[strongSwan] Problems connecting to Strongswan with WP8.1

Andreas Steffen andreas.steffen at strongswan.org
Sun Oct 19 11:23:20 CEST 2014


Hi,

It seems that Ubuntu 12.04 is running on an old 2.6.32 kernel
instead of the standard 3.2 kernel, but most of the IPsec
features in the kernel should work.

But much worse is that the ipsec starter does not detect
an IPsec stack in the kernel at all:

> no netkey IPsec stack detected
> no KLIPS IPsec stack detected
> no known IPsec stack detected, ignoring!

Thus it is not surprising that no IPsec policies can be installed:

> 00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
> 00[NET] installing IKE bypass policy failed

Thus try to fix your kernel installation, otherwise no IPsec tunnel is
going to be installed.

On the IKEv2 side, the negotiation stops with the message

> 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> 11[NET] sending packet: from the real IP[4500] to 80.187.107.73[2869]
> (908 bytes)

Most probably the Windows 8.1 client does not accept the strongSwan
VPN gateway certificate. Is the FQDN contained as a subjectAltName
in the server certificate? And is the "serverAuth" Extended Key Usage
flag set in the certificate, which is another mandatory requirement?

Best regards

Andreas

On 10/18/2014 10:56 PM, raceface wrote:
> Hi,
>
> I am stuck in getting a connection from a Windows Phone 8.1 to
> strongswan 5.2.0 on a Ubuntu 12.04.
>
> Here’s my ipsec.conf
>
> config setup
>      uniqueids=never
>      # charondebug="cfg -1, dmn 11, ike -1, net -1"
>
> conn myVPN
>        left=%any
>        leftsubnet=0.0.0.0/0
>        leftid=@took out the FQDN
>        lefthostaccess=yes
>        leftfirewall=yes
>        leftcert=server.crt
>        ike=aes256-sha1-modp1024!
>        esp=aes256-sha1!
>        rekey=no
>        keyexchange=ikev2
>        ikelifetime=8h
>        keylife=1h
>        right=%any
>        rightsourceip=192.168.188.50
>        rightauth=eap-mschapv2
>        compress=yes
>        dpdaction=clear
>        dpddelay=300s
>        rightsendcert=never
>        eap_identity=%any
>        auto=add
>
> And this is the --nofork output
>
> Starting strongSwan 5.2.0 IPsec [starter]...
> no netkey IPsec stack detected
> no KLIPS IPsec stack detected
> no known IPsec stack detected, ignoring!
> 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux
> 2.6.32-042stab092.3, i686)
> 00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
> 00[NET] installing IKE bypass policy failed
> 00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
> 00[NET] installing IKE bypass policy failed
> 00[KNL] unable to set IPSEC_POLICY on socket: Invalid argument
> 00[NET] installing IKE bypass policy failed
> 00[KNL] unable to set IPSEC_POLICY on socket: Invalid argument
> 00[NET] installing IKE bypass policy failed
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG]   loaded ca certificate "C=DE, ST=Some-State, O=Andreas Seiler,
> CN=took out the FQDN" from '/etc/ipsec.d/cacerts/ca.crt'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
> 00[CFG]   loaded EAP secret for phone
> 00[LIB] loaded plugins: charon curl pkcs11 aes des rc2 sha1 sha2 md5
> random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12
> pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr
> kernel-netlink resolve socket-default stroke updown eap-identity
> eap-mschapv2 eap-tls eap-ttls xauth-generic
> 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
> 00[JOB] spawning 16 worker threads
> charon (22973) started after 20 ms
> 08[CFG] received stroke: add connection 'myVPN'
> 08[CFG] left nor right host is our side, assuming left=local
> 08[CFG] adding virtual IP address pool 192.168.188.50
> 08[CFG]   loaded certificate "C=DE, ST=Some-State, O=Andreas Seiler,
> CN=took out the FQDN" from 'server.crt'
> 08[CFG] added configuration 'myVPN'
> 10[NET] received packet: from 80.187.107.73[500] to the real IP[500]
> (616 bytes)
> 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) V V V V ]
> 10[ENC] received unknown vendor ID:
> 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
> 10[ENC] received unknown vendor ID:
> fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
> 10[ENC] received unknown vendor ID:
> 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
> 10[ENC] received unknown vendor ID:
> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> 10[IKE] 80.187.107.73 is initiating an IKE_SA
> 10[IKE] remote host is behind NAT
> 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(MULT_AUTH) ]
> 10[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312
> bytes)
> 11[NET] received packet: from 80.187.107.73[2869] to the real IP[4500]
> (1324 bytes)
> 11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR
> DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> 11[IKE] received cert request for "C=DE, ST=Some-State, O=Andreas
> Seiler, CN=took out the FQDN"
> 11[IKE] received 48 cert requests for an unknown ca
> 11[CFG] looking for peer configs matching the real
> IP[%any]...80.187.107.73[10.69.240.130]
> 11[CFG] selected peer config 'myVPN'
> 11[IKE] initiating EAP_IDENTITY method (id 0x00)
> 11[IKE] peer supports MOBIKE
> 11[IKE] authentication of 'took out the FQDN' (myself) with RSA
> signature successful
> 11[IKE] sending end entity cert "C=DE, ST=Some-State, O=Andreas Seiler,
> CN=took out the FQDN"
> 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> 11[NET] sending packet: from the real IP[4500] to 80.187.107.73[2869]
> (908 bytes)
> 12[NET] received packet: from 80.187.107.73[500] to the real IP[500]
> (616 bytes)
> 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) V V V V ]
> 12[ENC] received unknown vendor ID:
> 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
> 12[ENC] received unknown vendor ID:
> fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
> 12[ENC] received unknown vendor ID:
> 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
> 12[ENC] received unknown vendor ID:
> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> 12[IKE] 80.187.107.73 is initiating an IKE_SA
> 12[IKE] remote host is behind NAT
> 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(MULT_AUTH) ]
> 12[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312
> bytes)
> 13[NET] received packet: from 80.187.107.73[500] to the real IP[500]
> (616 bytes)
> 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) V V V V ]
> 13[IKE] received retransmit of request with ID 0, retransmitting response
> 13[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312
> bytes)
> 14[NET] received packet: from 80.187.107.73[500] to the real IP[500]
> (616 bytes)
> 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) V V V V ]
> 14[IKE] received retransmit of request with ID 0, retransmitting response
> 14[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312
> bytes)
> 15[JOB] deleting half open IKE_SA after timeout
>
> Has anybody an idea what might be the problem?


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
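
The two certificate requirements named in the reply above (the gateway FQDN as a subjectAltName and the serverAuth Extended Key Usage) can be checked with OpenSSL. This is an added example, not part of the original thread or of strongSwan; the function names and the FQDN vpn.example.org are assumptions, and the sample certificates it can generate are constructed throwaways.

```sh
#!/bin/sh
# Added example, not from the thread. vpn.example.org is a placeholder FQDN.

# check_gateway_cert CERT.pem FQDN
# Returns 0 only if the certificate lists FQDN as a dNSName subjectAltName
# (exact, case-insensitive match) and carries the serverAuth Extended Key Usage.
check_gateway_cert() {
    cert=$1
    fqdn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2

    # The SAN values are printed on the line after the extension header.
    san=$(printf '%s\n' "$text" |
          grep -A1 'X509v3 Subject Alternative Name' | tail -n 1)
    if printf '%s\n' "$san" | tr -d ' ' | tr ',' '\n' | tr 'A-Z' 'a-z' |
       grep -Fqx "dns:$fqdn"; then
        echo "ok:   subjectAltName contains DNS:$fqdn"
    else
        echo "FAIL: subjectAltName has no DNS:$fqdn entry"
        rc=1
    fi

    # OpenSSL prints serverAuth as "TLS Web Server Authentication".
    if printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' |
       grep -q 'TLS Web Server Authentication'; then
        echo "ok:   Extended Key Usage includes serverAuth"
    else
        echo "FAIL: Extended Key Usage lacks serverAuth"
        rc=1
    fi
    return $rc
}

# make_sample_cert OUT.pem EXTENSION_LINE...
# Constructed test input: a throwaway self-signed certificate.
make_sample_cert() {
    out=$1; shift
    dir=$(mktemp -d)
    { printf '[req]\ndistinguished_name=req\n[ext]\n'
      printf '%s\n' "$@"; } > "$dir/cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=vpn.example.org' -config "$dir/cfg" -extensions ext \
        -keyout "$dir/key" -out "$out" 2>/dev/null
    rm -rf "$dir"
}
```

Run `check_gateway_cert` against the file named in `leftcert`, with the host name the client is configured to connect to as the second argument.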
