[strongSwan] Blackberry 10 can't establish VPN with Amazon AWS EC2 using PKI auth

Юрий yurik at it.org.by
Mon Oct 6 20:46:31 CEST 2014


Hi all!

I ran into a strange situation: I have an Amazon AWS CentOS instance with strongSwan installed and am trying to use a test VPN. I can establish a VPN using PKI on Windows 7 and 8.1 machines and EAP-MSCHAPv2 on Blackberry 10 devices, but the latter totally won't work with PKI.

My configs are:

# I know it's not optimized yet, but it works, so I'll optimise in the future
# ServerPublicIP means public IP of Amazon AWS instance i.e. 54.xxx.xxx.xxx
# ServerPrivateIP means private IP of Amazon instance, i.e 172.xxx.xxx.xxx
# ClientPublicIP means public IP of remote client

config setup
    strictcrlpolicy=no

conn %default
   ikelifetime=24h
   keylife=24h
   keyexchange=ikev2
   dpdaction=clear
   dpdtimeout=3600s
   dpddelay=3600s
   compress=yes
   #esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096
   #ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096

# This is the EAP-MSCHAPv2 connection; it works flawlessly on every Blackberry device

conn BB_10
   rekey=no
   left=%any
   leftsubnet=0.0.0.0/0
   leftauth=psk
   leftid=ServerPublicIP
   right=%any
   rightsourceip=192.168.2.100/28
   rightauth=eap-mschapv2
   rightsendcert=never
   eap_identity=%any
   auto=add

# Win 7 connection, working well too

conn laptop
   left=%any
   leftauth=pubkey
   leftcert=serverCert.pem
   leftid=ServerPublicIP
   leftsubnet=0.0.0.0/0
   right=%any
   rightsourceip=192.168.2.100/28
   rightauth=pubkey
   rightcert=clientCert.pem
   rightsendcert=never
   rekey=no
   auto=add

# Win 8.1 connection; I didn't merge it with the previous conn because I plan to
# swap the device for an ultrabook with a mobile SIM slot, so it should be a MOBIKE
# connection rather than the laptop one above

conn Win8
   left=%any
   leftauth=pubkey
   leftcert=serverCert.pem
   leftid=ServerPublicIP
   leftsubnet=0.0.0.0/0
   right=%any
   rightsourceip=192.168.2.100/28
   rightauth=pubkey
   rightcert=My_BB.pem
   rightsendcert=never
   rekey=no
   auto=add

# This connection doesn't work

conn BB1
   left=%any
   leftid="C=US,O=Acme,CN=ServerPublicIP"
   leftsubnet=0.0.0.0/0
   leftauth=pubkey
   leftcert=serverCert.pem
   right=%any
   rightsourceip=192.168.2.100/28
   rightauth=pubkey
   rightid="C=US,O=Acme,CN=user"
   rekey=no
   auto=add

As for the certificates:

# Making a self-signed CA authority

ipsec pki --gen --outform pem > caKey.pem

ipsec pki --self --in caKey.pem --dn "C=US, O=Acme, CN=CA_issuer" --ca --outform pem > caCert.pem

# Making server keypair

ipsec pki --gen --outform pem > serverKey.pem

ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=Acme, CN=ServerPublicIP" --san="ServerPublicIP" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem

# Making client keypair for conn laptop

ipsec pki --gen --outform pem > clientKey.pem

ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=Acme, CN=client" --outform pem > clientCert.pem

# Making pkcs12 container for import on Win 7 machine

openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "CA_issuer" -out clientCert.p12

# This is a second keypair made a couple of months later. I tried it for
# Blackberry first, but it didn't work; that's why it has such a strange
# client name, its own filename, and so on,
# but it works well on Windows 8.1.
# Actually I generated the client certificate only. Everything else, including
# clientKey.pem, I got before

ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=Acme, CN=My_BB" --outform pem > My_BB.pem

# Making pkcs12 container for import on Win 8.1 machine

openssl pkcs12 -export -inkey clientKey.pem -in My_BB.pem -name "Blackberry" -certfile caCert.pem -caname "Acme" -out Blackberry0.p12

# And that's my last client certificate, for the Blackberry PKI connection which
# I can't establish
# Again, I use everything, including clientKey, from the initial cert generation

ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=Acme, CN=user" --san "user@ServerPublicIP" --flag serverAuth --outform pem > user_BB.pem

# Making pkcs12 container for import on Blackberry 10 device

openssl pkcs12 -export -inkey clientKey.pem -in user_BB.pem -name "Blackberry" -certfile caCert.pem -caname "Acme" -out Blackberry1.p12

Blackberry 10 settings are:

Server Address: ServerPublicIP
Gateway Type: Generic IKEv2 VPN Server
Authentication Type: PKI
Authentication ID Type: Identity Certificate Distinguished Name
Client Certificate: selected from dropdown and named "user"
Gateway Auth Type: PKI
Gateway Auth ID Type: Identity Certificate Distinguished Name
Gateway CA Certificate: selected from dropdown and named "CA_issuer"
Everything else I left at the default

So, the funny part I don't understand is that the VPN doesn't establish; all I have is "Connection Timeout", and the weirdest thing is the log:

charon: 01[IKE] ClientPublicIP is initiating an IKE_SA
charon: 01[IKE] local host is behind NAT, sending keep alives
charon: 01[IKE] remote host is behind NAT
charon: 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
charon: 01[NET] sending packet: from ServerPrivateIP[500] to ClientPublicIP[500] (308 bytes)
charon: 15[IKE] sending keep alive to ClientPublicIP[500]
charon: 09[JOB] deleting half open IKE_SA after timeout

So, if I understand the last two lines right, Blackberry won't send back the packet with the certs list, or it doesn't receive something to initiate this send. I'm not extremely familiar with all those things, so I suspect something is wrong with the certs for this connection, but I haven't any idea what exactly or how it can be resolved.

Thanks in advance,
                                Urgen
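The log above stops after charon sends its IKE_SA_INIT response and then deletes the half-open IKE_SA. In IKEv2 the identities, certificates and AUTH payloads only travel in the following IKE_AUTH exchange, so a log that never shows a parsed IKE_AUTH request means the server's certificate configuration has not been evaluated yet; a certificate or identity mismatch would instead appear after IKE_AUTH arrives. The script below is an added example, not code from the post or from the strongSwan project: it walks charon log lines, records the furthest handshake milestone reached, and classifies a timeout as "stalled before IKE_AUTH" versus "authentication failed". The sample log lines are constructed for the example (the first set mirrors the lines quoted above); the milestone regexes match common charon messages but are assumptions about wording, not an exhaustive list.

```python
"""Classify where an IKEv2 responder-side handshake stalled, from charon log lines."""
import re

# Responder-side milestones, in the order charon reaches them.
STAGES = [
    "none",
    "ike_sa_init_received",   # "<peer> is initiating an IKE_SA"
    "ike_sa_init_responded",  # "generating IKE_SA_INIT response"
    "ike_auth_received",      # "parsed IKE_AUTH request" (IDi/CERT/AUTH arrive here)
    "authenticated",          # "authentication of '...' with ... successful"
    "established",            # "IKE_SA <conn> established"
]

# Assumed charon message wordings for each milestone.
MILESTONES = [
    (re.compile(r"\[IKE\] \S+ is initiating an IKE_SA"), "ike_sa_init_received"),
    (re.compile(r"\[ENC\] generating IKE_SA_INIT response"), "ike_sa_init_responded"),
    (re.compile(r"\[ENC\] parsed IKE_AUTH request"), "ike_auth_received"),
    (re.compile(r"\[IKE\] authentication of '[^']*' with \S+ .*successful"), "authenticated"),
    (re.compile(r"\[IKE\] IKE_SA \S+ established"), "established"),
]

# Messages that show the peer did reach IKE_AUTH but its credentials were rejected.
AUTH_ERRORS = [
    re.compile(r"no trusted (?:RSA|ECDSA) public key found for '[^']*'"),
    re.compile(r"authentication of '[^']*' with \S+ failed"),
    re.compile(r"constraint check failed"),
]

TIMEOUT = re.compile(r"deleting half open IKE_SA after timeout")

EXPLANATIONS = {
    "stalled_before_ike_auth": "Peer never sent IKE_AUTH; certificates were not exchanged. "
                               "Check the client and the UDP 500/4500 path before the server's cert setup.",
    "stalled_during_ike_auth": "IKE_AUTH started but no verdict was logged before the timeout.",
    "authentication_failed": "IKE_AUTH arrived and the peer's certificate or identity was rejected.",
    "established": "Handshake completed.",
    "in_progress": "No timeout or completion seen in the supplied lines.",
}


def diagnose(lines):
    """Return the furthest milestone, a verdict key, and the first auth error line (if any)."""
    furthest = 0
    auth_error = None
    verdict = "in_progress"
    for line in lines:
        for pattern, stage in MILESTONES:
            if pattern.search(line):
                furthest = max(furthest, STAGES.index(stage))
        if auth_error is None and any(p.search(line) for p in AUTH_ERRORS):
            auth_error = line.split("charon: ", 1)[-1].strip()
            verdict = "authentication_failed"
        if TIMEOUT.search(line) and verdict == "in_progress":
            if furthest <= STAGES.index("ike_sa_init_responded"):
                verdict = "stalled_before_ike_auth"
            else:
                verdict = "stalled_during_ike_auth"
    if furthest == STAGES.index("established"):
        verdict = "established"
    return {"furthest_stage": STAGES[furthest], "verdict": verdict,
            "explanation": EXPLANATIONS[verdict], "auth_error": auth_error}


# Constructed sample 1: the pattern quoted in the post (IKE_SA_INIT answered, then timeout).
PAGE_LOG = [
    "charon: 01[IKE] ClientPublicIP is initiating an IKE_SA",
    "charon: 01[IKE] local host is behind NAT, sending keep alives",
    "charon: 01[IKE] remote host is behind NAT",
    "charon: 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]",
    "charon: 01[NET] sending packet: from ServerPrivateIP[500] to ClientPublicIP[500] (308 bytes)",
    "charon: 15[IKE] sending keep alive to ClientPublicIP[500]",
    "charon: 09[JOB] deleting half open IKE_SA after timeout",
]

# Constructed sample 2: IKE_AUTH arrives but the client certificate is not trusted.
CERT_FAIL_LOG = [
    "charon: 05[IKE] ClientPublicIP is initiating an IKE_SA",
    "charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]",
    "charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr ]",
    "charon: 06[IKE] no trusted RSA public key found for 'C=US, O=Acme, CN=user'",
    "charon: 06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]",
]

# Constructed sample 3: a handshake that completes.
OK_LOG = [
    "charon: 07[IKE] ClientPublicIP is initiating an IKE_SA",
    "charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]",
    "charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT IDr AUTH SA TSi TSr ]",
    "charon: 08[IKE] authentication of 'C=US, O=Acme, CN=user' with RSA signature successful",
    "charon: 08[IKE] IKE_SA BB1[1] established between ServerPrivateIP[ServerPublicIP]...ClientPublicIP[C=US, O=Acme, CN=user]",
]

if __name__ == "__main__":
    for name, log in (("page", PAGE_LOG), ("cert_fail", CERT_FAIL_LOG), ("ok", OK_LOG)):
        result = diagnose(log)
        print(f"{name}: {result['verdict']} ({result['furthest_stage']}) - {result['explanation']}")
```

Run against the post's own lines, the classifier reports the handshake never got past IKE_SA_INIT, which is consistent with the author's reading that the Blackberry never sent the next packet; the same script run on a log that contains a parsed IKE_AUTH request followed by a rejection message points at the certificate or identity instead.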