[strongSwan] IPSEC/l2TP Chrome OS

Noel Kuntze noel at familie-kuntze.de
Wed Feb 11 19:29:28 CET 2015



Hello Ilan,

You are looking at an L2TP/IPsec configuration with certificate authentication and transport mode.
The following config will be compatible:

conn chromiumos
        ike="3des-sha1-modp1024"
        esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
        keyexchange="ikev1"
        rekey=yes
        left="%defaultroute"
        leftprotoport="17/1701"
        rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
        leftca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
        rightid="%any"
        right=%any
        rightprotoport="17/1701"
        type="transport"
        auto="add"

You will need to adjust the leftca section or define the certificate manually using leftcert.
You also need to run an l2tp daemon, like xl2tpd, as traffic will be tunneled using l2tp.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 11.02.2015 at 18:49, Ilan Caspi wrote:
> Maybe this will shed some light on the subject. The chromebook is using the following configuration:
>
> ipsec.conf
>
>         ike="3des-sha1-modp1024"
>         esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
>         keyexchange="ikev1"
>         rekey=yes
>         left="%defaultroute"
>         leftcert="%smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878"
>         leftprotoport="17/1701"
>         leftupdown="/usr/libexec/l2tpipsec_vpn/pluto_updown"
>         right="162.243.137.92"
>         rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
>         rightid="%any"
>         rightprotoport="17/1701"
>         type="transport"
>         auto="start"
>
> strongswan.conf
>
> libstrongswan {
>   plugins {
>     pkcs11 {
>       modules {
>         crypto_module {
>           path = /usr/lib/libchaps.so
>         }
>       }
>     }
>   }
> }
>
> charon {
>   accept_unencrypted_mainmode_messages = yes
>   ignore_routing_tables = 0
>   install_routes = no
>   routing_table = 0
> }
>
> ipsec.secrets
>
> 10.0.1.135 162.243.137.92 : PIN %smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878 "111111"
>
> I'm trying to dig into the chromium code and understand if this is the only config chromeos will generate, but assuming that is the case, how can I set the strongSwan server to answer that client config?
>
> Thanks again for all the help
>
> Ilan
>
> On Thu Feb 05 2015 at 3:32:52 PM Ilan Caspi <ilan.caspi at gmail.com> wrote:
>
>     Hi Noel,
>
>     Unfortunately that wasn't the ticket
>
>     14[CFG]   candidate "chromebook", match: 1/19/28 (me/other/ike)
>     14[IKE] no peer config found
>     14[IKE] queueing INFORMATIONAL task
>     14[IKE] activating new tasks
>     14[IKE]   activating INFORMATIONAL task
>     14[ENC] generating INFORMATIONAL_V1 request 1417043180 [ HASH N(AUTH_FAILED) ]
>
>     ipsec.conf
>
>     conn chromebook
>         keyexchange=ikev1
>         authby=rsasig
>         rekey=no
>         keyingtries=2
>         left=%defaultroute
>         leftsubnet=0.0.0.0/0
>         leftprotoport=udp/l2tp
>         leftcert=server.pem
>         right=%any
>         rightprotoport=udp/%any
>         rightrsasigkey=%cert
>         rightid="CN=*, OU=1957, O=mydomain.com, C=US"
>         auto=add
>         aggressive=yes
>
>     On Thu Feb 05 2015 at 1:27:22 PM Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Ilan,
>
> That could be the client trying to use aggressive mode.
> Enable it in the conn section and see if it works with it.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 05.02.2015 at 19:17, Ilan Caspi wrote:
> > Hi,
> >
> > I'm trying to connect a chromebook to Linux strongSwan U5.1.2/K3.13.0-43-generic with not much luck.
> >
> > Using a secret the connection is just fine, but when moving the authentication to using a CA things are going wrong. The certs should be ok because they work with a different connection.
> >
> > From reading the logs the authentication is going well, but things are starting to go wrong here:
> >
> > 15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
> > 15[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
> > 04[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
> > 03[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
> > 03[NET] waiting for data on sockets
> > 06[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
> > 06[ENC] invalid HASH_V1 payload length, decryption failed?
> > 06[ENC] could not decrypt payloads
> > 06[IKE] message parsing failed
> > 06[IKE] ignore malformed INFORMATIONAL request
> >
> > ipsec.conf
> >
> > config setup
> >     charondebug="cfg 2, dmn 2, ike 2, net 2"
> >     uniqueids=never
> >
> > conn %default
> >     authby=rsasig
> >     leftrsasigkey=%cert
> >     rightrsasigkey=%cert
> >     keyingtries=1
> >     keylife=60m
> >     ikelifetime=240m
> >     rightdns=8.8.8.8
> >
> > conn ios
> >     keyexchange=ikev1
> >     xauth=server
> >     left=%defaultroute
> >     leftsubnet=0.0.0.0/0
> >     leftcert=server.pem
> >     right=%any
> >     rightid="CN=*, OU=1957, O=secretdomain.com, C=US"
> >     rightsourceip=172.27.0.0/16
> >     rightsubnet=172.27.0.0/16
> >     rightauth2=xauth-noauth
> >     ike=aes128-sha1-modp2048,3des-sha1-modp1536
> >     esp=aes128-sha1-modp2048,3des-sha1-modp1536
> >     rekey=no
> >     reauth=no
> >     dpddelay=10
> >     dpdtimeout=30
> >     dpdaction=clear
> >     auto=add
> >     fragmentation=yes
> >
> > conn chromebook
> >     keyexchange=ikev1
> >     authby=rsasig
> >     rekey=no
> >     keyingtries=2
> >     left=%defaultroute
> >     leftsubnet=0.0.0.0/0
> >     leftprotoport=udp/l2tp
> >     leftcert=server.pem
> >     right=%any
> >     rightprotoport=udp/%any
> >     rightrsasigkey=%cert
> >     rightid="CN=*, OU=1957, O=secretdomain.com, C=US"
> >     auto=add
> >
> > ipsec.secrets
> >
> > : RSA /etc/ipsec.d/private/newserverkey.pem
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>

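An added example, not part of the thread and not strongSwan code: a small Python check that applies the matching rules the thread turns on (proposal overlap, transport versus tunnel type, protoport selectors) to the option values posted by Ilan and Noel. The function names and the NAMES table are constructed here, and the defaults strongSwan substitutes when ike=/esp= are omitted are not modelled.

```python
"""Added example, not code from the thread or from strongSwan: find the settings
that stop a server conn from answering the Chrome OS client conn. A responder
selects a proposal only when every transform, DH group included, matches one of
its own entries; connection type and protoport selectors must agree as well."""

NAMES = {"udp": 17, "tcp": 6, "l2tp": 1701}   # names ipsec.conf accepts in protoport

def parse_conn(text):
    """'key=value' lines (values may be quoted) -> dict."""
    pairs = (line.strip().partition("=") for line in text.splitlines() if "=" in line)
    return {k: v.strip().strip('"') for k, _, v in pairs}

def proposals(spec):
    """'aes128-sha1-modp2048,3des-sha1' -> set of algorithm sets."""
    return {frozenset(p.split("-")) for p in spec.split(",") if p}

def num(field):
    """Protoport field -> number, or None for the %any / empty wildcard."""
    if field in ("", "%any"):
        return None
    return int(field) if field.isdigit() else NAMES[field]

def selectors_agree(a, b):
    """Protoport selectors overlap if protocol and port are each equal or wildcarded."""
    pairs = zip(map(num, a.partition("/")[::2]), map(num, b.partition("/")[::2]))
    return all(x is None or y is None or x == y for x, y in pairs)

def mismatches(client, server):
    """List why a server conn cannot answer the client conn (empty list = compatible)."""
    problems = []
    for opt in ("ike", "esp"):   # compared only when both sides set it explicitly
        if opt in client and opt in server and not proposals(client[opt]) & proposals(server[opt]):
            problems.append(f"{opt}: no common proposal")
    ctype, stype = client.get("type", "tunnel"), server.get("type", "tunnel")
    if ctype != stype:
        problems.append(f"type: client {ctype} vs server {stype}")
    # the client's left end is the server's right end, and vice versa
    for c_opt, s_opt in (("leftprotoport", "rightprotoport"), ("rightprotoport", "leftprotoport")):
        c, s = client.get(c_opt, "%any"), server.get(s_opt, "%any")
        if not selectors_agree(c, s):
            problems.append(f"{c_opt} {c} vs server {s_opt} {s}")
    return problems

# Values copied from the thread: the Chrome OS client conn and Ilan's first server conn
# (no type=, so it defaults to tunnel mode); Noel's conn repeats the client's values.
CLIENT = parse_conn('ike="3des-sha1-modp1024"\nesp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"\n'
                    'leftprotoport="17/1701"\nrightprotoport="17/1701"\ntype="transport"')
FIRST_SERVER = parse_conn("leftprotoport=udp/l2tp\nrightprotoport=udp/%any")
SUGGESTED_SERVER = dict(CLIENT)   # same ike, esp, protoport and type as the client
```

Running `mismatches(CLIENT, FIRST_SERVER)` reports only the tunnel/transport difference, and the ios conn's `ike=aes128-sha1-modp2048,3des-sha1-modp1536` yields "ike: no common proposal" against the client's single 3des-sha1-modp1024 entry.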



