[strongSwan] wiki article iOS
Michael Monnerie
lists.michael.monnerie at is.it-management.at
Sun Apr 7 15:41:23 CEST 2013
Oh strange, I received this mail privately but not via the mailing list.
On Monday, 18 March 2013, 12:16:22, you wrote:
> Hi Michael,
>
> Your conn section is not loaded by the daemon.
>
> The reason is the comment here (also applies to the second comment in
> your config):
>
> > conn ios
> >     keyexchange=ikev1
> > # authby=xauthrsasig
> > ...
>
> Comments in ipsec.conf have to be indented the same way as the options.
> That is, the above should look something like this:
>
> > conn ios
> >     keyexchange=ikev1
> >     # authby=xauthrsasig
Thank you, I tried that:
conn ios
    keyexchange=ikev1
    # authby=xauthrsasig
    xauth=server
    left=212.69.162.156
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    leftauth=pubkey
    leftauth2=xauth
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.2
    rightcert=zmiPadCert.pem
    rightid="C=AT, O=Proteger, CN=*"
    compress=no
    auto=add
    # pfs=no
Still no sign that it gets loaded...
Mar 19 11:26:59 sharepoint1 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2, Linux 3.8.2-zmi, x86_64)
Mar 19 11:26:59 sharepoint1 charon: 00[LIB] no RDRAND support on AuthenticAMD CPU, disabled
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] HA config misses local/remote address
Mar 19 11:26:59 sharepoint1 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] loading ca certificates from '/usr/etc/ipsec.d/cacerts'
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] loading aa certificates from '/usr/etc/ipsec.d/aacerts'
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] loading ocsp signer certificates from '/usr/etc/ipsec.d/ocspcerts'
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] loading attribute certificates from '/usr/etc/ipsec.d/acerts'
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] loading crls from '/usr/etc/ipsec.d/crls'
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] loading secrets from '/usr/etc/ipsec.secrets'
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] loaded RSA private key from '/usr/etc/ipsec.d/private/myKey.der'
Mar 19 11:26:59 sharepoint1 charon: 00[DMN] loaded plugins: charon aes des blowfish sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl af-alg fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default stroke smp updown eap-md5 eap-mschapv2 eap-tls xauth-generic xauth-eap xauth-pam whitelist lookip certexpire unity
Mar 19 11:26:59 sharepoint1 charon: 00[JOB] spawning 16 worker threads
Mar 19 11:26:59 sharepoint1 ipsec_starter[8838]: charon (8841) started after 120 ms
Oh, I just see that sysconfdir is /usr/etc, fixing that...
Looks good now, but still doesn't work:
Mar 19 11:38:19 sharepoint1 charon: 04[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received XAuth vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received Cisco Unity vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received FRAGMENTATION vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received DPD vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] 81.217.108.227 is initiating a Main Mode IKE_SA
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] 81.217.108.227 is initiating a Main Mode IKE_SA
Mar 19 11:38:19 sharepoint1 charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
Mar 19 11:38:19 sharepoint1 charon: 04[NET] sending packet: from 212.69.162.156[500] to 81.217.108.227[500] (136 bytes)
Mar 19 11:38:20 sharepoint1 charon: 03[NET] received packet: from 81.217.108.227[500] to 212.69.162.156[500] (292 bytes)
Mar 19 11:38:20 sharepoint1 charon: 03[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 19 11:38:20 sharepoint1 charon: 03[IKE] remote host is behind NAT
Mar 19 11:38:20 sharepoint1 charon: 03[IKE] sending cert request for "C=AT, O=Proteger, CN=Proteger"
Mar 19 11:38:20 sharepoint1 charon: 03[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Mar 19 11:38:20 sharepoint1 charon: 03[NET] sending packet: from 212.69.162.156[500] to 81.217.108.227[500] (366 bytes)
Mar 19 11:38:21 sharepoint1 charon: 02[NET] received packet: from 81.217.108.227[4500] to 212.69.162.156[4500] (1180 bytes)
Mar 19 11:38:21 sharepoint1 charon: 02[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Mar 19 11:38:21 sharepoint1 charon: 02[IKE] ignoring certificate request without data
Mar 19 11:38:21 sharepoint1 charon: 02[IKE] received end entity cert "C=AT, O=Proteger, CN=iPad_ZMI"
Mar 19 11:38:21 sharepoint1 charon: 02[CFG] looking for XAuthInitRSA peer configs matching 212.69.162.156...81.217.108.227[C=AT, O=Proteger, CN=iPad_ZMI]
Mar 19 11:38:21 sharepoint1 charon: 02[IKE] no peer config found
Mar 19 11:38:21 sharepoint1 charon: 02[ENC] generating INFORMATIONAL_V1 request 3956128409 [ HASH N(AUTH_FAILED) ]
Mar 19 11:38:21 sharepoint1 charon: 02[NET] sending packet: from 212.69.162.156[4500] to 81.217.108.227[4500] (92 bytes)
Trying to go back to what the wiki says:
conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    leftauth=pubkey
    leftauth2=xauth
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.2
    rightcert=zmiPadCert.pem
    #rightid="C=AT, O=Proteger, CN=*"
    #compress=no
    auto=add
    # pfs=no
and now that I am on kernel 3.8.4, it does this:
Apr 7 15:35:52 sharepoint1 ipsec_starter[6740]: Starting strongSwan 5.0.2 IPsec [starter]...
Apr 7 15:35:52 sharepoint1 ipsec_starter[6740]: # deprecated keyword 'nat_traversal' in config setup
Apr 7 15:35:52 sharepoint1 ipsec_starter[6740]: # deprecated keyword 'charonstart' in config setup
Apr 7 15:35:52 sharepoint1 ipsec_starter[6740]: ### 2 parsing errors (0 fatal) ###
Apr 7 15:35:52 sharepoint1 kernel: NET: Registered protocol family 15
Apr 7 15:35:52 sharepoint1 kernel: Initializing XFRM netlink socket
Apr 7 15:35:52 sharepoint1 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2, Linux 3.8.4-zmi, x86_64)
Apr 7 15:35:52 sharepoint1 charon: 00[LIB] no RDRAND support on AuthenticAMD CPU, disabled
Apr 7 15:35:52 sharepoint1 kernel: NET: Registered protocol family 38
Apr 7 15:35:52 sharepoint1 kernel: sha1_ssse3: Neither AVX nor SSSE3 is available/usable.
Apr 7 15:35:52 sharepoint1 kernel: AVX instructions are not detected.
Apr 7 15:35:52 sharepoint1 kernel: AVX instructions are not detected.
Apr 7 15:35:52 sharepoint1 kernel: AVX instructions are not detected.
Apr 7 15:35:52 sharepoint1 charon: 00[CFG] HA config misses local/remote address
Apr 7 15:35:52 sharepoint1 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Apr 7 15:35:53 sharepoint1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 7 15:35:53 sharepoint1 charon: 00[CFG] loaded ca certificate "C=AT, O=Proteger, CN=Proteger" from '/etc/ipsec.d/cacerts/caCert.pem'
Apr 7 15:35:53 sharepoint1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 7 15:35:53 sharepoint1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 7 15:35:53 sharepoint1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 7 15:35:53 sharepoint1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 7 15:35:53 sharepoint1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 7 15:35:53 sharepoint1 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/serverKey.pem'
Apr 7 15:35:53 sharepoint1 charon: 00[CFG] loaded EAP secret for zmi
Apr 7 15:35:53 sharepoint1 charon: 00[DMN] loaded plugins: charon aes des blowfish sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl af-alg fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default stroke smp updown eap-md5 eap-mschapv2 eap-tls xauth-generic xauth-eap xauth-pam whitelist lookip certexpire unity
Apr 7 15:35:53 sharepoint1 charon: 00[JOB] spawning 16 worker threads
Apr 7 15:35:53 sharepoint1 ipsec_starter[6751]: charon (6752) started after 420 ms
Apr 7 15:35:53 sharepoint1 charon: 15[CFG] received stroke: add connection 'ios'
Apr 7 15:35:53 sharepoint1 charon: 15[CFG] left nor right host is our side, assuming left=local
Apr 7 15:35:53 sharepoint1 charon: 15[CFG] adding virtual IP address pool 10.0.0.2
Apr 7 15:35:53 sharepoint1 charon: 15[CFG] loaded certificate "C=AT, O=Proteger, CN=sharepoint1.zmi.at" from 'serverCert.pem'
Apr 7 15:35:53 sharepoint1 charon: 15[CFG] id '%any' not confirmed by certificate, defaulting to 'C=AT, O=Proteger, CN=sharepoint1.zmi.at'
Apr 7 15:35:53 sharepoint1 charon: 15[CFG] loaded certificate "C=AT, O=Proteger, CN=iPad_ZMI" from 'zmiPadCert.pem'
Apr 7 15:35:53 sharepoint1 charon: 15[CFG] id '%any' not confirmed by certificate, defaulting to 'C=AT, O=Proteger, CN=iPad_ZMI'
Apr 7 15:35:53 sharepoint1 charon: 15[CFG] added configuration 'ios'
Apr 7 15:37:43 sharepoint1 charon: 16[NET] received packet: from 81.217.108.227[500] to 212.69.162.156[500] (668 bytes)
Apr 7 15:37:43 sharepoint1 charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received XAuth vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received Cisco Unity vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received FRAGMENTATION vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received DPD vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] 81.217.108.227 is initiating a Main Mode IKE_SA
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] 81.217.108.227 is initiating a Main Mode IKE_SA
Apr 7 15:37:43 sharepoint1 charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
Apr 7 15:37:43 sharepoint1 charon: 16[NET] sending packet: from 212.69.162.156[500] to 81.217.108.227[500] (136 bytes)
Apr 7 15:37:43 sharepoint1 charon: 03[NET] received packet: from 81.217.108.227[500] to 212.69.162.156[500] (292 bytes)
Apr 7 15:37:43 sharepoint1 charon: 03[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 7 15:37:43 sharepoint1 charon: 03[IKE] remote host is behind NAT
Apr 7 15:37:43 sharepoint1 charon: 03[IKE] sending cert request for "C=AT, O=Proteger, CN=Proteger"
Apr 7 15:37:43 sharepoint1 charon: 03[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Apr 7 15:37:43 sharepoint1 charon: 03[NET] sending packet: from 212.69.162.156[500] to 81.217.108.227[500] (366 bytes)
Apr 7 15:37:44 sharepoint1 charon: 02[NET] received packet: from 81.217.108.227[4500] to 212.69.162.156[4500] (1180 bytes)
Apr 7 15:37:44 sharepoint1 charon: 02[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Apr 7 15:37:44 sharepoint1 charon: 02[IKE] ignoring certificate request without data
Apr 7 15:37:44 sharepoint1 charon: 02[IKE] received end entity cert "C=AT, O=Proteger, CN=iPad_ZMI"
Apr 7 15:37:44 sharepoint1 charon: 02[CFG] looking for XAuthInitRSA peer configs matching 212.69.162.156...81.217.108.227[C=AT, O=Proteger, CN=iPad_ZMI]
Apr 7 15:37:44 sharepoint1 charon: 02[IKE] no peer config found
Apr 7 15:37:44 sharepoint1 charon: 02[ENC] generating INFORMATIONAL_V1 request 1267733536 [ HASH N(AUTH_FAILED) ]
Apr 7 15:37:44 sharepoint1 charon: 02[NET] sending packet: from 212.69.162.156[4500] to 81.217.108.227[4500] (92 bytes)
What is the problem now?
--
with kind regards,
Michael Monnerie, Ing. BSc | Tel: +43 660 415 6531
XING: https://www.xing.com/profile/Michael_Monnerie
Facebook: https://www.facebook.com/michael.monnerie
Twitter: @MichaelMonnerie https://twitter.com/MichaelMonnerie
LinkedIn: http://lnkd.in/uGx6ug
Google+: https://plus.google.com/u/0/100598203632716687928/
Protéger.at Internet Services Austria [pronounced: Prot-e-schee]
http://protéger.at | http://proteger.at
Facebook: https://www.facebook.com/protegerat
Member of the it-management network http://it-management.at
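The indentation rule from the quoted reply, turned into a check. This is an added example and not strongSwan's own parser: it models only what the reply states, namely that a section header sits at column 0, that a comment at column 0 inside a conn ends the section, and that such a conn is then not loaded by the daemon. How the real starter recovers beyond that is not described on this page and is not modelled. The sample ipsec.conf is constructed from the conn in this message.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A section header sits at column 0; everything belonging to it is indented.
SECTION_RE = re.compile(r"^(config setup|conn|ca)(?:\s+(\S+))?$")


@dataclass
class Section:
    kind: str                        # "config", "conn" or "ca"
    name: str
    line_no: int
    options: Dict[str, str] = field(default_factory=dict)
    broken_at: Optional[int] = None  # column-0 line that cut the body off


def parse_ipsec_conf(text: str) -> List[Section]:
    """Split the file the way the starter does.  A column-0 line that is
    neither a header nor 'include' ends the current section; if indented
    options follow it, the section is marked broken (the reply above says
    such a conn is not loaded at all, which is what loaded_conns() models)."""
    sections: List[Section] = []
    current: Optional[Section] = None
    cut_at: Optional[int] = None     # column-0 line seen since the last header
    for n, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            continue
        if raw[0] not in " \t":      # column 0
            m = SECTION_RE.match(stripped)
            if m:
                kind = "config" if m.group(1) == "config setup" else m.group(1)
                name = "setup" if kind == "config" else (m.group(2) or "")
                current = Section(kind, name, n)
                sections.append(current)
                cut_at = None
            elif stripped.startswith("include "):
                current, cut_at = None, None   # legitimate top-level directive
            elif current is not None and cut_at is None:
                cut_at = n           # e.g. "# authby=xauthrsasig" at column 0
            continue
        if current is None or stripped.startswith("#"):
            continue                 # indented comments are fine
        if cut_at is not None:       # an option after the section was closed
            if current.broken_at is None:
                current.broken_at = cut_at
            continue
        key, sep, value = stripped.partition("=")
        if sep:
            current.options[key.strip()] = value.strip()
    return sections


def lint(text: str) -> List[str]:
    """One finding per section that lost options to a column-0 line."""
    return [f"{s.kind} {s.name} (line {s.line_no}): line {s.broken_at} is at "
            f"column 0 and ends the section; the options after it are lost, "
            f"indent it like the options"
            for s in parse_ipsec_conf(text) if s.broken_at is not None]


def loaded_conns(text: str) -> List[str]:
    """Names of the conn sections the daemon would actually receive."""
    return [s.name for s in parse_ipsec_conf(text)
            if s.kind == "conn" and s.broken_at is None]


# Constructed sample, modelled on the conn in this message: the comment at
# column 0 is the bug; FIXED_CONF is the same file with the comment indented.
BROKEN_CONF = """\
config setup
    uniqueids=yes

conn ios
    keyexchange=ikev1
# authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftcert=serverCert.pem
    right=%any
    rightsourceip=10.0.0.2
    auto=add
"""
FIXED_CONF = BROKEN_CONF.replace("\n# authby", "\n    # authby")

if __name__ == "__main__":
    for conf in (BROKEN_CONF, FIXED_CONF):
        print("loaded:", loaded_conns(conf), "findings:", lint(conf))
```

Run it before `ipsec start` or `ipsec update` on a machine where the daemon logs no "added configuration" line for a conn you expect; the linter names the offending line so you do not have to diff indentation by eye.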
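To pull the failure out of charon logs like the ones above without reading every vendor-ID line, here is an added triage script. It is not part of strongSwan; the regular expressions are written against the 5.0.2 message formats that appear in this message (an assumption for other versions), and the sample lines are an excerpt of the second log above, reduced to the interesting ones. Attaching packet-level lines to the most recently seen peer is a simplification that holds for a single client as in this thread.

```python
import re
from typing import List, Optional

# Message formats as printed by charon 5.0.2 in the log above (assumption:
# other versions keep them close enough for these regexes to match).
RE_ADDED  = re.compile(r"\[CFG\] added configuration '([^']+)'")
RE_DEFID  = re.compile(r"\[CFG\] id '[^']*' not confirmed by certificate, "
                       r"defaulting to '([^']+)'")
RE_INIT   = re.compile(r"\[IKE\] (\S+) is initiating a (\w+ Mode) IKE_SA")
RE_NAT    = re.compile(r"\[IKE\] remote host is behind NAT")
RE_CERT   = re.compile(r'\[IKE\] received end entity cert "([^"]+)"')
RE_LOOKUP = re.compile(r"\[CFG\] looking for (\S+) peer configs matching "
                       r"(\S+)\.\.\.(\S+)\[(.*)\]$")
RE_NOCFG  = re.compile(r"\[IKE\] no peer config found")
RE_AUTHF  = re.compile(r"N\(AUTH_FAILED\)")

# Constructed sample: the relevant lines of the second log in this message.
SAMPLE_LOG = """\
Apr 7 15:35:53 sharepoint1 charon: 15[CFG] received stroke: add connection 'ios'
Apr 7 15:35:53 sharepoint1 charon: 15[CFG] id '%any' not confirmed by certificate, defaulting to 'C=AT, O=Proteger, CN=sharepoint1.zmi.at'
Apr 7 15:35:53 sharepoint1 charon: 15[CFG] id '%any' not confirmed by certificate, defaulting to 'C=AT, O=Proteger, CN=iPad_ZMI'
Apr 7 15:35:53 sharepoint1 charon: 15[CFG] added configuration 'ios'
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] received XAuth vendor ID
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] 81.217.108.227 is initiating a Main Mode IKE_SA
Apr 7 15:37:43 sharepoint1 charon: 16[IKE] 81.217.108.227 is initiating a Main Mode IKE_SA
Apr 7 15:37:43 sharepoint1 charon: 03[IKE] remote host is behind NAT
Apr 7 15:37:44 sharepoint1 charon: 02[IKE] received end entity cert "C=AT, O=Proteger, CN=iPad_ZMI"
Apr 7 15:37:44 sharepoint1 charon: 02[CFG] looking for XAuthInitRSA peer configs matching 212.69.162.156...81.217.108.227[C=AT, O=Proteger, CN=iPad_ZMI]
Apr 7 15:37:44 sharepoint1 charon: 02[IKE] no peer config found
Apr 7 15:37:44 sharepoint1 charon: 02[ENC] generating INFORMATIONAL_V1 request 1267733536 [ HASH N(AUTH_FAILED) ]
""".splitlines()


def triage(lines: List[str]) -> dict:
    """One pass over the log.  Packet-level lines carry no peer address, so
    they are attached to the peer whose 'initiating' line was seen last
    (a simplification that holds for a single client, as here)."""
    report = {"configs": [], "identities": [], "peers": {}}
    peer: Optional[dict] = None
    for line in lines:
        if m := RE_ADDED.search(line):
            report["configs"].append(m.group(1))
        elif m := RE_DEFID.search(line):
            report["identities"].append(m.group(1))
        elif m := RE_INIT.search(line):
            peer = report["peers"].setdefault(m.group(1), {
                "mode": m.group(2), "nat": False, "cert": None,
                "lookup": None, "no_config": False, "auth_failed": False})
        elif peer is None:
            continue
        elif RE_NAT.search(line):
            peer["nat"] = True
        elif m := RE_CERT.search(line):
            peer["cert"] = m.group(1)
        elif m := RE_LOOKUP.search(line):
            peer["lookup"] = {"auth": m.group(1), "local": m.group(2),
                              "remote": m.group(3), "id": m.group(4)}
        elif RE_NOCFG.search(line):
            peer["no_config"] = True
        elif RE_AUTHF.search(line):
            peer["auth_failed"] = True
    return report


def verdict(report: dict) -> List[str]:
    """Say which of the criteria named in the lookup line (local address,
    peer identity, auth method) can still explain 'no peer config found'."""
    out = []
    for addr, p in report["peers"].items():
        if not p["no_config"]:
            out.append(f"{addr}: {p['mode']}, no peer-config failure logged")
            continue
        lk = p["lookup"] or {}
        ident, auth, local = lk.get("id"), lk.get("auth"), lk.get("local")
        if ident in report["identities"]:
            out.append(f"{addr}: identity '{ident}' is configured, so the "
                       f"lookup failed on the remaining criteria: auth method "
                       f"{auth} or local address {local} (configs loaded: "
                       f"{', '.join(report['configs']) or 'none'})")
        else:
            out.append(f"{addr}: identity '{ident}' matches none of the "
                       f"configured identities {report['identities']}")
    return out


if __name__ == "__main__":
    for line in verdict(triage(SAMPLE_LOG)):
        print(line)
```

On the log in this message the verdict is that the iPad's identity does appear among the identities charon derived from the configured certificates, so the unmatched part of the lookup is the auth method (XAuthInitRSA) or the local address, which narrows what to compare against the conn's left/right and auth settings.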