[strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10

G. B. gawd0wns at hotmail.com
Sat Sep 21 19:12:48 CEST 2013 

Does anyone have any other suggestions to try?


From: gawd0wns at hotmail.com
To: users at lists.strongswan.org
Subject: RE: [strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10
Date: Wed, 18 Sep 2013 21:13:39 -0200




> >          z10{1}:   0.0.0.0/24 === 10.10.10.1/32
> 
> Doesn't look like a valid subnet for your local side. What is your
> leftsubnet configuration?

During this connection attempt, I had leftsubnet set to 0.0.0.0/0.  I have been trying different settings to see if it would have an effect.  When I set the subnet to my actual LAN subnet, (leftsubnet=192.168.16.0/24), it doesn't work either.  Here is the ipsec statusall output when it is set to my actual subnet:

Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
  uptime: 3 minutes, since Sep 18 19:13:10 2013
  malloc: sbrk 221184, mmap 0, used 189456, free 31728
  worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/1/0
Listening IP addresses:
  99.234.220.200
  192.168.16.50
Connections:
         z10:  myip.com...%any  IKEv2
         z10:   local:  [C=CA, O=none, CN=server] uses public key authentication
         z10:    cert:  "C=CA, O=none, CN=server"
         z10:   remote: [C=CA, O=none, CN=z10] uses public key authentication
         z10:   child:  192.168.16.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
         z10[1]: ESTABLISHED 3 minutes ago, 99.234.220.200[C=CA, O=none, CN=server]...24.114.94.100[C=CA, O=none, CN=z10]
         z10[1]: IKEv2 SPIs: b44384ec9af2275b_i 9c09709370559f7d_r*, public key reauthentication in 52 minutes
         z10[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
         z10{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c5ab637d_i 633e50d9_o
         z10{1}:  AES_CBC_256/HMAC_SHA2_256_128, 384 bytes_i, 0 bytes_o, rekeying in 11 minutes
         z10{1}:   192.168.16.0/24 === 10.10.10.1/32

Some additional output:
root:/opt/etc# ip route list table 220
10.10.10.1 via 99.234.220.1 dev vlan2  proto static  src 192.168.16.50

My output from iptables -L doesn't look right, I have fewer rules than the configuration example on the strongswan website for gateway moon in a similar configuration (rw-cert):  http://www.strongswan.org/uml/testresults/ikev2/rw-cert/moon.iptables

I have fewer FORWARD rules, and I don't see anything to allow esp (that I can tell).

root:/opt/etc# iptables -L
root at unknown:/opt/etc# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4500
ACCEPT     udp  --  anywhere             anywhere            udp dpt:500
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
shlimit    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  10.10.10.1           192.168.16.0/24      policy match dir in pol ipsec reqid 1 proto ipv6-crypt
ACCEPT     all  --  192.168.16.0/24       10.10.10.1          policy match dir out pol ipsec reqid 1 proto ipv6-crypt
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
wanin      all  --  anywhere             anywhere
wanout     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain shlimit (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere            recent: SET name: shlimit side: source
DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

Chain wanin (1 references)
target     prot opt source               destination

Chain wanout (1 references)
target     prot opt source               destination



How could I add those additional rules manually?


> Subject: Re: [strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10
> From: martin at strongswan.org
> To: gawd0wns at hotmail.com
> CC: users at lists.strongswan.org
> Date: Wed, 18 Sep 2013 14:34:11 +0200
> 
> 
> >          z10{1}:   0.0.0.0/24 === 10.10.10.1/32
> 
> Doesn't look like a valid subnet for your local side. What is your
> leftsubnet configuration?
> 
> Possible that the updown script and/or iptables mess up with that.
> 
> Regards
> Martin
> 
 		 	   		   		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130921/dad8a3dd/attachment.html>

More information about the Users mailing list