[strongSwan] IPSEC/l2TP Chrome OS

Noel Kuntze noel at familie-kuntze.de
Wed Feb 11 21:32:45 CET 2015


Hello Ilan,

Then I don't know what it could be. Maybe strongSwan uses a defective cert?
That might be worth checking.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 11.02.2015 at 19:47, Ilan Caspi wrote:
> Thanks Noel, but still no joy. I'm pretty sure that the rest of the L2TP is fine because it works with a shared secret, but the certificates for some reason are still off. The current ipsec.conf looks like this:
>
>     keyexchange=ikev1
>     authby=rsasig
>     rekey=yes
>     keyingtries=2
>     leftsubnet=0.0.0.0/0
>     leftca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
>     leftcert=server.pem
>     leftprotoport="17/1701"
>     right=%any
>     rightid=%any
>     rightprotoport="17/1701"
>     type="transport"
>     auto=add
>
> The connection fails with this message:
>
> IKE_SA chromebook[1] state change: CONNECTING => ESTABLISHED
> 09[IKE] scheduling reauthentication in 13531s
> 09[IKE] maximum IKE_SA lifetime 14071s
> 09[IKE] sending end entity cert "CN=do-c6176704.san-francisco-1.pertinoipsec.dev.pertino.com, OU=DEV, O=pertino.com, C=US"
> 09[IKE] sending issuer cert "CN=Pertino Dev Issuing CA G1, O=Pertino, C=US"
> 09[IKE] sending issuer cert "CN=Pertino Dev Intermediate CA G1, O=Pertino, C=US"
> 09[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
> 09[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
> 03[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
> 02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
> 02[NET] waiting for data on sockets
> 11[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
> 11[ENC] invalid HASH_V1 payload length, decryption failed?
> 11[ENC] could not decrypt payloads
> 11[IKE] message parsing failed
> 11[IKE] ignore malformed INFORMATIONAL request
> 11[IKE] INFORMATIONAL_V1 request with message ID 2808853053 processing failed
> 02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
> 02[NET] waiting for data on sockets
> 12[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (1092 bytes)
> 12[IKE] received retransmit of request with ID 0, retransmitting response
> 12[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
> 03[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
> 02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
> 02[NET] waiting for data on sockets
> 13[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
> 13[ENC] invalid HASH_V1 payload length, decryption failed?
> 13[ENC] could not decrypt payloads
> 13[IKE] message parsing failed
> 13[IKE] ignore malformed INFORMATIONAL request
>
> On Wed Feb 11 2015 at 10:29:31 AM Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Ilan,
>
> You are looking at an L2TP/IPsec configuration with certificate authentication and transport mode.
> The following config will be compatible:
>
> conn chromiumos
>         ike="3des-sha1-modp1024"
>         esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
>         keyexchange="ikev1"
>         rekey=yes
>         left="%defaultroute"
>         leftprotoport="17/1701"
>         rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
>         leftca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
>         rightid="%any"
>         right=%any
>         rightprotoport="17/1701"
>         type="transport"
>         auto="add"
>
> You will need to adjust the leftca section or define the certificate manually using leftcert.
> You also need to run an l2tp daemon, like xl2tpd, as traffic will be tunneled using l2tp.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 11.02.2015 at 18:49, Ilan Caspi wrote:
> > Maybe this will shed some light on the subject. The Chromebook is using the following configuration:
> >
> > ipsec.conf
> >
> >         ike="3des-sha1-modp1024"
> >         esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
> >         keyexchange="ikev1"
> >         rekey=yes
> >         left="%defaultroute"
> >         leftcert="%smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878"
> >         leftprotoport="17/1701"
> >         leftupdown="/usr/libexec/l2tpipsec_vpn/pluto_updown"
> >         right="162.243.137.92"
> >         rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
> >         rightid="%any"
> >         rightprotoport="17/1701"
> >         type="transport"
> >         auto="start"
> >
> > strongswan.conf
> >
> > libstrongswan {
> >   plugins {
> >     pkcs11 {
> >       modules {
> >         crypto_module {
> >           path = /usr/lib/libchaps.so
> >         }
> >       }
> >     }
> >   }
> > }
> >
> > charon {
> >   accept_unencrypted_mainmode_messages = yes
> >   ignore_routing_tables = 0
> >   install_routes = no
> >   routing_table = 0
> > }
> >
> > ipsec.secrets
> >
> > 10.0.1.135 162.243.137.92 : PIN %smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878 "111111"
> >
> > I'm trying to dig into the Chromium code and understand if this is the only config Chrome OS will generate, but assuming that is the case, how can I set the strongSwan server to answer that client config?
> >
> > Thanks again for all the help
> >
> > Ilan
>
>
> > On Thu Feb 05 2015 at 3:32:52 PM Ilan Caspi <ilan.caspi at gmail.com> wrote:
> >
> >     Hi Noel,
> >
> >     Unfortunately that wasn't the ticket
> >
> >     14[CFG]   candidate "chromebook", match: 1/19/28 (me/other/ike)
> >     14[IKE] no peer config found
> >     14[IKE] queueing INFORMATIONAL task
> >     14[IKE] activating new tasks
> >     14[IKE]   activating INFORMATIONAL task
> >     14[ENC] generating INFORMATIONAL_V1 request 1417043180 [ HASH N(AUTH_FAILED) ]
> >
> >     ipsec.conf
> >
> >     conn chromebook
> >         keyexchange=ikev1
> >         authby=rsasig
> >         rekey=no
> >         keyingtries=2
> >         left=%defaultroute
> >         leftsubnet=0.0.0.0/0
> >         leftprotoport=udp/l2tp
> >         leftcert=server.pem
> >         right=%any
> >         rightprotoport=udp/%any
> >         rightrsasigkey=%cert
> >         rightid="CN=*, OU=1957, O=mydomain.com, C=US"
> >         auto=add
> >         aggressive=yes
>
> >     On Thu Feb 05 2015 at 1:27:22 PM Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> > Hello Ilan,
>
> > That could be the client trying to use aggressive mode.
> > Enable it in the conn section and see if it works with it.
>
> > Mit freundlichen Grüßen/Regards,
> > Noel Kuntze
>
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> > On 05.02.2015 at 19:17, Ilan Caspi wrote:
> > > Hi,
>
> > > I'm trying to connect a Chromebook to Linux strongSwan U5.1.2/K3.13.0-43-generic with not much luck.
> > >
> > > Using a secret the connection is just fine, but when moving the authentication to a CA things go wrong. The certs should be OK because they work with a different connection.
> > >
> > > From reading the logs the authentication is going well, but things start to go wrong here:
> > >
> > > 15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
> > > 15[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
> > > 04[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
> > > 03[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
> > > 03[NET] waiting for data on sockets
> > > 06[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
> > > 06[ENC] invalid HASH_V1 payload length, decryption failed?
> > > 06[ENC] could not decrypt payloads
> > > 06[IKE] message parsing failed
> > > 06[IKE] ignore malformed INFORMATIONAL request
> > >
> > > ipsec.conf
> > >
> > > config setup
> > >     charondebug="cfg 2, dmn 2, ike 2, net 2"
> > >     uniqueids=never
> > >
> > > conn %default
> > >     authby=rsasig
> > >     leftrsasigkey=%cert
> > >     rightrsasigkey=%cert
> > >     keyingtries=1
> > >     keylife=60m
> > >     ikelifetime=240m
> > >     rightdns=8.8.8.8
> > >
> > > conn ios
> > >     keyexchange=ikev1
> > >     xauth=server
> > >     left=%defaultroute
> > >     leftsubnet=0.0.0.0/0
> > >     leftcert=server.pem
> > >     right=%any
> > >     rightid="CN=*, OU=1957, O=secretdomain.com, C=US"
> > >     rightsourceip=172.27.0.0/16
> > >     rightsubnet=172.27.0.0/16
> > >     rightauth2=xauth-noauth
> > >     ike=aes128-sha1-modp2048,3des-sha1-modp1536
> > >     esp=aes128-sha1-modp2048,3des-sha1-modp1536
> > >     rekey=no
> > >     reauth=no
> > >     dpddelay=10
> > >     dpdtimeout=30
> > >     dpdaction=clear
> > >     auto=add
> > >     fragmentation=yes
> > >
> > > conn chromebook
> > >     keyexchange=ikev1
> > >     authby=rsasig
> > >     rekey=no
> > >     keyingtries=2
> > >     left=%defaultroute
> > >     leftsubnet=0.0.0.0/0
> > >     leftprotoport=udp/l2tp
> > >     leftcert=server.pem
> > >     right=%any
> > >     rightprotoport=udp/%any
> > >     rightrsasigkey=%cert
> > >     rightid="CN=*, OU=1957, O= secretdomain.com, C=US"
> > >     auto=add
> > >
> > > ipsec.secrets
> > >
> > > : RSA /etc/ipsec.d/private/newserverkey.pem
>
>
>
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org
> > > https://lists.strongswan.org/mailman/listinfo/users
>
>

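Noel's compatibility rules for the Chrome OS client (IKEv1, transport mode, L2TP on UDP 1701 selected on both ends, the client's single 3des-sha1-modp1024 IKE proposal, and a server certificate chaining to the CA the client names in rightca) can be checked against a server conn before testing live. The checker below is an added example, not code from the thread or from strongSwan; its small parser and rule set are my own, and values are compared textually, so udp/l2tp is not recognised as equal to 17/1701.

```python
# Added example (not from the thread or strongSwan); client values quoted in the thread:
CLIENT_CONF = """conn chromiumos
        ike="3des-sha1-modp1024"
        esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
        keyexchange="ikev1"
        leftprotoport="17/1701"
        rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
        rightprotoport="17/1701"
        type="transport"
"""

def parse_conns(text):
    """Minimal ipsec.conf parser: {conn_name: {key: value}}, optional quotes stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current][key] = value.strip('"')
    return conns

def proposals(value):
    return {p.strip() for p in value.split(",") if p.strip()}

def check_server_conn(server, client):
    """Return a list of mismatches; an empty list means the conn should match the client."""
    problems = []
    for key in ("keyexchange", "type"):          # IKEv1 and transport mode on both ends
        if server.get(key) != client.get(key):
            problems.append(f"{key}: server={server.get(key)!r}, client={client.get(key)!r}")
    # left/right are mirrored between peers, so compare crosswise (textual comparison only)
    if (server.get("leftprotoport"), server.get("rightprotoport")) != \
            (client.get("rightprotoport"), client.get("leftprotoport")):
        problems.append("protoports do not mirror the client's 17/1701 selectors")
    # The client's rightca is the CA our cert must chain to: leftca names it, or leftcert picks the cert
    if "leftcert" not in server and server.get("leftca") != client.get("rightca"):
        problems.append("no leftcert, and leftca differs from the client's rightca")
    # The client offers a single IKE proposal; the server's ike/esp lists must contain one of its
    for key in ("ike", "esp"):
        if key not in server:
            problems.append(f"{key}: not set, defaults apply; confirm they include {client[key]}")
        elif not proposals(server[key]) & proposals(client[key]):
            problems.append(f"{key}: nothing in common with the client's {client[key]}")
    return problems
```

Running it over the conn Ilan posted above reports only that ike and esp are unset, which is exactly what Noel's suggested conn pins down.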