[strongSwan] IPSEC/l2TP Chrome OS
Ilan Caspi
ilan.caspi at gmail.com
Fri Feb 6 00:32:51 CET 2015
Hi Noel,
Unfortunately that wasn't the ticket
14[CFG] candidate "chromebook", match: 1/19/28 (me/other/ike)
14[IKE] no peer config found
14[IKE] queueing INFORMATIONAL task
14[IKE] activating new tasks
14[IKE] activating INFORMATIONAL task
14[ENC] generating INFORMATIONAL_V1 request 1417043180 [ HASH N(AUTH_FAILED) ]
ipsec.conf
conn chromebook
    keyexchange=ikev1
    authby=rsasig
    rekey=no
    keyingtries=2
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftprotoport=udp/l2tp
    leftcert=server.pem
    right=%any
    rightprotoport=udp/%any
    rightrsasigkey=%cert
    rightid="CN=*, OU=1957, O=mydomain.com, C=US"
    auto=add
    aggressive=yes
On Thu Feb 05 2015 at 1:27:22 PM Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Ilan,
>
> That could be the client trying to use aggressive mode.
> Enable it in the conn section and see if it works with it.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 05.02.2015 um 19:17 schrieb Ilan Caspi:
> > Hi,
> >
> > I'm trying to connect a chromebook to Linux strongSwan U5.1.2/K3.13.0-43-generic with not much luck.
> >
> > Using a secret the connection is just fine but when moving the authentication using a CA things are going wrong. The certs should be ok because they work with a different connection
> >
> > From reading the logs the authentication is going well but things are starting to go wrong here:
> >
> > 15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
> > 15[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
> > 04[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
> > 03[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
> > 03[NET] waiting for data on sockets
> > 06[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
> > 06[ENC] invalid HASH_V1 payload length, decryption failed?
> > 06[ENC] could not decrypt payloads
> > 06[IKE] message parsing failed
> > 06[IKE] ignore malformed INFORMATIONAL request
> >
> > ipsec.conf
> >
> > config setup
> >     charondebug="cfg 2, dmn 2, ike 2, net 2"
> >     uniqueids=never
> >
> > conn %default
> >     authby=rsasig
> >     leftrsasigkey=%cert
> >     rightrsasigkey=%cert
> >     keyingtries=1
> >     keylife=60m
> >     ikelifetime=240m
> >     rightdns=8.8.8.8
> >
> > conn ios
> >     keyexchange=ikev1
> >     xauth=server
> >     left=%defaultroute
> >     leftsubnet=0.0.0.0/0
> >     leftcert=server.pem
> >     right=%any
> >     rightid="CN=*, OU=1957, O=secretdomain.com, C=US"
> >     rightsourceip=172.27.0.0/16
> >     rightsubnet=172.27.0.0/16
> >     rightauth2=xauth-noauth
> >     ike=aes128-sha1-modp2048,3des-sha1-modp1536
> >     esp=aes128-sha1-modp2048,3des-sha1-modp1536
> >     rekey=no
> >     reauth=no
> >     dpddelay=10
> >     dpdtimeout=30
> >     dpdaction=clear
> >     auto=add
> >     fragmentation=yes
> >
> > conn chromebook
> >     keyexchange=ikev1
> >     authby=rsasig
> >     rekey=no
> >     keyingtries=2
> >     left=%defaultroute
> >     leftsubnet=0.0.0.0/0
> >     leftprotoport=udp/l2tp
> >     leftcert=server.pem
> >     right=%any
> >     rightprotoport=udp/%any
> >     rightrsasigkey=%cert
> >     rightid="CN=*, OU=1957, O= secretdomain.com, C=US"
> >     auto=add
> >
> > ipsec.secrets
> >
> > : RSA /etc/ipsec.d/private/newserverkey.pem
> >
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
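
Added example (not part of the original messages and not strongSwan code): a small Python triage of the charon lines quoted in this thread. It pairs the exchange type the peer used (ID_PROT, i.e. IKEv1 Main Mode) with the `aggressive=` setting of each conn that was scored as a candidate before "no peer config found". It assumes that charon only selects an IKEv1 conn whose `aggressive` setting matches the exchange in use, and that the Chromebook kept using Main Mode in the second attempt; `parse_conns` and `triage` are names made up for this example.

```python
import re

# Log/config lines copied from the thread; the ID_PROT line is from the first attempt.
LOG = '''15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
14[CFG] candidate "chromebook", match: 1/19/28 (me/other/ike)
14[IKE] no peer config found
14[ENC] generating INFORMATIONAL_V1 request 1417043180 [ HASH N(AUTH_FAILED) ]
'''
CONF = '''conn chromebook
    keyexchange=ikev1
    authby=rsasig
    aggressive=yes
'''  # subset of the conn's options, enough for this check
CAND = re.compile(r'\[CFG\] candidate "([^"]+)", match: (\d+)/(\d+)/(\d+)')
EXCH = re.compile(r'\[ENC\] (?:generating|parsed) (ID_PROT|AGGRESSIVE) ')

def parse_conns(text):
    """Parse an ipsec.conf fragment into {conn name: {option: value}}."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():        # section header, e.g. "conn chromebook"
            kind, _, name = line.partition(' ')
            cur = conns.setdefault(name.strip(), {}) if kind == 'conn' else None
        elif cur is not None and '=' in line:
            key, _, val = line.strip().partition('=')
            cur[key.strip()] = val.strip()
    return conns

def triage(log, conf):
    """List (conn, reason) for candidates scored before 'no peer config found'."""
    conns, mode, cands, findings = parse_conns(conf), None, {}, []
    for line in log.splitlines():
        if m := EXCH.search(line):
            mode = m.group(1)            # last IKEv1 phase 1 exchange type seen
        if m := CAND.search(line):
            cands[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
        if 'no peer config found' in line:
            for name, scores in cands.items():
                aggr = conns.get(name, {}).get('aggressive', 'no')
                # Assumption: charon needs aggressive= to match the exchange in use.
                if all(scores) and mode and (aggr == 'yes') != (mode == 'AGGRESSIVE'):
                    findings.append((name, f'aggressive={aggr} but peer used {mode}'))
                elif all(scores):        # all three scores non-zero: not an ID mismatch
                    findings.append((name, 'ids matched; check auth method'))
            cands.clear()
    return findings
```

`triage(LOG, CONF)` reports the `chromebook` conn as a mode mismatch; with `aggressive=no` it falls back to pointing at the authentication method instead.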