[strongSwan] IPSEC/l2TP Chrome OS
Noel Kuntze
noel at familie-kuntze.de
Wed Feb 11 21:32:45 CET 2015
Hello Ilan,
Then I don't know what it could be. Maybe strongSwan uses a defective cert?
That might be worth checking.
Kind regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 11.02.2015 at 19:47, Ilan Caspi wrote:
> Thanks Noel, but still no joy. I'm pretty sure that the rest of the L2TP setup is fine because it works with a shared secret, but the certificates for some reason are still off. The current ipsec.conf looks like this:
>
>     keyexchange=ikev1
>     authby=rsasig
>     rekey=yes
>     keyingtries=2
>     leftsubnet=0.0.0.0/0
>     leftca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
>     leftcert=server.pem
>     leftprotoport="17/1701"
>     right=%any
>     rightid=%any
>     rightprotoport="17/1701"
>     type="transport"
>     auto=add
>
> The connection fails with this message:
>
> IKE_SA chromebook[1] state change: CONNECTING => ESTABLISHED
> 09[IKE] scheduling reauthentication in 13531s
> 09[IKE] maximum IKE_SA lifetime 14071s
> 09[IKE] sending end entity cert "CN=do-c6176704.san-francisco-1.pertinoipsec.dev.pertino.com, OU=DEV, O=pertino.com, C=US"
> 09[IKE] sending issuer cert "CN=Pertino Dev Issuing CA G1, O=Pertino, C=US"
> 09[IKE] sending issuer cert "CN=Pertino Dev Intermediate CA G1, O=Pertino, C=US"
> 09[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
> 09[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
> 03[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
> 02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
> 02[NET] waiting for data on sockets
> 11[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
> 11[ENC] invalid HASH_V1 payload length, decryption failed?
> 11[ENC] could not decrypt payloads
> 11[IKE] message parsing failed
> 11[IKE] ignore malformed INFORMATIONAL request
> 11[IKE] INFORMATIONAL_V1 request with message ID 2808853053 processing failed
> 02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
> 02[NET] waiting for data on sockets
> 12[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (1092 bytes)
> 12[IKE] received retransmit of request with ID 0, retransmitting response
> 12[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
> 03[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
> 02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
> 02[NET] waiting for data on sockets
> 13[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
> 13[ENC] invalid HASH_V1 payload length, decryption failed?
> 13[ENC] could not decrypt payloads
> 13[IKE] message parsing failed
> 13[IKE] ignore malformed INFORMATIONAL request
>
> On Wed Feb 11 2015 at 10:29:31 AM Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Ilan,
>
> You are looking at an L2TP/IPsec configuration with certificate authentication and transport mode.
> The following config will be compatible:
>
>     conn chromiumos
>         ike="3des-sha1-modp1024"
>         esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
>         keyexchange="ikev1"
>         rekey=yes
>         left="%defaultroute"
>         leftprotoport="17/1701"
>         rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
>         leftca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
>         rightid="%any"
>         right=%any
>         rightprotoport="17/1701"
>         type="transport"
>         auto="add"
>
> You will need to adjust the leftca section or define the certificate manually using leftcert.
> You also need to run an l2tp daemon, like xl2tpd, as traffic will be tunneled using l2tp.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 11.02.2015 at 18:49, Ilan Caspi wrote:
> > Maybe this will shed some light on the subject. The Chromebook is using the following configuration:
> >
> > ipsec.conf
> >
> >     ike="3des-sha1-modp1024"
> >     esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
> >     keyexchange="ikev1"
> >     rekey=yes
> >     left="%defaultroute"
> >     leftcert="%smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878"
> >     leftprotoport="17/1701"
> >     leftupdown="/usr/libexec/l2tpipsec_vpn/pluto_updown"
> >     right="162.243.137.92"
> >     rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
> >     rightid="%any"
> >     rightprotoport="17/1701"
> >     type="transport"
> >     auto="start"
> >
> > strongswan.conf
> >
> >     libstrongswan {
> >         plugins {
> >             pkcs11 {
> >                 modules {
> >                     crypto_module {
> >                         path = /usr/lib/libchaps.so
> >                     }
> >                 }
> >             }
> >         }
> >     }
> >
> >     charon {
> >         accept_unencrypted_mainmode_messages = yes
> >         ignore_routing_tables = 0
> >         install_routes = no
> >         routing_table = 0
> >     }
> >
> > ipsec.secrets
> >
> >     10.0.1.135 162.243.137.92 : PIN %smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878 "111111"
> >
> > I'm trying to dig into the Chromium code and understand if this is the only config Chrome OS will generate, but assuming that is the case, how can I set the strongSwan server to answer that client config?
> >
> > Thanks again for all the help
> >
> > Ilan
>
>
> > On Thu Feb 05 2015 at 3:32:52 PM Ilan Caspi <ilan.caspi at gmail.com> wrote:
> >
> > Hi Noel,
> >
> > Unfortunately that wasn't the ticket.
> >
> > 14[CFG] candidate "chromebook", match: 1/19/28 (me/other/ike)
> > 14[IKE] no peer config found
> > 14[IKE] queueing INFORMATIONAL task
> > 14[IKE] activating new tasks
> > 14[IKE] activating INFORMATIONAL task
> > 14[ENC] generating INFORMATIONAL_V1 request 1417043180 [ HASH N(AUTH_FAILED) ]
> >
> > ipsec.conf
> >
> >     conn chromebook
> >         keyexchange=ikev1
> >         authby=rsasig
> >         rekey=no
> >         keyingtries=2
> >         left=%defaultroute
> >         leftsubnet=0.0.0.0/0
> >         leftprotoport=udp/l2tp
> >         leftcert=server.pem
> >         right=%any
> >         rightprotoport=udp/%any
> >         rightrsasigkey=%cert
> >         rightid="CN=*, OU=1957, O=mydomain.com, C=US"
> >         auto=add
> >         aggressive=yes
>
> > On Thu Feb 05 2015 at 1:27:22 PM Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> > Hello Ilan,
> >
> > That could be the client trying to use aggressive mode.
> > Enable it in the conn section and see if it works with it.
> >
> > Kind regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> > On 05.02.2015 at 19:17, Ilan Caspi wrote:
> > > Hi,
> > >
> > > I'm trying to connect a Chromebook to Linux strongSwan U5.1.2/K3.13.0-43-generic with not much luck.
> > >
> > > Using a secret the connection is just fine, but when moving the authentication to a CA things are going wrong. The certs should be OK because they work with a different connection.
> > >
> > > From reading the logs the authentication is going well, but things are starting to go wrong here:
> > >
> > > 15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
> > > 15[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
> > > 04[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
> > > 03[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
> > > 03[NET] waiting for data on sockets
> > > 06[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
> > > 06[ENC] invalid HASH_V1 payload length, decryption failed?
> > > 06[ENC] could not decrypt payloads
> > > 06[IKE] message parsing failed
> > > 06[IKE] ignore malformed INFORMATIONAL request
> > >
> > > ipsec.conf
> > >
> > >     config setup
> > >         charondebug="cfg 2, dmn 2, ike 2, net 2"
> > >         uniqueids=never
> > >
> > >     conn %default
> > >         authby=rsasig
> > >         leftrsasigkey=%cert
> > >         rightrsasigkey=%cert
> > >         keyingtries=1
> > >         keylife=60m
> > >         ikelifetime=240m
> > >         rightdns=8.8.8.8
> > >
> > >     conn ios
> > >         keyexchange=ikev1
> > >         xauth=server
> > >         left=%defaultroute
> > >         leftsubnet=0.0.0.0/0
> > >         leftcert=server.pem
> > >         right=%any
> > >         rightid="CN=*, OU=1957, O=secretdomain.com, C=US"
> > >         rightsourceip=172.27.0.0/16
> > >         rightsubnet=172.27.0.0/16
> > >         rightauth2=xauth-noauth
> > >         ike=aes128-sha1-modp2048,3des-sha1-modp1536
> > >         esp=aes128-sha1-modp2048,3des-sha1-modp1536
> > >         rekey=no
> > >         reauth=no
> > >         dpddelay=10
> > >         dpdtimeout=30
> > >         dpdaction=clear
> > >         auto=add
> > >         fragmentation=yes
> > >
> > >     conn chromebook
> > >         keyexchange=ikev1
> > >         authby=rsasig
> > >         rekey=no
> > >         keyingtries=2
> > >         left=%defaultroute
> > >         leftsubnet=0.0.0.0/0
> > >         leftprotoport=udp/l2tp
> > >         leftcert=server.pem
> > >         right=%any
> > >         rightprotoport=udp/%any
> > >         rightrsasigkey=%cert
> > >         rightid="CN=*, OU=1957, O=secretdomain.com, C=US"
> > >         auto=add
> > >
> > > ipsec.secrets
> > >
> > >     : RSA /etc/ipsec.d/private/newserverkey.pem
>
>
>
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org
> > > https://lists.strongswan.org/mailman/listinfo/users
>
>
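Noel's advice in the thread comes down to mirroring the Chromebook's conn on the server: each side's left is the other's right, the client's rightca is the server's leftca, both protoports are 17/1701, transport mode, IKEv1, and a proposal the client offers. The script below is an added example, not code from the thread or from strongSwan: it parses two constructed conn blocks modelled on the ones quoted above and lists every mismatch; the protocol/port name table it uses is an assumption of the example.

```python
# Constructed samples modelled on the thread's conn blocks, reduced to what this check reads.
CLIENT_CONF = """
conn chromeos
    ike="3des-sha1-modp1024"
    keyexchange="ikev1"
    leftprotoport="17/1701"
    rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
    rightprotoport="17/1701"
    type="transport"
"""
SERVER_CONF = """
conn chromebook
    ike=3des-sha1-modp1024,aes128-sha1-modp2048
    keyexchange=ikev1
    leftca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
    leftprotoport=udp/l2tp
    rightprotoport=udp/l2tp
    type=transport
"""
# Assumed name-to-number table (only the entries a protoport may use here).
NAMES = {"udp": "17", "tcp": "6", "l2tp": "1701"}

def parse_conn(text):
    """Parse one ipsec.conf conn block into a dict, stripping value quotes."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("conn ", "#")):
            key, _, val = line.partition("=")
            opts[key.strip()] = val.strip().strip('"')
    return opts

def protoport(value):
    """Normalise 'udp/l2tp' and '17/1701' to the same numeric form."""
    proto, _, port = (value or "").partition("/")
    return NAMES.get(proto, proto) + "/" + NAMES.get(port, port)

def mismatches(client, server):
    """List the ways the server conn fails to mirror the client conn."""
    bad = [f"{k}: client {client.get(k)} != server {server.get(k)}"
           for k in ("keyexchange", "type") if client.get(k) != server.get(k)]
    # Each side's 'left' is the other's 'right', so protoports must cross-match.
    for c, s in (("leftprotoport", "rightprotoport"), ("rightprotoport", "leftprotoport")):
        if protoport(client.get(c)) != protoport(server.get(s)):
            bad.append(f"client {c} != server {s}")
    if client.get("rightca") and client.get("rightca") != server.get("leftca"):
        bad.append("client rightca != server leftca")  # CA the client pins
    for k in ("ike", "esp"):  # only compared when both sides pin proposals
        if client.get(k) and server.get(k) and \
                not set(client[k].split(",")) & set(server[k].split(",")):
            bad.append(f"no common {k} proposal")
    return bad
```

With the two sample blocks the list is empty; swapping the server's rightprotoport for udp/%any, as in Ilan's earlier conn, or dropping leftca makes the corresponding line appear.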