[strongSwan] Strongswan as road warrior to Cisco 3000 VPN concentrator

John Serink jserink2004 at yahoo.com
Thu May 2 16:07:56 CEST 2013


Hi All:

I have been trying to get strongswan to replace the old linux Cisco vpn client and the windows GUI cisco vpn client I use from inside my Windows 7 VM to connect to our corporate network. I have made some progress but have hit a road block.

My /etc/ipsec.secrets file:
jserinki7 certs # cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA May2-2013key.pem

ap\jserink  : XAUTH "XXXXXX"

My /etc/ipsec.conf file:
jserinki7 certs # cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
uniqueids = yes

# Add connections here.

conn christchurch
     left=%defaultroute
     keyexchange=ikev1
     authby=xauthrsasig
     xauth=client
     ike=aes-sha1-modp1024,aes-sha1-modp1536,aes-md5-modp1024,aes-md5-modp1536,3des-md5-modp768,3des-sha1-modp768,aes192-sha1-modp1024,aes192-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-modp1536,aes192-md5-modp1024,aes192-md5-modp1536,aes256-md5-modp1024,aes256-md5-modp1536,3des-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1536,3des-sha1-modp1536
     esp=aes-sha1-modp1024,aes-sha1-modp1536,aes-md5-modp1024,aes-md5-modp1536,3des-md5-modp768,3des-sha1-modp768,aes192-sha1-modp1024,aes192-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-modp1536,aes192-md5-modp1024,aes192-md5-modp1536,aes256-md5-modp1024,aes256-md5-modp1536,3des-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1536,3des-sha1-modp1536
     
     leftsourceip=%modeconfig
     leftid=jim at bob.com
     right=chch.bob.com
     modeconfig=pull
     xauth_identity=ap\jserink
     rightsubnet=10.0.0.0/8
     auto=start
     rekey=yes
     type=tunnel

I'm using everything under the sun for ike and esp as I am not quite sure what the concentrator is using.

Here is the log file:
May 02 22:00:09 [ipsec_starter] Starting strongSwan 5.0.3 IPsec [starter]...
May 02 22:00:09 [charon] 00[DMN] Starting IKE charon daemon (strongSwan 5.0.3, Linux 3.7.10-gentoo, x86_64)
May 02 22:00:09 [charon] 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
May 02 22:00:09 [charon] 00[CFG] loaded 0 RADIUS server configurations
May 02 22:00:09 [charon] 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 02 22:00:09 [charon] 00[CFG]   loaded ca certificate "A whole bunch of stuff" from '/etc/ipsec.d/cacerts/May2-2013-CA.pem'
May 02 22:00:09 [charon] 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 02 22:00:10 [charon] 00[CFG]   loaded certificate "More stuff identifying me" from '/etc/ipsec.d/aacerts/May2-2013.crt'
May 02 22:00:10 [charon] 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 02 22:00:10 [charon] 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 02 22:00:10 [charon] 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 02 22:00:10 [charon] 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 02 22:00:10 [charon] 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/May2-2013key.pem'
May 02 22:00:10 [charon] 00[CFG]   loaded EAP secret for ap\jserink
May 02 22:00:10 [charon] 00[DMN] loaded plugins: charon curl aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius xauth-generic dhcp
May 02 22:00:10 [charon] 00[LIB] dropped capabilities, running as uid 0, gid 0
May 02 22:00:10 [charon] 00[JOB] spawning 16 worker threads
May 02 22:00:10 [ipsec_starter] charon (28901) started after 40 ms
May 02 22:00:10 [charon] 10[CFG] received stroke: add connection 'christchurch'
May 02 22:00:11 [charon] 10[CFG] left nor right host is our side, assuming left=local
May 02 22:00:11 [charon] 10[CFG] added configuration 'christchurch'
May 02 22:00:11 [charon] 12[CFG] received stroke: initiate 'christchurch'
May 02 22:00:11 [charon] 12[IKE] initiating Main Mode IKE_SA christchurch[1] to 218.101.54.25
                - Last output repeated twice -
May 02 22:00:11 [charon] 12[ENC] generating ID_PROT request 0 [ SA V V V V ]
May 02 22:00:11 [charon] 12[NET] sending packet: from 192.168.0.35[500] to 218.101.54.25[500] (780 bytes)
May 02 22:00:11 [charon] 14[NET] received packet: from 218.101.54.25[500] to 192.168.0.35[500] (124 bytes)
May 02 22:00:11 [charon] 14[ENC] parsed ID_PROT response 0 [ SA V V ]
May 02 22:00:11 [charon] 14[IKE] received NAT-T (RFC 3947) vendor ID
May 02 22:00:11 [charon] 14[IKE] received FRAGMENTATION vendor ID
May 02 22:00:11 [charon] 14[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
May 02 22:00:11 [charon] 14[NET] sending packet: from 192.168.0.35[500] to 218.101.54.25[500] (236 bytes)
May 02 22:00:11 [charon] 15[NET] received packet: from 218.101.54.25[500] to 192.168.0.35[500] (473 bytes)
May 02 22:00:11 [charon] 15[ENC] parsed ID_PROT response 0 [ KE No CERTREQ V V V V NAT-D NAT-D ]
May 02 22:00:11 [charon] 15[IKE] received cert request for unknown ca 'A whole bunc of stuff from above'
May 02 22:00:11 [charon] 15[IKE] local host is behind NAT, sending keep alives
May 02 22:00:11 [charon] 15[IKE] sending cert request for "The same whle bunc of stuff"
May 02 22:00:11 [charon] 15[IKE] authentication of 'jim at bob.com' (myself) successful
May 02 22:00:11 [charon] 15[IKE] sending end entity cert "The stuff identifying me"
May 02 22:00:11 [charon] 15[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ ]
May 02 22:00:11 [charon] 15[NET] sending packet: from 192.168.0.35[4500] to 218.101.54.25[4500] (1852 bytes)
May 02 22:00:15 [charon] 10[IKE] sending retransmit 1 of request message ID 0, seq 3
May 02 22:00:15 [charon] 10[NET] sending packet: from 192.168.0.35[4500] to 218.101.54.25[4500] (1852 bytes)
May 02 22:00:19 [charon] 13[NET] received packet: from 218.101.54.25[500] to 192.168.0.35[500] (473 bytes)
May 02 22:00:19 [charon] 13[IKE] received retransmit of response with ID 0, but next request already sent
May 02 22:00:22 [charon] 12[IKE] sending retransmit 2 of request message ID 0, seq 3
May 02 22:00:22 [charon] 12[NET] sending packet: from 192.168.0.35[4500] to 218.101.54.25[4500] (1852 bytes)
May 02 22:00:35 [charon] 15[NET] received packet: from 218.101.54.25[500] to 192.168.0.35[500] (473 bytes)
May 02 22:00:35 [charon] 15[IKE] received retransmit of response with ID 0, but next request already sent
May 02 22:00:35 [charon] 09[IKE] sending retransmit 3 of request message ID 0, seq 3
May 02 22:00:35 [charon] 09[NET] sending packet: from 192.168.0.35[4500] to 218.101.54.25[4500] (1852 bytes)
May 02 22:00:41 [charon] 00[DMN] signal of type SIGINT received. Shutting down
May 02 22:00:41 [charon] 00[IKE] destroying IKE_SA in state CONNECTING without notification
May 02 22:00:41 [ipsec_starter] charon stopped after 200 ms
May 02 22:00:41 [ipsec_starter] ipsec starter stopped

It appears that I am authenticated with the certs and private key and then it just stops without moving on to the phase 2 negotiation.

Any suggestions?

Cheers,
john
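As an added diagnostic (not part of the original post and not strongSwan code), the Python below walks charon log lines of the kind quoted above and reports where IKEv1 phase 1 stalled: which request went unanswered, whether the peer kept retransmitting its earlier response on UDP/500 after the NAT-T switch to 4500, and whether the unanswered message was large enough to need IKE fragmentation. The sample log is a constructed excerpt of the post's log; the 1400-byte path-MTU threshold and the hint wording are assumptions.

```python
import re
# Constructed excerpt in the format of the charon log quoted in the post (not the complete log).
SAMPLE_LOG = """\
May 02 22:00:11 [charon] 14[IKE] received FRAGMENTATION vendor ID
May 02 22:00:11 [charon] 14[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
May 02 22:00:11 [charon] 14[NET] sending packet: from 192.168.0.35[500] to 218.101.54.25[500] (236 bytes)
May 02 22:00:11 [charon] 15[NET] received packet: from 218.101.54.25[500] to 192.168.0.35[500] (473 bytes)
May 02 22:00:11 [charon] 15[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ ]
May 02 22:00:11 [charon] 15[NET] sending packet: from 192.168.0.35[4500] to 218.101.54.25[4500] (1852 bytes)
May 02 22:00:15 [charon] 10[NET] sending packet: from 192.168.0.35[4500] to 218.101.54.25[4500] (1852 bytes)
May 02 22:00:19 [charon] 13[NET] received packet: from 218.101.54.25[500] to 192.168.0.35[500] (473 bytes)
May 02 22:00:19 [charon] 13[IKE] received retransmit of response with ID 0, but next request already sent
"""
GEN = re.compile(r"generating \w+ request \d+ \[ (.*) \]")
PKT = re.compile(r"(sending|received) packet: from \S+\[\d+\] to \S+\[(\d+)\] \((\d+) bytes\)")

def triage(log):
    """One record per request the client generated, plus peer facts gleaned from the same log."""
    ex, info = [], {"frag_vendor_id": False, "peer_resp_retransmits": 0}
    for line in log.splitlines():
        if m := GEN.search(line):
            ex.append({"payloads": m.group(1), "dst_port": None, "bytes": 0,
                       "retransmits": 0, "answered": False})
        elif (m := PKT.search(line)) and ex:
            if m.group(1) == "received":
                ex[-1]["answered"] = True   # provisional: the next line may reveal a stale retransmit
            elif ex[-1]["dst_port"] is None:
                ex[-1].update(dst_port=int(m.group(2)), bytes=int(m.group(3)))
            else:
                ex[-1]["retransmits"] += 1  # same request sent again, peer has not answered
        elif "received retransmit of response" in line and ex:
            ex[-1]["answered"] = False      # peer re-sent its old answer, not a reply to this request
            info["peer_resp_retransmits"] += 1
        elif "FRAGMENTATION vendor ID" in line:
            info["frag_vendor_id"] = True
    info["exchanges"] = ex
    return info

def findings(info, mtu_hint=1400):
    """Defender-facing hints; the 1400-byte threshold is an assumed typical path-MTU budget."""
    out, last = [], (info["exchanges"] or [None])[-1]
    if last is None or last["answered"]:
        return out
    out.append(f"stalled after [{last['payloads']}]: {last['bytes']} bytes to UDP/{last['dst_port']}, {last['retransmits']} retransmit(s), never answered")
    if last["dst_port"] == 4500 and info["peer_resp_retransmits"]:
        out.append("peer kept re-sending its earlier response on UDP/500 after the NAT-T switch to 4500; verify UDP/4500 reaches the peer")
    if last["bytes"] > mtu_hint and info["frag_vendor_id"]:
        out.append("unanswered message exceeds the path-MTU budget and the peer advertised IKE fragmentation; enable IKE fragmentation on the client")
    return out
```

Running `findings(triage(SAMPLE_LOG))` on the excerpt yields three hints, all pointing at the 1852-byte third main-mode message on UDP/4500 that the concentrator never acknowledged.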



