[strongSwan] IPSEC/l2TP Chrome OS

Noel Kuntze noel at familie-kuntze.de
Thu Feb 5 22:27:10 CET 2015


Hello Ilan,

That could be the client trying to use aggressive mode.
Enable it in the conn section and see if it works with it.

Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 05.02.2015 at 19:17, Ilan Caspi wrote:
> Hi,
>
> I'm trying to connect a chromebook to Linux strongSwan U5.1.2/K3.13.0-43-generic with not much luck.
>
> Using a secret the connection is just fine but when moving the authentication using a CA things are going wrong. The certs should be ok because they work with a different connection
>
> From reading the logs the authentication is going well but things are starting to go wrong here:
>
> 15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
> 15[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
> 04[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
> 03[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
> 03[NET] waiting for data on sockets
> 06[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
> 06[ENC] invalid HASH_V1 payload length, decryption failed?
> 06[ENC] could not decrypt payloads
> 06[IKE] message parsing failed
> 06[IKE] ignore malformed INFORMATIONAL request
>
> ipsec.conf
>
> config setup
>     charondebug="cfg 2, dmn 2, ike 2, net 2"
>     uniqueids=never
>
> conn %default
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>     keyingtries=1
>     keylife=60m
>     ikelifetime=240m
>     rightdns=8.8.8.8
>
> conn ios
>     keyexchange=ikev1
>     xauth=server
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     leftcert=server.pem
>     right=%any
>     rightid="CN=*, OU=1957, O=secretdomain.com, C=US"
>     rightsourceip=172.27.0.0/16
>     rightsubnet=172.27.0.0/16
>     rightauth2=xauth-noauth
>     ike=aes128-sha1-modp2048,3des-sha1-modp1536
>     esp=aes128-sha1-modp2048,3des-sha1-modp1536
>     rekey=no
>     reauth=no
>     dpddelay=10
>     dpdtimeout=30
>     dpdaction=clear
>     auto=add
>     fragmentation=yes
>
> conn chromebook
>     keyexchange=ikev1
>     authby=rsasig
>     rekey=no
>     keyingtries=2
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     leftprotoport=udp/l2tp
>     leftcert=server.pem
>     right=%any
>     rightprotoport=udp/%any
>     rightrsasigkey=%cert
>     rightid="CN=*, OU=1957, O= secretdomain.com, C=US"
>     auto=add
>
> ipsec.secrets
>
> : RSA /etc/ipsec.d/private/newserverkey.pem


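An added example, not part of the original message or of strongSwan: a small Python triage script that pairs each "could not decrypt payloads" event in a charon log with the last message the daemon generated and the size of the inbound packet that failed, which is the correlation the quoted excerpt is being read for. The sample log is constructed from the lines quoted above with documentation-range addresses; the function name triage and the finding fields are assumptions of this example.

```python
import re

# Constructed sample: the charon lines quoted above, with the peers replaced
# by documentation-range addresses.
SAMPLE_LOG = """\
15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
15[NET] sending packet: from 192.0.2.1[4500] to 198.51.100.7[4500] (2092 bytes)
06[NET] received packet: from 198.51.100.7[4500] to 192.0.2.1[4500] (68 bytes)
06[ENC] invalid HASH_V1 payload length, decryption failed?
06[ENC] could not decrypt payloads
06[IKE] message parsing failed
06[IKE] ignore malformed INFORMATIONAL request
"""

LINE = re.compile(r"(\d+)\[([A-Z]+)\] (.*)")
GENERATED = re.compile(r"generating (\S+) (?:request|response) \d+ \[ (.*) \]")
PACKET = re.compile(r"(sending|received) packet: from (\S+) to \S+ \((\d+) bytes\)")
IGNORED = re.compile(r"ignore malformed (\S+) (?:request|response)")


def triage(log_text):
    """Return one finding per inbound IKE message charon could not decrypt."""
    findings = []
    sent = None    # last message this daemon generated
    rx = {}        # worker thread id -> (peer, size) of the packet it handles
    open_ = {}     # worker thread id -> finding awaiting its exchange type
    for raw in log_text.splitlines():
        m = LINE.match(raw.lstrip("> "))   # also accept mail-quoted lines
        if not m:
            continue
        thread, msg = m[1], m[3]
        if g := GENERATED.search(msg):
            sent = {"exchange": g[1], "payloads": g[2].split(), "bytes": None}
        elif p := PACKET.search(msg):
            if p[1] == "received":
                rx[thread] = (p[2], int(p[3]))
            elif sent and sent["bytes"] is None:
                sent["bytes"] = int(p[3])   # size of the message just generated
        elif "could not decrypt payloads" in msg:
            peer, size = rx.get(thread, (None, None))
            open_[thread] = {"peer": peer, "bytes": size, "dropped": None,
                             "after": dict(sent) if sent else None}
            findings.append(open_[thread])
        elif (i := IGNORED.search(msg)) and thread in open_:
            open_.pop(thread)["dropped"] = i[1]   # exchange type that was ignored
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run over the sample, it reports a single 68-byte INFORMATIONAL request from the peer that could not be decrypted, arriving after the 2092-byte ID_PROT response that carried three CERT payloads.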

