[strongSwan] Strongswan and WP8.1
raceface
raceface_the_one at gmx.net
Mon Oct 27 22:36:23 CET 2014
Hi Noel,
I changed to auto=add. What does it mean with the ID, authentication should be via username and password, the certs should only be for encryption. Below is my ipsec.conf
conn rw-mschapv2
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
left=%any
leftsubnet=0.0.0.0/0
leftid=@sync.andreasseiler.com
leftcert=server.crt
leftauth=pubkey
leftfirewall=yes
right=%any
rightsourceip=10.0.0.0/24
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
auto=add
compress=yes
Thanks for help!
Andy
> -----Ursprüngliche Nachricht-----
> Von: users-bounces at lists.strongswan.org [mailto:users-
> bounces at lists.strongswan.org] Im Auftrag von Noel Kuntze
> Gesendet: Montag, 27. Oktober 2014 22:26
> An: users at lists.strongswan.org
> Betreff: Re: [strongSwan] Strongswan and WP8.1
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello,
>
> You probably have "auto=start" in the conn definition. Change that to
> "auto=add".
> If you use certificates, the IDs of the peers have to be the DNs of the
> certificates of the corresponding peer. StrongSwan enforces that by
> defaulting back to the DN of the certificate, if you set an ID, that is
> not confirmed by the certificate.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 27.10.2014 um 22:24 schrieb raceface:
> > Hi all,
> >
> > I installed strongswan 5.2 on Debian wheezy running on a KVM machine.
> > Strongswan is up and running and can be reached from outside. But
> > there seems to be something wrong with the certs.
> >
> > The ca.crt is created including
> >
> > basicConstraints = critical, CA:true
> > extendedKeyUsage = serverAuth
> > keyUsage = critical, keyCertSign, cRLSign
> >
> > and the server.crt is created including
> >
> > extendedKeyUsage = serverAuth
> > subjectAltName = DNS:FQDN removed
> > authorityKeyIdentifier=keyid
> >
> > The ca.crt is already installed on the lumia and a reboot is
> performed.
> >
> > After starting strongswan with --nofork I get following messages:
> > Starting strongSwan 5.2.0 IPsec [starter]...
> > 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux
> > 3.2.0-4-amd64,
> > x86_64)
> > 00[CFG] HA config misses local/remote address 00[LIB] plugin 'ha':
> > failed to load - ha_plugin_create returned NULL 00[CFG] loading ca
> > certificates from '/etc/ipsec.d/cacerts'
> > 00[CFG] loaded ca certificate "C=DE, ST=Some-State, O=andy,
> CN=removed"
> > from '/etc/ipsec.d/cacerts/ca.crt'
> > 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> > 00[CFG] loading ocsp signer certificates from
> '/etc/ipsec.d/ocspcerts'
> > 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> > 00[CFG] loading crls from '/etc/ipsec.d/crls'
> > 00[CFG] loading secrets from '/etc/ipsec.secrets'
> > 00[CFG] loading secrets from '/var/lib/strongswan/ipsec.secrets.inc'
> > 00[CFG] loaded RSA private key from
> '/etc/ipsec.d/private/server.key'
> > 00[CFG] loaded EAP secret for "aceface2nd"
> > 00[CFG] loaded 0 RADIUS server configurations 00[LIB] loaded plugins:
> > charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints
> > pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-
> prf
> > gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default
> > farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
> > eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic
> > xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led
> > addrblock unity 00[LIB] unable to load 5 plugin features (5 due to
> > unmet dependencies) 00[LIB] dropped capabilities, running as uid 0,
