[strongSwan] Strongswan and WP8.1

raceface raceface_the_one at gmx.net
Tue Oct 28 13:09:30 CET 2014


No, I didn't change anything.

Best regards!

Andy

> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Tuesday, 28 October 2014 11:59
> To: raceface; users at lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan and WP8.1
> 
> Hi,
> 
> now it seems that the lumia does not receive the IKE_SA_INIT response
> message sent by the strongSwan server. Did you change anything in
> the network setup?
> 
> Regards
> 
> Andreas
> 
> On 10/28/2014 11:38 AM, raceface wrote:
> > Hi Andreas,
> >
> > thanks for the feedback. The leftid is already set to the FQDN of the
> > server "leftid=@FQDN of the server". I also checked if I had a typo error.
> > The server is reachable from the internet via the FQDN.
> >
> > I just removed the FQDN in the logs I sent through the list.
> >
> > Now the Lumia shows me the error 809, that the server didn't respond,
> but
> > there is a kind of communication between the lumia and strongswan:
> >
> > 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> > 10[NET] sending packet: from removed IP[500] to removed IP[500] (308 bytes)
> > 08[NET] received packet: from removed IP[500] to removed IP[500] (616 bytes)
> > 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> > 08[IKE] received retransmit of request with ID 0, retransmitting response
> > 08[NET] sending packet: from removed IP[500] to removed IP[500] (308 bytes)
> > 15[NET] received packet: from removed IP[500] to removed IP[500] (616 bytes)
> > 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> > 15[IKE] received retransmit of request with ID 0, retransmitting response
> > 15[NET] sending packet: from removed IP[500] to removed IP[500] (308 bytes)
> >
> > Andy
> >
> >> -----Original Message-----
> >> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> >> Sent: Tuesday, 28 October 2014 08:01
> >> To: raceface; users at lists.strongswan.org
> >> Subject: Re: [strongSwan] Strongswan and WP8.1
> >>
> >> Hello Andy,
> >>
> >> see my inline comments.
> >>
> >> On 10/27/2014 10:24 PM, raceface wrote:
> >>> Hi all,
> >>>
> >>> I installed strongswan 5.2 on Debian wheezy running on a KVM machine.
> >>> Strongswan is up and running and can be reached from outside. But there
> >>> seems to be something wrong with the certs.
> >>>
> >>> The ca.crt is created including
> >>>
> >>> basicConstraints = critical, CA:true
> >>> extendedKeyUsage = serverAuth
> >>> keyUsage = critical, keyCertSign, cRLSign
> >>>
> >>> and the server.crt is created including
> >>>
> >>> extendedKeyUsage = serverAuth
> >>> subjectAltName = DNS:FQDN removed
> >>> authorityKeyIdentifier=keyid
> >>>
> >> Server certificate seems ok if FQDN is contained as subjectAltName
> >> and serverAuth EKU is set.
> >>
> >> CA certificate does not need serverAuth EKU but the presence probably
> >> does not do any harm.
> >>
> >>> The ca.crt is already installed on the lumia and a reboot is performed.
> >>>
> >>> After starting strongswan with --nofork I get following messages:
> >>> Starting strongSwan 5.2.0 IPsec [starter]...
> >>> 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 3.2.0-4-amd64, x86_64)
> >>> 00[CFG] HA config misses local/remote address
> >>> 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
> >>> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> >>> 00[CFG]   loaded ca certificate "C=DE, ST=Some-State, O=andy, CN=removed" from '/etc/ipsec.d/cacerts/ca.crt'
> >>> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> >>> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> >>> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> >>> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> >>> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> >>> 00[CFG] loading secrets from '/var/lib/strongswan/ipsec.secrets.inc'
> >>> 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
> >>> 00[CFG]   loaded EAP secret for "aceface2nd"
> >>> 00[CFG] loaded 0 RADIUS server configurations
> >>> 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
> >>> 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
> >>> 00[LIB] dropped capabilities, running as uid 0, gid 0
> >>> 00[JOB] spawning 16 worker threads
> >>> charon (3751) started after 60 ms
> >>> 03[CFG] received stroke: add connection 'rw-mschapv2'
> >>> 03[CFG] left nor right host is our side, assuming left=local
> >>> 03[CFG] adding virtual IP address pool 10.0.0.0/24
> >>> 03[CFG]   loaded certificate "C=DE, ST=Some-State, O=andy, CN=removed" from 'server.crt'
> >>> 03[CFG]   id 'removed' not confirmed by certificate, defaulting to 'C=DE, ST=Some-State, O=andy, CN=removed'
> >> You have to set leftid=<FQDN of the server> as contained in the
> >> subjectAltName of the certificate, because by default leftid is set to
> >> the IP address defined by left which in your case is %any.
> >>
> >>> 03[CFG] added configuration 'rw-mschapv2'
> >>> 01[CFG] received stroke: initiate 'rw-mschapv2'
> >>> 01[IKE] unable to resolve %any, initiate aborted
> >>> 01[MGR] tried to check-in and delete nonexisting IKE_SA
> >>> 09[NET] received packet: from removed[500] to removed[500] (616 bytes)
> >>> 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> >>> 09[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
> >>> 09[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
> >>> 09[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
> >>> 09[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> >>> 09[IKE] removed is initiating an IKE_SA
> >>> 09[IKE] remote host is behind NAT
> >>> 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> >>> 09[NET] sending packet: from removed[500] to removed[500] (308 bytes)
> >>> 07[NET] received packet: from removed[17224] to removed[4500] (1324 bytes)
> >>> 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> >>> 07[IKE] received cert request for "C=DE, ST=Some-State, O=andy, CN=removed"
> >>> 07[IKE] received 49 cert requests for an unknown ca
> >>> 07[CFG] looking for peer configs matching removed[%any]...removed[removed]
> >>> 07[CFG] selected peer config 'rw-mschapv2'
> >>> 07[IKE] initiating EAP_IDENTITY method (id 0x00)
> >>> 07[IKE] peer supports MOBIKE
> >>> 07[IKE] authentication of 'C=DE, ST=Some-State, O=andy, CN=removed' (myself) with RSA signature successful
> >>> 07[IKE] sending end entity cert "C=DE, ST=Some-State, O=andy, CN=removed"
> >>> 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> >>> 07[NET] sending packet: from removed[4500] to removed[17224] (932 bytes)
> >>> 02[JOB] deleting half open IKE_SA after timeout
> >>>
> >>> The lumia is quitting the job with error message 13801.
> >> The Lumia has a problem either with the digital signature, the server ID,
> >> the server certificate or the CA certificate. For the actual reason you
> >> have to look on the Lumia side. Error message 13801 does not really help.
> >>
> >>> Any hints what I need to do for correction? I am wondering that
> >>> strongswan is logging "id . . . not confirmed by certificate" while
> >>> starting and "unable to resolve %any".
> >>>
> >>> Thanks for your help!
> >>>
> >>> Andy
> >>
> >> Best regards
> >>
> >> Andreas
> >>
> >>
> >> ======================================================================
> >> Andreas Steffen                         andreas.steffen at strongswan.org
> >> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> >> Institute for Internet Technologies and Applications
> >> University of Applied Sciences Rapperswil
> >> CH-8640 Rapperswil (Switzerland)
> >> ===========================================================[ITA-HSR]==
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
> >
> 
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
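The thread above walks through three distinct charon log signatures: the "id ... not confirmed by certificate" warning at startup (leftid does not match the server certificate), an IKE_AUTH response followed by "deleting half open IKE_SA after timeout" (the client received the server's AUTH and rejected it, the run that ended in error 13801 on the Lumia), and repeated "received retransmit of request with ID 0" after an IKE_SA_INIT response was sent (the response never reaches the client, the run that ended in error 809). The script below is an added example, not strongSwan code and not something posted in the thread: it parses charon log lines of the `NN[SUBSYS] message` form and reports which of those three signatures a connection attempt shows. The two embedded log samples are constructed, condensed from the lines quoted in the thread with the redacted names and addresses replaced by `vpn.example.net` and RFC 5737 documentation addresses; the finding names and the thresholds (two retransmits of exchange 0 with no IKE_AUTH request seen) are this example's own choices.

```python
"""Triage strongSwan charon log lines for the three failure signatures discussed
in this thread.  Added example, not strongSwan code; sample logs are constructed."""
import re

# charon line format: "<thread>[<SUBSYSTEM>] <message>"
LINE_RE = re.compile(r"^(?P<thread>\d+)\[(?P<sub>[A-Z]+)\]\s+(?P<msg>.*)$")

# Constructed sample 1: first run in the thread.  Server answers IKE_AUTH with its
# certificate, then the half-open SA times out (phone reported 13801).
RUN_13801 = """\
03[CFG]   id 'vpn.example.net' not confirmed by certificate, defaulting to 'C=DE, ST=Some-State, O=andy, CN=vpn.example.net'
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
07[IKE] authentication of 'C=DE, ST=Some-State, O=andy, CN=vpn.example.net' (myself) with RSA signature successful
07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
02[JOB] deleting half open IKE_SA after timeout
"""

# Constructed sample 2: second run in the thread.  The IKE_SA_INIT response is sent
# but the peer keeps retransmitting exchange 0 (phone reported 809).
RUN_809 = """\
10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
10[NET] sending packet: from 203.0.113.10[500] to 198.51.100.7[500] (308 bytes)
08[NET] received packet: from 198.51.100.7[500] to 203.0.113.10[500] (616 bytes)
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
08[IKE] received retransmit of request with ID 0, retransmitting response
15[IKE] received retransmit of request with ID 0, retransmitting response
"""


def parse(log_text):
    """Yield (subsystem, message) for every well-formed charon line; skip the rest."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sub"), m.group("msg")


def diagnose(log_text):
    """Return a sorted list of finding codes (names chosen for this example)."""
    msgs = [msg for _, msg in parse(log_text)]
    findings = set()

    # 1. leftid is not an identity carried by the server certificate, so charon
    #    falls back to the subject DN as IDr.  Per the thread, leftid must be the
    #    FQDN that appears in the certificate's subjectAltName.
    if any("not confirmed by certificate" in m for m in msgs):
        findings.add("leftid-not-in-certificate")

    # 2. We answered IKE_SA_INIT, yet the peer keeps retransmitting exchange 0 and
    #    never sends IKE_AUTH: our UDP/500 response is not reaching it (return
    #    path, NAT or firewall), which the client saw as "server did not respond".
    sent_init_resp = any(m.startswith("generating IKE_SA_INIT response") for m in msgs)
    retransmits = sum("retransmit of request with ID 0" in m for m in msgs)
    got_auth_req = any(m.startswith("parsed IKE_AUTH request") for m in msgs)
    if sent_init_resp and retransmits >= 2 and not got_auth_req:
        findings.add("ike-sa-init-response-not-received")

    # 3. We sent our IKE_AUTH response (CERT + AUTH) and then expired the half-open
    #    SA: the client received our authentication and silently rejected it
    #    (signature, server ID, server certificate or CA certificate, as in the thread).
    sent_auth_resp = any(m.startswith("generating IKE_AUTH response") for m in msgs)
    timed_out = any("deleting half open IKE_SA after timeout" in m for m in msgs)
    if sent_auth_resp and timed_out:
        findings.add("client-rejected-server-auth")

    return sorted(findings)


if __name__ == "__main__":
    for name, log in (("run 1 (13801)", RUN_13801), ("run 2 (809)", RUN_809)):
        print(name, diagnose(log))
```

Run it against `ipsec.conf`-era charon output (`ipsec start --nofork` as in the thread, or the charon syslog lines with the thread-number prefix intact). Finding 2 is the one the server log proves on its own; findings 1 and 3 point at the certificate and identity setup, and the actual rejection reason still has to be read on the client, as Andreas notes.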



