[strongSwan] OpenSwan to StrongSwan migration (with CA): VPN not working

CJ Fearnley cjf at LinuxForce.net
Wed Oct 17 16:11:10 CEST 2012 

After a T1 outage left OpenSwan useless (again), I decided it was time
to try StrongSwan.  The system uses a local CA on the server.  Keys and
certs are in /etc/ipsec.d where we created them for OpenSwan.  Nice that
no change seems to be necessary there.  It is a Debian Squeeze system,
so I'm using the 4.4.1-5.2 version of the strongswan package.

I'm testing this ipsec.onf (loosely based on
http://www.strongswan.org/uml/testresults/ikev2/net2net-cert):

config setup
    charonstart=yes
    plutostart=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.101.0/24
    # nat_traversal=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    mobike=no
    keyexchange=ikev2

conn sslvpn
    left=192.168.101.254
    leftid="C=US, ST=IL, L=Glenwood, O=PRIVACY, CN=PRIVACY.PRIVACY.com, E=priv at privacy.com"
    leftsendcert=always
    leftsubnet=192.168.101.0/24
    leftcert=PRIVACY.crt
    right=%any
    rekey=yes
    auto=add

The other end is a NETGEAR ProSafe VPN Firewall FVS336GV2 configured for
3DES encryption and SHA-1 authentication.  auth.log reports (IP changed
for privacy):

Oct 17 09:48:34 cw1 pluto[13499]: added connection description "sslvpn"
Oct 17 09:48:38 cw1 pluto[13499]: packet from 123.123.123.123:500: ignoring Vendor ID payload [810fa565f8ab14369105d706fbd57279]
Oct 17 09:48:38 cw1 pluto[13499]: packet from 123.123.123.123:500: received Vendor ID payload [Dead Peer Detection]
Oct 17 09:48:38 cw1 pluto[13499]: packet from 123.123.123.123:500: initial Main Mode message received on 216.130.102.66:500 but no connection has been authorized with policy=PUBKEY

ipsec status
Security Associations:
  none

I tried keyexchange=ike with nat_traversal with similar failures.

How can I test that the client keys are OK?

I tried

lfcjf at cw1:~$ cat /etc/lfrr/ssl/keys/grandrapids2 at PRIVACY.com.crt|sudo ipsec pki --print
plugin 'test-vectors' failed to load: /usr/lib/ipsec/plugins/libstrongswan-test-vectors.so: cannot open shared object file: No such file or directory
plugin 'revocation' failed to load: /usr/lib/ipsec/plugins/libstrongswan-revocation.so: cannot open shared object file: No such file or directory
cert:      X509
subject:  "CN=PRIVACY"
issuer:   "C=US, ST=IL, L=Glenwood, O=PRIVACY, CN=PRIVACY VPN Services CA, E=priv at privacy.com"
validity:  not before Apr 13 16:19:21 2012, ok
           not after  Apr 11 16:19:21 2022, ok (expires in 3463 days)
serial:    37
flags:     clientAuth 
authkeyId: 4f:6d:db:66:40:aa:53:93:c8:e0:0b:dd:21:d3:79:c8:9f:c0:10:52
subjkeyId: a9:fb:5e:c5:b5:7a:5a:3e:0d:24:1c:81:41:25:8c:1d:06:d3:e0:4e
pubkey:    RSA 1024 bits
keyid:     87:3f:a3:23:c2:c2:ea:1f:e3:de:11:97:b2:b2:d0:f3:15:fc:7b:59
subjkey:   a9:fb:5e:c5:b5:7a:5a:3e:0d:24:1c:81:41:25:8c:1d:06:d3:e0:4e

Does that mean the client key is correctly signed and valid?  If so why
isn't the tunnel working?

Again, the Netgear and certs worked last week.  But a T1 outage, random
other confounding factors, and a sophisticated but error prone admin
(me) mean that something dumb is as likely as something subtle.

What should I try next?

-- 
CJ Fearnley                 |   LinuxForce Inc.
cjf at LinuxForce.net          |   IT Projects & Systems Maintenance
http://www.LinuxForce.net   |   http://blog.remoteresponder.net

More information about the Users mailing list