[strongSwan] Strongswan and WP8.1

Andreas Steffen andreas.steffen at strongswan.org
Tue Oct 28 08:01:07 CET 2014

Hello Andy,

see my inline comments.

On 10/27/2014 10:24 PM, raceface wrote:
> Hi all,
> I installed strongswan 5.2 on Debian wheezy running on a KVM machine.
> Strongswan is up and running and can be reached from outside. But there
> seems to be something wrong with the certs.
> The ca.crt is created including
> basicConstraints = critical, CA:true
> extendedKeyUsage = serverAuth
> keyUsage = critical, keyCertSign, cRLSign
> and the server.crt is created including
> extendedKeyUsage = serverAuth
> subjectAltName = DNS:FQDN removed
> authorityKeyIdentifier=keyid
Server certificate seems ok if FQDN is contained as subjectAltName
and serverAuth EKU is set.

CA certificate does not need serverAuth EKU but the presence probably
does not do any harm.

> The ca.crt is already installed on the lumia and a reboot is performed.
> After starting strongswan with --nofork I get following messages:
> Starting strongSwan 5.2.0 IPsec [starter]...
> 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 3.2.0-4-amd64,
> x86_64)
> 00[CFG] HA config misses local/remote address
> 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG]   loaded ca certificate "C=DE, ST=Some-State, O=andy, CN=removed"
> from '/etc/ipsec.d/cacerts/ca.crt'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG] loading secrets from '/var/lib/strongswan/ipsec.secrets.inc'
> 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
> 00[CFG]   loaded EAP secret for "aceface2nd"
> 00[CFG] loaded 0 RADIUS server configurations
> 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
> openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve
> socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
> eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap
> xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
> 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
> 00[LIB] dropped capabilities, running as uid 0, gid 0
> 00[JOB] spawning 16 worker threads
> charon (3751) started after 60 ms
> 03[CFG] received stroke: add connection 'rw-mschapv2'
> 03[CFG] left nor right host is our side, assuming left=local
> 03[CFG] adding virtual IP address pool
> 03[CFG]   loaded certificate "C=DE, ST=Some-State, O=andy, CN=removed" from
> 'server.crt'
> 03[CFG]   id 'removed' not confirmed by certificate, defaulting to 'C=DE,
> ST=Some-State, O=andy, CN=removed'
You have to set leftid=<FQDN of the server> as contained in the
subjectAltName of the certificate, because by default leftid is set to
the IP address defined by left which in your case is %any.

> 03[CFG] added configuration 'rw-mschapv2'
> 01[CFG] received stroke: initiate 'rw-mschapv2'
> 01[IKE] unable to resolve %any, initiate aborted
> 01[MGR] tried to check-in and delete nonexisting IKE_SA
> 09[NET] received packet: from removed[500] to removed[500] (616 bytes)
> 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V
> V V V ]
> 09[ENC] received unknown vendor ID:
> 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
> 09[ENC] received unknown vendor ID:
> fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
> 09[ENC] received unknown vendor ID:
> 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
> 09[ENC] received unknown vendor ID:
> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> 09[IKE] removed is initiating an IKE_SA
> 09[IKE] remote host is behind NAT
> 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> 09[NET] sending packet: from removed[500] to removed[500] (308 bytes)
> 07[NET] received packet: from removed[17224] to removed[4500] (1324 bytes)
> 07[IKE] received cert request for "C=DE, ST=Some-State, O=andy, CN=removed"
> 07[IKE] received 49 cert requests for an unknown ca
> 07[CFG] looking for peer configs matching removed[%any]...removed[removed]
> 07[CFG] selected peer config 'rw-mschapv2'
> 07[IKE] initiating EAP_IDENTITY method (id 0x00)
> 07[IKE] peer supports MOBIKE
> 07[IKE] authentication of 'C=DE, ST=Some-State, O=andy, CN=removed' (myself)
> with RSA signature successful
> 07[IKE] sending end entity cert "C=DE, ST=Some-State, O=andy, CN=removed"
> 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> 07[NET] sending packet: from removed[4500] to removed[17224] (932 bytes)
> 02[JOB] deleting half open IKE_SA after timeout
> The lumia is quitting the job with error message 13801.
The Lumia has a problem either with the digital signature, the server ID,
the server certificate or the CA certificate. For the actual reason you
have to look on the Lumia side. Error message 13801 does not really help.

> Any hints what I need to do for correction? I am wondering why strongswan
> is logging "id . . . not confirmed by certificate" while starting and "unable
> to resolve %any".
> Thanks for your help!
> Andy

Best regards


Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
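The certificate properties discussed above (FQDN in subjectAltName, serverAuth EKU, a CA that is not itself the server cert, leftid matching the SAN), as an added example that is not from this thread: a shell script using openssl (assumed to be version 1.1.1 or later) that issues a constructed CA and server certificate with the extensions Andy listed, then checks them before printing the leftid line to use. The FQDN and DN values are placeholders.

```shell
#!/bin/sh
# Added example, not from the strongSwan thread. Builds a throwaway CA and
# server certificate with the extensions from the thread, then verifies the
# properties strongSwan relies on. All names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FQDN="vpn.example.test"   # placeholder for the real server FQDN

# CA key/cert: CA:true plus keyCertSign/cRLSign, no serverAuth EKU needed.
# subjectKeyIdentifier is added so the server cert's AKI can reference it.
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/ca.key" \
  -out "$WORK/ca.csr" -subj "/C=DE/O=example/CN=Example VPN CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
  > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1

# Server key/cert: SAN carrying the FQDN, serverAuth EKU, signed by the CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/server.key" \
  -out "$WORK/server.csr" -subj "/C=DE/O=example/CN=$FQDN" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nauthorityKeyIdentifier=keyid\n' \
  "$FQDN" > "$WORK/server.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" \
  -out "$WORK/server.crt" >/dev/null 2>&1

# check_server_cert CERT FQDN CAFILE: returns 0 only if the cert carries
# DNS:FQDN in its SAN, has the serverAuth EKU, is not a CA, and chains to CAFILE.
check_server_cert() {
  cert=$1; fqdn=$2; ca=$3
  txt=$(openssl x509 -in "$cert" -noout -text)
  echo "$txt" | grep -q "DNS:$fqdn" || { echo "missing SAN DNS:$fqdn"; return 1; }
  echo "$txt" | grep -q "TLS Web Server Authentication" || { echo "missing serverAuth EKU"; return 1; }
  echo "$txt" | grep -q "CA:TRUE" && { echo "server cert must not be a CA"; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "does not chain to CA"; return 1; }
  return 0
}

# Only when all checks pass is this leftid value safe to put in ipsec.conf.
check_server_cert "$WORK/server.crt" "$FQDN" "$WORK/ca.crt" && echo "leftid=$FQDN"
```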
