[strongSwan] Problems connecting to Strongswan with WP8.1

raceface raceface_the_one at gmx.net
Sun Oct 19 11:39:35 CEST 2014


Hi,

I'm not experienced in kernel modification. What do I have to do to get
IPsec stacks loaded into the kernel?

The server.key has been created including
extendedKeyUsage = serverAuth
subjectAltName = DNS:THE FQDN OF THE SERVER
authorityKeyIdentifier=keyid

Thanks for your help!

Andy


> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Sunday, 19 October 2014 11:23
> To: raceface; users at lists.strongswan.org
> Subject: Re: [strongSwan] Problems connecting to Strongswan with WP8.1
> 
> Hi,
> 
> It seems that Ubuntu 12.04 is running on an old 2.6.32 kernel
> instead of the standard 3.2 kernel, but most of the IPsec
> features in the kernel should work.
> 
> But much worse is that the ipsec starter does not detect
> an IPsec stack in the kernel at all:
> 
> > no netkey IPsec stack detected
> > no KLIPS IPsec stack detected
> > no known IPsec stack detected, ignoring!
> 
> Thus it is not surprising that no IPsec policies can be installed:
> 
> > 00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
> > 00[NET] installing IKE bypass policy failed
> 
> Thus try to fix your kernel installation, otherwise no IPsec tunnel is
> going to be installed.
> 
> On the IKEv2 side, the negotiation stops with the message
> 
> > 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> > 11[NET] sending packet: from the real IP[4500] to 80.187.107.73[2869]
> > (908 bytes)
> 
> Most probably the Windows 8.1 client does not accept the strongSwan
> VPN gateway certificate. Is the FQDN contained as a subjectAltName
> in the server certificate? And is the "serverAuth" Extended Key Usage
> flag set in the certificate, which is another mandatory requirement?
> 
> Best regards
> 
> Andreas
> 
> On 10/18/2014 10:56 PM, raceface wrote:
> > Hi,
> >
> > I am stuck in getting a connection from a Windows Phone 8.1 to
> > strongswan 5.2.0 on a Ubuntu 12.04.
> >
> > Here's my ipsec.conf
> >
> > config setup
> >      uniqueids=never
> >      # charondebug="cfg -1, dmn 11, ike -1, net -1"
> >
> > conn myVPN
> >        left=%any
> >        leftsubnet=0.0.0.0/0
> >        leftid=@took out the FQDN
> >        lefthostaccess=yes
> >        leftfirewall=yes
> >        leftcert=server.crt
> >        ike=aes256-sha1-modp1024!
> >        esp=aes256-sha1!
> >        rekey=no
> >        keyexchange=ikev2
> >        ikelifetime=8h
> >        keylife=1h
> >        right=%any
> >        rightsourceip=192.168.188.50
> >        rightauth=eap-mschapv2
> >        compress=yes
> >        dpdaction=clear
> >        dpddelay=300s
> >        rightsendcert=never
> >        eap_identity=%any
> >        auto=add
> >
> > And this is the --nofork output
> >
> > Starting strongSwan 5.2.0 IPsec [starter]...
> > no netkey IPsec stack detected
> > no KLIPS IPsec stack detected
> > no known IPsec stack detected, ignoring!
> > 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-042stab092.3, i686)
> > 00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
> > 00[NET] installing IKE bypass policy failed
> > 00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
> > 00[NET] installing IKE bypass policy failed
> > 00[KNL] unable to set IPSEC_POLICY on socket: Invalid argument
> > 00[NET] installing IKE bypass policy failed
> > 00[KNL] unable to set IPSEC_POLICY on socket: Invalid argument
> > 00[NET] installing IKE bypass policy failed
> > 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> > 00[CFG]   loaded ca certificate "C=DE, ST=Some-State, O=Andreas Seiler, CN=took out the FQDN" from '/etc/ipsec.d/cacerts/ca.crt'
> > 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> > 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> > 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> > 00[CFG] loading crls from '/etc/ipsec.d/crls'
> > 00[CFG] loading secrets from '/etc/ipsec.secrets'
> > 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
> > 00[CFG]   loaded EAP secret for phone
> > 00[LIB] loaded plugins: charon curl pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 eap-tls eap-ttls xauth-generic
> > 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
> > 00[JOB] spawning 16 worker threads
> > charon (22973) started after 20 ms
> > 08[CFG] received stroke: add connection 'myVPN'
> > 08[CFG] left nor right host is our side, assuming left=local
> > 08[CFG] adding virtual IP address pool 192.168.188.50
> > 08[CFG]   loaded certificate "C=DE, ST=Some-State, O=Andreas Seiler, CN=took out the FQDN" from 'server.crt'
> > 08[CFG] added configuration 'myVPN'
> > 10[NET] received packet: from 80.187.107.73[500] to the real IP[500] (616 bytes)
> > 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> > 10[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
> > 10[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
> > 10[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
> > 10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> > 10[IKE] 80.187.107.73 is initiating an IKE_SA
> > 10[IKE] remote host is behind NAT
> > 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> > 10[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312 bytes)
> > 11[NET] received packet: from 80.187.107.73[2869] to the real IP[4500] (1324 bytes)
> > 11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> > 11[IKE] received cert request for "C=DE, ST=Some-State, O=Andreas Seiler, CN=took out the FQDN"
> > 11[IKE] received 48 cert requests for an unknown ca
> > 11[CFG] looking for peer configs matching the real IP[%any]...80.187.107.73[10.69.240.130]
> > 11[CFG] selected peer config 'myVPN'
> > 11[IKE] initiating EAP_IDENTITY method (id 0x00)
> > 11[IKE] peer supports MOBIKE
> > 11[IKE] authentication of 'took out the FQDN' (myself) with RSA signature successful
> > 11[IKE] sending end entity cert "C=DE, ST=Some-State, O=Andreas Seiler, CN=took out the FQDN"
> > 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> > 11[NET] sending packet: from the real IP[4500] to 80.187.107.73[2869] (908 bytes)
> > 12[NET] received packet: from 80.187.107.73[500] to the real IP[500] (616 bytes)
> > 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> > 12[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
> > 12[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
> > 12[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
> > 12[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> > 12[IKE] 80.187.107.73 is initiating an IKE_SA
> > 12[IKE] remote host is behind NAT
> > 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> > 12[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312 bytes)
> > 13[NET] received packet: from 80.187.107.73[500] to the real IP[500] (616 bytes)
> > 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> > 13[IKE] received retransmit of request with ID 0, retransmitting response
> > 13[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312 bytes)
> > 14[NET] received packet: from 80.187.107.73[500] to the real IP[500] (616 bytes)
> > 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> > 14[IKE] received retransmit of request with ID 0, retransmitting response
> > 14[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312 bytes)
> > 15[JOB] deleting half open IKE_SA after timeout
> >
> > Has anybody an idea what might be the problem?
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
> >
> 
> 
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
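Two quick checks for the points Andreas raises, as an added example that is not part of the thread: whether the netkey stack the starter looks for is visible (assuming, as I read the strongSwan starter source, that it probes /proc/net/pfkey, which appears once the af_key module is loaded) and whether a gateway certificate carries the FQDN as a subjectAltName DNS entry plus the serverAuth EKU. The FQDN, file paths and the sample certificate text in the comments are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): probe the two things Andreas points at.
#
# 1. The starter's "no netkey IPsec stack detected" message: as I read the
#    starter source, it probes /proc/net/pfkey (created when the af_key module
#    is loaded); a missing file means no netkey stack is visible to it.
#    The PROC argument exists only so the check can be pointed at a test tree.
netkey_stack_present() {
    proc=${1:-/proc}
    if [ -e "$proc/net/pfkey" ]; then
        return 0
    fi
    echo "no $proc/net/pfkey: af_key (and the xfrm/esp modules) are not loaded" >&2
    return 1
}

# 2. The gateway certificate must carry the FQDN as a subjectAltName DNS
#    entry and the serverAuth EKU. check_cert_text FQDN reads the output of
#    `openssl x509 -noout -text` on stdin and returns 0 only if both hold.
check_cert_text() {
    fqdn=$1
    text=$(cat)
    rc=0
    # SAN values sit on the line after the "Subject Alternative Name" header,
    # comma separated, e.g. "DNS:vpn.example.org, IP Address:198.51.100.1".
    san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}')
    if ! printf '%s\n' "$san" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
            | grep -qxF "DNS:$fqdn"; then
        echo "subjectAltName lacks DNS:$fqdn" >&2
        rc=1
    fi
    # openssl renders the serverAuth OID as "TLS Web Server Authentication".
    eku=$(printf '%s\n' "$text" | sed -n '/Extended Key Usage/{n;p;}')
    if ! printf '%s\n' "$eku" | grep -q 'TLS Web Server Authentication'; then
        echo "extendedKeyUsage lacks serverAuth" >&2
        rc=1
    fi
    return $rc
}

# check_server_cert FILE FQDN: run openssl on a PEM certificate (for example
# /etc/ipsec.d/certs/server.crt, a placeholder path) and apply the check above.
check_server_cert() {
    openssl x509 -in "$1" -noout -text | check_cert_text "$2"
}
```

Run `netkey_stack_present` first; until it passes, charon cannot install the IKE bypass policy and the certificate check is moot.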