[strongSwan] Strongswan and WP8.1

Noel Kuntze noel at familie-kuntze.de
Mon Oct 27 22:26:15 CET 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,

You probably have "auto=start" in the conn definition. Change that
to "auto=add".
If you use certificates, the IDs of the peers have to be the DNs of the
certificates of the corresponding peer. strongSwan enforces that
by defaulting back to the DN of the certificate if you set an ID that is
not confirmed by the certificate.

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 27.10.2014 at 22:24, raceface wrote:
> Hi all,
>
> I installed strongswan 5.2 on Debian wheezy running on a KVM machine.
> Strongswan is up and running and can be reached from outside. But there
> seems to be something wrong with the certs.
>
> The ca.crt is created including
>
> basicConstraints = critical, CA:true
> extendedKeyUsage = serverAuth
> keyUsage = critical, keyCertSign, cRLSign
>
> and the server.crt is created including
>
> extendedKeyUsage = serverAuth
> subjectAltName = DNS:FQDN removed
> authorityKeyIdentifier=keyid
>
> The ca.crt is already installed on the lumia and a reboot is performed.
>
> After starting strongswan with --nofork I get the following messages:
> Starting strongSwan 5.2.0 IPsec [starter]...
> 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 3.2.0-4-amd64,
> x86_64)
> 00[CFG] HA config misses local/remote address
> 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG]   loaded ca certificate "C=DE, ST=Some-State, O=andy, CN=removed"
> from '/etc/ipsec.d/cacerts/ca.crt'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG] loading secrets from '/var/lib/strongswan/ipsec.secrets.inc'
> 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
> 00[CFG]   loaded EAP secret for "aceface2nd"
> 00[CFG] loaded 0 RADIUS server configurations
> 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
> openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve
> socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
> eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap
> xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
> 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
> 00[LIB] dropped capabilities, running as uid 0, gid 0
> 00[JOB] spawning 16 worker threads
> charon (3751) started after 60 ms
> 03[CFG] received stroke: add connection 'rw-mschapv2'
> 03[CFG] left nor right host is our side, assuming left=local
> 03[CFG] adding virtual IP address pool 10.0.0.0/24
> 03[CFG]   loaded certificate "C=DE, ST=Some-State, O=andy, CN=removed" from
> 'server.crt'
> 03[CFG]   id 'removed' not confirmed by certificate, defaulting to 'C=DE,
> ST=Some-State, O=andy, CN=removed'
> 03[CFG] added configuration 'rw-mschapv2'
> 01[CFG] received stroke: initiate 'rw-mschapv2'
> 01[IKE] unable to resolve %any, initiate aborted
> 01[MGR] tried to check-in and delete nonexisting IKE_SA
> 09[NET] received packet: from removed[500] to removed[500] (616 bytes)
> 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V
> V V V ]
> 09[ENC] received unknown vendor ID:
> 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
> 09[ENC] received unknown vendor ID:
> fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
> 09[ENC] received unknown vendor ID:
> 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
> 09[ENC] received unknown vendor ID:
> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> 09[IKE] removed is initiating an IKE_SA
> 09[IKE] remote host is behind NAT
> 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(MULT_AUTH) ]
> 09[NET] sending packet: from removed[500] to removed[500] (308 bytes)
> 07[NET] received packet: from removed[17224] to removed[4500] (1324 bytes)
> 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS
> NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> 07[IKE] received cert request for "C=DE, ST=Some-State, O=andy, CN=removed"
> 07[IKE] received 49 cert requests for an unknown ca
> 07[CFG] looking for peer configs matching removed[%any]...removed[removed]
> 07[CFG] selected peer config 'rw-mschapv2'
> 07[IKE] initiating EAP_IDENTITY method (id 0x00)
> 07[IKE] peer supports MOBIKE
> 07[IKE] authentication of 'C=DE, ST=Some-State, O=andy, CN=removed' (myself)
> with RSA signature successful
> 07[IKE] sending end entity cert "C=DE, ST=Some-State, O=andy, CN=removed"
> 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> 07[NET] sending packet: from removed[4500] to removed[17224] (932 bytes)
> 02[JOB] deleting half open IKE_SA after timeout
>
> The lumia is quitting the job with error message 13801.
>
> Any hints on what I need to do to correct this? I am wondering why strongswan
> is logging "id . . . not confirmed by certificate" while starting, and "unable
> to resolve %any".
>
> Thanks for your help!
>
> Andy
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

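As an added example (not from this thread and not the strongSwan project's own sample config), the following ipsec.conf fragment shows a connection in the shape of the 'rw-mschapv2' connection from the log, first in the form that produces the two startup messages Andy asks about, then in the corrected form Noel describes. The subject DN is the one charon printed when loading server.crt; the alternative host name and the comments about option semantics are my additions, and the host name is a placeholder, not the removed FQDN from the post.

```conf
# Added example, not code from the mailing list post or from strongSwan.
# IKEv2 road-warrior responder authenticating itself with server.crt and
# the phone with EAP-MSCHAPv2, as the log above suggests. Placeholder
# values: vpn.example.com. The DN is copied from charon's own log line.

# Variant 1: reproduces the two startup messages from the log
conn rw-mschapv2-broken
        keyexchange=ikev2
        left=%defaultroute
        leftcert=server.crt
        # "removed" is neither the subject DN nor a subjectAltName of
        # server.crt, so charon logs "id 'removed' not confirmed by
        # certificate, defaulting to 'C=DE, ST=Some-State, O=andy, CN=removed'"
        leftid=removed
        leftauth=pubkey
        leftsubnet=0.0.0.0/0
        right=%any
        rightauth=eap-mschapv2
        rightsourceip=10.0.0.0/24
        eap_identity=%identity
        # auto=start makes the starter initiate this conn at startup; with
        # right=%any there is no peer address, hence
        # "unable to resolve %any, initiate aborted"
        auto=start

# Variant 2: corrected, a pure responder whose ID the certificate confirms
conn rw-mschapv2
        keyexchange=ikev2
        left=%defaultroute
        leftcert=server.crt
        # Use the subject DN exactly as charon printed it when loading the cert.
        leftid="C=DE, ST=Some-State, O=andy, CN=removed"
        # strongSwan also accepts an ID that appears in the certificate's
        # subjectAltName; if server.crt carries DNS:vpn.example.com, this
        # form works too (placeholder name):
        #leftid=@vpn.example.com
        leftauth=pubkey
        leftsubnet=0.0.0.0/0
        # send our certificate even if the client did not request it
        leftsendcert=always
        right=%any
        rightauth=eap-mschapv2
        rightsourceip=10.0.0.0/24
        # the phone authenticates with EAP, not with a certificate
        rightsendcert=never
        eap_identity=%identity
        # load the conn and wait for clients; never try to initiate to %any
        auto=add
```

After editing, `ipsec reload` re-reads ipsec.conf; the "not confirmed by certificate" line should no longer appear when the conn is added, and the "unable to resolve %any" line disappears because nothing is initiated at startup. The earlier "received 49 cert requests for an unknown ca" entries are the client listing the CAs it trusts and do not by themselves indicate a server-side problem.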



More information about the Users mailing list