[strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10
G. B.
gawd0wns at hotmail.com
Thu Sep 19 01:13:39 CEST 2013
> > z10{1}: 0.0.0.0/24 === 10.10.10.1/32
>
> Doesn't look like a valid subnet for your local side. What is your
> leftsubnet configuration?
During this connection attempt, I had leftsubnet set to 0.0.0.0/0. I have been trying different settings to see if it would have an effect. When I set the subnet to my actual LAN subnet (leftsubnet=192.168.16.0/24), it doesn't work either. Here is the ipsec statusall output when it is set to my actual subnet:
Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
uptime: 3 minutes, since Sep 18 19:13:10 2013
malloc: sbrk 221184, mmap 0, used 189456, free 31728
worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Virtual IP pools (size/online/offline):
10.10.10.0/24: 254/1/0
Listening IP addresses:
99.234.220.200
192.168.16.50
Connections:
z10: myip.com...%any IKEv2
z10: local: [C=CA, O=none, CN=server] uses public key authentication
z10: cert: "C=CA, O=none, CN=server"
z10: remote: [C=CA, O=none, CN=z10] uses public key authentication
z10: child: 192.168.16.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
z10[1]: ESTABLISHED 3 minutes ago, 99.234.220.200[C=CA, O=none, CN=server]...24.114.94.100[C=CA, O=none, CN=z10]
z10[1]: IKEv2 SPIs: b44384ec9af2275b_i 9c09709370559f7d_r*, public key reauthentication in 52 minutes
z10[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
z10{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c5ab637d_i 633e50d9_o
z10{1}: AES_CBC_256/HMAC_SHA2_256_128, 384 bytes_i, 0 bytes_o, rekeying in 11 minutes
z10{1}: 192.168.16.0/24 === 10.10.10.1/32
Some additional output:
root:/opt/etc# ip route list table 220
10.10.10.1 via 99.234.220.1 dev vlan2 proto static src 192.168.16.50
My output from iptables -L doesn't look right, I have fewer rules than the configuration example on the strongswan website for gateway moon in a similar configuration (rw-cert): http://www.strongswan.org/uml/testresults/ikev2/rw-cert/moon.iptables
I have fewer FORWARD rules, and I don't see anything to allow esp (that I can tell).
root@unknown:/opt/etc# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:4500
ACCEPT udp -- anywhere anywhere udp dpt:500
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
shlimit tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 10.10.10.1 192.168.16.0/24 policy match dir in pol ipsec reqid 1 proto ipv6-crypt
ACCEPT all -- 192.168.16.0/24 10.10.10.1 policy match dir out pol ipsec reqid 1 proto ipv6-crypt
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
wanin all -- anywhere anywhere
wanout all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain shlimit (1 references)
target prot opt source destination
all -- anywhere anywhere recent: SET name: shlimit side: source
DROP all -- anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
Chain wanin (1 references)
target prot opt source destination
Chain wanout (1 references)
target prot opt source destination
How could I add those additional rules manually?
> Subject: Re: [strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10
> From: martin at strongswan.org
> To: gawd0wns at hotmail.com
> CC: users at lists.strongswan.org
> Date: Wed, 18 Sep 2013 14:34:11 +0200
>
>
> > z10{1}: 0.0.0.0/24 === 10.10.10.1/32
>
> Doesn't look like a valid subnet for your local side. What is your
> leftsubnet configuration?
>
> Possible that the updown script and/or iptables mess up with that.
>
> Regards
> Martin
>
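Added example, not code from the thread or from the strongSwan project: the firewall rules a road-warrior gateway like the one in the statusall output above needs, emitted as an iptables-restore ruleset by a small POSIX sh function so they can be read and diffed against the running configuration before anything is applied. Two pieces of context for reading the listing above: iptables -L prints IP protocol 50 under its /etc/protocols name, ipv6-crypt, so the two FORWARD entries matching "policy ... pol ipsec ... proto ipv6-crypt" are the per-connection ESP policy rules the default updown script inserts; and because this tunnel runs ESP in UDP, the udp/4500 rule on INPUT already admits the encrypted packets, so a raw ESP rule on INPUT only matters for peers that are not behind NAT. The interface names vlan2 and br0 and the subnets used as defaults are assumptions drawn from the output above.

```shell
#!/bin/sh
# Added example, not code from the original post or from strongSwan.
# Emits an iptables-restore ruleset for a strongSwan road-warrior gateway:
# IKE, NAT-T and raw ESP on the WAN, plus IPsec policy-matched forwarding
# between the virtual-IP pool and the LAN. Interface names and subnets are
# assumptions taken from the statusall output in the thread.

# Usage: ipsec_gw_rules [WAN_IF] [LAN_IF] [LAN_NET] [POOL]
ipsec_gw_rules() {
    wan=${1:-vlan2}                 # assumed WAN interface (seen in the table 220 route)
    lan=${2:-br0}                   # assumed LAN bridge interface
    lan_net=${3:-192.168.16.0/24}   # leftsubnet
    pool=${4:-10.10.10.0/24}        # virtual IP pool handed to clients
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# IKE on udp/500 and NAT-T on udp/4500; udp/4500 also carries ESP-in-UDP
-A INPUT -i $wan -p udp --dport 500 -j ACCEPT
-A INPUT -i $wan -p udp --dport 4500 -j ACCEPT
# Raw ESP (IP protocol 50) for peers that are not behind NAT
-A INPUT -i $wan -p esp -j ACCEPT
# Decrypted packets from the pool towards the LAN, only if they arrived through an IPsec SA
-A FORWARD -i $wan -o $lan -s $pool -d $lan_net -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# LAN traffic towards the pool, only if an IPsec policy will encrypt it on the way out
-A FORWARD -i $lan -o $wan -s $lan_net -d $pool -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Number of rules the ruleset would append; a quick sanity check.
ipsec_gw_rule_count() {
    ipsec_gw_rules "$@" | grep -c '^-A '
}

# Apply the ruleset. --noflush keeps the router's existing chains and appends
# to them, so run it once; running it again would add duplicate entries.
apply_ipsec_gw_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "apply_ipsec_gw_rules: needs root and iptables-restore" >&2
        return 1
    fi
    ipsec_gw_rules "$@" | iptables-restore --noflush
}
```

Review the text with `ipsec_gw_rules | less` first, then apply as root with apply_ipsec_gw_rules (or `ipsec_gw_rules | iptables-restore --noflush`). When deciding which rules are actually missing, compare against `iptables -L -n -v` or `iptables-save` rather than plain `iptables -L`: the plain listing omits the in/out interface columns, so interface-bound rules such as the two bare ACCEPT entries in the INPUT chain above show up as "anywhere anywhere".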