[strongSwan] ikev2 vpn using PKI auth with a Blackberry Z10

G. B. gawd0wns at hotmail.com
Wed Sep 4 04:05:51 CEST 2013


I have been attempting to set up a VPN between my home file server and a BlackBerry Z10, using a "generic IKEv2 VPN" and self-signed certificates.  All of my attempts are failing at the same place.  Here is the piece of log where it fails:

Sep  3 22:19:09 firebrand charon: 09[CFG]   loaded certificate "C=CA, O=none, CN=server" from 'serverCert.pem'
Sep  3 22:19:09 firebrand charon: 09[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=CA, O=none, CN=server'
Sep  3 22:19:09 firebrand charon: 09[CFG] added configuration 'z10'
Sep  3 22:19:09 firebrand charon: 09[CFG] adding virtual IP address pool 'z10': 10.90.0.3/32
Sep  3 22:23:08 firebrand charon: 03[NET] received packet: from 24.100.200.200[43337] to 192.168.16.50[500]
Sep  3 22:23:08 firebrand charon: 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep  3 22:23:08 firebrand charon: 03[CFG] looking for an ike config for 192.168.16.50...24.100.200.200
Sep  3 22:23:08 firebrand charon: 03[CFG]   candidate: 192.168.16.50...%any, prio 5
Sep  3 22:23:08 firebrand charon: 03[CFG] found matching ike config: 192.168.16.50...%any with prio 5
Sep  3 22:23:08 firebrand charon: 03[IKE] 24.100.200.200 is initiating an IKE_SA
Sep  3 22:23:08 firebrand charon: 03[CFG] selecting proposal:
Sep  3 22:23:08 firebrand charon: 03[CFG]   proposal matches
Sep  3 21:39:19 firebrand charon: 03[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep  3 21:39:19 firebrand charon: 03[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_256/MODP_2048
Sep  3 21:39:19 firebrand charon: 03[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep  3 21:39:19 firebrand charon: 03[IKE] local host is behind NAT, sending keep alives
Sep  3 21:39:19 firebrand charon: 03[IKE] remote host is behind NAT
Sep  3 21:39:19 firebrand charon: 03[IKE] sending cert request for "C=CA, O=none, CN=AA-VPN-CA"
Sep  3 21:39:19 firebrand charon: 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Sep  3 21:39:19 firebrand charon: 03[NET] sending packet: from 192.168.16.50[500] to 24.100.200.200[43387]
Sep  3 21:39:19 firebrand charon: 12[NET] received packet: from 24.100.200.200[43388] to 192.168.16.50[4500]
Sep  3 21:39:19 firebrand charon: 12[ENC] invalid X509 hash length (0) in certreq
Sep  3 21:39:19 firebrand charon: 12[ENC] CERTIFICATE_REQUEST verification failed
Sep  3 21:39:19 firebrand charon: 12[ENC] could not decrypt payloads
Sep  3 21:39:19 firebrand charon: 12[IKE] message verification failed
Sep  3 21:39:19 firebrand charon: 12[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
Sep  3 21:39:19 firebrand charon: 12[NET] sending packet: from 192.168.16.50[500] to 24.100.200.200[43387]
Sep  3 21:39:19 firebrand charon: 12[IKE] IKE_AUTH request with message ID 1 processing failed
Sep  3 21:39:31 firebrand charon: 13[NET] received packet: from 24.100.200.200[43388] to 192.168.16.50[4500]
Sep  3 21:39:31 firebrand charon: 13[ENC] invalid X509 hash length (0) in certreq
Sep  3 21:39:31 firebrand charon: 13[ENC] CERTIFICATE_REQUEST verification failed
Sep  3 21:39:31 firebrand charon: 13[ENC] could not decrypt payloads
Sep  3 21:39:31 firebrand charon: 13[IKE] message verification failed
Sep  3 21:39:31 firebrand charon: 13[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
Sep  3 21:39:31 firebrand charon: 13[NET] sending packet: from 192.168.16.50[500] to 24.100.200.200[43387]
Sep  3 21:39:31 firebrand charon: 13[IKE] IKE_AUTH request with message ID 1 processing failed

I don't exactly know what is failing here.  I don't think there is a problem with the way I generated the certificates; I followed the instructions on the strongSwan website for setting up a simple CA.  I generated a CA, an RSA keypair for my server and an RSA keypair for my Z10.  The CA certificate (CA.pem) was copied to both the server and the Z10, the RSA keypair for the Z10 was copied to the Z10 (z10.pem), and the RSA keypair for the server (serverCert.pem, serverKey.pem) was placed on the server:

CA:
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=CA, O=none, CN=AA-VPN-CA" --san="AA-VPN-CA@unknown.planet" --ca --outform pem > caCert.pem

Server keypair:
ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, O=none, CN=server" --san="fire@unknown.planet" --outform pem > serverCert.pem

Client keypair:
ipsec pki --gen --outform pem > userKey.pem
ipsec pki --pub --in userKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, O=none, CN=z10" --san="z10@unknown.planet" --outform pem > userCert.pem

When importing the client keypair to the Z10, I am pasting the public key below the private key in one text file so I can import it easily.


I have altered my configuration many times trying to get this working. The log I pasted above has this configuration:

***ipsec.conf***

config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no
        charondebug="cfg 3"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn z10
        ike=aes256-sha256-sha256-modp2048!
        esp=aes256-sha256-sha256-modp2048!
        leftcert=serverCert.pem
        leftid=%any
        left=%defaultroute
        leftsourceip=10.90.0.1
        leftsubnet=192.168.16.0/24
        leftfirewall=yes
        right=%any
        rightid="C=CA, O=none, CN=z10"
        rightsubnet=10.90.0.0/24
        rightsourceip=10.90.0.3
        keyexchange=ikev2
        auto=add


--ipsec listall:

List of X.509 End Entity Certificates:

  altNames:  fire@unknown.planet
  subject:  "C=CA, O=none, CN=server"
  issuer:   "C=CA, O=none, CN=AA-VPN-CA"
  serial:    00:cc:d0:6f:e2:cd:0f:22:83
  validity:  not before Sep 03 21:31:11 2013, ok
             not after  Sep 02 21:31:11 2016, ok
  pubkey:    RSA 2048 bits, has private key
  keyid:     0e:20:5c:6f:d4:7f:f4:48:e8:4f:00:00:9d:a5:cd:e8:65:3a:14:9f
  subjkey:   67:85:d1:8e:8b:80:9d:34:89:3d:aa:be:58:c6:58:15:56:0f:cf:d1
  authkey:   1e:b4:24:b5:7b:64:fe:41:e7:b9:01:ad:01:c1:70:20:02:49:3a:cf

List of X.509 CA Certificates:

  altNames:  AA-VPN-CA@unknown.planet
  subject:  "C=CA, O=none, CN=AA-VPN-CA"
  issuer:   "C=CA, O=none, CN=AA-VPN-CA"
  serial:    1c:4f:c9:f1:71:38:43:a0
  validity:  not before Sep 03 21:31:03 2013, ok
             not after  Sep 02 21:31:03 2016, ok
  pubkey:    RSA 2048 bits
  keyid:     7c:91:eb:71:14:0e:5e:49:0c:33:85:67:fc:9f:4f:cd:2b:f2:cc:2b
  subjkey:   1e:b4:24:b5:7b:64:fe:41:e7:b9:01:ad:01:c1:70:20:02:49:3a:cf
  authkey:   1e:b4:24:b5:7b:64:fe:41:e7:b9:01:ad:01:c1:70:20:02:49:3a:cf


What am I doing wrong?
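The line that actually aborts the exchange in the log above is "invalid X509 hash length (0) in certreq": the responder refuses to process the IKE_AUTH request because the peer's CERTREQ payload carries no usable CA hash. The following is an added illustration, not code from the original post or from strongSwan, of what a CERTREQ payload looks like on the wire per RFC 7296 section 3.7 and why a zero-length hash list is rejected. For the "X.509 Certificate - Signature" encoding (value 4), the Certification Authority field is a concatenation of 20-byte SHA-1 digests of each trusted CA's SubjectPublicKeyInfo, so a well-formed field is non-empty and a multiple of 20 bytes. The SPKI byte strings used here are constructed placeholders, not real DER; the function names are the example's own.

```python
import hashlib
import struct

# Certificate Encoding value for "X.509 Certificate - Signature" (RFC 7296, 3.6).
ENC_X509_SIGNATURE = 4
# Each trusted-CA entry in a CERTREQ for that encoding is a SHA-1 digest (RFC 7296, 3.7).
SHA1_LEN = 20


def spki_hash(spki_der: bytes) -> bytes:
    """SHA-1 over the CA's SubjectPublicKeyInfo, as carried in CERTREQ."""
    return hashlib.sha1(spki_der).digest()


def build_certreq(trusted_ca_spkis, next_payload: int = 0) -> bytes:
    """Encode a CERTREQ payload: generic header (Next Payload, flags,
    Payload Length), Cert Encoding byte, then the concatenated CA hashes.
    An empty trusted list yields an empty Certification Authority field,
    which is exactly the malformed shape the charon log complains about."""
    body = bytes([ENC_X509_SIGNATURE]) + b"".join(spki_hash(s) for s in trusted_ca_spkis)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_certreq(payload: bytes):
    """Decode and validate a CERTREQ payload.

    Returns (encoding, [hash, ...]). Raises ValueError on a malformed payload,
    with a message mirroring the charon log line for the hash-length case."""
    if len(payload) < 5:
        raise ValueError("certreq payload too short")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError(f"certreq length field {length} != payload size {len(payload)}")
    encoding = payload[4]
    data = payload[5:]
    if encoding == ENC_X509_SIGNATURE:
        # Must be at least one digest and a whole number of digests.
        if len(data) < SHA1_LEN or len(data) % SHA1_LEN:
            raise ValueError(f"invalid X509 hash length ({len(data)}) in certreq")
        hashes = [data[i:i + SHA1_LEN] for i in range(0, len(data), SHA1_LEN)]
    else:
        hashes = [data]
    return encoding, hashes


def select_matching_cas(hashes, known_cas: dict) -> list:
    """Given the hashes a peer requested and our own CA table
    (name -> SPKI bytes), return the names of CAs the peer will accept.
    This is how a responder decides which certificate chain to send."""
    by_hash = {spki_hash(spki): name for name, spki in known_cas.items()}
    return [by_hash[h] for h in hashes if h in by_hash]


def validate_certreq(payload: bytes) -> str:
    """Convenience wrapper: 'ok' or the validation error text."""
    try:
        parse_certreq(payload)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed placeholder SPKIs (not real DER) for a CA table like the
    # one in the post: the responder trusts "AA-VPN-CA".
    ca_table = {"AA-VPN-CA": b"constructed-spki-AA-VPN-CA",
                "unrelated-CA": b"constructed-spki-other"}
    good = build_certreq([ca_table["AA-VPN-CA"]])
    print(validate_certreq(good), select_matching_cas(parse_certreq(good)[1], ca_table))
    # A CERTREQ with no CA hashes, the shape charon rejected in the log.
    empty = build_certreq([])
    print(validate_certreq(empty))
```

Running the block prints "ok ['AA-VPN-CA']" for the well-formed request and the same "invalid X509 hash length (0) in certreq" text for the empty one. When you see that line in a charon log, the useful follow-up is to look at what the client put in its CERTREQ, since the responder never gets as far as checking the certificates themselves.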


