[strongSwan] Strongswan and WP8.1

raceface raceface_the_one at gmx.net
Tue Oct 28 11:38:38 CET 2014


Hi Andreas,

thanks for the feedback. The leftid is already set to the FQDN of the server
("leftid=@FQDN of the server"). I also checked whether I had made a typo. The
server is reachable from the internet via the FQDN.

I just removed the FQDN in the logs I sent through the list.

Now the Lumia shows me error 809, that the server didn't respond, but
there is a kind of communication between the Lumia and strongSwan:

10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
10[NET] sending packet: from removed IP[500] to removed IP[500] (308 bytes)
08[NET] received packet: from removed IP[500] to removed IP[500] (616 bytes)
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
08[IKE] received retransmit of request with ID 0, retransmitting response
08[NET] sending packet: from removed IP[500] to removed IP[500] (308 bytes)
15[NET] received packet: from removed IP[500] to removed IP[500] (616 bytes)
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
15[IKE] received retransmit of request with ID 0, retransmitting response
15[NET] sending packet: from removed IP[500] to removed IP[500] (308 bytes)

Andy

> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Tuesday, 28 October 2014 08:01
> To: raceface; users at lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan and WP8.1
> 
> Hello Andy,
> 
> see my inline comments.
> 
> On 10/27/2014 10:24 PM, raceface wrote:
> > Hi all,
> >
> > I installed strongswan 5.2 on Debian wheezy running on a KVM machine.
> > Strongswan is up and running and can be reached from outside. But there
> > seems to be something wrong with the certs.
> >
> > The ca.crt is created including
> >
> > basicConstraints = critical, CA:true
> > extendedKeyUsage = serverAuth
> > keyUsage = critical, keyCertSign, cRLSign
> >
> > and the server.crt is created including
> >
> > extendedKeyUsage = serverAuth
> > subjectAltName = DNS:FQDN removed
> > authorityKeyIdentifier=keyid
> >
> Server certificate seems ok if FQDN is contained as subjectAltName
> and serverAuth EKU is set.
> 
> CA certificate does not need serverAuth EKU but the presence probably
> does not do any harm.
> 
> > The ca.crt is already installed on the Lumia and a reboot is performed.
> >
> > After starting strongswan with --nofork I get the following messages:
> > Starting strongSwan 5.2.0 IPsec [starter]...
> > 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 3.2.0-4-amd64, x86_64)
> > 00[CFG] HA config misses local/remote address
> > 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
> > 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> > 00[CFG]   loaded ca certificate "C=DE, ST=Some-State, O=andy, CN=removed" from '/etc/ipsec.d/cacerts/ca.crt'
> > 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> > 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> > 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> > 00[CFG] loading crls from '/etc/ipsec.d/crls'
> > 00[CFG] loading secrets from '/etc/ipsec.secrets'
> > 00[CFG] loading secrets from '/var/lib/strongswan/ipsec.secrets.inc'
> > 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
> > 00[CFG]   loaded EAP secret for "aceface2nd"
> > 00[CFG] loaded 0 RADIUS server configurations
> > 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
> > 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
> > 00[LIB] dropped capabilities, running as uid 0, gid 0
> > 00[JOB] spawning 16 worker threads
> > charon (3751) started after 60 ms
> > 03[CFG] received stroke: add connection 'rw-mschapv2'
> > 03[CFG] left nor right host is our side, assuming left=local
> > 03[CFG] adding virtual IP address pool 10.0.0.0/24
> > 03[CFG]   loaded certificate "C=DE, ST=Some-State, O=andy, CN=removed" from 'server.crt'
> > 03[CFG]   id 'removed' not confirmed by certificate, defaulting to 'C=DE, ST=Some-State, O=andy, CN=removed'
> You have to set leftid=<FQDN of the server> as contained in the
> subjectAltName of the certificate, because by default leftid is set to
> the IP address defined by left which in your case is %any.
> 
> > 03[CFG] added configuration 'rw-mschapv2'
> > 01[CFG] received stroke: initiate 'rw-mschapv2'
> > 01[IKE] unable to resolve %any, initiate aborted
> > 01[MGR] tried to check-in and delete nonexisting IKE_SA
> > 09[NET] received packet: from removed[500] to removed[500] (616 bytes)
> > 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> > 09[ENC] received unknown vendor ID:
> > 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
> > 09[ENC] received unknown vendor ID:
> > fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
> > 09[ENC] received unknown vendor ID:
> > 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
> > 09[ENC] received unknown vendor ID:
> > 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> > 09[IKE] removed is initiating an IKE_SA
> > 09[IKE] remote host is behind NAT
> > 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> > 09[NET] sending packet: from removed[500] to removed[500] (308 bytes)
> > 07[NET] received packet: from removed[17224] to removed[4500] (1324 bytes)
> > 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> > 07[IKE] received cert request for "C=DE, ST=Some-State, O=andy, CN=removed"
> > 07[IKE] received 49 cert requests for an unknown ca
> > 07[CFG] looking for peer configs matching removed[%any]...removed[removed]
> > 07[CFG] selected peer config 'rw-mschapv2'
> > 07[IKE] initiating EAP_IDENTITY method (id 0x00)
> > 07[IKE] peer supports MOBIKE
> > 07[IKE] authentication of 'C=DE, ST=Some-State, O=andy, CN=removed' (myself) with RSA signature successful
> > 07[IKE] sending end entity cert "C=DE, ST=Some-State, O=andy, CN=removed"
> > 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> > 07[NET] sending packet: from removed[4500] to removed[17224] (932 bytes)
> > 02[JOB] deleting half open IKE_SA after timeout
> >
> > The Lumia is quitting the job with error message 13801.
> The Lumia has a problem either with the digital signature, the server ID,
> the server certificate or the CA certificate. For the actual reason you
> have to look on the Lumia side. Error message 13801 does not really help.
> 
> > Any hints on what I need to do for correction? I am wondering why
> > strongswan is logging "id . . . not confirmed by certificate" while
> > starting and "unable to resolve %any".
> >
> > Thanks for your help!
> >
> > Andy
> 
> Best regards
> 
> Andreas
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
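As an added example (not from the thread or from the strongSwan project), a small Python triage script that runs over charon log lines like those quoted above and flags the three symptoms discussed: the "id ... not confirmed by certificate" warning (leftid not matching the certificate), repeated IKE_SA_INIT retransmits (the client never sees our responses), and a half-open IKE_SA dropped after the server already sent its IKE_AUTH response (the client gave up on its side). The hostname vpn.example.org and the sample log are constructed.

```python
import re

# Constructed sample (not the thread's redacted log), modelled on the lines quoted above.
SAMPLE_LOG = """\
03[CFG]   id 'vpn.example.org' not confirmed by certificate, defaulting to 'C=DE, ST=Some-State, O=andy, CN=vpn.example.org'
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
08[IKE] received retransmit of request with ID 0, retransmitting response
15[IKE] received retransmit of request with ID 0, retransmitting response
07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
02[JOB] deleting half open IKE_SA after timeout
"""

# charon log format: "<thread>[<SUBSYSTEM>] <message>"
LINE_RE = re.compile(r"^\d+\[([A-Z]+)\]\s+(.*)$")
NOT_CONFIRMED_RE = re.compile(r"id '([^']+)' not confirmed by certificate")


def parse(log):
    """Yield (subsystem, message) for every well-formed charon line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log):
    """Return [(code, detail), ...] for the three symptoms discussed in the thread."""
    findings, init_retransmits, sent_ike_auth = [], 0, False
    for subsys, msg in parse(log):
        m = NOT_CONFIRMED_RE.search(msg)
        if subsys == "CFG" and m:
            # leftid does not match the subjectAltName (or subject) of the loaded certificate
            findings.append(("LEFTID_MISMATCH",
                             "leftid '%s' is not in the server certificate" % m.group(1)))
        elif subsys == "IKE" and "received retransmit of request with ID 0" in msg:
            init_retransmits += 1
        elif subsys == "ENC" and "generating IKE_AUTH response" in msg:
            sent_ike_auth = True
        elif subsys == "JOB" and "deleting half open IKE_SA after timeout" in msg and sent_ike_auth:
            # We sent our cert in IKE_AUTH and heard nothing back: the client
            # rejected something on its side (certificate, server ID or signature).
            findings.append(("CLIENT_ABORT_AFTER_AUTH",
                             "client went silent after receiving our IKE_AUTH response"))
    if init_retransmits:
        # The client keeps resending IKE_SA_INIT: our responses never reach it.
        findings.append(("INIT_RETRANSMIT",
                         "%d IKE_SA_INIT retransmits; check the UDP 500/4500 return path"
                         % init_retransmits))
    return findings
```

Feed it the output of charon run with --nofork (or the syslog lines); a half-open timeout without a preceding IKE_AUTH response is deliberately not flagged, since that pattern is just an unanswered IKE_SA_INIT.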
