[strongSwan] Strongswan and WP8.1

raceface raceface_the_one at gmx.net
Mon Oct 27 22:24:15 CET 2014

Hi all,

I installed strongswan 5.2 on Debian wheezy running on a KVM machine.
Strongswan is up and running and can be reached from outside. But there
seems to be something wrong with the certs.

The ca.crt is created including

basicConstraints = critical, CA:true
extendedKeyUsage = serverAuth
keyUsage = critical, keyCertSign, cRLSign

and the server.crt is created including

extendedKeyUsage = serverAuth
subjectAltName = DNS:FQDN removed

The ca.crt is already installed on the Lumia and a reboot has been performed.

After starting strongswan with --nofork I get the following messages:
Starting strongSwan 5.2.0 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 3.2.0-4-amd64,
00[CFG] HA config misses local/remote address
00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=DE, ST=Some-State, O=andy, CN=removed" from '/etc/ipsec.d/cacerts/ca.crt'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loading secrets from '/var/lib/strongswan/ipsec.secrets.inc'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
00[CFG]   loaded EAP secret for "aceface2nd"
00[CFG] loaded 0 RADIUS server configurations
00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (3751) started after 60 ms
03[CFG] received stroke: add connection 'rw-mschapv2'
03[CFG] left nor right host is our side, assuming left=local
03[CFG] adding virtual IP address pool
03[CFG]   loaded certificate "C=DE, ST=Some-State, O=andy, CN=removed" from
03[CFG]   id 'removed' not confirmed by certificate, defaulting to 'C=DE, ST=Some-State, O=andy, CN=removed'
03[CFG] added configuration 'rw-mschapv2'
01[CFG] received stroke: initiate 'rw-mschapv2'
01[IKE] unable to resolve %any, initiate aborted
01[MGR] tried to check-in and delete nonexisting IKE_SA
09[NET] received packet: from removed[500] to removed[500] (616 bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
09[ENC] received unknown vendor ID:
09[ENC] received unknown vendor ID:
09[ENC] received unknown vendor ID:
09[ENC] received unknown vendor ID:
09[IKE] removed is initiating an IKE_SA
09[IKE] remote host is behind NAT
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
09[NET] sending packet: from removed[500] to removed[500] (308 bytes)
07[NET] received packet: from removed[17224] to removed[4500] (1324 bytes)
07[IKE] received cert request for "C=DE, ST=Some-State, O=andy, CN=removed"
07[IKE] received 49 cert requests for an unknown ca
07[CFG] looking for peer configs matching removed[%any]...removed[removed]
07[CFG] selected peer config 'rw-mschapv2'
07[IKE] initiating EAP_IDENTITY method (id 0x00)
07[IKE] peer supports MOBIKE
07[IKE] authentication of 'C=DE, ST=Some-State, O=andy, CN=removed' (myself) with RSA signature successful
07[IKE] sending end entity cert "C=DE, ST=Some-State, O=andy, CN=removed"
07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
07[NET] sending packet: from removed[4500] to removed[17224] (932 bytes)
02[JOB] deleting half open IKE_SA after timeout

The Lumia is quitting the job with error message 13801.

Any hints on what I need to do to correct this? I am wondering why strongswan
is logging "id . . . not confirmed by certificate" while starting, and "unable
to resolve %any".

Thanks for your help!
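An added example, not part of the original post or of strongSwan itself: the script below builds a CA and a server certificate with the extension sets quoted above (the FQDN vpn.example.com, the "Demo CA" subject and the temporary directory are constructed for the demo) and then checks what the "id ... not confirmed by certificate" message points at: the identity configured as leftid must appear in the server certificate as its CN or as a DNS subjectAltName, and the certificate must carry the serverAuth extendedKeyUsage.

```shell
set -eu
WORK=$(mktemp -d)
FQDN="vpn.example.com"   # constructed: the name the phone dials and leftid is set to

# One config file carrying the extension sets quoted in the post
cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = DE
ST = Some-State
O = andy
CN = Demo CA
[v3_ca]
basicConstraints = critical, CA:true
extendedKeyUsage = serverAuth
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN
EOF

# Self-signed CA with the v3_ca extensions
openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca -newkey rsa:2048 \
  -nodes -days 365 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# Server CSR whose CN is the FQDN, signed by the CA with the v3_server extensions
openssl req -new -config "$WORK/openssl.cnf" -subj "/C=DE/ST=Some-State/O=andy/CN=$FQDN" \
  -newkey rsa:2048 -nodes -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions v3_server \
  -out "$WORK/server.crt" 2>/dev/null

# check_server_cert CERT LEFTID
# charon only accepts leftid if the certificate contains it (subject CN or
# DNS SAN); otherwise it logs "id ... not confirmed by certificate" and falls
# back to the full subject DN. Windows clients also require serverAuth.
check_server_cert() {
  cert=$1; leftid=$2
  text=$(openssl x509 -in "$cert" -noout -text -nameopt RFC2253)
  case "$text" in *"DNS:$leftid"*|*"CN=$leftid"*) ;;
    *) echo "id '$leftid' not confirmed by certificate"; return 1 ;;
  esac
  case "$text" in *"TLS Web Server Authentication"*) ;;
    *) echo "missing extendedKeyUsage serverAuth"; return 1 ;;
  esac
  echo "OK: '$leftid' and serverAuth present in $(basename "$cert")"
}

check_server_cert "$WORK/server.crt" "$FQDN"
```

The second message, "unable to resolve %any, initiate aborted", is unrelated to the certificates: it appears when a connection with right=%any is configured with auto=start, which makes charon try to initiate towards an unknown peer; a road-warrior responder config uses auto=add instead.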


