[strongSwan] IPSEC/l2TP Chrome OS
Ilan Caspi
ilan.caspi at gmail.com
Wed Feb 11 19:47:48 CET 2015
Thanks Noel but still no joy, I'm pretty sure that the rest of the l2tp is
fine because it works with a shred secret but the certificates for some
reason are still off the current ipsec.conf looks like this
keyexchange=ikev1
authby=rsasig
rekey=yes
keyingtries=2
leftsubnet=0.0.0.0/0
leftca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
leftcert=server.pem
leftprotoport="17/1701"
right=%any
rightid=%any
rightprotoport="17/1701"
type="transport"
auto=add
The connection fails with this message:
IKE_SA chromebook[1] state change: CONNECTING => ESTABLISHED
09[IKE] scheduling reauthentication in 13531s
09[IKE] maximum IKE_SA lifetime 14071s
09[IKE] sending end entity cert "CN=
do-c6176704.san-francisco-1.pertinoipsec.dev.pertino.com, OU=DEV, O=
pertino.com, C=US"
09[IKE] sending issuer cert "CN=Pertino Dev Issuing CA G1, O=Pertino, C=US"
09[IKE] sending issuer cert "CN=Pertino Dev Intermediate CA G1, O=Pertino,
C=US"
09[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
09[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
(2092 bytes)
03[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
02[NET] waiting for data on sockets
11[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
(68 bytes)
11[ENC] invalid HASH_V1 payload length, decryption failed?
11[ENC] could not decrypt payloads
11[IKE] message parsing failed
11[IKE] ignore malformed INFORMATIONAL request
11[IKE] INFORMATIONAL_V1 request with message ID 2808853053 processing
failed
02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
02[NET] waiting for data on sockets
12[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
(1092 bytes)
12[IKE] received retransmit of request with ID 0, retransmitting response
12[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
(2092 bytes)
03[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
02[NET] waiting for data on sockets
13[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
(68 bytes)
13[ENC] invalid HASH_V1 payload length, decryption failed?
13[ENC] could not decrypt payloads
13[IKE] message parsing failed
13[IKE] ignore malformed INFORMATIONAL request
On Wed Feb 11 2015 at 10:29:31 AM Noel Kuntze <noel at familie-kuntze.de>
wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Ilan,
>
> You are looking at a L2TP/IPsec configuration with certificate
> authentication and transport mode.
> The following config will be compatible:
>
> conn chromiumos
> ike="3des-sha1-modp1024"
> esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
> keyexchange="ikev1"
> rekey=yes
> left="%defaultroute"
> leftprotoport="17/1701"
> rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
> leftca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
> rightid="%any"
> right=%any
> rightprotoport="17/1701"
> type="transport"
> auto="add"
>
> You will need to adjust the leftca section or define the certificate
> manually using leftcert.
> You also need to run an l2tp daemon, like xl2tpd, as traffic will be
> tunneled using l2tp.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 11.02.2015 um 18:49 schrieb Ilan Caspi:
> > Maybe this will shed some light on the subject. The chrombook is using
> the following configuration:
> >
> > ipsec.conf
> >
> > ike="3des-sha1-modp1024"
> >
> > esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
> >
> > keyexchange="ikev1"
> >
> > rekey=yes
> >
> > left="%defaultroute"
> >
> > leftcert="%smartcard1 at crypto_module:
> 719D7F5687E27E8DAD5E37FD84CFFA1027B29878"
> >
> > leftprotoport="17/1701"
> >
> > leftupdown="/usr/libexec/l2tpipsec_vpn/pluto_updown"
> >
> > right="162.243.137.92"
> >
> > rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
> >
> > rightid="%any"
> >
> > rightprotoport="17/1701"
> >
> > type="transport"
> >
> > auto="start"
> >
> > strongswan.conf
> >
> > libstrongswan {
> >
> > plugins {
> >
> > pkcs11 {
> >
> > modules {
> >
> > crypto_module {
> >
> > path = /usr/lib/libchaps.so
> >
> > }
> >
> > }
> >
> > }
> >
> > }
> >
> > }
> >
> > charon {
> >
> > accept_unencrypted_mainmode_messages = yes
> >
> > ignore_routing_tables = 0
> >
> > install_routes = no
> >
> > routing_table = 0
> >
> > }
> >
> >
> > ipsec.secrets
> >
> > 10.0.1.135 162.243.137.92 : PIN %smartcard1 at crypto_module:
> 719D7F5687E27E8DAD5E37FD84CFFA1027B29878 "111111"
> >
> > I'm trying to dig into the chromium code and understand if this the only
> config chromeos will generate but assuming that is the case how can I set
> the strongswan server to answer that client config?
