[strongSwan] OpenSwan to StrongSwan migration (with CA): VPN not working
Andreas Steffen
andreas.steffen at strongswan.org
Wed Oct 17 19:16:22 CEST 2012
Hi,
you define
left=192.168.101.254
but the IKE messages arrive on an interface with
IP address 216.130.102.66:
packet from 123.123.123.123:500:
initial Main Mode message received on 216.130.102.66:500
but no connection has been authorized with policy=PUBKEY
no wonder that no match can be achieved!
Andreas
On 10/17/2012 04:11 PM, CJ Fearnley wrote:
> After a T1 outage left OpenSwan useless (again), I decided it was time
> to try StrongSwan. The system uses a local CA on the server. Keys and
> certs are in /etc/ipsec.d where we created them for OpenSwan. Nice that
> no change seems to be necessary there. It is a Debian Squeeze system,
> so I'm using the 4.4.1-5.2 version of the strongswan package.
>
> I'm testing this ipsec.onf (loosely based on
> http://www.strongswan.org/uml/testresults/ikev2/net2net-cert):
>
> config setup
> charonstart=yes
> plutostart=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.101.0/24
> # nat_traversal=yes
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> mobike=no
> keyexchange=ikev2
>
> conn sslvpn
> left=192.168.101.254
> leftid="C=US, ST=IL, L=Glenwood, O=PRIVACY, CN=PRIVACY.PRIVACY.com, E=priv at privacy.com"
> leftsendcert=always
> leftsubnet=192.168.101.0/24
> leftcert=PRIVACY.crt
> right=%any
> rekey=yes
> auto=add
>
> The other end is a NETGEAR ProSafe VPN Firewall FVS336GV2 configured for
> 3DES encryption and SHA-1 authentication. auth.log reports (IP changed
> for privacy):
>
> Oct 17 09:48:34 cw1 pluto[13499]: added connection description "sslvpn"
> Oct 17 09:48:38 cw1 pluto[13499]: packet from 123.123.123.123:500: ignoring Vendor ID payload [810fa565f8ab14369105d706fbd57279]
> Oct 17 09:48:38 cw1 pluto[13499]: packet from 123.123.123.123:500: received Vendor ID payload [Dead Peer Detection]
> Oct 17 09:48:38 cw1 pluto[13499]: packet from 123.123.123.123:500: initial Main Mode message received on 216.130.102.66:500 but no connection has been authorized with policy=PUBKEY
>
> ipsec status
> Security Associations:
> none
>
> I tried keyexchange=ike with nat_traversal with similar failures.
>
> How can I test that the client keys are OK?
>
> I tried
>
> lfcjf at cw1:~$ cat /etc/lfrr/ssl/keys/grandrapids2 at PRIVACY.com.crt|sudo ipsec pki --print
> plugin 'test-vectors' failed to load: /usr/lib/ipsec/plugins/libstrongswan-test-vectors.so: cannot open shared object file: No such file or directory
> plugin 'revocation' failed to load: /usr/lib/ipsec/plugins/libstrongswan-revocation.so: cannot open shared object file: No such file or directory
> cert: X509
> subject: "CN=PRIVACY"
> issuer: "C=US, ST=IL, L=Glenwood, O=PRIVACY, CN=PRIVACY VPN Services CA, E=priv at privacy.com"
> validity: not before Apr 13 16:19:21 2012, ok
> not after Apr 11 16:19:21 2022, ok (expires in 3463 days)
> serial: 37
> flags: clientAuth
> authkeyId: 4f:6d:db:66:40:aa:53:93:c8:e0:0b:dd:21:d3:79:c8:9f:c0:10:52
> subjkeyId: a9:fb:5e:c5:b5:7a:5a:3e:0d:24:1c:81:41:25:8c:1d:06:d3:e0:4e
> pubkey: RSA 1024 bits
> keyid: 87:3f:a3:23:c2:c2:ea:1f:e3:de:11:97:b2:b2:d0:f3:15:fc:7b:59
> subjkey: a9:fb:5e:c5:b5:7a:5a:3e:0d:24:1c:81:41:25:8c:1d:06:d3:e0:4e
>
> Does that mean the client key is correctly signed and valid? If so why
> isn't the tunnel working?
>
> Again, the Netgear and certs worked last week. But a T1 outage, random
> other confounding factors, and a sophisticated but error prone admin
> (me) mean that something dumb is as likely as something subtle.
>
> What should I try next?
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Users
mailing list