[strongSwan] Anyone got strongSwan working with Aruba Networks (as a Aruba VIA client)?
Jerry Lundström
jerry.lundstrom at iis.se
Mon Apr 14 11:45:49 CEST 2014
Hi,
So I have been trying to get strongSwan to work with Aruba VPN and am
stuck. The VPN is configured to take a client certificate and I have
tried the rw-cert and rw-eap-tls-* test examples.
Any help or suggestion is very much appreciated.
For rw-cert this is the configuration and log I used:
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn vpn
    left=%any
    leftcert=userCert.pem
    leftid=user at domain
    leftfirewall=yes
    right=vpn.domain
    rightid="<VPN DN>"
    rightsubnet=10.1.0.0/16
    rightauth=pubkey
    auto=add
    ike=aes128-sha1-modp1024
initiating IKE_SA vpn[1] to <VPN IP>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.67[500] to <VPN IP>[500]
received packet: from <VPN IP>[500] to 192.168.1.67[500]
parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
initiating IKE_SA vpn[1] to <VPN IP>
generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.67[500] to <VPN IP>[500]
received packet: from <VPN IP>[500] to 192.168.1.67[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
local host is behind NAT, sending keep alives
received 1 cert requests for an unknown ca
sending cert request for "<CA>"
sending cert request for "<CA>"
sending cert request for "<CA>"
authentication of 'user at domain' (myself) with RSA signature successful
sending end entity cert "<user DN>"
sending issuer cert "<CA>"
establishing CHILD_SA vpn
generating IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 192.168.1.67[4500] to <VPN IP>[4500]
received packet: from <VPN IP>[4500] to 192.168.1.67[4500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
For rw-eap-tls-* this is the configuration and log I used:
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn vpn
    left=%any
    leftcert=userCert.pem
    leftid=user at domain
    leftauth=eap
    leftfirewall=yes
    right=vpn.domain
    rightid="<VPN DN>"
    rightsubnet=10.1.0.0/16
    rightauth=pubkey
    auto=add
    ike=aes128-sha1-modp1024
    aaa_identity=user at domain
initiating IKE_SA vpn[1] to <VPN IP>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.67[500] to <VPN IP>[500]
received packet: from <VPN IP>[500] to 192.168.1.67[500]
parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
initiating IKE_SA vpn[1] to <VPN IP>
generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.67[500] to <VPN IP>[500]
received packet: from <VPN IP>[500] to 192.168.1.67[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
local host is behind NAT, sending keep alives
received 1 cert requests for an unknown ca
sending cert request for "<CA>"
sending cert request for "<CA>"
sending cert request for "<CA>"
establishing CHILD_SA vpn
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.1.67[4500] to <VPN IP>[4500]
received packet: from <VPN IP>[4500] to 192.168.1.67[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "<VPN DN>"
using certificate "<VPN DN>"
using trusted intermediate ca certificate "<CA>"
checking certificate status of "<VPN DN>"
... crl stuff ...
certificate status is not available
using trusted ca certificate "<CA>"
checking certificate status of "<CA>"
using trusted certificate "<CA>"
crl correctly signed by "<CA>"
crl is valid: until Sep 20 23:22:37 2014
using cached crl
certificate status is good
reached self-signed root ca with a path length of 1
authentication of '<VPN DN>' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending 'user at domain'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.1.67[4500] to <VPN IP>[4500]
received packet: from <VPN IP>[4500] to 192.168.1.67[4500]
parsed IKE_AUTH response 2 [ EAP/REQ/TLS ]
server requested EAP_TLS authentication (id 0x01)
generating IKE_AUTH request 3 [ EAP/RES/TLS ]
sending packet: from 192.168.1.67[4500] to <VPN IP>[4500]
retransmit 1 of request with message ID 3
sending packet: from 192.168.1.67[4500] to <VPN IP>[4500]
retransmit 2 of request with message ID 3
sending packet: from 192.168.1.67[4500] to <VPN IP>[4500]
...
Cheers
Jerry
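One way to triage charon logs like the two quoted above, as an added example that is not part of the original post or of strongSwan itself: it parses the request/response and retransmit lines and reports whether the gateway rejected the IKE_AUTH (the N(AUTH_FAILED) case) or simply stopped answering mid-EAP (the EAP-TLS retransmit case). The log excerpts are constructed from the post; the regexes match only the line shapes visible there.

```python
"""Triage of a strongSwan charon log excerpt: where did the IKEv2 exchange stop?"""
import re

# Excerpts constructed from the two logs quoted in the post (not new captures).
RW_CERT_LOG = """\
generating IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
"""
EAP_TLS_LOG = """\
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
generating IKE_AUTH request 2 [ EAP/RES/ID ]
parsed IKE_AUTH response 2 [ EAP/REQ/TLS ]
server requested EAP_TLS authentication (id 0x01)
generating IKE_AUTH request 3 [ EAP/RES/TLS ]
retransmit 1 of request with message ID 3
retransmit 2 of request with message ID 3
"""

# Line shapes as charon prints them in the quoted logs.
REQUEST = re.compile(r"generating (\w+) request (\d+) \[ (.*) \]")
RESPONSE = re.compile(r"parsed (\w+) response (\d+) \[ (.*) \]")
NOTIFY_ERR = re.compile(r"received (\w+) notify error")
RETRANSMIT = re.compile(r"retransmit (\d+) of request with message ID (\d+)")


def triage(log: str) -> dict:
    """Summarise the outcome of one negotiation from its charon log lines."""
    state = {"last_request": None, "eap_requested": [], "error": None,
             "retransmits": 0, "unanswered": None}
    for line in log.splitlines():
        if m := REQUEST.search(line):
            state["last_request"] = (m[1], int(m[2]))
        elif m := RESPONSE.search(line):
            # EAP/REQ/<method> shows which EAP method the gateway asked for.
            state["eap_requested"] += [p.split("/")[-1] for p in m[3].split()
                                       if p.startswith("EAP/REQ/")]
        elif m := NOTIFY_ERR.search(line):
            state["error"] = m[1]
        elif m := RETRANSMIT.search(line):
            state["retransmits"], state["unanswered"] = int(m[1]), int(m[2])
    if state["error"]:
        ex, mid = state["last_request"] or ("?", "?")
        state["verdict"] = f"rejected: {state['error']} in reply to {ex} request {mid}"
    elif state["unanswered"] is not None:
        meth = state["eap_requested"][-1] if state["eap_requested"] else "none"
        state["verdict"] = (f"stalled: request {state['unanswered']} unanswered after "
                            f"{state['retransmits']} retransmits (last EAP method requested: {meth})")
    else:
        state["verdict"] = "no failure indicator in excerpt"
    return state
```

Run against the two excerpts it separates the two failure modes: the rw-cert attempt is actively rejected by the gateway, while the EAP-TLS attempt dies silently right after the client sends its first EAP/RES/TLS, which points at the EAP-TLS leg rather than at IKE itself.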