> >
> > Thanks again for all the help
> >
> > Ilan
> >
> >
> > On Thu Feb 05 2015 at 3:32:52 PM Ilan Caspi <ilan.caspi at gmail.com
> <mailto:ilan.caspi at gmail.com>> wrote:
> >
> > Hi Noel,
> >
> > Unfortunately that wasn't the ticket
> >
> > 14[CFG] candidate "chromebook", match: 1/19/28 (me/other/ike)
> >
> > 14[IKE] no peer config found
> >
> > 14[IKE] queueing INFORMATIONAL task
> >
> > 14[IKE] activating new tasks
> >
> > 14[IKE] activating INFORMATIONAL task
> >
> > 14[ENC] generating INFORMATIONAL_V1 request 1417043180 [ HASH
> N(AUTH_FAILED) ]
> >
> >
> > ipsec,conf
> >
> > conn chromebook
> >
> > keyexchange=ikev1
> >
> > authby=rsasig
> >
> > rekey=no
> >
> > keyingtries=2
> >
> > left=%defaultroute
> >
> > leftsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> >
> > leftprotoport=udp/l2tp
> >
> > leftcert=server.pem
> >
> > right=%any
> >
> > rightprotoport=udp/%any
> >
> > rightrsasigkey=%cert
> >
> > rightid="CN=*, OU=1957, O=mydomain.com <http://mydomain.com>,
> C=US"
> >
> > auto=add
> >
> > aggressive=yes
> >
> >
> > On Thu Feb 05 2015 at 1:27:22 PM Noel Kuntze <noel at familie-kuntze.de
> <mailto:noel at familie-kuntze.de>> wrote:
> >
> >
> > Hello Ilan,
> >
> > That could be the client trying to use agressive mode.
> > Enable it in the conn section and see if it works with it.
> >
> > Mit freundlichen Grüßen/Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > Am 05.02.2015 um 19:17 schrieb Ilan Caspi:
> > > Hi,
> >
> > > I'm trying to connect a chromebook to Linux strongSwan
> U5.1.2/K3.13.0-43-generic with not much luck.
> >
> > > Using a secret the connection is just fine but when moving the
> authentication using a CA things are going wrong. The certs should be ok
> because they work with a different connection
> >
> > > From reading the logs the authentication is going well but things are
> starting to go wrong here:
> >
> > > 15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
> >
> > > 15[NET] sending packet: from 162.243.137.92[4500] to
> 50.204.245.210[4500] (2092 bytes)
> >
> > > 04[NET] sending packet: from 162.243.137.92[4500] to
> 50.204.245.210[4500]
> >
> > > 03[NET] received packet: from 50.204.245.210[4500] to
> 162.243.137.92[4500]
> >
> > > 03[NET] waiting for data on sockets
> >
> > > 06[NET] received packet: from 50.204.245.210[4500] to
> 162.243.137.92[4500] (68 bytes)
> >
> > > 06[ENC] invalid HASH_V1 payload length, decryption failed?
