[strongSwan] Strongswan and WP8.1

Andreas Steffen andreas.steffen at strongswan.org
Tue Oct 28 11:58:50 CET 2014


Hi,

now it seems that the lumia does not receive the IKE_SA_INIT response
message sent by the strongSwan server. Did you change anything in
the network setup?

Regards

Andreas

On 10/28/2014 11:38 AM, raceface wrote:
> Hi Andreas,
> 
> thanks for the feedback. The leftid is already set to the FQDN of the server
> "leftid=@FQDN of the server". I also checked if I had a typo. The
> server is reachable from the internet via the FQDN.
> 
> I just removed the FQDN in the logs I sent through the list.
> 
> Now the Lumia shows me the error 809, that the server didn't respond, but
> there is a kind of communication between the lumia and strongswan:
> 
> 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> 10[NET] sending packet: from removed IP[500] to removed IP[500] (308 bytes)
> 08[NET] received packet: from remove IP[500] to removed IP[500] (616 bytes)
> 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> 08[IKE] received retransmit of request with ID 0, retransmitting response
> 08[NET] sending packet: from removed IP[500] to removed IP[500] (308 bytes)
> 15[NET] received packet: from removed IP[500] to removed IP[500] (616 bytes)
> 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> 15[IKE] received retransmit of request with ID 0, retransmitting response
> 15[NET] sending packet: from removed IP[500] to removed IP[500] (308 bytes)
> 
> Andy
> 
>> -----Original Message-----
>> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
>> Sent: Tuesday, 28 October 2014 08:01
>> To: raceface; users at lists.strongswan.org
>> Subject: Re: [strongSwan] Strongswan and WP8.1
>>
>> Hello Andy,
>>
>> see my inline comments.
>>
>> On 10/27/2014 10:24 PM, raceface wrote:
>>> Hi all,
>>>
>>> I installed strongswan 5.2 on Debian wheezy running on a KVM machine.
>>> Strongswan is up and running and can be reached from outside. But there
>>> seems to be something wrong with the certs.
>>>
>>> The ca.crt is created including
>>>
>>> basicConstraints = critical, CA:true
>>> extendedKeyUsage = serverAuth
>>> keyUsage = critical, keyCertSign, cRLSign
>>>
>>> and the server.crt is created including
>>>
>>> extendedKeyUsage = serverAuth
>>> subjectAltName = DNS:FQDN removed
>>> authorityKeyIdentifier=keyid
>>>
>> Server certificate seems ok if FQDN is contained as subjectAltName
>> and serverAuth EKU is set.
>>
>> CA certificate does not need serverAuth EKU but the presence probably
>> does not do any harm.
>>
>>> The ca.crt is already installed on the lumia and a reboot is performed.
>>>
>>> After starting strongswan with --nofork I get following messages:
>>> Starting strongSwan 5.2.0 IPsec [starter]...
>>> 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 3.2.0-4-amd64, x86_64)
>>> 00[CFG] HA config misses local/remote address
>>> 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
>>> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>>> 00[CFG]   loaded ca certificate "C=DE, ST=Some-State, O=andy, CN=removed" from '/etc/ipsec.d/cacerts/ca.crt'
>>> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>>> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>>> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>>> 00[CFG] loading crls from '/etc/ipsec.d/crls'
>>> 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>> 00[CFG] loading secrets from '/var/lib/strongswan/ipsec.secrets.inc'
>>> 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
>>> 00[CFG]   loaded EAP secret for "aceface2nd"
>>> 00[CFG] loaded 0 RADIUS server configurations
>>> 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509
>>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
>>> openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve
>>> socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
>>> eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap
>>> xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
>>> 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
>>> 00[LIB] dropped capabilities, running as uid 0, gid 0
>>> 00[JOB] spawning 16 worker threads
>>> charon (3751) started after 60 ms
>>> 03[CFG] received stroke: add connection 'rw-mschapv2'
>>> 03[CFG] left nor right host is our side, assuming left=local
>>> 03[CFG] adding virtual IP address pool 10.0.0.0/24
>>> 03[CFG]   loaded certificate "C=DE, ST=Some-State, O=andy, CN=removed" from 'server.crt'
>>> 03[CFG]   id 'removed' not confirmed by certificate, defaulting to 'C=DE, ST=Some-State, O=andy, CN=removed'
>> You have to set leftid=<FQDN of the server> as contained in the
>> subjectAltName of the certificate, because by default leftid is set to
>> the IP address defined by left which in your case is %any.
>>
>>> 03[CFG] added configuration 'rw-mschapv2'
>>> 01[CFG] received stroke: initiate 'rw-mschapv2'
>>> 01[IKE] unable to resolve %any, initiate aborted
>>> 01[MGR] tried to check-in and delete nonexisting IKE_SA
>>> 09[NET] received packet: from removed[500] to removed[500] (616 bytes)
>>> 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
>>> 09[ENC] received unknown vendor ID:
>>> 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
>>> 09[ENC] received unknown vendor ID:
>>> fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
>>> 09[ENC] received unknown vendor ID:
>>> 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
>>> 09[ENC] received unknown vendor ID:
>>> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>>> 09[IKE] removed is initiating an IKE_SA
>>> 09[IKE] remote host is behind NAT
>>> 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
>>> N(NATD_D_IP) N(MULT_AUTH) ]
>>> 09[NET] sending packet: from removed[500] to removed[500] (308 bytes)
>>> 07[NET] received packet: from removed[17224] to removed[4500] (1324 bytes)
>>> 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
>>> 07[IKE] received cert request for "C=DE, ST=Some-State, O=andy, CN=removed"
>>> 07[IKE] received 49 cert requests for an unknown ca
>>> 07[CFG] looking for peer configs matching removed[%any]...removed[removed]
>>> 07[CFG] selected peer config 'rw-mschapv2'
>>> 07[IKE] initiating EAP_IDENTITY method (id 0x00)
>>> 07[IKE] peer supports MOBIKE
>>> 07[IKE] authentication of 'C=DE, ST=Some-State, O=andy, CN=removed' (myself) with RSA signature successful
>>> 07[IKE] sending end entity cert "C=DE, ST=Some-State, O=andy, CN=removed"
>>> 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
>>> 07[NET] sending packet: from removed[4500] to removed[17224] (932 bytes)
>>> 02[JOB] deleting half open IKE_SA after timeout
>>>
>>> The lumia is quitting the job with error message 13801.
>> The Lumia has a problem either with the digital signature, the server ID,
>> the server certificate or the CA certificate. For the actual reason you
>> have to look on the Lumia side. Error message 13801 does not really help.
>>
>>> Any hints what I need to do for correction? I am wondering why strongswan
>>> is logging "id . . . not confirmed by certificate" while starting and "unable
>>> to resolve %any".
>>>
>>> Thanks for your help!
>>>
>>> Andy
>>
>> Best regards
>>
>> Andreas
>>
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
> 
> 
> 

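Added here as an illustration, not code from the thread or from the strongSwan project: a small stdlib-only Python checker that applies the three diagnoses made in this exchange (leftid not confirmed by the certificate, IKE_SA_INIT retransmits with no IKE_AUTH, IKE_AUTH answered but the half-open IKE_SA timing out) to responder-side charon log lines. The sample lines are constructed after the excerpts quoted above and 'vpn.example.org' is a placeholder FQDN.

```python
import re

# Constructed sample lines modelled on the charon output quoted in this thread (not the poster's real logs); 'vpn.example.org' is a placeholder FQDN.
STARTUP_LOG = [
    "03[CFG]   id 'vpn.example.org' not confirmed by certificate, defaulting to 'C=DE, O=andy, CN=removed'",
    "09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]",
    "07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) SA TSi TSr ]",
    "07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]",
    "02[JOB] deleting half open IKE_SA after timeout",
]
RETRANSMIT_LOG = [
    "10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]",
    "08[IKE] received retransmit of request with ID 0, retransmitting response",
    "15[IKE] received retransmit of request with ID 0, retransmitting response",
]

ID_NOT_CONFIRMED = re.compile(r"id '([^']*)' not confirmed by certificate")
RETRANSMIT = re.compile(r"received retransmit of request with ID (\d+)")

def diagnose(lines):
    """Collect the responder-side facts that the three diagnoses in the thread rely on."""
    f = {"leftid_mismatch": None, "init_retransmits": 0,
         "auth_response_sent": False, "half_open_timeout": False}
    for line in lines:
        m = ID_NOT_CONFIRMED.search(line)
        if m:  # the configured leftid is not an identity contained in the loaded certificate
            f["leftid_mismatch"] = m.group(1)
        m = RETRANSMIT.search(line)
        if m and m.group(1) == "0":  # message ID 0 is the IKE_SA_INIT exchange
            f["init_retransmits"] += 1
        if "generating IKE_AUTH response" in line:
            f["auth_response_sent"] = True
        if "deleting half open IKE_SA after timeout" in line:
            f["half_open_timeout"] = True
    return f

def explain(f):
    """Map the collected facts to the hints given in the thread."""
    hints = []
    if f["leftid_mismatch"] is not None:
        hints.append(f"leftid {f['leftid_mismatch']!r} is not confirmed by the certificate: "
                     "set leftid to the FQDN carried in its subjectAltName")
    if f["init_retransmits"] and not f["auth_response_sent"]:
        hints.append("peer keeps retransmitting IKE_SA_INIT: our response never reaches it, "
                     "check the network path from this host back to the peer")
    if f["auth_response_sent"] and f["half_open_timeout"]:
        hints.append("IKE_AUTH response sent but the peer never continued: it rejected our "
                     "certificate, signature or ID locally, so look at the client-side error")
    return hints
```

Feed it the output of charon run with --nofork (or the charon entries from syslog) to see which of the three situations a given connection attempt matches.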
