[strongSwan] Strongswan and WP8.1

Noel Kuntze noel at familie-kuntze.de
Mon Oct 27 22:45:04 CET 2014



Hello Andy,

IDs are used by the peers to indicate the correct configuration for clients or
group clients together with a common configuration, like
assigning one configuration to all the guys from sales who connect via IPsec.
Using the correct IDs is essential in finding the correct configuration on the two peers.
If you don't have matching IDs in the configuration of both sides (assuming you don't
use wildcards), a connection can't be established, as no configuration can be found.

From ipsec.conf about leftid:

              how the left participant should be identified for authentication;
              defaults to left or the subject of the certificate configured with
              leftcert. Can be an IP address, a fully-qualified domain name, an
              email address, or a keyid. If leftcert is configured the identity
              has to be confirmed by the certificate.

              For IKEv2 and rightid the prefix % in front of the identity prevents
              the daemon from sending IDr in its IKE_AUTH request and will allow
              it to verify the configured identity against the subject and
              subjectAltNames contained in the responder's certificate (otherwise
              it is only compared with the IDr returned by the responder). The
              IDr sent by the initiator might otherwise prevent the responder
              from finding a config if it has configured a different value for
              leftid.


Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 27.10.2014 at 22:36, raceface wrote:
> Hi Noel,
>
> I changed to auto=add. What do you mean with the ID? Authentication should be via username and password; the certs should only be for encryption. Below is my ipsec.conf:
>
> conn rw-mschapv2
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         left=%any
>         leftsubnet=0.0.0.0/0
>         leftid=@sync.andreasseiler.com
>         leftcert=server.crt
>         leftauth=pubkey
>         leftfirewall=yes
>         right=%any
>         rightsourceip=10.0.0.0/24
>         rightauth=eap-mschapv2
>         rightsendcert=never
>         eap_identity=%any
>         auto=add
>         compress=yes
>
> Thanks for help!
>
> Andy
>
>> -----Original Message-----
>> From: users-bounces at lists.strongswan.org [mailto:users-bounces at lists.strongswan.org] On Behalf Of Noel Kuntze
>> Sent: Monday, 27 October 2014 22:26
>> To: users at lists.strongswan.org
>> Subject: Re: [strongSwan] Strongswan and WP8.1
>>
>>
> Hello,
>
> You probably have "auto=start" in the conn definition. Change that to
> "auto=add".
> If you use certificates, the IDs of the peers have to be the DNs of the
> certificates of the corresponding peer. strongSwan enforces that by
> defaulting back to the DN of the certificate if you set an ID that is
> not confirmed by the certificate.
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 27.10.2014 at 22:24, raceface wrote:
> >>> Hi all,
> >>>
> >>> I installed strongswan 5.2 on Debian wheezy running on a KVM machine.
> >>> Strongswan is up and running and can be reached from outside. But
> >>> there seems to be something wrong with the certs.
> >>>
> >>> The ca.crt is created including
> >>>
> >>> basicConstraints = critical, CA:true
> >>> extendedKeyUsage = serverAuth
> >>> keyUsage = critical, keyCertSign, cRLSign
> >>>
> >>> and the server.crt is created including
> >>>
> >>> extendedKeyUsage = serverAuth
> >>> subjectAltName = DNS:FQDN removed
> >>> authorityKeyIdentifier=keyid
> >>>
> >>> The ca.crt is already installed on the Lumia and a reboot is performed.
> >>>
> >>> After starting strongswan with --nofork I get the following messages:
> >>> Starting strongSwan 5.2.0 IPsec [starter]...
> >>> 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 3.2.0-4-amd64, x86_64)
> >>> 00[CFG] HA config misses local/remote address
> >>> 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
> >>> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> >>> 00[CFG]   loaded ca certificate "C=DE, ST=Some-State, O=andy, CN=removed" from '/etc/ipsec.d/cacerts/ca.crt'
> >>> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> >>> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> >>> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> >>> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> >>> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> >>> 00[CFG] loading secrets from '/var/lib/strongswan/ipsec.secrets.inc'
> >>> 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
> >>> 00[CFG]   loaded EAP secret for "aceface2nd"
> >>> 00[CFG] loaded 0 RADIUS server configurations
> >>> 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
> >>> 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
> >>> 00[LIB] dropped capabilities, running as uid 0, gid 0
> >>> 00[JOB] spawning 16 worker threads
> >>> charon (3751) started after 60 ms
> >>> 03[CFG] received stroke: add connection 'rw-mschapv2'
> >>> 03[CFG] left nor right host is our side, assuming left=local
> >>> 03[CFG] adding virtual IP address pool 10.0.0.0/24
> >>> 03[CFG]   loaded certificate "C=DE, ST=Some-State, O=andy, CN=removed" from 'server.crt'
> >>> 03[CFG]   id 'removed' not confirmed by certificate, defaulting to 'C=DE, ST=Some-State, O=andy, CN=removed'
> >>> 03[CFG] added configuration 'rw-mschapv2'
> >>> 01[CFG] received stroke: initiate 'rw-mschapv2'
> >>> 01[IKE] unable to resolve %any, initiate aborted
> >>> 01[MGR] tried to check-in and delete nonexisting IKE_SA
> >>> 09[NET] received packet: from removed[500] to removed[500] (616 bytes)
> >>> 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> >>> 09[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
> >>> 09[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
> >>> 09[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
> >>> 09[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> >>> 09[IKE] removed is initiating an IKE_SA
> >>> 09[IKE] remote host is behind NAT
> >>> 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> >>> 09[NET] sending packet: from removed[500] to removed[500] (308 bytes)
> >>> 07[NET] received packet: from removed[17224] to removed[4500] (1324 bytes)
> >>> 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> >>> 07[IKE] received cert request for "C=DE, ST=Some-State, O=andy, CN=removed"
> >>> 07[IKE] received 49 cert requests for an unknown ca
> >>> 07[CFG] looking for peer configs matching removed[%any]...removed[removed]
> >>> 07[CFG] selected peer config 'rw-mschapv2'
> >>> 07[IKE] initiating EAP_IDENTITY method (id 0x00)
> >>> 07[IKE] peer supports MOBIKE
> >>> 07[IKE] authentication of 'C=DE, ST=Some-State, O=andy, CN=removed' (myself) with RSA signature successful
> >>> 07[IKE] sending end entity cert "C=DE, ST=Some-State, O=andy, CN=removed"
> >>> 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> >>> 07[NET] sending packet: from removed[4500] to removed[17224] (932 bytes)
> >>> 02[JOB] deleting half open IKE_SA after timeout
> >>>
> >>> The lumia is quitting the job with error message 13801.
> >>>
> >>> Any hints on what I need to do to correct this? I am wondering why
> >>> strongswan is logging "id . . . not confirmed by certificate" while
> >>> starting, and "unable to resolve %any".
> >>>
> >>> Thanks for your help!
> >>>
> >>> Andy
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.strongswan.org
> >>> https://lists.strongswan.org/mailman/listinfo/users

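As an added illustration (not code from this thread and not strongSwan's own implementation), the following Python models the two behaviours discussed above: a configured leftid is only kept when the certificate confirms it (otherwise the daemon falls back to the certificate's DN, which is the "id ... not confirmed by certificate, defaulting to ..." line in Andy's log), and a peer config is only selected when the peer's IDi and the IDr it asks for match the conn's IDs, with %any acting as a wildcard. The matching rules are deliberately simplified (real strongSwan also considers addresses, authentication methods and more), and every DN, hostname and conn name in the sample is constructed for the example.

```python
"""Toy model of IKEv2 identity-based conn selection, added as an example.
Not strongSwan's code; matching is simplified and all sample values are
constructed placeholders."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    subject: str                                    # subject DN of the end-entity cert
    sans: List[str] = field(default_factory=list)   # subjectAltName entries (FQDNs here)


@dataclass
class Conn:
    name: str
    leftid: str                       # our identity (responder side)
    rightid: str                      # expected peer identity, or %any
    leftcert: Optional[Cert] = None   # certificate that must confirm leftid


def strip_prefix(ident: str) -> str:
    """'@fqdn' in ipsec.conf marks an FQDN identity; drop the marker for comparison."""
    return ident[1:] if ident.startswith("@") else ident


def effective_id(configured: str, cert: Optional[Cert]) -> str:
    """Keep the configured leftid only if the certificate confirms it (subject DN
    or a subjectAltName); otherwise fall back to the certificate's subject DN,
    which is what the daemon reports as 'not confirmed by certificate'."""
    if cert is None or configured in ("", "%any"):
        return configured or "%any"
    ident = strip_prefix(configured)
    if ident == cert.subject or ident in cert.sans:
        return configured
    return cert.subject


def id_matches(configured: str, received: str) -> bool:
    """%any is a wildcard; anything else must match exactly after normalization."""
    return configured == "%any" or strip_prefix(configured) == strip_prefix(received)


def select_conn(conns: List[Conn], idi: str, idr: str = "") -> Optional[str]:
    """Responder view: the peer's IDi must match rightid, and the IDr it asked for
    (if it sent one) must match our effective leftid.  An empty idr means the
    initiator omitted IDr, so any local identity is acceptable."""
    for c in conns:
        ours = effective_id(c.leftid, c.leftcert)
        if idr and not id_matches(ours, idr):
            continue
        if not id_matches(c.rightid, idi):
            continue
        return c.name
    return None


if __name__ == "__main__":
    # Constructed sample data: DN and hostnames are placeholders, not the poster's values.
    gw_cert = Cert("C=DE, ST=Some-State, O=andy, CN=gw", sans=["vpn.example.org"])
    good = Conn("rw-mschapv2", leftid="@vpn.example.org", rightid="%any", leftcert=gw_cert)
    bad = Conn("rw-bad", leftid="@other.example.org", rightid="%any", leftcert=gw_cert)

    print(effective_id(good.leftid, gw_cert))   # @vpn.example.org (confirmed by SAN)
    print(effective_id(bad.leftid, gw_cert))    # C=DE, ST=Some-State, O=andy, CN=gw (fallback)
    print(select_conn([good], "andy"))          # rw-mschapv2 (no IDr sent, as in the log above)
    print(select_conn([bad], "andy", "other.example.org"))  # None: the ID the peer asks for was dropped
```

The last call shows the failure mode Noel describes: when the configured ID is not in the certificate, the daemon answers under the DN instead, so a client that insists on the configured FQDN as IDr no longer finds a matching config, whereas a client that omits IDr (as the Lumia does in the log) still matches.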