[strongSwan] ikev2 vpn using PKI auth with a Blackberry Z10
G. B.
gawd0wns at hotmail.com
Sun Sep 15 22:05:57 CEST 2013
I made a few changes after reading through the documents, though something is
still off. My goal is to have my BlackBerry client device (24.114.94.100)
connect to the server (99.234.220.200, LAN IP 192.168.16.50) via public key
authentication, and to have access to the LAN (192.168.16.0/24) behind the
server. I can connect to my server (now running strongSwan 5.0.4), though
I cannot ping between the host and client, or reach the subnet behind the
host. There are no errors when connecting, and I am issued a virtual IP
(10.10.10.1):
Sep 15 15:59:19 daemon.info syslog: 14[IKE] peer requested virtual IP %any
Sep 15 15:59:19 daemon.info syslog: 14[CFG] assigning new lease to 'C=CA, O=none, CN=z10'
Sep 15 15:59:19 daemon.info syslog: 14[IKE] assigning virtual IP 10.10.10.1 to peer 'C=CA, O=none, CN=z10'
Sep 15 15:59:19 daemon.info syslog: 14[CFG] looking for a child config for 0.0.0.0/0 === 0.0.0.0/0
Sep 15 15:59:19 daemon.info syslog: 14[CFG] proposing traffic selectors for us:
Sep 15 15:59:19 daemon.info syslog: 14[CFG] 192.168.16.0/24
Sep 15 15:59:19 daemon.info syslog: 14[CFG] proposing traffic selectors for other:
Sep 15 15:59:19 daemon.info syslog: 14[CFG] 10.10.10.1/32
Sep 15 15:59:19 daemon.info syslog: 14[CFG] candidate "z10" with prio 1+1
Sep 15 15:59:19 daemon.info syslog: 14[CFG] found matching child config "z10" with prio 2
Sep 15 15:59:19 daemon.info syslog: 14[CFG] selecting proposal:
Sep 15 15:59:19 daemon.info syslog: 14[CFG] proposal matches
Sep 15 15:59:19 daemon.info syslog: 14[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 15 15:59:19 daemon.info syslog: 14[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Sep 15 15:59:19 daemon.info syslog: 14[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 15 15:59:19 daemon.info syslog: 14[CFG] selecting traffic selectors for us:
Sep 15 15:59:19 daemon.info syslog: 14[CFG] config: 192.168.16.0/24, received: 0.0.0.0/0 => match: 192.168.16.0/24
Sep 15 15:59:19 daemon.info syslog: 14[CFG] selecting traffic selectors for other:
Sep 15 15:59:19 daemon.info syslog: 14[CFG] config: 10.10.10.1/32, received: 0.0.0.0/0 => match: 10.10.10.1/32
Sep 15 15:59:19 daemon.info syslog: 14[IKE] CHILD_SA z10{1} established with SPIs cb969207_i 8607aedc_o and TS 192.168.16.0/24 === 10.10.10.1/32
Sep 15 15:59:19 unknown authpriv.info syslog: 14[IKE] CHILD_SA z10{1} established with SPIs cb969207_i 8607aedc_o and TS 192.168.16.0/24 === 10.10.10.1/32
Sep 15 15:59:19 unknown local0.notice vpn: + C=CA, O=none, CN=z10 10.10.10.1/32 == 24.114.94.100 -- 99.234.220.200 == 192.168.16.0/24
Sep 15 15:59:19 daemon.info syslog: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Sep 15 15:59:19 daemon.info syslog: 14[NET] sending packet: from 99.234.220.200[4500] to 24.114.94.100[22744] (1360 bytes)
ipsec statusall:
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/1/0
Listening IP addresses:
  99.234.220.200
  192.168.16.50
Connections:
  z10:  %any...%any  IKEv2
  z10:   local:  [C=CA, O=none, CN=server] uses public key authentication
  z10:    cert:  "C=CA, O=none, CN=server"
  z10:   remote: [C=CA, O=none, CN=z10] uses public key authentication
  z10:   child:  192.168.16.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
  z10[1]: ESTABLISHED 55 seconds ago, 99.234.220.200[C=CA, O=none, CN=server]...24.114.94.100[C=CA, O=none, CN=z10]
  z10[1]: IKEv2 SPIs: a997fb46c85f4f05_i 3c5ff9b38c53e941_r*, public key reauthentication in 54 minutes
  z10[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  z10{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cf338bc9_i 9ac052ec_o
  z10{1}:  AES_CBC_256/HMAC_SHA2_256_128, 438 bytes_i, 0 bytes_o, rekeying in 15 minutes
  z10{1}:   192.168.16.0/24 === 10.10.10.1/32
new ipsec.conf on server:
config setup
    strictcrlpolicy=no
    charondebug="cfg 4"
    uniqueids=yes
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    ike=aes256-sha256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    left=%defaultroute
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CA, O=none, CN=server"
    leftfirewall=yes
    leftsubnet=(I have tried both 0.0.0.0/0 and 192.168.16.0/24)
conn z10
    right=%any
    rightauth=pubkey
    rightsourceip=10.10.10.0/24
    rightdns=192.168.16.50
    rightid="C=CA, O=none, CN=z10"
    auto=add
I do not see the issue. There are new iptables rules being added, so I
know leftfirewall=yes is working on the server:
Chain FORWARD (policy DROP)
target     prot opt source           destination
ACCEPT     all  --  10.10.10.1       192.168.16.0/24  policy match dir in pol ipsec reqid 1 proto ipv6-crypt
ACCEPT     all  --  192.168.16.0/24  10.10.10.1       policy match dir out pol ipsec reqid 1 proto ipv6-crypt
I can see the virtual IP address and DNS server address come up on my
BlackBerry; I am not certain what else is missing at this point.
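As an added example (not part of the original post), the following Python reproduces the two decisions visible in the log above: the selector narrowing charon prints as "config: ..., received: ... => match", and which flows the resulting CHILD_SA (192.168.16.0/24 === 10.10.10.1/32) actually protects. It shows that a ping from the virtual IP to 192.168.16.50 lies inside the selectors while one to the public address 99.234.220.200 does not, and how leftsubnet=0.0.0.0/0 widens the match; the sample flows are constructed.

```python
import ipaddress
import re

# Constructed from the charon log in the post: the negotiated selectors.
CHILD_SA_LINE = ("14[IKE] CHILD_SA z10{1} established with SPIs cb969207_i "
                 "8607aedc_o and TS 192.168.16.0/24 === 10.10.10.1/32")

_TS_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+)\s+===\s+(\d+\.\d+\.\d+\.\d+/\d+)")


def parse_ts(line):
    """Return (local_net, remote_net) from a charon 'A === B' line.
    Works for the log line and for the 'ipsec statusall' child line."""
    m = _TS_RE.search(line)
    if m is None:
        raise ValueError("no traffic selectors found in: %r" % line)
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))


def narrow(config_net, received_net):
    """Mimic the narrowing charon logs as 'config: X, received: Y => match':
    the installed selector is the overlap of what the config allows and what
    the peer proposed, or None if the two do not overlap."""
    c = ipaddress.ip_network(config_net)
    r = ipaddress.ip_network(received_net)
    if c.subnet_of(r):
        return str(c)
    if r.subnet_of(c):
        return str(r)
    return None


def tunneled(local_net, remote_net, src, dst):
    """True if a src->dst packet matches the CHILD_SA policy in either
    direction (server->client is local===remote, client->server the reverse).
    Any other flow is not protected by this SA at all."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in local_net and d in remote_net) or (s in remote_net and d in local_net)


def flows_for(line, flows):
    """Map each (src, dst) pair to whether the SA described by `line` carries it."""
    local_net, remote_net = parse_ts(line)
    return {f: tunneled(local_net, remote_net, *f) for f in flows}


if __name__ == "__main__":
    # Constructed flows: phone (10.10.10.1) pinging the server's LAN address,
    # its public address, and another LAN host.
    checks = [("10.10.10.1", "192.168.16.50"), ("10.10.10.1", "99.234.220.200"),
              ("10.10.10.1", "192.168.16.7")]
    for flow, ok in flows_for(CHILD_SA_LINE, checks).items():
        print("%s -> %s: %s" % (flow[0], flow[1], "tunneled" if ok else "NOT in selectors"))
```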