ca with a path length of 0
12[CFG]   using trusted certificate "C=US, O=snowmane, CN=client"
12[IKE] authentication of 'C=US, O=snowmane, CN=client' with RSA successful
12[IKE] HASH_R data => 590 bytes @ 0x7fa764003ce0
12[IKE] HASH_R => 20 bytes @ 0x7fa7640028a0
12[IKE]    0: 28 D4 0C A0 E4 62 90 46 64 98 76 E5 10 A4 45 F2  (....b.Fd.v...E.
12[IKE]   16: 7C EF AD B0                                      |...
12[IKE] authentication of 'snowmane.mydomain.edu' (myself) successful
12[IKE] queueing XAUTH task
12[ENC] generating ID_PROT response 0 [ ID SIG ]
12[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
12[IKE] activating new tasks
12[IKE]   activating XAUTH task
12[IKE] Hash => 20 bytes @ 0x7fa7640064b0
12[IKE]    0: 14 5E CA D8 33 AD 53 76 0F A4 90 6A 82 F7 54 E1  .^..3.Sv...j..T.
12[IKE]   16: 49 8D AD 86                                      I...
12[ENC] generating TRANSACTION request 3975168956 [ HASH CP ]
12[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
15[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
15[IKE] received retransmit of request with ID 0, retransmitting response
15[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
02[IKE] sending retransmit 1 of request message ID 3975168956, seq 1
02[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
16[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
16[IKE] received retransmit of request with ID 0, retransmitting response
16[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
09[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
09[IKE] received retransmit of request with ID 0, retransmitting response
09[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
08[IKE] sending retransmit 2 of request message ID 3975168956, seq 1
08[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
11[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
11[IKE] received retransmit of request with ID 0, retransmitting response
11[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
10[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
10[IKE] received retransmit of request with ID 0, retransmitting response
10[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
13[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
13[IKE] received retransmit of request with ID 0, retransmitting response
13[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
12[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
12[IKE] received retransmit of request with ID 0, retransmitting response
12[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
15[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
15[IKE] received retransmit of request with ID 0, retransmitting response
15[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
02[IKE] sending retransmit 3 of request message ID 3975168956, seq 1
02[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
16[JOB] deleting half open IKE_SA after timeout
16[IKE] IKE_SA rw[1] state change: CONNECTING => DESTROYING
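As an added example (not code from this thread or from the strongSwan project), a small Python triage script that parses the charon line format `NN[GROUP] message` and classifies the two failure modes seen in this thread: the XAuth attempt above, where the peer authenticates and then only retransmits its Main Mode request until the half-open IKE_SA is deleted, and the earlier "no peer config found" attempt quoted further down. The sample log lines are constructed from a subset of the lines in this thread, with wrapped lines joined; everything else is assumed.

```python
import re

# Constructed sample: a condensed subset of the charon lines posted above (the IKEv1
# Main Mode + XAuth attempt that times out), with wrapped lines joined.
SAMPLE_XAUTH_TIMEOUT = """\
11[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
12[CFG] checking certificate status of "C=US, O=snowmane, CN=client"
12[CFG] certificate status is not available
12[IKE] authentication of 'C=US, O=snowmane, CN=client' with RSA successful
12[IKE] queueing XAUTH task
12[ENC] generating TRANSACTION request 3975168956 [ HASH CP ]
15[IKE] received retransmit of request with ID 0, retransmitting response
02[IKE] sending retransmit 1 of request message ID 3975168956, seq 1
08[IKE] sending retransmit 2 of request message ID 3975168956, seq 1
02[IKE] sending retransmit 3 of request message ID 3975168956, seq 1
16[JOB] deleting half open IKE_SA after timeout
16[IKE] IKE_SA rw[1] state change: CONNECTING => DESTROYING
"""

# Constructed sample: the earlier failure quoted further down (no conn matched).
SAMPLE_NO_PEER_CONFIG = """\
02[IKE] <1> received end entity cert "C=US, O=strongSwan, CN=client"
02[CFG] <1> looking for XAuthInitRSA peer configs matching
02[IKE] <1> no peer config found
02[ENC] <1> generating INFORMATIONAL_V1 request 3114230574 [ HASH N(AUTH_FAILED) ]
02[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
"""

# charon line format: two-digit thread id, [GROUP], optional <ike_sa id>, message
LINE_RE = re.compile(r'^(?P<thread>\d{2})\[(?P<group>[A-Z]{3})\] (?:<\d+> )?(?P<msg>.*)$')
STATE_RE = re.compile(r'state change: (\w+) => (\w+)')
RETRANS_RE = re.compile(r'sending retransmit (\d+) of request message ID (\d+)')

def parse(log):
    """Yield (group, msg) per prefixed line; wrapped continuation lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group('group'), m.group('msg')

def verdict(r):
    """Name the failure point from the collected markers."""
    if r['no_peer_config']:
        return 'no conn matched the peer identity; compare rightid with the client cert subject'
    if r['xauth_started'] and r['half_open_timeout'] and r['max_retransmit'] > 0:
        return ('peer authenticated but never answered the XAUTH TRANSACTION request; '
                'it kept retransmitting its Main Mode request (message ID 0) instead')
    if r['half_open_timeout']:
        return 'half-open IKE_SA timed out before the peer was authenticated'
    return 'no failure detected'

def analyse(log):
    """Summarise one charon negotiation: auth result, revocation info, retransmits, outcome."""
    r = {'peer_authenticated': False, 'revocation_unavailable': False, 'xauth_started': False,
         'no_peer_config': False, 'max_retransmit': 0, 'inbound_retransmits': 0,
         'half_open_timeout': False, 'final_state': None}
    for _group, msg in parse(log):
        if msg.startswith('authentication of') and 'with RSA successful' in msg:
            r['peer_authenticated'] = True
        elif msg == 'certificate status is not available':
            # no CRL or OCSP data for the peer cert; not fatal unless a strict CRL policy is set
            r['revocation_unavailable'] = True
        elif msg == 'queueing XAUTH task':
            r['xauth_started'] = True
        elif msg == 'no peer config found':
            r['no_peer_config'] = True
        elif msg.startswith('received retransmit of request'):
            r['inbound_retransmits'] += 1
        elif msg.startswith('deleting half open IKE_SA'):
            r['half_open_timeout'] = True
        m = RETRANS_RE.search(msg)
        if m:
            r['max_retransmit'] = max(r['max_retransmit'], int(m.group(1)))
        m = STATE_RE.search(msg)
        if m:
            r['final_state'] = m.group(2)
    r['verdict'] = verdict(r)
    return r
```

Run `analyse(SAMPLE_XAUTH_TIMEOUT)` or feed it the output of `ipsec start --nofork --debug-all`; note that "certificate status is not available" only records that charon found neither a CRL nor an OCSP response for the client certificate, and the log above shows authentication succeeding right after it, so it is not the cause of the timeout.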


> Hello
>
> My configuration for 5.0.0rc1 is as follows:
>
> conn mobilephones
>        keyexchange=ikev1
>        ikelifetime=60m
>        keylife=20m
>        rekeymargin=3m
>        keyingtries=3
>        left=my-public-ip
>        leftsubnet=0.0.0.0/0
>        leftcert=my-vpn-server.crt
>        leftid=@server-cert-subject-cn
>        leftauth=pubkey
>        leftfirewall=no
>        right=%any
>        rightauth=pubkey
>        rightauth2=xauth-eap
>        rightsourceip=192.168.100.0/24
>        auto=add
>
> and strongswan.conf has:
>
>
> charon {
>    plugins {
>     eap-radius {
>       secret = secret-for-radius
>       server = 192.168.200.10
>     }
>     attr {
>       dns = 192.168.200.11
>     }
>   }
> }
>
>
> So, I'm using radius to authenticate users (IKEv1+Xauth using
> certificates). I have created my own CA, server certificates and
> client certificates.
>
> Without Radius, you could store credentials to ipsec.secrets or you
> might be able (don't know) use some other EAP method to use local
> credentials from server.
>
> Regards,
> Kimmo
>
> 2012/6/28 Ashwin Rao <ashwin.shirvanthe at gmail.com>:
>> Hi,
>>
>> I am using strongswan 5.0.0rc1 to setup a VPN tunnel between my mobile
>> devices and server that has a public IPv4 address. I would like these
>> mobile devices to access the Internet via my machine. I am seeing the
>> messages (present at the end of the mail) while running my ipsec
>> daemon. To summarise, my client is not able to connect with the VPN
>> server, and I get the message
>> * id 'snowmane' not confirmed by certificate, defaulting to 'C=US,
>> O=snowmane, CN=snowmane.mydomain.edu'
>> * no peer config found".
>> I get the same errors while connecting my iPod touch and an Android
>> phone (v4.0) to the VPN server.
>>
>> I compiled strongswan using the following config params.
>> ./configure --sysconfdir=/home/arao/etc --prefix=/home/arao/usr/
>> --libexecdir=/home/arao/usr/lib --enable-openssl --enable-agent
>> --enable-xauth-generic --enable-gcrypt --enable-integrity-test
>> --enable-openssl --enable-eap-gtc --enable-eap-md5
>> --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2
>> --enable-eap-identity --enable-attr-sql  --enable-md4
>>
>> My ipsec.conf file is as follows
>>
>> #ipsec.conf
>> config setup
>>
>> # Sample VPN connections
>> conn rw
>>        auto=add
>>        authby=xauthrsasig
>>        keyexchange=ikev1
>>        xauth=server
>>        left=%defaultroute
>>        right=%any
>>        leftcert=serverCert.pem
>>        rightcert=clientCert.pem
>>        leftid=snowmane
>>        rightid=client
>>        leftfirewall=yes
>>        rightfirewall=no
>>
>> I have tried by removing leftid and rightid as well but it did not work.
>>
>> My strongswan.conf is as follows
>> # for strongSwan 5.0.0+
>> charon {
>>    filelog {
>>        /var/log/charon.log {
>>            time_format = %b %e %T
>>            append = no
>>            default = 1
>>            flush_line = yes
>>        }
>>        stderr {
>>            ike = 2
>>            knl = 3
>>            ike_name = yes
>>        }
>>    }
>>    syslog {
>>        identifier = charon-custom
>>         daemon {
>>        }
>>        auth {
>>            default = -1
>>            ike = 0
>>        }
>>    }
>> }
>>
>> --- logs on running ipsec start --nofork --debug-all
>> 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0rc1)
>> 00[CFG] attr-sql plugin: database URI not set
>> 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
>> 00[KNL] listening on interfaces:
>> 00[KNL]   eth1
>> 00[KNL]     <snowmane.mydomain.edu-ip-address>
>> 00[KNL]     <ipv6-address>
>> 00[CFG] loading ca certificates from '/mypath/etc/ipsec.d/cacerts'
>> 00[CFG]   loaded ca certificate "C=US, O=snowmane, CN=snowmane CA"
>> from '/mypath/etc/ipsec.d/cacerts/caCert.pem'
>> 00[CFG] loading aa certificates from '/mypath/etc/ipsec.d/aacerts'
>> 00[CFG] loading ocsp signer certificates from '/mypath/etc/ipsec.d/ocspcerts'
>> 00[CFG] loading attribute certificates from '/mypath/etc/ipsec.d/acerts'
>> 00[CFG] loading crls from '/mypath/etc/ipsec.d/crls'
>> 00[CFG] loading secrets from '/mypath/etc/ipsec.secrets'
>> 00[CFG]   loaded RSA private key from
>> '/mypath/etc/ipsec.d/private/serverKey.pem'
>> 00[CFG]   loaded EAP secret for test
>> 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random nonce x509
>> revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl
>> gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve
>> socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2
>> eap-md5 eap-gtc eap-mschapv2 xauth-generic
>> 00[JOB] spawning 16 worker threads
>> charon (12264) started after 40 ms
>> 11[CFG] received stroke: add connection 'rw'
>> 11[KNL] getting interface name for %any
>> 11[KNL] %any is not a local address
>> 11[KNL] getting interface name for %any
>> 11[KNL] %any is not a local address
>> 11[CFG] left nor right host is our side, assuming left=local
>> 11[CFG]   loaded certificate "C=US, O=snowmane,
>> CN=snowmane.mydomain.edu" from 'serverCert.pem'
>> 11[CFG]   id 'snowmane' not confirmed by certificate, defaulting to
>> 'C=US, O=snowmane, CN=snowmane.mydomain.edu'
>> 11[CFG]   loaded certificate "C=US, O=snowmane, CN=client" from 'clientCert.pem'
>> 11[CFG]   id 'client' not confirmed by certificate, defaulting to
>> 'C=US, O=snowmane, CN=client'
>> 11[CFG] added configuration 'rw'
>> 12[NET] <1> received packet: from <clients-ipv4-address>[500] to
>> <snowmane.mydomain.edu-ip-address>[500]
>> 12[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V V ]
>> 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
>> 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
>> 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
>> 12[IKE] <1> received XAuth vendor ID
>> 12[IKE] <1> received Cisco Unity vendor ID
>> 12[ENC] <1> received unknown vendor ID:
>> 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
>> 12[IKE] <1> received DPD vendor ID
>> 12[IKE] <1> <clients-ipv4-address> is initiating a Main Mode IKE_SA
>> 12[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
>> 12[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
>> 12[NET] <1> sending packet: from
>> <snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
>> 13[NET] <1> received packet: from <clients-ipv4-address>[500] to
>> <snowmane.mydomain.edu-ip-address>[500]
>> 13[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> 13[IKE] <1> sending cert request for "C=US, O=snowmane, CN=snowmane CA"
>> 13[ENC] <1> generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
>> 13[NET] <1> sending packet: from
>> <snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
>> 02[NET] <1> received packet: from <clients-ipv4-address>[500] to
>> <snowmane.mydomain.edu-ip-address>[500]
>> 02[ENC] <1> parsed ID_PROT request 0 [ ID CERT SIG ]
>> 02[IKE] <1> received end entity cert "C=US, O=strongSwan, CN=client"
>> 02[CFG] <1> looking for XAuthInitRSA peer configs matching
>> <snowmane.mydomain.edu-ip-address>...<clients-ipv4-address>[C=US,
>> O=strongSwan, CN=client]
>> 02[IKE] <1> no peer config found
>> 02[IKE] <1> queueing INFORMATIONAL task
>> 02[IKE] <1> activating new tasks
>> 02[IKE] <1>   activating INFORMATIONAL task
>> 02[ENC] <1> generating INFORMATIONAL_V1 request 3114230574 [ HASH
>> N(AUTH_FAILED) ]
>> 02[NET] <1> sending packet: from
>> <snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
>> 02[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
>>