[strongSwan] connecting certificate only, mac os x

Cindy Moore ctmoore at cs.ucsd.edu
Wed Dec 10 23:27:48 CET 2014


ipsec.conf
It seems to find these two connections as possible candidates, though I'm
really only trying to do the first one:

#certificate only
conn roadwarrior-ikev1
        keyexchange=ikev1
        leftauth=pubkey
        right=%any
        rightid=%any
        rightauth=pubkey
        rightauth2=xauth-noauth
        auto=add

# no certificate; how about ldap??
# hybrid auth version
# see https://wiki.strongswan.org/projects/strongswan/wiki/XAuthPam
conn roadwarrior-ldap
        leftauth=pubkey
        right=%any
        rightid=%any
        rightauth=xauth-pam
        auto=add

I'm not entirely sure whether this is trying to tell me the certs
don't look like RSA or if whatever certs got exchanged were empty (I
suppose that's not exclusive), but I'm not quite sure what's going on
here. It says there are two matching configs, but never says which one
it actually tries.

/var/log/syslog:

Dec 10 14:15:22 vpn charon: 04[IKE] ignoring certificate request without data
Dec 10 14:15:22 vpn charon: 04[IKE] received end entity cert "C=US,
O=Sysnet, CN=ctmoore at cs.ucsd.edu"
Dec 10 14:15:22 vpn charon: 04[CFG] looking for RSA signature peer
configs matching 137.110.222.21...128.54.58.170[C=US, O=Sysnet,
CN=ctmoore at cs.ucsd.edu]
Dec 10 14:15:22 vpn charon: 04[CFG]   candidate "roadwarrior-ikev1",
match: 1/1/1052 (me/other/ike)
Dec 10 14:15:22 vpn charon: 04[CFG]   candidate "roadwarrior-ldap",
match: 1/1/1048 (me/other/ike)
Dec 10 14:15:22 vpn charon: 04[IKE] found 2 matching configs, but none
allows RSA signature authentication using Main Mode

and then

Dec 10 14:15:52 vpn charon: 07[IKE] IKE_SA (unnamed)[2] state change:
CREATED => CONNECTING
Dec 10 14:15:52 vpn charon: 07[CFG] selecting proposal:
Dec 10 14:15:52 vpn charon: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Dec 10 14:15:52 vpn charon: 07[CFG] selecting proposal:
Dec 10 14:15:52 vpn charon: 07[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Dec 10 14:15:52 vpn charon: 07[CFG] selecting proposal:
Dec 10 14:15:52 vpn charon: 07[CFG]   proposal matches
Dec 10 14:15:52 vpn charon: 07[CFG] received proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 10 14:15:52 vpn charon: 07[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
Dec 10 14:15:52 vpn charon: 07[CFG] selected proposal:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 10 14:15:52 vpn charon: 07[IKE] sending XAuth vendor ID
Dec 10 14:15:52 vpn charon: 07[IKE] sending DPD vendor ID
Dec 10 14:15:52 vpn charon: 07[IKE] sending NAT-T (RFC 3947) vendor ID
Dec 10 14:15:52 vpn charon: 07[ENC] generating ID_PROT response 0 [ SA V V V ]
Dec 10 14:15:52 vpn charon: 07[NET] sending packet: from
137.110.222.21[500] to 128.54.58.170[500] (132 bytes)
Dec 10 14:15:52 vpn charon: 03[NET] sending packet: from
137.110.222.21[500] to 128.54.58.170[500]
Dec 10 14:15:52 vpn charon: 02[NET] received packet: from
128.54.58.170[500] to 137.110.222.21[500]
Dec 10 14:15:52 vpn charon: 02[NET] waiting for data on sockets
Dec 10 14:15:52 vpn charon: 04[NET] received packet: from
128.54.58.170[500] to 137.110.222.21[500] (228 bytes)
Dec 10 14:15:52 vpn charon: 04[ENC] parsed ID_PROT request 0 [ KE No
NAT-D NAT-D ]
Dec 10 14:15:52 vpn charon: 04[IKE] sending cert request for "C=US,
O=Sysnet, CN=strongSwan Root CA"
Dec 10 14:15:52 vpn charon: 04[ENC] generating ID_PROT response 0 [ KE
No CERTREQ NAT-D NAT-D ]
Dec 10 14:15:52 vpn charon: 04[NET] sending packet: from
137.110.222.21[500] to 128.54.58.170[500] (310 bytes)
Dec 10 14:15:52 vpn charon: 03[NET] sending packet: from
137.110.222.21[500] to 128.54.58.170[500]
Dec 10 14:16:22 vpn charon: 08[JOB] deleting half open IKE_SA after timeout
Dec 10 14:16:22 vpn charon: 08[IKE] IKE_SA (unnamed)[2] state change:
CONNECTING => DESTROYING
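As an added example (not part of the original post, and not strongSwan's own code), here is a small Python parser that pulls the relevant facts out of charon syslog lines like the ones quoted above: which authentication method the peer asked for, the candidate connections with their me/other/ike match scores, the rejection reason, the selected IKE proposal, and any weak algorithms in it. The sample lines are constructed from the log in the post (joined back onto single lines where the mailer wrapped them); the regexes and the weak-algorithm list are my own assumptions about the log format and are not a strongSwan feature.

```python
import re

# Constructed sample, modelled on the charon syslog lines quoted in the post above
# (the real lines were wrapped by the mailer; these are joined back onto one line each).
SAMPLE_LOG = """\
Dec 10 14:15:22 vpn charon: 04[IKE] received end entity cert "C=US, O=Sysnet, CN=ctmoore at cs.ucsd.edu"
Dec 10 14:15:22 vpn charon: 04[CFG] looking for RSA signature peer configs matching 137.110.222.21...128.54.58.170[C=US, O=Sysnet, CN=ctmoore at cs.ucsd.edu]
Dec 10 14:15:22 vpn charon: 04[CFG]   candidate "roadwarrior-ikev1", match: 1/1/1052 (me/other/ike)
Dec 10 14:15:22 vpn charon: 04[CFG]   candidate "roadwarrior-ldap", match: 1/1/1048 (me/other/ike)
Dec 10 14:15:22 vpn charon: 04[IKE] found 2 matching configs, but none allows RSA signature authentication using Main Mode
Dec 10 14:15:52 vpn charon: 07[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 10 14:15:52 vpn charon: 07[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 10 14:16:22 vpn charon: 08[JOB] deleting half open IKE_SA after timeout
"""

# Regexes written against the charon log format shown above (assumption: they
# cover only these message shapes, not every charon message).
LOOKING_RE = re.compile(r"looking for (.+?) peer configs matching (\S+?)\.\.\.(\S+?)\[")
CANDIDATE_RE = re.compile(r'candidate "([^"]+)", match: (\d+)/(\d+)/(\d+) \(me/other/ike\)')
REJECT_RE = re.compile(r"found (\d+) matching configs, but none allows (.+)$")
SELECTED_RE = re.compile(r"selected proposal: IKE:(\S+)")
TIMEOUT_RE = re.compile(r"deleting half open IKE_SA after timeout")

# Algorithms a defender would not want negotiated on a new deployment
# (assumption: this list is mine, not anything strongSwan ships).
WEAK_ALGS = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "MODP_768", "MODP_1024"}


def parse_charon_log(text):
    """Summarise the IKEv1 negotiation visible in a run of charon log lines."""
    summary = {
        "auth_wanted": None,  # auth method the peer is attempting, e.g. "RSA signature"
        "local": None,        # our address as logged
        "peer": None,         # remote address as logged
        "candidates": [],     # [{"name", "me", "other", "ike"}, ...] in log order
        "rejection": None,    # text after "but none allows", if any
        "selected": [],       # algorithms of the selected IKE proposal
        "weak_algs": [],      # those of "selected" that are in WEAK_ALGS
        "timeouts": 0,        # half-open IKE_SAs dropped after timeout
    }
    for line in text.splitlines():
        m = LOOKING_RE.search(line)
        if m:
            summary["auth_wanted"], summary["local"], summary["peer"] = m.groups()
            continue
        m = CANDIDATE_RE.search(line)
        if m:
            name, me, other, ike = m.groups()
            summary["candidates"].append(
                {"name": name, "me": int(me), "other": int(other), "ike": int(ike)}
            )
            continue
        m = REJECT_RE.search(line)
        if m:
            summary["rejection"] = m.group(2).strip()
            continue
        m = SELECTED_RE.search(line)
        if m:
            summary["selected"] = m.group(1).split("/")
            summary["weak_algs"] = [a for a in summary["selected"] if a in WEAK_ALGS]
            continue
        if TIMEOUT_RE.search(line):
            summary["timeouts"] += 1
    return summary


def best_candidate(summary):
    """Name of the candidate with the highest ike score (assumption: higher is a closer match)."""
    if not summary["candidates"]:
        return None
    return max(summary["candidates"], key=lambda c: c["ike"])["name"]


def diagnose(summary):
    """Turn the summary into short findings a reader can act on."""
    findings = []
    if summary["rejection"]:
        findings.append(
            f"peer {summary['peer']} attempted {summary['auth_wanted']} but no conn allows "
            f"{summary['rejection']}; closest candidate: {best_candidate(summary)}"
        )
    if summary["weak_algs"]:
        findings.append("selected IKE proposal uses weak algorithms: " + ", ".join(summary["weak_algs"]))
    if summary["timeouts"]:
        findings.append(f"{summary['timeouts']} half-open IKE_SA(s) timed out before Main Mode completed")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_charon_log(SAMPLE_LOG)):
        print("-", finding)
```

Run against the constructed sample, it reports that the peer tried RSA signature authentication in Main Mode and no conn allowed it (roadwarrior-ikev1 being the closer of the two candidates by ike score), that the negotiated proposal used 3DES_CBC and MODP_1024, and that one half-open IKE_SA timed out; feeding it a real /var/log/syslog excerpt works the same way as long as the lines are not wrapped.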

