[strongSwan] Strongswan + Mac OSX

Claude Tompers claude.tompers at restena.lu
Mon Sep 3 10:48:02 CEST 2012


Hi,

I'm using strongswan-5.0.0 and Apple Mountain Lion.
I'm trying to setup a VPN using Certificates only.

So far I had the VPN working in a hybrid mode where strongswan
authenticates itself using its certificate and my Mac authenticates with
username/groupname.

When trying to authenticate the Mac with a signature, I get the
following errors:

Sep  3 10:35:40 vpn-test charon: 15[NET] received packet: from 158.64.1.176[500] to 158.64.1.13[500]
Sep  3 10:35:40 vpn-test charon: 15[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Sep  3 10:35:40 vpn-test charon: 15[IKE] received NAT-T (RFC 3947) vendor ID
Sep  3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Sep  3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Sep  3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Sep  3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Sep  3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Sep  3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Sep  3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep  3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Sep  3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep  3 10:35:40 vpn-test charon: 15[IKE] received XAuth vendor ID
Sep  3 10:35:40 vpn-test charon: 15[IKE] received Cisco Unity vendor ID
Sep  3 10:35:40 vpn-test charon: 15[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
Sep  3 10:35:40 vpn-test charon: 15[IKE] received DPD vendor ID
Sep  3 10:35:40 vpn-test charon: 15[IKE] 158.64.1.176 is initiating a Main Mode IKE_SA
Sep  3 10:35:40 vpn-test charon: 15[IKE] 158.64.1.176 is initiating a Main Mode IKE_SA
Sep  3 10:35:40 vpn-test charon: 15[ENC] generating ID_PROT response 0 [ SA V V V ]
Sep  3 10:35:40 vpn-test charon: 15[NET] sending packet: from 158.64.1.13[500] to 158.64.1.176[500]
Sep  3 10:35:40 vpn-test charon: 16[NET] received packet: from 158.64.1.176[500] to 158.64.1.13[500]
Sep  3 10:35:40 vpn-test charon: 16[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Sep  3 10:35:40 vpn-test charon: 16[IKE] sending cert request for "C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA VPN CA, E=admin at restena.lu"
Sep  3 10:35:40 vpn-test charon: 16[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Sep  3 10:35:40 vpn-test charon: 16[NET] sending packet: from 158.64.1.13[500] to 158.64.1.176[500]
Sep  3 10:35:40 vpn-test charon: 18[NET] received packet: from 158.64.1.176[500] to 158.64.1.13[500]
Sep  3 10:35:40 vpn-test charon: 18[ENC] decryption failed, invalid length
Sep  3 10:35:40 vpn-test charon: 18[ENC] could not decrypt payloads
Sep  3 10:35:40 vpn-test charon: 18[IKE] integrity check failed

My ipsec.conf is the following:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

ca vpnca
    cacert=VPNCA-cacert.pem
    crluri=VPNCA-crl.pem
    auto=add

config setup
    charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, enc 1, lib 1"
    strictcrlpolicy=yes
    uniqueids=no


conn %default
    ikelifetime=60m
    ike=aes256-sha1-modp2048-modp1536-modp1024
    esp=aes256-sha1
    dpdaction=clear
    dpddelay=60s
    dpdtimeout=300s
    keyingtries=1
    inactivity=4h
    left=%any
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=vpn.restena.lu-cert.pem
    leftid=@vpn-test.restena.lu
    eap_identity=%identity
    right=%any
    rekey=no
    reauth=no
    mobike=no
    auto=add

# Add connections here.

conn IKEv1
    keyexchange=ikev1
    aggressive=yes
    rightauth=xauth-eap
    rightsourceip=%ikev1

conn IKEv2
    keyexchange=ikev2
    rightauth=eap-radius
    rightsourceip=%ikev2
    rightsendcert=never

conn RESTENA
    keyexchange=ikev1
    rightauth=pubkey
    rightsourceip=%ikev1


And the certificate I'm using on the client side is the following:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA VPN CA/emailAddress=admin at restena.lu
        Validity
            Not Before: Oct 29 08:41:38 2010 GMT
            Not After : Oct 28 08:41:38 2015 GMT
        Subject: C=LU, L=Luxembourg, O=Fondation RESTENA, CN=ctompers/emailAddress=claude.tompers at restena.lu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:e6:be:81:bd:a6:a4:3a:22:38:e1:11:4d:ef:c6:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            Netscape Comment:
                RESTENA VPN Client Certificate
            X509v3 Subject Key Identifier:
                57:50:91:24:6B:0F:19:9A:76:78:B1:5E:6F:8B:D0:D4:93:A8:1A:16
            X509v3 Authority Key Identifier:
                keyid:F8:FD:2F:DA:23:BE:EE:8B:B4:FD:2B:D0:98:5C:C1:5F:1E:5B:74:AC
                DirName:/C=LU/ST=n/a/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA VPN CA/emailAddress=admin at restena.lu
                serial:8D:CC:1F:4A:8D:C6:FA:CE

            X509v3 Issuer Alternative Name:
                <EMPTY>

            X509v3 Subject Alternative Name:
                email:claude.tompers at restena.lu
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
        26:04:db:59:d8:bb:ea:fc:1a:78:8a:06:7f:bb:dc:b2:db:03:
        ...


It seems to me that my Mac does not respond with the certificate
correctly. Am I right about that?
What can I do to fix this?


Kind regards,
Claude

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

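As an added example that is not part of the original message or of strongSwan itself: a small Python triage script that reads charon log lines in the syslog format quoted above, reconstructs how far the IKEv1 Main Mode (ID_PROT) exchange got, and reports the first message charon could not process. It assumes only that format; the sample log is constructed from the lines in the post, and the message numbering follows RFC 2409, where messages 1 to 4 are cleartext and messages 5 and 6 are the first encrypted ones, carrying ID, CERT and SIG.

```python
import re

# Constructed sample: the charon lines from the message above, one log line each.
SAMPLE_LOG = """\
Sep  3 10:35:40 vpn-test charon: 15[NET] received packet: from 158.64.1.176[500] to 158.64.1.13[500]
Sep  3 10:35:40 vpn-test charon: 15[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Sep  3 10:35:40 vpn-test charon: 15[IKE] 158.64.1.176 is initiating a Main Mode IKE_SA
Sep  3 10:35:40 vpn-test charon: 15[ENC] generating ID_PROT response 0 [ SA V V V ]
Sep  3 10:35:40 vpn-test charon: 16[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Sep  3 10:35:40 vpn-test charon: 16[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Sep  3 10:35:40 vpn-test charon: 18[NET] received packet: from 158.64.1.176[500] to 158.64.1.13[500]
Sep  3 10:35:40 vpn-test charon: 18[ENC] decryption failed, invalid length
Sep  3 10:35:40 vpn-test charon: 18[ENC] could not decrypt payloads
Sep  3 10:35:40 vpn-test charon: 18[IKE] integrity check failed
"""

# charon syslog layout: "<thread>[<subsystem>] <message>" after the "charon: " prefix.
LINE_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
# ENC lines that describe one complete IKE message together with its payload list.
MSG_RE = re.compile(r"^(?P<dir>parsed|generating) (?P<exch>\w+) (?P<kind>request|response)"
                    r" \d+ \[ (?P<payloads>[^\]]*)\]$")
ERROR_PREFIXES = ("decryption failed", "could not decrypt", "integrity check failed")
FIRST_ENCRYPTED_MSG = 5  # RFC 2409 Main Mode: messages 5 and 6 are encrypted (ID/CERT/SIG)


def main_mode_trace(log_text):
    """Walk a charon log and report how far an IKEv1 Main Mode exchange got.

    Returns the payload list of every ID_PROT message charon parsed or generated,
    whether a CERTREQ was sent, the first ENC/IKE error, and the number of the
    message that error belongs to."""
    report = {"messages": [], "certreq_sent": False, "error": None, "failed_at": None}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        pm = MSG_RE.match(msg)
        if pm and pm.group("exch") == "ID_PROT":
            payloads = pm.group("payloads").split()
            report["messages"].append((pm.group("dir"), payloads))
            report["certreq_sent"] |= "CERTREQ" in payloads
        elif report["error"] is None and msg.startswith(ERROR_PREFIXES):
            report["error"] = msg
            # The failing message is the one after the last message handled cleanly.
            report["failed_at"] = len(report["messages"]) + 1
    report["failed_in_encrypted_phase"] = (
        report["failed_at"] is not None and report["failed_at"] >= FIRST_ENCRYPTED_MSG)
    return report


if __name__ == "__main__":
    r = main_mode_trace(SAMPLE_LOG)
    for n, (direction, payloads) in enumerate(r["messages"], 1):
        print(f"msg {n}: {direction:10} {' '.join(payloads)}")
    print("failed at message", r["failed_at"], "->", r["error"])
```

For the log in the post the script shows four cleartext messages handled and the failure on message 5, the first encrypted one, which is where the client's identity, certificate and signature would arrive.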
