[strongSwan] IPSEC/l2TP Chrome OS

Ilan Caspi ilan.caspi at gmail.com
Thu Feb 5 19:17:32 CET 2015


Hi,

I'm trying to connect a Chromebook to Linux strongSwan
U5.1.2/K3.13.0-43-generic, with not much luck.

Using a shared secret, the connection works fine, but when I switch the
authentication to CA-issued certificates things go wrong. The certs should be OK
because they work with a different connection.

From reading the logs, the authentication goes well, but things start
to go wrong here:

15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]

15[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
(2092 bytes)

04[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]

03[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]

03[NET] waiting for data on sockets

06[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
(68 bytes)

06[ENC] invalid HASH_V1 payload length, decryption failed?

06[ENC] could not decrypt payloads

06[IKE] message parsing failed

06[IKE] ignore malformed INFORMATIONAL request

ipsec.conf

config setup

    charondebug="cfg 2, dmn 2, ike 2, net 2"

    uniqueids=never

conn %default

authby=rsasig

  leftrsasigkey=%cert

  rightrsasigkey=%cert

  keyingtries=1

  keylife=60m

  ikelifetime=240m

rightdns=8.8.8.8


conn ios

    keyexchange=ikev1

    xauth=server

    left=%defaultroute

    leftsubnet=0.0.0.0/0

    leftcert=server.pem

    right=%any

    rightid="CN=*, OU=1957, O=secretdomain.com, C=US"

    rightsourceip=172.27.0.0/16

    rightsubnet=172.27.0.0/16

    rightauth2=xauth-noauth

    ike=aes128-sha1-modp2048,3des-sha1-modp1536

    esp=aes128-sha1-modp2048,3des-sha1-modp1536

    rekey=no

    reauth=no

    dpddelay=10

    dpdtimeout=30

    dpdaction=clear

    auto=add

    fragmentation=yes



conn chromebook

    keyexchange=ikev1

    authby=rsasig

    rekey=no

    keyingtries=2

    left=%defaultroute

    leftsubnet=0.0.0.0/0

    leftprotoport=udp/l2tp

    leftcert=server.pem

    right=%any

    rightprotoport=udp/%any

    rightrsasigkey=%cert

    rightid="CN=*, OU=1957, O= secretdomain.com, C=US"

    auto=add

ipsec.secrets

: RSA /etc/ipsec.d/private/newserverkey.pem