[strongSwan] IPSEC/l2TP Chrome OS

Ilan Caspi ilan.caspi at gmail.com
Wed Feb 11 19:47:48 CET 2015


Thanks Noel, but still no joy. I'm pretty sure that the rest of the L2TP is
fine because it works with a shared secret, but the certificates for some
reason are still off. The current ipsec.conf looks like this:

    keyexchange=ikev1
    authby=rsasig
    rekey=yes
    keyingtries=2
    leftsubnet=0.0.0.0/0
    leftca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
    leftcert=server.pem
    leftprotoport="17/1701"
    right=%any
    rightid=%any
    rightprotoport="17/1701"
    type="transport"
    auto=add

The connection fails with this message:

IKE_SA chromebook[1] state change: CONNECTING => ESTABLISHED
09[IKE] scheduling reauthentication in 13531s
09[IKE] maximum IKE_SA lifetime 14071s
09[IKE] sending end entity cert "CN=do-c6176704.san-francisco-1.pertinoipsec.dev.pertino.com, OU=DEV, O=pertino.com, C=US"
09[IKE] sending issuer cert "CN=Pertino Dev Issuing CA G1, O=Pertino, C=US"
09[IKE] sending issuer cert "CN=Pertino Dev Intermediate CA G1, O=Pertino, C=US"
09[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
09[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
03[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
02[NET] waiting for data on sockets
11[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
11[ENC] invalid HASH_V1 payload length, decryption failed?
11[ENC] could not decrypt payloads
11[IKE] message parsing failed
11[IKE] ignore malformed INFORMATIONAL request
11[IKE] INFORMATIONAL_V1 request with message ID 2808853053 processing failed
02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
02[NET] waiting for data on sockets
12[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (1092 bytes)
12[IKE] received retransmit of request with ID 0, retransmitting response
12[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
03[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
02[NET] waiting for data on sockets
13[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
13[ENC] invalid HASH_V1 payload length, decryption failed?
13[ENC] could not decrypt payloads
13[IKE] message parsing failed
13[IKE] ignore malformed INFORMATIONAL request

On Wed Feb 11 2015 at 10:29:31 AM Noel Kuntze <noel at familie-kuntze.de> wrote:

>
>
> Hello Ilan,
>
> You are looking at a L2TP/IPsec configuration with certificate
> authentication and transport mode.
> The following config will be compatible:
>
> conn chromiumos
>         ike="3des-sha1-modp1024"
>         esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
>         keyexchange="ikev1"
>         rekey=yes
>         left="%defaultroute"
>         leftprotoport="17/1701"
>         rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
>         leftca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
>         rightid="%any"
>         right=%any
>         rightprotoport="17/1701"
>         type="transport"
>         auto="add"
>
> You will need to adjust the leftca section or define the certificate
> manually using leftcert.
> You also need to run an l2tp daemon, like xl2tpd, as traffic will be
> tunneled using l2tp.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 11.02.2015 at 18:49, Ilan Caspi wrote:
> > Maybe this will shed some light on the subject. The Chromebook is using the following configuration:
> >
> > ipsec.conf
> >
> >         ike="3des-sha1-modp1024"
> >         esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
> >         keyexchange="ikev1"
> >         rekey=yes
> >         left="%defaultroute"
> >         leftcert="%smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878"
> >         leftprotoport="17/1701"
> >         leftupdown="/usr/libexec/l2tpipsec_vpn/pluto_updown"
> >         right="162.243.137.92"
> >         rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
> >         rightid="%any"
> >         rightprotoport="17/1701"
> >         type="transport"
> >         auto="start"
> >
> > strongswan.conf
> >
> > libstrongswan {
> >   plugins {
> >     pkcs11 {
> >       modules {
> >         crypto_module {
> >           path = /usr/lib/libchaps.so
> >         }
> >       }
> >     }
> >   }
> > }
> >
> > charon {
> >   accept_unencrypted_mainmode_messages = yes
> >   ignore_routing_tables = 0
> >   install_routes = no
> >   routing_table = 0
> > }
> >
> >
> > ipsec.secrets
> >
> > 10.0.1.135 162.243.137.92 : PIN %smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878 "111111"
> >
> > I'm trying to dig into the Chromium code and understand if this is the only config Chrome OS will generate, but assuming that is the case, how can I set the strongSwan server to answer that client config?
> >
> > Thanks again for all the help
> >
> > Ilan
> >
> >
> > On Thu Feb 05 2015 at 3:32:52 PM Ilan Caspi <ilan.caspi at gmail.com> wrote:
> >
> >     Hi Noel,
> >
> >     Unfortunately that wasn't the ticket.
> >
> >     14[CFG]   candidate "chromebook", match: 1/19/28 (me/other/ike)
> >     14[IKE] no peer config found
> >     14[IKE] queueing INFORMATIONAL task
> >     14[IKE] activating new tasks
> >     14[IKE]   activating INFORMATIONAL task
> >     14[ENC] generating INFORMATIONAL_V1 request 1417043180 [ HASH N(AUTH_FAILED) ]
> >
> >
> >     ipsec.conf
> >
> >     conn chromebook
> >         keyexchange=ikev1
> >         authby=rsasig
> >         rekey=no
> >         keyingtries=2
> >         left=%defaultroute
> >         leftsubnet=0.0.0.0/0
> >         leftprotoport=udp/l2tp
> >         leftcert=server.pem
> >         right=%any
> >         rightprotoport=udp/%any
> >         rightrsasigkey=%cert
> >         rightid="CN=*, OU=1957, O=mydomain.com, C=US"
> >         auto=add
> >         aggressive=yes
> >
> >
> >     On Thu Feb 05 2015 at 1:27:22 PM Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > Hello Ilan,
> >
> > That could be the client trying to use aggressive mode.
> > Enable it in the conn section and see if it works with it.
> >
> > Kind regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > On 05.02.2015 at 19:17, Ilan Caspi wrote:
> > > Hi,
> > >
> > > I'm trying to connect a Chromebook to Linux strongSwan U5.1.2/K3.13.0-43-generic with not much luck.
> > >
> > > Using a secret the connection is just fine, but when moving the authentication to using a CA things are going wrong. The certs should be OK because they work with a different connection.
> > >
> > > From reading the logs the authentication is going well, but things are starting to go wrong here:
> >
> > > 15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
> > > 15[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
> > > 04[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
> > > 03[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
> > > 03[NET] waiting for data on sockets
> > > 06[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
> > > 06[ENC] invalid HASH_V1 payload length, decryption failed?
> > > 06[ENC] could not decrypt payloads
> > > 06[IKE] message parsing failed
> > > 06[IKE] ignore malformed INFORMATIONAL request
> >
> > > ipsec.conf
> > >
> > > config setup
> > >     charondebug="cfg 2, dmn 2, ike 2, net 2"
> > >     uniqueids=never
> > >
> > > conn %default
> > >     authby=rsasig
> > >     leftrsasigkey=%cert
> > >     rightrsasigkey=%cert
> > >     keyingtries=1
> > >     keylife=60m
> > >     ikelifetime=240m
> > >     rightdns=8.8.8.8
> > >
> > > conn ios
> > >     keyexchange=ikev1
> > >     xauth=server
> > >     left=%defaultroute
> > >     leftsubnet=0.0.0.0/0
> > >     leftcert=server.pem
> > >     right=%any
> > >     rightid="CN=*, OU=1957, O=secretdomain.com, C=US"
> > >     rightsourceip=172.27.0.0/16
> > >     rightsubnet=172.27.0.0/16
> > >     rightauth2=xauth-noauth
> > >     ike=aes128-sha1-modp2048,3des-sha1-modp1536
> > >     esp=aes128-sha1-modp2048,3des-sha1-modp1536
> > >     rekey=no
> > >     reauth=no
> > >     dpddelay=10
> > >     dpdtimeout=30
> > >     dpdaction=clear
> > >     auto=add
> > >     fragmentation=yes
> > >
> > > conn chromebook
> > >     keyexchange=ikev1
> > >     authby=rsasig
> > >     rekey=no
> > >     keyingtries=2
> > >     left=%defaultroute
> > >     leftsubnet=0.0.0.0/0
> > >     leftprotoport=udp/l2tp
> > >     leftcert=server.pem
> > >     right=%any
> > >     rightprotoport=udp/%any
> > >     rightrsasigkey=%cert
> > >     rightid="CN=*, OU=1957, O= secretdomain.com, C=US"
> > >     auto=add
> > >
> > > ipsec.secrets
> > >
> > > : RSA /etc/ipsec.d/private/newserverkey.pem
> >
> >
> >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org
> > > https://lists.strongswan.org/mailman/listinfo/users
> >
> >
> >
>
>
>
>
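The points Noel's reply turns on (IKEv1, transport mode, mirrored 17/1701 protoports, an IKE/ESP proposal the client also offers, and a server certificate chain ending in the CA the client names in rightca) can be checked mechanically before a connection is attempted. The Python below is an added example, not strongSwan code and not something posted by anyone in this thread: it parses ipsec.conf conn sections into dicts and compares a responder conn against the Chromebook client conn. The two sample conns are abridged copies of the ones quoted above (with a constructed "conn chromeos" header added to the client fragment). The function names, the 'error'/'warn' levels, and the treatment of an unset `type` as tunnel and an unset `keyexchange` as accepting IKEv1 on the responder are this example's own assumptions, based on the ipsec.conf defaults as documented.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the suggested server conn and the Chromebook client
# conn, abridged to the settings the compatibility check below inspects.
SERVER_CONF = """\
conn chromiumos
        ike="3des-sha1-modp1024"
        esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
        keyexchange="ikev1"
        leftprotoport="17/1701"
        leftca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
        rightprotoport="17/1701"
        type="transport"
"""
CLIENT_CONF = """\
conn chromeos
        ike="3des-sha1-modp1024"
        esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
        keyexchange="ikev1"
        leftprotoport="17/1701"
        rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
        rightprotoport="17/1701"
        type="transport"
"""
Conn = Dict[str, str]
PROTO_NUMBERS = {"udp": "17", "tcp": "6", "icmp": "1"}
PORT_NUMBERS = {"l2tp": "1701"}

def parse_conns(text: str) -> Dict[str, Conn]:
    """Parse 'conn NAME' sections into dicts; quotes around values are stripped,
    '#' comments and lines outside a conn section are ignored."""
    conns: Dict[str, Conn] = {}
    current: Optional[Conn] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"^conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[key] = value
    return conns

def normalize_protoport(value: Optional[str]) -> Tuple[str, str]:
    """Map 'udp/l2tp', '17/1701' or 'udp/%any' to (protocol number, port);
    'any' marks a wildcard, and an unset value restricts nothing."""
    if not value:
        return ("any", "any")
    proto, _, port = value.partition("/")
    proto = PROTO_NUMBERS.get(proto.lower(), proto.lower())
    port = PORT_NUMBERS.get(port.lower(), port.lower())
    return (proto or "any", "any" if port in ("", "%any") else port)

def proposals(value: Optional[str]) -> Set[str]:
    """Split 'aes128-sha1,3des-sha1!' into a set of proposal strings."""
    return {p.strip().rstrip("!") for p in (value or "").split(",") if p.strip()}

def check_compat(server: Conn, client: Conn) -> List[Tuple[str, str]]:
    """Compare a responder conn with the client's conn. Returns (level, message)
    findings: 'error' for a definite mismatch, 'warn' for a setting left to
    strongSwan defaults that should be pinned explicitly (assumed levels)."""
    out: List[Tuple[str, str]] = []
    # keyexchange=ike (the default) accepts IKEv1 as responder; ikev2 does not.
    if server.get("keyexchange", "ike") not in ("ike", "ikev1"):
        out.append(("error", "client uses IKEv1 but server is keyexchange=%s" % server["keyexchange"]))
    # L2TP/IPsec runs in transport mode; type defaults to tunnel when unset.
    s_type, c_type = server.get("type", "tunnel"), client.get("type", "tunnel")
    if s_type != c_type:
        out.append(("error", "type mismatch: server %s vs client %s" % (s_type, c_type)))
    # Traffic selectors are mirrored: server left <-> client right.
    for s_key, c_key in (("leftprotoport", "rightprotoport"), ("rightprotoport", "leftprotoport")):
        s_pp, c_pp = normalize_protoport(server.get(s_key)), normalize_protoport(client.get(c_key))
        if s_pp != c_pp and "any" in s_pp:
            out.append(("warn", "%s is a wildcard (%s); client proposes %s, pin it" % (s_key, "/".join(s_pp), "/".join(c_pp))))
        elif s_pp != c_pp:
            out.append(("error", "%s %s does not match client %s %s" % (s_key, "/".join(s_pp), c_key, "/".join(c_pp))))
    # IKE/ESP proposals must share an entry; unset means strongSwan defaults.
    for key in ("ike", "esp"):
        if key not in server:
            out.append(("warn", "%s not set on server, relies on defaults; set it to match the client" % key))
        elif not proposals(server[key]) & proposals(client.get(key)):
            out.append(("error", "no common %s proposal: server %s vs client %s" % (key, server[key], client.get(key))))
    # The client validates the server's chain against rightca; without an
    # explicit leftca on the server this can only be verified at runtime.
    if "rightca" in client and server.get("leftca") != client["rightca"]:
        out.append(("error" if "leftca" in server else "warn",
                    "client trusts CA '%s' but server leftca is %r" % (client["rightca"], server.get("leftca"))))
    return out

def run() -> List[Tuple[str, str]]:
    # An empty list means the two conns agree on every setting inspected.
    findings = check_compat(parse_conns(SERVER_CONF)["chromiumos"],
                            parse_conns(CLIENT_CONF)["chromeos"])
    for level, message in findings:
        print(level.upper(), message)
    return findings

if __name__ == "__main__":
    run()
```

Run against the suggested server conn the script reports nothing; run against the earlier "conn chromebook" (no type, rightprotoport=udp/%any, no ike/esp, no leftca) it reports the tunnel/transport mismatch as an error and the wildcard port, default proposals and missing leftca as warnings, which is a useful first pass before reading charon's logs. The CA check is deliberately conservative: a server that sets only leftcert may well present a chain ending in the right root, and that can only be confirmed from the issuer certificates charon actually sends, as in the "sending issuer cert" lines above.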