[strongSwan] strongswan behind ec2 classic and iOS client issue
WorkingMan
signup_mail2002 at yahoo.com
Thu Oct 10 20:52:41 CEST 2013
Here is what's going on.
I set up everything locally on the same LAN in a VM and it works.
I set up strongSwan 5.1 in EC2 Classic (not VPC) and here is what I get when
the iOS client tries to connect from 3G (it says it can't validate the server
certificate).
charon: 16[IKE] authentication of 'L=..' with RSA successful
charon: 16[IKE] authentication of 'C=..' (myself) successful
charon: 16[IKE] sending end entity cert "C=..."
charon: 16[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
[NET] sending packet: from <VPN GW>[4500] to <iOS client>[41482] (1548 bytes)
charon: 02[ENC] generating TRANSACTION request 568083321 [ HASH CP ]
charon: 02[NET] sending packet: from <VPN GW>[4500] to <iOS client>[41482] (76 bytes)
charon: 06[ENC] header verification failed
charon: 06[NET] received invalid IKE header from <iOS client> - ignored
charon: 06[ENC] header verification failed
charon: 06[NET] received invalid IKE header from <iOS client> - ignored
charon: 01[NET] received packet: from <iOS client>[41482] to <VPN GW>[4500] (76 bytes)
charon: 01[ENC] invalid HASH_V1 payload length, decryption failed?
01[ENC] could not decrypt payloads
charon: 01[IKE] message parsing failed
That's problem 1. When I try to connect with the iOS client using Wi-Fi I get
"Negotiation with the VPN server failed" and the server side seems to indicate
a timeout:
sending end entity cert "..."
charon: 03[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
charon: 03[NET] sending packet: from <VPN GW>[4500] to <router IP>[4500] (1548 bytes)
charon: 04[JOB] deleting half open IKE_SA after timeout
That's problem 2.
In both cases server/client certificate validation was successful.
Problem 1 fails when iOS tries to validate the server certificate. In problem 2
the VPN GW fails to communicate with the iOS client for whatever reason after
the certs are validated by the server.
ipsec.conf

ca ipsec
    cacert=ca.pem
    auto=add

conn %default
    ikelifetime=60m
    keylife=20m
    keyingtries=1
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    left=%any
    leftcert=vpn.crt
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    rightsendcert=never
    leftsendcert=always
    # the keyword is %identity (no trailing percent sign)
    eap_identity=%identity
    forceencaps=yes
    auto=add

conn ikev1
    keyexchange=ikev1
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=10.100.1.0/16
    right=%any
    rightid=%any

ipsec.secrets

: RSA vpn.key
# XAUTH username/password used in the rightauth2=xauth round
test : XAUTH "test"
I assume that since strongSwan can validate both client/server certificates
that's not the issue (or is it). Maybe some routing is wrong.
I have udp: 4500, 500 (isakmp), tcp: esp in both input/output chains. TCPMSS
set to 1356 (any issue with that?). Finally a bunch of MASQUERADE rules for
my server IP subnet. Another hint is that if I do all this using Wi-Fi on my
iPhone I get a different message (after certs are validated successfully).
The VPN fails to communicate with the client with this message eventually after
many retransmissions: "deleting half open IKE_SA after timeout".
Thanks in advance
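An added diagnostic, not part of the original post or of strongSwan: a small Python script that scans charon log lines in the format quoted above, flags outbound IKE messages that cannot fit an assumed 1500-byte path MTU without IP fragmentation (the 1548-byte ID_PROT response carrying the certificate is one), and counts the failure lines seen in the thread. The sample log, addresses and the 1500-byte MTU are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the charon excerpt in the post above
# (RFC 5737 addresses stand in for the redacted VPN GW and iOS client).
SAMPLE_LOG = """\
charon: 16[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
charon: 16[NET] sending packet: from 203.0.113.10[4500] to 198.51.100.7[41482] (1548 bytes)
charon: 02[ENC] generating TRANSACTION request 568083321 [ HASH CP ]
charon: 02[NET] sending packet: from 203.0.113.10[4500] to 198.51.100.7[41482] (76 bytes)
charon: 06[ENC] header verification failed
charon: 06[NET] received invalid IKE header from 198.51.100.7 - ignored
charon: 01[NET] received packet: from 198.51.100.7[41482] to 203.0.113.10[4500] (76 bytes)
charon: 01[ENC] invalid HASH_V1 payload length, decryption failed?
charon: 04[JOB] deleting half open IKE_SA after timeout
"""

# Matches charon's "[NET] sending/received packet: from A[port] to B[port] (N bytes)" lines.
PACKET_RE = re.compile(
    r"\[NET\] (sending|received) packet: from ([^\[\s]+)\[\d+\] "
    r"to ([^\[\s]+)\[\d+\] \((\d+) bytes\)"
)
IP_UDP_OVERHEAD = 28  # IPv4 header (20 bytes) + UDP header (8 bytes)

# Substrings that mark the failure modes quoted in the post.
SYMPTOMS = {
    "invalid_ike_header": "received invalid IKE header",
    "decrypt_failed": "decryption failed",
    "half_open_timeout": "deleting half open IKE_SA after timeout",
}

def analyze(log_text, mtu=1500):
    """Return ([(peer, ike_bytes), ...] for oversized outbound packets, symptom counts).

    An IKE message whose length plus IP/UDP overhead exceeds the path MTU has to
    be IP-fragmented; fragments are commonly dropped by mobile carriers and NAT
    devices, so those packets are worth checking first when a handshake stalls
    right after the certificate is sent.
    """
    oversized = []
    symptoms = Counter()
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            direction, src, dst, size = m.groups()
            if direction == "sending" and int(size) + IP_UDP_OVERHEAD > mtu:
                oversized.append((dst, int(size)))
        for name, needle in SYMPTOMS.items():
            if needle in line:
                symptoms[name] += 1
    return oversized, dict(symptoms)

if __name__ == "__main__":
    big, found = analyze(SAMPLE_LOG)
    for peer, size in big:
        print(f"{size}-byte IKE message to {peer} needs fragmentation; check the path")
    print(found)
```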