[strongSwan] agile vpn or win ipsec policy

jotpe jotpe.osm at gmail.com
Wed Sep 3 12:17:01 CEST 2014


Hello list, thank you for your help.

Now I have found a configuration which makes the Win7 client accept my
X.509 user certificate, and I finally established a connection!

I did it this way:

---------- bash -----------
# CA: generate the CA key and a self-signed CA certificate
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=DE, O=me, CN=FS_CA" --ca \
    --outform pem > caCert.pem
# Fileservice SERVER: key plus a serverAuth certificate with the host name as SAN
ipsec pki --gen --outform pem > fsKey.pem
ipsec pki --pub --in fsKey.pem | ipsec pki --issue --cacert caCert.pem \
    --cakey caKey.pem --flag serverAuth --san fileservice.me \
    --dn "C=DE, O=me, CN=fileservice.me" --outform pem > fsCert.pem
# WIN 7 CLIENT: key plus a client certificate
ipsec pki --gen --outform pem > testumgebungKey.pem
# this --san 167.225.8.209 was the last difficulty
ipsec pki --pub --in testumgebungKey.pem | ipsec pki --issue --cacert caCert.pem \
    --cakey caKey.pem --dn "C=DE, O=me, CN=egal" --san 167.225.8.209 \
    --outform pem > testumgebungCert.pem
# bundle client key, client cert and CA cert into a PKCS#12 file for import on Windows
# (file names are case-sensitive: -certfile must name the caCert.pem written above)
openssl pkcs12 -export -inkey testumgebungKey.pem -in testumgebungCert.pem \
    -name "testumgebung" -certfile caCert.pem -caname "FS_CA" \
    -out testumgebungCert.p12
------ end bash -----------


------- ipsec.conf --------
config setup
    # only relevant to strongSwan 4.x (IKEv1 pluto daemon); ignored by 5.x
    plutostart=no

conn win7
    left=%defaultroute
    # server authenticates with its certificate (RSA signature)
    leftcert=fsCert.pem
    leftauth=pubkey
    right=%any
    # client authenticates via EAP-TLS with the user certificate from the .p12
    rightauth=eap-tls
    rightsendcert=never
    # pool from which the client's virtual IP is assigned
    rightsourceip=192.168.2.0/24
    keyexchange=ikev2
    auto=add
------- ipsec.conf end ----


------- daemon.log ---------
Sep  3 11:33:33 Microknoppix charon: 16[NET] received packet: from 167.225.8.209[500] to 167.225.10.104[500]
Sep  3 11:33:33 Microknoppix charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep  3 11:33:33 Microknoppix charon: 16[IKE] 167.225.8.209 is initiating an IKE_SA
Sep  3 11:33:33 Microknoppix charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep  3 11:33:33 Microknoppix charon: 16[NET] sending packet: from 167.225.10.104[500] to 167.225.8.209[500]
Sep  3 11:33:33 Microknoppix charon: 05[NET] received packet: from 167.225.8.209[4500] to 167.225.10.104[4500]
Sep  3 11:33:33 Microknoppix charon: 05[ENC] unknown attribute type INTERNAL_IP4_SERVER
Sep  3 11:33:33 Microknoppix charon: 05[ENC] unknown attribute type INTERNAL_IP6_SERVER
Sep  3 11:33:33 Microknoppix charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Sep  3 11:33:33 Microknoppix charon: 05[IKE] received cert request for "C=DE, O=me, CN=FS_CA"
Sep  3 11:33:33 Microknoppix charon: 05[IKE] received 10 cert requests for an unknown ca
Sep  3 11:33:33 Microknoppix charon: 05[CFG] looking for peer configs matching 167.225.10.104[%any]...167.225.8.209[167.225.8.209]
Sep  3 11:33:33 Microknoppix charon: 05[CFG] selected peer config 'win7'
Sep  3 11:33:33 Microknoppix charon: 05[IKE] initiating EAP_TLS method (id 0xC5)
Sep  3 11:33:33 Microknoppix charon: 05[IKE] peer supports MOBIKE
Sep  3 11:33:33 Microknoppix charon: 05[IKE] authentication of 'C=DE, O=me, CN=fileservice.me' (myself) with RSA signature successful
Sep  3 11:33:33 Microknoppix charon: 05[IKE] sending end entity cert "C=DE, O=me, CN=fileservice.me"
Sep  3 11:33:33 Microknoppix charon: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TLS ]
Sep  3 11:33:33 Microknoppix charon: 05[NET] sending packet: from 167.225.10.104[4500] to 167.225.8.209[4500]
Sep  3 11:33:33 Microknoppix charon: 01[NET] received packet: from 167.225.8.209[4500] to 167.225.10.104[4500]
Sep  3 11:33:33 Microknoppix charon: 01[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TLS ]
Sep  3 11:33:33 Microknoppix charon: 01[TLS] received TLS 'renegotiation info' extension
Sep  3 11:33:33 Microknoppix charon: 01[TLS] received TLS 'elliptic curves' extension
Sep  3 11:33:33 Microknoppix charon: 01[TLS] received TLS 'ec point formats' extension
Sep  3 11:33:33 Microknoppix charon: 01[TLS] negotiated TLS version TLS 1.0 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Sep  3 11:33:33 Microknoppix charon: 01[TLS] sending TLS server certificate 'C=DE, O=me, CN=fileservice.me'
Sep  3 11:33:33 Microknoppix charon: 01[TLS] sending TLS cert request for 'C=DE, O=me, CN=FS_CA'
Sep  3 11:33:33 Microknoppix charon: 01[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TLS ]
Sep  3 11:33:33 Microknoppix charon: 01[NET] sending packet: from 167.225.10.104[4500] to 167.225.8.209[4500]
Sep  3 11:33:33 Microknoppix charon: 04[NET] received packet: from 167.225.8.209[4500] to 167.225.10.104[4500]
Sep  3 11:33:33 Microknoppix charon: 04[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TLS ]
Sep  3 11:33:33 Microknoppix charon: 04[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TLS ]
Sep  3 11:33:33 Microknoppix charon: 04[NET] sending packet: from 167.225.10.104[4500] to 167.225.8.209[4500]
Sep  3 11:33:33 Microknoppix charon: 14[NET] received packet: from 167.225.8.209[4500] to 167.225.10.104[4500]
Sep  3 11:33:33 Microknoppix charon: 14[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TLS ]
Sep  3 11:33:33 Microknoppix charon: 14[TLS] received TLS peer certificate 'C=DE, O=me, CN=egal'
Sep  3 11:33:33 Microknoppix charon: 14[CFG]   using certificate "C=DE, O=me, CN=egal"
Sep  3 11:33:33 Microknoppix charon: 14[CFG]   using trusted ca certificate "C=DE, O=me, CN=FS_CA"
Sep  3 11:33:33 Microknoppix charon: 14[CFG] checking certificate status of "C=DE, O=me, CN=egal"
Sep  3 11:33:33 Microknoppix charon: 14[CFG] certificate status is not available
Sep  3 11:33:33 Microknoppix charon: 14[CFG]   reached self-signed root ca with a path length of 0
Sep  3 11:33:33 Microknoppix charon: 14[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TLS ]
Sep  3 11:33:33 Microknoppix charon: 14[NET] sending packet: from 167.225.10.104[4500] to 167.225.8.209[4500]
Sep  3 11:33:33 Microknoppix charon: 02[NET] received packet: from 167.225.8.209[4500] to 167.225.10.104[4500]
Sep  3 11:33:33 Microknoppix charon: 02[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TLS ]
Sep  3 11:33:33 Microknoppix charon: 02[IKE] EAP method EAP_TLS succeeded, MSK established
Sep  3 11:33:33 Microknoppix charon: 02[ENC] generating IKE_AUTH response 5 [ EAP/SUCC ]
Sep  3 11:33:33 Microknoppix charon: 02[NET] sending packet: from 167.225.10.104[4500] to 167.225.8.209[4500]
Sep  3 11:33:33 Microknoppix charon: 15[NET] received packet: from 167.225.8.209[4500] to 167.225.10.104[4500]
Sep  3 11:33:33 Microknoppix charon: 15[ENC] parsed IKE_AUTH request 6 [ AUTH ]
Sep  3 11:33:33 Microknoppix charon: 15[IKE] authentication of '167.225.8.209' with EAP successful
Sep  3 11:33:33 Microknoppix charon: 15[IKE] authentication of 'C=DE, O=me, CN=fileservice.me' (myself) with EAP
Sep  3 11:33:33 Microknoppix charon: 15[IKE] IKE_SA win7[2] established between 167.225.10.104[C=DE, O=me, CN=fileservice.me]...167.225.8.209[167.225.8.209]
Sep  3 11:33:33 Microknoppix charon: 15[IKE] scheduling reauthentication in 9883s
Sep  3 11:33:33 Microknoppix charon: 15[IKE] maximum IKE_SA lifetime 10423s
Sep  3 11:33:33 Microknoppix charon: 15[IKE] peer requested virtual IP %any6
Sep  3 11:33:33 Microknoppix charon: 15[CFG] reassigning offline lease to '167.225.8.209'
Sep  3 11:33:33 Microknoppix charon: 15[IKE] assigning virtual IP 192.168.2.1 to peer '167.225.8.209'
Sep  3 11:33:33 Microknoppix charon: 15[IKE] CHILD_SA win7{2} established with SPIs cd7c13a7_i f18d886a_o and TS 167.225.10.104/32 === 192.168.2.1/32
Sep  3 11:33:33 Microknoppix charon: 15[ENC] generating IKE_AUTH response 6 [ AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Sep  3 11:33:33 Microknoppix charon: 15[NET] sending packet: from 167.225.10.104[4500] to 167.225.8.209[4500]
--------- daemon.log end ------------


I fear I basically do not understand the VPN principle.
If the Win7 client is connected, I cannot use my standard intranet
connection. Everything seems to be sent to the VPN tunnel.
Additionally, there is a misconfiguration left, because I can ping
SECURE from the Linux server to the newly assigned IP address
192.168.2.1, but pinging from Win7 to the Linux server does not use
the tunnel. Maybe just a little misconfiguration.

More important is this:
I just wanted to secure a peer-to-peer connection from one Windows
client to one Linux server. Everything else should be normally
accessible like before.
My Windows-friendly neighbour said Windows Agile VPN is not the right
way; you need to configure the IP security policy to talk IPsec [1]
with strongSwan. No Windows VPN connection needed. Is that possible
with strongSwan?

[1] like this http://www.winservermart.com/HowTo/Images/VPN_Policy_Assign.gif

Best regards.
Johannes
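A check a practitioner can run over the daemon.log above, added here as an example and not part of this post or of strongSwan itself: it parses the charon lines (the sample below is copied from the log in this message, each entry rejoined onto one line), extracts what was actually negotiated, and reports the points a reviewer would raise. The regular expressions assume the charon message wording shown in this log; the thresholds in audit() are the reviewer's own. On this log it shows that EAP-TLS ran over TLS 1.0 with a CBC suite, that no revocation status was available for the client certificate, and that the CHILD_SA traffic selector is host-to-host (167.225.10.104/32 === 192.168.2.1/32), so on the server side only traffic between those two addresses is tunnelled.

```python
"""Summarise an IKEv2 EAP-TLS negotiation from strongSwan charon log lines.

Added example (not from the post or from strongSwan); the message wording the
regexes match is assumed to be the charon wording shown in this log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the post's daemon.log lines, each rejoined
# onto a single line as syslog wrote them.
SAMPLE_LOG = """\
Sep  3 11:33:33 Microknoppix charon: 05[CFG] selected peer config 'win7'
Sep  3 11:33:33 Microknoppix charon: 05[IKE] initiating EAP_TLS method (id 0xC5)
Sep  3 11:33:33 Microknoppix charon: 01[TLS] negotiated TLS version TLS 1.0 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Sep  3 11:33:33 Microknoppix charon: 14[TLS] received TLS peer certificate 'C=DE, O=me, CN=egal'
Sep  3 11:33:33 Microknoppix charon: 14[CFG]   using trusted ca certificate "C=DE, O=me, CN=FS_CA"
Sep  3 11:33:33 Microknoppix charon: 14[CFG] certificate status is not available
Sep  3 11:33:33 Microknoppix charon: 02[IKE] EAP method EAP_TLS succeeded, MSK established
Sep  3 11:33:33 Microknoppix charon: 15[IKE] authentication of '167.225.8.209' with EAP successful
Sep  3 11:33:33 Microknoppix charon: 15[IKE] IKE_SA win7[2] established between 167.225.10.104[C=DE, O=me, CN=fileservice.me]...167.225.8.209[167.225.8.209]
Sep  3 11:33:33 Microknoppix charon: 15[IKE] assigning virtual IP 192.168.2.1 to peer '167.225.8.209'
Sep  3 11:33:33 Microknoppix charon: 15[IKE] CHILD_SA win7{2} established with SPIs cd7c13a7_i f18d886a_o and TS 167.225.10.104/32 === 192.168.2.1/32
"""

# syslog prefix followed by charon's "<thread>[<subsystem>] <message>"
_PREFIX = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ charon: \d+\[(?P<sub>\w+)\]\s+(?P<msg>.*)$")

_CONN = re.compile(r"selected peer config '(?P<conn>[^']+)'")
_TLS = re.compile(r"negotiated TLS version (?P<ver>\S+ \d\.\d) with suite (?P<suite>\S+)")
_PEER_CERT = re.compile(r"received TLS peer certificate '(?P<dn>[^']+)'")
_CA = re.compile(r'using trusted ca certificate "(?P<dn>[^"]+)"')
_NO_STATUS = re.compile(r"certificate status is not available")
_EAP_OK = re.compile(r"authentication of '(?P<id>[^']+)' with EAP successful")
_IKE_SA = re.compile(r"IKE_SA \S+\[\d+\] established between "
                     r"(?P<la>\S+?)\[(?P<lid>.+?)\]\.\.\.(?P<ra>\S+?)\[(?P<rid>.+?)\]$")
_VIP = re.compile(r"assigning virtual IP (?P<ip>\S+) to peer")
_CHILD_SA = re.compile(r"CHILD_SA \S+\{\d+\} established with SPIs (?P<spi_i>\w+)_i "
                       r"(?P<spi_o>\w+)_o and TS (?P<tsl>\S+) === (?P<tsr>\S+)")


@dataclass
class IkeSummary:
    conn: Optional[str] = None
    tls_version: Optional[str] = None
    tls_suite: Optional[str] = None
    peer_cert_dn: Optional[str] = None
    ca_dn: Optional[str] = None
    status_checked: bool = True   # False once charon reports no CRL/OCSP status
    eap_identity: Optional[str] = None
    local_id: Optional[str] = None
    remote_id: Optional[str] = None
    virtual_ip: Optional[str] = None
    spi_in: Optional[str] = None
    spi_out: Optional[str] = None
    ts_local: Optional[str] = None
    ts_remote: Optional[str] = None


def parse_charon_log(text: str) -> IkeSummary:
    """Fold the relevant charon messages into one summary (last match wins)."""
    s = IkeSummary()
    rules = [  # (pattern, fields to set from the match)
        (_CONN, lambda m: {"conn": m["conn"]}),
        (_TLS, lambda m: {"tls_version": m["ver"], "tls_suite": m["suite"]}),
        (_PEER_CERT, lambda m: {"peer_cert_dn": m["dn"]}),
        (_CA, lambda m: {"ca_dn": m["dn"]}),
        (_NO_STATUS, lambda m: {"status_checked": False}),
        (_EAP_OK, lambda m: {"eap_identity": m["id"]}),
        (_IKE_SA, lambda m: {"local_id": m["lid"], "remote_id": m["rid"]}),
        (_VIP, lambda m: {"virtual_ip": m["ip"]}),
        (_CHILD_SA, lambda m: {"spi_in": m["spi_i"], "spi_out": m["spi_o"],
                               "ts_local": m["tsl"], "ts_remote": m["tsr"]}),
    ]
    for line in text.splitlines():
        pm = _PREFIX.match(line)
        if not pm:
            continue  # not a charon line (other daemons share the syslog)
        for pattern, fields in rules:
            m = pattern.search(pm["msg"])
            if m:
                for name, value in fields(m).items():
                    setattr(s, name, value)
                break
    return s


def audit(s: IkeSummary) -> List[str]:
    """Findings a reviewer would raise about this negotiation (WARN/INFO)."""
    out = []
    if s.tls_version in ("SSL 3.0", "TLS 1.0", "TLS 1.1"):
        out.append(f"WARN EAP-TLS ran over {s.tls_version}; require TLS 1.2 or later")
    if s.tls_suite and "_CBC_" in s.tls_suite:
        out.append(f"WARN CBC suite {s.tls_suite}; prefer an AEAD (GCM) suite")
    if not s.status_checked:
        out.append("WARN no CRL/OCSP status for the peer certificate: revocation "
                   "of a client certificate cannot be detected")
    if s.eap_identity and s.remote_id and s.eap_identity != s.remote_id:
        out.append(f"WARN EAP identity {s.eap_identity!r} differs from IKE identity {s.remote_id!r}")
    if s.ts_local and s.ts_remote and s.ts_local.endswith("/32") and s.ts_remote.endswith("/32"):
        out.append(f"INFO host-to-host selector {s.ts_local} === {s.ts_remote}: on the "
                   "server, only traffic between these two addresses is tunnelled")
    return out


if __name__ == "__main__":
    summary = parse_charon_log(SAMPLE_LOG)
    print(summary)
    for finding in audit(summary):
        print(finding)
```

Feed it a real daemon.log (for example `parse_charon_log(open("/var/log/daemon.log").read())`) after a client has connected; because later matches overwrite earlier ones, the summary describes the most recent negotiation in the file.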

