[strongSwan] Anyone got strongSwan working with Aruba Networks (as a Aruba VIA client)?

Jerry Lundström jerry.lundstrom at iis.se
Mon Apr 14 11:45:49 CEST 2014


Hi,

So I have been trying to get strongSwan to work with Aruba VPN and am
stuck. The VPN is configured to take a client certificate and I have
tried the rw-cert and rw-eap-tls-* test examples.

Any help or suggestion is very much appreciated.

For rw-cert this is the configuration and log I used:

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2

conn vpn
	left=%any
	leftcert=userCert.pem
	leftid=user@domain
	leftfirewall=yes
	right=vpn.domain
	rightid="<VPN DN>"
	rightsubnet=10.1.0.0/16
	rightauth=pubkey
	auto=add
	ike=aes128-sha1-modp1024

initiating IKE_SA vpn[1] to <VPN IP>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.67[500] to <VPN IP>[500]
received packet: from <VPN IP>[500] to 192.168.1.67[500]
parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
initiating IKE_SA vpn[1] to <VPN IP>
generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.67[500] to <VPN IP>[500]
received packet: from <VPN IP>[500] to 192.168.1.67[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
local host is behind NAT, sending keep alives
received 1 cert requests for an unknown ca
sending cert request for "<CA>"
sending cert request for "<CA>"
sending cert request for "<CA>"
authentication of 'user@domain' (myself) with RSA signature successful
sending end entity cert "<user DN>"
sending issuer cert "<CA>"
establishing CHILD_SA vpn
generating IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 192.168.1.67[4500] to <VPN IP>[4500]
received packet: from <VPN IP>[4500] to 192.168.1.67[4500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error


For rw-eap-tls-* this is the configuration and log I used:

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2

conn vpn
	left=%any
	leftcert=userCert.pem
	leftid=user@domain
	leftauth=eap
	leftfirewall=yes
	right=vpn.domain
	rightid="<VPN DN>"
	rightsubnet=10.1.0.0/16
	rightauth=pubkey
	auto=add
	ike=aes128-sha1-modp1024
	aaa_identity=user@domain

initiating IKE_SA vpn[1] to <VPN IP>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.67[500] to <VPN IP>[500]
received packet: from <VPN IP>[500] to 192.168.1.67[500]
parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
initiating IKE_SA vpn[1] to <VPN IP>
generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.67[500] to <VPN IP>[500]
received packet: from <VPN IP>[500] to 192.168.1.67[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
local host is behind NAT, sending keep alives
received 1 cert requests for an unknown ca
sending cert request for "<CA>"
sending cert request for "<CA>"
sending cert request for "<CA>"
establishing CHILD_SA vpn
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.1.67[4500] to <VPN IP>[4500]
received packet: from <VPN IP>[4500] to 192.168.1.67[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "<VPN DN>"
  using certificate "<VPN DN>"
  using trusted intermediate ca certificate "<CA>"
checking certificate status of "<VPN DN>"
... crl stuff ...
certificate status is not available
  using trusted ca certificate "<CA>"
checking certificate status of "<CA>"
  using trusted certificate "<CA>"
  crl correctly signed by "<CA>"
  crl is valid: until Sep 20 23:22:37 2014
  using cached crl
certificate status is good
  reached self-signed root ca with a path length of 1
authentication of '<VPN DN>' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending 'user@domain'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.1.67[4500] to <VPN IP>[4500]
received packet: from <VPN IP>[4500] to 192.168.1.67[4500]
parsed IKE_AUTH response 2 [ EAP/REQ/TLS ]
server requested EAP_TLS authentication (id 0x01)
generating IKE_AUTH request 3 [ EAP/RES/TLS ]
sending packet: from 192.168.1.67[4500] to <VPN IP>[4500]
retransmit 1 of request with message ID 3
sending packet: from 192.168.1.67[4500] to <VPN IP>[4500]
retransmit 2 of request with message ID 3
sending packet: from 192.168.1.67[4500] to <VPN IP>[4500]
...

Cheers
Jerry
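As an added example (not from Jerry's post and not part of strongSwan): a small Python triage helper that reads charon log lines like the ones quoted above and names the stage at which the IKEv2 negotiation broke, separating the AUTH_FAILED rejection of the rw-cert attempt from the EAP-TLS message that never got an answer in the second attempt. The two sample logs are constructed from the lines quoted in the post (placeholders kept), and the result field names are the script's own.

```python
import re
# Constructed samples, condensed from the two charon logs quoted in the post (placeholders kept).
RW_CERT_LOG = """\
parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
received 1 cert requests for an unknown ca
authentication of 'user@domain' (myself) with RSA signature successful
generating IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""
EAP_TLS_LOG = """\
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
authentication of '<VPN DN>' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending 'user@domain'
parsed IKE_AUTH response 2 [ EAP/REQ/TLS ]
server requested EAP_TLS authentication (id 0x01)
generating IKE_AUTH request 3 [ EAP/RES/TLS ]
retransmit 1 of request with message ID 3
retransmit 2 of request with message ID 3
"""
MSG = re.compile(r"^(?:generating|parsed) \w+ (request|response) (\d+) \[ (.*) \]$")
RETRANS = re.compile(r"^retransmit (\d+) of request with message ID (\d+)$")
PEER_AUTH = re.compile(r"^authentication of '[^']+' with RSA signature successful$")  # not the "(myself)" line
EAP_REQ = re.compile(r"^server requested (EAP_\w+)")
UNKNOWN_CA = re.compile(r"^received \d+ cert requests? for an unknown ca$")

def triage(log):
    # Summarise one IKEv2 negotiation from charon log lines and name the stage where it failed.
    r = {"notifies": [], "unknown_ca": False, "peer_authenticated": False,
         "eap_methods": [], "retransmits": {}, "verdict": "no failure detected"}
    answered = set()
    for line in (l.strip() for l in log.splitlines()):
        if m := MSG.match(line):
            if m[1] == "response":  # collect N(...) notifies the gateway sent, e.g. COOKIE, AUTH_FAILED
                answered.add(int(m[2]))
                r["notifies"] += [p[2:-1] for p in m[3].split() if p.startswith("N(")]
        elif m := RETRANS.match(line):
            r["retransmits"][int(m[2])] = int(m[1])  # highest retransmit count seen per message ID
        elif PEER_AUTH.match(line):
            r["peer_authenticated"] = True  # the gateway's certificate chain verified on our side
        elif m := EAP_REQ.match(line):
            r["eap_methods"].append(m[1])
        elif UNKNOWN_CA.match(line):
            r["unknown_ca"] = True  # gateway's CERTREQ names a CA we have not loaded
    # A message ID that was retransmitted but never answered marks where the peer went silent.
    r["stalled_mid"] = next((mid for mid in r["retransmits"] if mid not in answered), None)
    if "AUTH_FAILED" in r["notifies"]:
        r["verdict"] = "rejected: gateway answered IKE_AUTH with AUTH_FAILED (identity, certificate or auth method not accepted)"
    elif r["stalled_mid"] is not None:
        r["verdict"] = f"stalled: no response to message ID {r['stalled_mid']} during {r['eap_methods'][-1] if r['eap_methods'] else 'IKE'}"
    return r
```

Run it over a real `charon` log (the `ipsec up` output or `/var/log/daemon.log`) and the verdict tells you whether to look at what the gateway rejected or at why it stopped answering mid-EAP.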