> >
> > > 06[ENC] could not decrypt payloads
> >
> > > 06[IKE] message parsing failed
> >
> > > 06[IKE] ignore malformed INFORMATIONAL request
> >
> > > ipsec.conf
> >
> > > config setup
> >
> > > charondebug="cfg 2, dmn 2, ike 2, net 2"
> >
> > > uniqueids=never
> >
> > > conn %default
> >
> > > authby=rsasig
> >
> > > leftrsasigkey=%cert
> >
> > > rightrsasigkey=%cert
> >
> > > keyingtries=1
> >
> > > keylife=60m
> >
> > > ikelifetime=240m
> >
> > > rightdns=8.8.8.8
> >
> >
> > > conn ios
> >
> > > keyexchange=ikev1
> >
> > > xauth=server
> >
> > > left=%defaultroute
> >
> > > leftsubnet=0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0>
> >
> > > leftcert=server.pem
> >
> > > right=%any
> >
> > > rightid="CN=*, OU=1957, O=secretdomain.com <
> http://secretdomain.com> <http://pertino.com>, C=US"
> >
> > > rightsourceip=172.27.0.0/16 <http://172.27.0.0/16> <
> http://172.27.0.0/16>
> >
> > > rightsubnet=172.27.0.0/16 <http://172.27.0.0/16> <
> http://172.27.0.0/16>
> >
> > > rightauth2=xauth-noauth
> >
> > > ike=aes128-sha1-modp2048,3des-sha1-modp1536
> >
> > > esp=aes128-sha1-modp2048,3des-sha1-modp1536
> >
> > > rekey=no
> >
> > > reauth=no
> >
> > > dpddelay=10
> >
> > > dpdtimeout=30
> >
> > > dpdaction=clear
> >
> > > auto=add
> >
> > > fragmentation=yes
> >
> >
> >
> > > conn chromebook
> >
> > > keyexchange=ikev1
> >
> > > authby=rsasig
> >
> > > rekey=no
> >
> > > keyingtries=2
> >
> > > left=%defaultroute
> >
> > > leftsubnet=0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0>
> >
> > > leftprotoport=udp/l2tp
> >
> > > leftcert=server.pem
> >
> > > right=%any
> >
> > > rightprotoport=udp/%any
> >
> > > rightrsasigkey=%cert
> >
> > > rightid="CN=*, OU=1957, O= secretdomain.com <
> http://secretdomain.com> <http://pertino.com>, C=US"
> >
> > > auto=add
> >
> > > ipsec.secrets
> >
> > > : RSA /etc/ipsec.d/private/newserverkey.pem
> >
> >
> >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> > > https://lists.strongswan.org/mailman/listinfo/users <
> https://lists.strongswan.org/mailman/listinfo/users>
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> > https://lists.strongswan.org/mailman/listinfo/users <
> https://lists.strongswan.org/mailman/listinfo/users>
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJU25+DAAoJEDg5KY9j7GZY42YP+wVonlB3zuNYLZ3X4w9AQ+Eg
> UAh6xcvMYQC35lqJ+zpAXboP/TdRuSSDY2ldxq/xep/MuOijEvkKUeidJoO7y+oN
> u9ZYQ9hh9XvpkdLZUp+h55bUjMjZfRwDGoB6HUyfO787HDJ4htpKMxSEUu+EhvkF
> vGl0yj/4D5XkljdN+xq559RbP4Rd3RhynaRC/o5gEgD295vH8v0JpBYcXf9hDE9d
> j3/mNYgsAmWDMUEmSUsUYup4i233DFdAQL2xPsW37GJtJ9wPbfeyxponKT3XpU0F
> a88LIUHvxMk7+sZAovj1aRwOQt9LkQFULZ5YIq0JEkoVT+mcDK/i3pI/Ilr4Vrsi
> 9cStKIdvEiowsG7w60nLYgINvtw00pg1HBVwuWh1wdCeO5G2eRGruZYmQ5IMUQS5
> ZyHorULoRJi7K5lH842skik7I9w+P8mUEI1GSznubyM8xOV0oD8QZxnBNWxf+6HH
> BfNmOIC8lluQElRpGfmTEm8yVMVrAEWIT22G0IL0Y8vJsDKoODYSTUtNZFNn7tVE
> mUPxiqzf9z0tm8IJtSzHa7wQtLtNBuMzVMX/uHOLnjsrsm8FCh+ZULyxPSUNmiaA
> e5sPtGBaM5ENnKKcAagQC0F2SizclvcfIP0jJx88wFjeyVMCZrjc8nCK8Lm3Vz9r
> Tl4yNZzKysGnZqj5SwjK
> =IEwR
> -----END PGP SIGNATURE-----
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150211/716b754b/attachment-0001.html>
More information about the Users
mailing list