[strongSwan] CentOS 7.1 yum install strongswan [IOS8]

jinquan deng jiobxn at gmail.com
Tue Jul 21 05:08:57 CEST 2015


Hi,

IOS8 VPN Connection: Could not validate the server certificate.

Windows connected properly.


####################-------------------Error Messages----------------------#######################


LOG

Jul 21 10:07:28 localhost charon: 04[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Jul 21 10:07:28 localhost charon: 04[CFG] looking for an ike config for 112.91.xx.209...112.96.173.55
Jul 21 10:07:28 localhost charon: 04[CFG]   candidate: %any...%any, prio 28
Jul 21 10:07:28 localhost charon: 04[CFG]   candidate: %any...%any, prio 28
Jul 21 10:07:28 localhost charon: 04[CFG] found matching ike config: %any...%any with prio 28
Jul 21 10:07:28 localhost charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received XAuth vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received Cisco Unity vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received FRAGMENTATION vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received DPD vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] 112.96.173.55 is initiating a Main Mode IKE_SA
Jul 21 10:07:28 localhost charon: 04[IKE] IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   proposal matches
Jul 21 10:07:28 localhost charon: 04[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Jul 21 10:07:28 localhost charon: 04[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jul 21 10:07:28 localhost charon: 04[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Jul 21 10:07:28 localhost charon: 04[IKE] sending XAuth vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] sending DPD vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] sending FRAGMENTATION vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
Jul 21 10:07:28 localhost charon: 04[ENC] generating ID_PROT response 0 [ SA V V V V ]
Jul 21 10:07:28 localhost strongswan: 07[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jul 21 10:07:28 localhost strongswan: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Jul 21 10:07:28 localhost strongswan: 07[IKE] sending XAuth vendor ID
Jul 21 10:07:28 localhost strongswan: 07[IKE] sending DPD vendor ID
Jul 21 10:07:28 localhost strongswan: 07[IKE] sending FRAGMENTATION vendor ID
Jul 21 10:07:28 localhost strongswan: 07[IKE] sending NAT-T (RFC 3947) vendor ID
Jul 21 10:07:28 localhost strongswan: 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
Jul 21 10:07:28 localhost strongswan: 01[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 21 10:07:28 localhost strongswan: 01[IKE] remote host is behind NAT
Jul 21 10:07:28 localhost strongswan: 01[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Jul 21 10:07:28 localhost strongswan: 01[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Jul 21 10:07:28 localhost strongswan: 03[ENC] parsed ID_PROT request 0 [ FRAG ]
Jul 21 10:07:28 localhost strongswan: 03[IKE] received fragment #1, waiting for complete IKE message
Jul 21 10:07:28 localhost strongswan: 11[ENC] parsed ID_PROT request 0 [ FRAG ]
Jul 21 10:07:28 localhost strongswan: 11[IKE] received fragment #2, reassembling fragmented IKE message
Jul 21 10:07:28 localhost strongswan: 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Jul 21 10:07:28 localhost strongswan: 11[IKE] ignoring certificate request without data
Jul 21 10:07:28 localhost strongswan: 11[IKE] received end entity cert "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:28 localhost strongswan: 11[CFG] looking for XAuthInitRSA peer configs matching 112.91.xx.209...112.96.173.55[C=CH, O=strongSwan, CN=112.91.xx.209]
Jul 21 10:07:28 localhost strongswan: 11[CFG]   candidate "CiscoIPSec", match: 1/1/28 (me/other/ike)
Jul 21 10:07:28 localhost strongswan: 11[CFG]   candidate "XauthPsk", match: 1/1/28 (me/other/ike)
Jul 21 10:07:28 localhost strongswan: 11[CFG] selected peer config "CiscoIPSec"
Jul 21 10:07:28 localhost strongswan: 11[CFG]   certificate "C=CH, O=strongSwan, CN=112.91.xx.209" key: 2048 bit RSA
Jul 21 10:07:28 localhost strongswan: 11[CFG]   using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
Jul 21 10:07:28 localhost strongswan: 11[CFG] checking certificate status of "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:28 localhost strongswan: 11[CFG] ocsp check skipped, no ocsp found
Jul 21 10:07:28 localhost strongswan: 11[CFG] certificate status is not available
Jul 21 10:07:28 localhost strongswan: 11[CFG]   certificate "C=CH, O=strongSwan, CN=strongSwan CA" key: 4096 bit RSA
Jul 21 10:07:28 localhost strongswan: 11[CFG]   reached self-signed root ca with a path length of 0
Jul 21 10:07:28 localhost strongswan: 11[CFG]   using trusted certificate "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:28 localhost strongswan: 11[IKE] signature validation failed, looking for another key
Jul 21 10:07:28 localhost strongswan: 11[CFG]   using certificate "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:28 localhost strongswan: 11[CFG]   certificate "C=CH, O=strongSwan, CN=112.91.xx.209" key: 2048 bit RSA
Jul 21 10:07:28 localhost strongswan: 11[CFG]   using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
Jul 21 10:07:28 localhost strongswan: 11[CFG] checking certificate status of "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:28 localhost strongswan: 11[CFG] ocsp check skipped, no ocsp found
Jul 21 10:07:28 localhost strongswan: 11[CFG] certificate status is not available
Jul 21 10:07:28 localhost strongswan: 11[CFG]   certificate "C=CH, O=strongSwan, CN=strongSwan CA" key: 4096 bit RSA
Jul 21 10:07:28 localhost strongswan: 11[CFG]   reached self-signed root ca with a path length of 0
Jul 21 10:07:28 localhost strongswan: 11[IKE] authentication of 'C=CH, O=strongSwan, CN=112.91.xx.209' with RSA successful
Jul 21 10:07:28 localhost strongswan: 11[IKE] authentication of 'C=CH, O=strongSwan, CN=112.91.xx.209' (myself) successful
Jul 21 10:07:28 localhost strongswan: 11[IKE] queueing XAUTH task
Jul 21 10:07:28 localhost strongswan: 11[IKE] sending end entity cert "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:28 localhost strongswan: 11[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Jul 21 10:07:28 localhost strongswan: 11[IKE] sending IKE message with length of 1468 bytes in 3 fragments
Jul 21 10:07:28 localhost strongswan: 11[ENC] generating ID_PROT response 0 [ FRAG ]
Jul 21 10:07:28 localhost strongswan: 11[ENC] generating ID_PROT response 0 [ FRAG ]
Jul 21 10:07:28 localhost strongswan: 11[ENC] generating ID_PROT response 0 [ FRAG ]
Jul 21 10:07:28 localhost strongswan: 11[IKE] activating new tasks
Jul 21 10:07:28 localhost strongswan: 11[IKE]   activating XAUTH task
Jul 21 10:07:28 localhost strongswan: 11[ENC] generating TRANSACTION request 2341071175 [ HASH CPRQ(X_USER X_PWD) ]
Jul 21 10:07:28 localhost strongswan: 16[ENC] invalid HASH_V1 payload length, decryption failed?
Jul 21 10:07:28 localhost strongswan: 16[ENC] could not decrypt payloads
Jul 21 10:07:28 localhost strongswan: 16[IKE] message parsing failed
Jul 21 10:07:28 localhost strongswan: 16[IKE] ignore malformed INFORMATIONAL request
Jul 21 10:07:28 localhost strongswan: 16[IKE] INFORMATIONAL_V1 request with message ID 1611570210 processing failed
Jul 21 10:07:28 localhost strongswan: 14[IKE] sending retransmit 1 of request message ID 2341071175, seq 1
Jul 21 10:07:28 localhost strongswan: 05[IKE] sending retransmit 2 of request message ID 2341071175, seq 1
Jul 21 10:07:28 localhost strongswan: 04[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Jul 21 10:07:28 localhost strongswan: 04[CFG] looking for an ike config for 112.91.xx.209...112.96.173.55
Jul 21 10:07:28 localhost strongswan: 04[CFG]   candidate: %any...%any, prio 28
Jul 21 10:07:28 localhost strongswan: 04[CFG]   candidate: %any...%any, prio 28
Jul 21 10:07:28 localhost strongswan: 04[CFG] found matching ike config: %any...%any with prio 28
Jul 21 10:07:28 localhost strongswan: 04[IKE] received NAT-T (RFC 3947) vendor ID
Jul 21 10:07:28 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jul 21 10:07:28 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jul 21 10:07:28 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jul 21 10:07:28 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jul 21 10:07:28 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jul 21 10:07:29 localhost charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 21 10:07:29 localhost charon: 09[IKE] remote host is behind NAT
Jul 21 10:07:29 localhost charon: 09[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Jul 21 10:07:29 localhost charon: 09[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Jul 21 10:07:29 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] received XAuth vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] received Cisco Unity vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] received FRAGMENTATION vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] received DPD vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] 112.96.173.55 is initiating a Main Mode IKE_SA
Jul 21 10:07:29 localhost strongswan: 04[IKE] IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG]   proposal matches
Jul 21 10:07:29 localhost strongswan: 04[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Jul 21 10:07:29 localhost strongswan: 04[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jul 21 10:07:29 localhost strongswan: 04[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Jul 21 10:07:29 localhost strongswan: 04[IKE] sending XAuth vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] sending DPD vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] sending FRAGMENTATION vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] sending NAT-T (RFC 3947) vendor ID
Jul 21 10:07:29 localhost strongswan: 04[ENC] generating ID_PROT response 0 [ SA V V V V ]
Jul 21 10:07:29 localhost strongswan: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 21 10:07:29 localhost strongswan: 09[IKE] remote host is behind NAT
Jul 21 10:07:29 localhost charon: 01[ENC] parsed ID_PROT request 0 [ FRAG ]
Jul 21 10:07:29 localhost charon: 01[IKE] received fragment #1, waiting for complete IKE message
Jul 21 10:07:29 localhost charon: 03[ENC] parsed ID_PROT request 0 [ FRAG ]
Jul 21 10:07:29 localhost charon: 03[IKE] received fragment #2, reassembling fragmented IKE message
Jul 21 10:07:29 localhost charon: 03[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Jul 21 10:07:29 localhost charon: 03[IKE] ignoring certificate request without data
Jul 21 10:07:29 localhost charon: 03[IKE] received end entity cert "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:29 localhost charon: 03[CFG] looking for XAuthInitRSA peer configs matching 112.91.xx.209...112.96.173.55[C=CH, O=strongSwan, CN=112.91.xx.209]
Jul 21 10:07:29 localhost charon: 03[CFG]   candidate "CiscoIPSec", match: 1/1/28 (me/other/ike)
Jul 21 10:07:29 localhost charon: 03[CFG]   candidate "XauthPsk", match: 1/1/28 (me/other/ike)
Jul 21 10:07:29 localhost charon: 03[CFG] selected peer config "CiscoIPSec"
Jul 21 10:07:29 localhost charon: 03[CFG]   certificate "C=CH, O=strongSwan, CN=112.91.xx.209" key: 2048 bit RSA
Jul 21 10:07:29 localhost charon: 03[CFG]   using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
Jul 21 10:07:29 localhost charon: 03[CFG] checking certificate status of "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:29 localhost charon: 03[CFG] ocsp check skipped, no ocsp found
Jul 21 10:07:29 localhost charon: 03[CFG] certificate status is not available
Jul 21 10:07:29 localhost charon: 03[CFG]   certificate "C=CH, O=strongSwan, CN=strongSwan CA" key: 4096 bit RSA
Jul 21 10:07:29 localhost charon: 03[CFG]   reached self-signed root ca with a path length of 0
Jul 21 10:07:29 localhost charon: 03[CFG]   using trusted certificate "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:29 localhost charon: 03[IKE] signature validation failed, looking for another key
Jul 21 10:07:29 localhost charon: 03[CFG]   using certificate "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:29 localhost charon: 03[CFG]   certificate "C=CH, O=strongSwan, CN=112.91.xx.209" key: 2048 bit RSA
Jul 21 10:07:29 localhost charon: 03[CFG]   using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
Jul 21 10:07:29 localhost charon: 03[CFG] checking certificate status of "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:29 localhost charon: 03[CFG] ocsp check skipped, no ocsp found
Jul 21 10:07:29 localhost charon: 03[CFG] certificate status is not available
Jul 21 10:07:29 localhost charon: 03[CFG]   certificate "C=CH, O=strongSwan, CN=strongSwan CA" key: 4096 bit RSA
Jul 21 10:07:29 localhost charon: 03[CFG]   reached self-signed root ca with a path length of 0
Jul 21 10:07:29 localhost charon: 03[IKE] authentication of 'C=CH, O=strongSwan, CN=112.91.xx.209' with RSA successful
Jul 21 10:07:29 localhost charon: 03[IKE] authentication of 'C=CH, O=strongSwan, CN=112.91.xx.209' (myself) successful
Jul 21 10:07:29 localhost charon: 03[IKE] queueing XAUTH task
Jul 21 10:07:29 localhost charon: 03[IKE] sending end entity cert "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:29 localhost charon: 03[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Jul 21 10:07:29 localhost charon: 03[IKE] sending IKE message with length of 1468 bytes in 3 fragments
Jul 21 10:07:29 localhost charon: 03[ENC] generating ID_PROT response 0 [ FRAG ]
Jul 21 10:07:29 localhost charon: 03[ENC] generating ID_PROT response 0 [ FRAG ]
Jul 21 10:07:29 localhost charon: 03[ENC] generating ID_PROT response 0 [ FRAG ]
Jul 21 10:07:29 localhost charon: 03[IKE] activating new tasks
Jul 21 10:07:29 localhost charon: 03[IKE]   activating XAUTH task
Jul 21 10:07:29 localhost charon: 03[ENC] generating TRANSACTION request 1278118635 [ HASH CPRQ(X_USER X_PWD) ]
Jul 21 10:07:29 localhost charon: 14[ENC] invalid HASH_V1 payload length, decryption failed?
Jul 21 10:07:29 localhost charon: 14[ENC] could not decrypt payloads
Jul 21 10:07:29 localhost charon: 14[IKE] message parsing failed
Jul 21 10:07:29 localhost charon: 14[IKE] ignore malformed INFORMATIONAL request
Jul 21 10:07:29 localhost charon: 14[IKE] INFORMATIONAL_V1 request with message ID 3171526170 processing failed



####################-------------------Configuration----------------------#####################

#INSTALL
yum -y install strongswan


#CA
cd /etc/strongswan/ipsec.d
strongswan pki --gen --type rsa --size 4096 --outform pem > ca-key.pem
chmod 600 ca-key.pem
strongswan pki --self --ca --lifetime 730 --in ca-key.pem --type rsa --dn "C=CH, O=strongSwan, CN=strongSwan CA" --outform pem > ca-cert.pem

#Server
strongswan pki --gen --type rsa --size 2048 --outform pem > server-key.pem
chmod 600 server-key.pem
strongswan pki --pub --in server-key.pem --type rsa | strongswan pki --issue --lifetime 730 --cacert ca-cert.pem --cakey ca-key.pem --dn "C=CH, O=strongSwan, CN=x.x.x.x" --san "x.x.x.x" --flag serverAuth --flag ikeIntermediate --outform pem > server-cert.pem

#Client
strongswan pki --gen --type rsa --size 2048 --outform pem > client-key.pem
chmod 600 client-key.pem
strongswan pki --pub --in client-key.pem --type rsa | strongswan pki --issue --lifetime 730 --cacert ca-cert.pem --cakey ca-key.pem --dn "C=CH, O=strongSwan, CN=john" --san "john@example.com" --outform pem > client-cert.pem

openssl pkcs12 -export -inkey client-key.pem -in client-cert.pem -name "John's VPN Certificate" -certfile ca-cert.pem -caname "strongSwan CA" -out john.p12 -password "pass:123"


#copy
\cp ca-key.pem /etc/strongswan/ipsec.d/private/ca.key
\cp ca-cert.pem /etc/strongswan/ipsec.d/cacerts/ca.crt
\cp server-key.pem /etc/strongswan/ipsec.d/private/server.key
\cp server-cert.pem /etc/strongswan/ipsec.d/certs/server.crt
\cp client-key.pem /etc/strongswan/ipsec.d/private/client.key
\cp client-cert.pem /etc/strongswan/ipsec.d/certs/client.crt
\cp john.p12 /usr/local/nginx/html/docs/
cd ~



#--->ipsec.conf<---#
cat >/etc/strongswan/ipsec.conf<<EOF
# ipsec.conf - strongSwan IPsec configuration file

config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=server.crt
    right=%any
    rightsourceip=10.11.0.5/24

conn CiscoIPSec
    keyexchange=ikev1
    fragmentation=yes
    rightauth=pubkey
    rightauth2=xauth
    leftsendcert=always
    rekey=no
    auto=add

conn XauthPsk
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add

conn IpsecIKEv2
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftsendcert=always
    auto=add

conn IpsecIKEv2-EAP
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    leftauth=pubkey
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add
EOF



#--->strongswan.conf<---#
cat >/etc/strongswan/strongswan.conf<<EOF

charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
            include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}

include strongswan.d/*.conf
EOF



#--->ipsec.secrets<---#
cat >/etc/strongswan/ipsec.secrets<<EOF
: RSA server.key
: PSK "123"
john %any : EAP "password"
john %any : XAUTH "password"
EOF


systemctl enable strongswan.service
systemctl start strongswan.service

iptables -I INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT




Isn't it a wrong certificate configuration?


Thanks

Cheers
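A small triage script for charon output like the log above, added here as an example (it is not from the post and not strongSwan code): it parses the syslog prefix, pulls out the selected IKE_SA proposal, the peer config and who authenticated as whom, flags weak IKE_SA parameters and the first failure after the IKE_SA, and notes when the two "authentication of" lines name the same identity for the peer and the gateway. The sample lines are copied from the log above with the mail wrapping undone; the weak-algorithm list is this example's own policy choice.

```python
"""Triage helper for strongSwan charon syslog lines (IKEv1 XAuth/RSA handshake).
Added example, not part of the post or of strongSwan; it assumes the syslog
prefix "<Mon> <day> <hh:mm:ss> <host> <tag>: <thread>[<group>] <message>"."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<tag>\w+):\s+(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$"
)
# IKE_SA parameters this example treats as weak (local policy; "DES_CBC" also matches 3DES_CBC).
WEAK_TOKENS = ("DES_CBC", "MD5", "MODP_1024", "MODP_1536")
# Messages showing the exchange breaking after the IKE_SA was agreed.
FAILURE_PATTERNS = ("decryption failed", "could not decrypt payloads",
                    "message parsing failed", "processing failed")


def parse_line(line):
    """Split one syslog line into fields; None if it is not a charon line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def weak_algorithms(proposal):
    """Weak tokens in an 'IKE:ENC/INTEG/PRF/DH' proposal string."""
    body = proposal.split(":", 1)[-1]
    return [t for t in body.split("/") if any(w in t for w in WEAK_TOKENS)]


def triage(lines):
    """One pass over the log, keeping only the handshake's decision points."""
    s = {"selected_proposal": None, "weak_in_selected": [], "peer_config": None,
         "peer_identity": None, "self_identity": None, "failures": []}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("selected proposal:"):
            s["selected_proposal"] = msg.split(":", 1)[1].strip()
            s["weak_in_selected"] = weak_algorithms(s["selected_proposal"])
        elif msg.startswith("selected peer config"):
            s["peer_config"] = msg.split('"')[1]
        elif msg.startswith("authentication of '") and "successful" in msg:
            ident = msg.split("'")[1]
            if "(myself)" in msg:
                s["self_identity"] = ident
            else:
                s["peer_identity"] = ident
        elif any(p in msg for p in FAILURE_PATTERNS):
            s["failures"].append("%s %s[%s] %s" % (rec["ts"], rec["thread"],
                                                   rec["group"], msg))
    # A road warrior authenticating under the gateway's own identity is worth
    # a second look: the client should present its own certificate.
    s["same_identity_both_sides"] = (s["self_identity"] is not None and
                                     s["self_identity"] == s["peer_identity"])
    return s


def verdict(s):
    """Condense the summary into one line for a ticket or a list post."""
    if s["selected_proposal"] is None:
        return "no IKE proposal agreed"
    parts = ["IKE_SA proposal " + s["selected_proposal"]]
    if s["weak_in_selected"]:
        parts.append("weak parameters: " + ",".join(s["weak_in_selected"]))
    if s["peer_config"]:
        parts.append("peer config " + s["peer_config"])
    if s["same_identity_both_sides"]:
        parts.append("peer authenticated as the gateway's own identity " +
                     s["peer_identity"])
    if s["failures"]:
        parts.append("first failure: " + s["failures"][0])
    return "; ".join(parts)


# Constructed sample: lines copied from the post's log with the mail
# wrapping undone, reduced to the ones that decide the outcome.
SAMPLE_LOG = """
Jul 21 10:07:29 localhost charon: 04[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Jul 21 10:07:29 localhost charon: 03[CFG] selected peer config "CiscoIPSec"
Jul 21 10:07:29 localhost charon: 03[IKE] authentication of 'C=CH, O=strongSwan, CN=112.91.xx.209' with RSA successful
Jul 21 10:07:29 localhost charon: 03[IKE] authentication of 'C=CH, O=strongSwan, CN=112.91.xx.209' (myself) successful
Jul 21 10:07:29 localhost charon: 03[ENC] generating TRANSACTION request 1278118635 [ HASH CPRQ(X_USER X_PWD) ]
Jul 21 10:07:29 localhost charon: 14[ENC] invalid HASH_V1 payload length, decryption failed?
Jul 21 10:07:29 localhost charon: 14[ENC] could not decrypt payloads
Jul 21 10:07:29 localhost charon: 14[IKE] message parsing failed
Jul 21 10:07:29 localhost charon: 14[IKE] INFORMATIONAL_V1 request with message ID 3171526170 processing failed
""".strip().splitlines()
```

Run `verdict(triage(open("/var/log/messages").readlines()))` against a real syslog to get the same one-line summary for a live gateway.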