> > gid 0 00[JOB] spawning 16 worker threads charon (3751) started after
> > 60 ms 03[CFG] received stroke: add connection 'rw-mschapv2'
> > 03[CFG] left nor right host is our side, assuming left=local 03[CFG]
> > adding virtual IP address pool 10.0.0.0/24
> > 03[CFG] loaded certificate "C=DE, ST=Some-State, O=andy,
> CN=removed" from
> > 'server.crt'
> > 03[CFG] id 'removed' not confirmed by certificate, defaulting to
> 'C=DE,
> > ST=Some-State, O=andy, CN=removed'
> > 03[CFG] added configuration 'rw-mschapv2'
> > 01[CFG] received stroke: initiate 'rw-mschapv2'
> > 01[IKE] unable to resolve %any, initiate aborted 01[MGR] tried to
> > check-in and delete nonexisting IKE_SA 09[NET] received packet: from
> > removed[500] to removed[500] (616 bytes) 09[ENC] parsed IKE_SA_INIT
> > request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ] 09[ENC]
> > received unknown vendor ID:
> > 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
> > 09[ENC] received unknown vendor ID:
> > fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
> > 09[ENC] received unknown vendor ID:
> > 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
> > 09[ENC] received unknown vendor ID:
> > 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> > 09[IKE] removed is initiating an IKE_SA 09[IKE] remote host is behind
> > NAT 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> > N(NATD_D_IP) N(MULT_AUTH) ]
> > 09[NET] sending packet: from removed[500] to removed[500] (308 bytes)
> > 07[NET] received packet: from removed[17224] to removed[4500] (1324
> > bytes) 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP)
> > CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ] 07[IKE] received
> > cert request for "C=DE, ST=Some-State, O=andy, CN=removed"
> > 07[IKE] received 49 cert requests for an unknown ca 07[CFG] looking
> > for peer configs matching removed[%any]...removed[removed] 07[CFG]
> > selected peer config 'rw-mschapv2'
> > 07[IKE] initiating EAP_IDENTITY method (id 0x00) 07[IKE] peer
> supports
> > MOBIKE 07[IKE] authentication of 'C=DE, ST=Some-State, O=andy,
> > CN=removed' (myself) with RSA signature successful 07[IKE] sending
> end
> > entity cert "C=DE, ST=Some-State, O=andy, CN=removed"
> > 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> > 07[NET] sending packet: from removed[4500] to removed[17224] (932
> > bytes) 02[JOB] deleting half open IKE_SA after timeout
> >
> > The lumia is quitting the job with error message 13801.
> >
> > Any hints what I need to do for correction? I am wondering that
> > strongswan is loggin "id . . . not confirmed by certificate" while
> > starting and "unable to resolve %any".
> >
> > Thanks for your help!
> >
> > Andy
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJUTrh2AAoJEDg5KY9j7GZYkbQQAIxMcL6is+Mcz5KYkGqPWVsC
> jVUxSuhw+qt5G48ueYGCZO3nfrmeJkMwVxDlX1zpsbUe3AiZaV8V87wsfPAgIYCA
> gOZp+DS4nLrdnrA5m1gf2btyTOkPPotp2QaExIvii3N3LXRjztA94BC8O7TD9tjM
> 7sCpfP9jZIn/OziCvRRYIG3z5j0gzxPoMkWJ2UKLerBAZ+g1CLIpJwO69txjgf+q
> LGjcZmV0VFvXu721Vc5QF6hgqbd659o4CbC265pu+iX7Z5/wFcy/5YINAI2jIJIP
> SoVatZOrltauu+cQea1LPdky44Qodp5ibA1t7MVxwZvn23Ts798IYrU/FICE0Q+c
> MENXKleTNK1BWdjsSuX53hN1JvPph+4KGhmqSDpxYbm40bGGnSPXEsrXJy+yipUp
> T84jBS2DWfY/WHpSXFjoTrKVp2iVNfbQ0bUro8Qn1JkeyqoRs0h4zjmU0YsHyOuw
> ANsXhvcx0F1uJe1ic9bGYmWuHywVWeOguS26paRj7HxAqPaffvbRpwJLPQFyNHzP
> rFh/iU14LV9wufEkYR7azogiYUbJ/0PQgK4RpLCikouKK9XsWE8gqJKFD43crdmG
> D3bFmSn2pu3WdcHZu/dXOLNuBde4jqFO+Kcc/T9gEQKb5byBTttT2xHqJUVDAi66
> Oplp9BJA6XuiDbKqLq2T
> =7bFZ
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
More information about the Users
mailing list