[strongSwan] IPSEC/l2TP Chrome OS

Ilan Caspi ilan.caspi at gmail.com
Wed Feb 11 18:49:43 CET 2015


Maybe this will shed some light on the subject. The Chromebook is using the
following configuration:

ipsec.conf

        ike="3des-sha1-modp1024"
        esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
        keyexchange="ikev1"
        rekey=yes
        left="%defaultroute"
        leftcert="%smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878"
        leftprotoport="17/1701"
        leftupdown="/usr/libexec/l2tpipsec_vpn/pluto_updown"
        right="162.243.137.92"
        rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
        rightid="%any"
        rightprotoport="17/1701"
        type="transport"
        auto="start"

strongswan.conf

libstrongswan {
  plugins {
    pkcs11 {
      modules {
        crypto_module {
          path = /usr/lib/libchaps.so
        }
      }
    }
  }
}

charon {
  accept_unencrypted_mainmode_messages = yes
  ignore_routing_tables = 0
  install_routes = no
  routing_table = 0
}


ipsec.secrets

10.0.1.135 162.243.137.92 : PIN %smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878 "111111"

I'm trying to dig into the Chromium code and understand if this is the only
config Chrome OS will generate, but assuming that is the case, how can I set
the strongSwan server to answer that client config?

Thanks again for all the help

Ilan
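Editor's note: the following server-side ipsec.conf is an added example written to answer the client configuration quoted above. It is not something posted in this thread, and it is not code from the strongSwan or Chrome OS projects. It mirrors the client line by line: IKEv1 with the one IKE proposal the client offers (3des-sha1-modp1024), the non-MD5 subset of its ESP offer, transport mode on UDP/1701, a server certificate that chains to the CA named in the client's rightca, and certificate authentication of the client. The client config contains no aggressive option and its charon section refers to main-mode messages, so, in my reading, it runs Main Mode and the server's aggressive setting is left at its default of no. Assumptions: the server certificate is server.pem as in the earlier server configs, the CA certificate file name in /etc/ipsec.d/cacerts/ is invented, and the rightca line assumes the client certificate is issued by the same CA as the server certificate; if the client's certificate comes from a different issuer, point rightca at that issuer's DN instead.

```conf
# /etc/ipsec.conf on the strongSwan server (added example, not from the thread)
config setup
    charondebug="cfg 2, ike 2, net 1"
    uniqueids=never

conn chromebook-l2tp
    keyexchange=ikev1
    # The Chrome OS client offers exactly this IKE proposal. 3DES, SHA-1 and
    # MODP-1024 are weak by current standards, so keep this proposal confined
    # to this conn; the trailing "!" stops charon from appending its default
    # proposals to it.
    ike=3des-sha1-modp1024!
    # Non-MD5 subset of the client's ESP offer. The client still proposes
    # aes128-md5 and 3des-md5, but the server never selects them.
    esp=aes128-sha1,3des-sha1!
    # L2TP/IPsec runs IPsec in transport mode, matching the client's type=transport.
    type=transport
    rekey=no
    keyingtries=2

    # Server side. leftid is left unset so it defaults to the subject DN of
    # server.pem; the client has rightid=%any and validates the server only
    # against the CA it names in rightca, so the full chain must be sent.
    left=%defaultroute
    leftcert=server.pem
    leftsendcert=always
    leftprotoport=udp/l2tp

    # Client side. rightid=%any accepts whatever subject DN the smartcard
    # certificate carries; rightca is the real constraint.
    right=%any
    rightid=%any
    rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
    # A NAT in front of the client rewrites its UDP source port, so do not
    # pin 1701 on the client side.
    rightprotoport=udp/%any

    authby=rsasig
    auto=add

# /etc/ipsec.secrets (same private key line as in the earlier server configs)
: RSA /etc/ipsec.d/private/newserverkey.pem

# The CA certificate from the client's rightca line must be readable by
# charon. Assumed file name; any name in this directory is loaded:
#   /etc/ipsec.d/cacerts/pertino-dev-root-ca-g1.pem
```

After `ipsec update` (or `ipsec reload`), `ipsec statusall` should list chromebook-l2tp with the 3des-sha1-modp1024 proposal; when the client connects, the "candidate ... match: x/y/z (me/other/ike)" line in the charon log shows how well this conn scored against the IDs and IKE proposal the client actually sent, which is the quickest way to see whether rightca or the proposal is the mismatch.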

On Thu Feb 05 2015 at 3:32:52 PM Ilan Caspi <ilan.caspi at gmail.com> wrote:

> Hi Noel,
>
> Unfortunately that wasn't the ticket
>
> 14[CFG]   candidate "chromebook", match: 1/19/28 (me/other/ike)
>
> 14[IKE] no peer config found
>
> 14[IKE] queueing INFORMATIONAL task
>
> 14[IKE] activating new tasks
>
> 14[IKE]   activating INFORMATIONAL task
>
> 14[ENC] generating INFORMATIONAL_V1 request 1417043180 [ HASH
> N(AUTH_FAILED) ]
>
> ipsec.conf
>
> conn chromebook
>     keyexchange=ikev1
>     authby=rsasig
>     rekey=no
>     keyingtries=2
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     leftprotoport=udp/l2tp
>     leftcert=server.pem
>     right=%any
>     rightprotoport=udp/%any
>     rightrsasigkey=%cert
>     rightid="CN=*, OU=1957, O=mydomain.com, C=US"
>     auto=add
>     aggressive=yes
>
> On Thu Feb 05 2015 at 1:27:22 PM Noel Kuntze <noel at familie-kuntze.de>
> wrote:
>
>>
>>
>> Hello Ilan,
>>
>> That could be the client trying to use aggressive mode.
>> Enable it in the conn section and see if it works with it.
>>
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> Am 05.02.2015 um 19:17 schrieb Ilan Caspi:
>> > Hi,
>> >
>> > I'm trying to connect a chromebook to Linux strongSwan
>> U5.1.2/K3.13.0-43-generic with not much luck.
>> >
>> > Using a secret the connection is just fine, but when moving to
>> authentication using a CA things are going wrong. The certs should be ok
>> because they work with a different connection.
>> >
>> > From reading the logs the authentication is going well but things are
>> starting to go wrong here:
>> >
>> > 15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
>> > 15[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
>> > 04[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
>> > 03[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
>> > 03[NET] waiting for data on sockets
>> > 06[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
>> > 06[ENC] invalid HASH_V1 payload length, decryption failed?
>> > 06[ENC] could not decrypt payloads
>> > 06[IKE] message parsing failed
>> > 06[IKE] ignore malformed INFORMATIONAL request
>> >
>> > ipsec.conf
>> >
>> > config setup
>> >     charondebug="cfg 2, dmn 2, ike 2, net 2"
>> >     uniqueids=never
>> >
>> > conn %default
>> >     authby=rsasig
>> >     leftrsasigkey=%cert
>> >     rightrsasigkey=%cert
>> >     keyingtries=1
>> >     keylife=60m
>> >     ikelifetime=240m
>> >     rightdns=8.8.8.8
>> >
>> > conn ios
>> >     keyexchange=ikev1
>> >     xauth=server
>> >     left=%defaultroute
>> >     leftsubnet=0.0.0.0/0
>> >     leftcert=server.pem
>> >     right=%any
>> >     rightid="CN=*, OU=1957, O=secretdomain.com, C=US"
>> >     rightsourceip=172.27.0.0/16
>> >     rightsubnet=172.27.0.0/16
>> >     rightauth2=xauth-noauth
>> >     ike=aes128-sha1-modp2048,3des-sha1-modp1536
>> >     esp=aes128-sha1-modp2048,3des-sha1-modp1536
>> >     rekey=no
>> >     reauth=no
>> >     dpddelay=10
>> >     dpdtimeout=30
>> >     dpdaction=clear
>> >     auto=add
>> >     fragmentation=yes
>> >
>> > conn chromebook
>> >     keyexchange=ikev1
>> >     authby=rsasig
>> >     rekey=no
>> >     keyingtries=2
>> >     left=%defaultroute
>> >     leftsubnet=0.0.0.0/0
>> >     leftprotoport=udp/l2tp
>> >     leftcert=server.pem
>> >     right=%any
>> >     rightprotoport=udp/%any
>> >     rightrsasigkey=%cert
>> >     rightid="CN=*, OU=1957, O=secretdomain.com, C=US"
>> >     auto=add
>> >
>> > ipsec.secrets
>> >
>> > : RSA /etc/ipsec.d/private/newserverkey.pem
>> >
>> >
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.strongswan.org
>> > https://lists.strongswan.org/mailman/listinfo/users
>>
>>
>
>