[strongSwan] Setting up strongSwan U5.1.2 <-> Openswan IPsec U2.6.37

abi abi at abinet.ru
Wed May 27 20:53:34 CEST 2015


The following flags are used for the client:

         X509v3 extensions:
             X509v3 Authority Key Identifier:
                 keyid:9F:65:08:93:F3:CC:4E:32:78:37:47:4C:8B:9C:13:DA:A3:94:0D:B0

             X509v3 Subject Alternative Name:
                 DNS:XXXXXXXXXXX
             X509v3 Extended Key Usage:
                 TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2

This one is for the server:
         X509v3 extensions:
             X509v3 Authority Key Identifier:
                 keyid:9F:65:08:93:F3:CC:4E:32:78:37:47:4C:8B:9C:13:DA:A3:94:0D:B0

             X509v3 Subject Alternative Name:
                 DNS:XXXXXXXXXXXX
             X509v3 Extended Key Usage:
                 TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2

Still no luck without ignore-ipsec-keyusage, but now I suspect the server 
cert. The ASA is complaining about: "Certificate validation failed. Peer 
certificate key usage is invalid, serial number: 1577E3E8F6F3AD90, 
subject name: cn=xxxxxxxxxx,o=xxxxxxxx,c=RU."

The server cert is generated with the --flag serverAuth --flag ikeIntermediate --san 
xxxxxxxxx options. I took them from the StrongSwan wiki.

On 27/05/2015 00:10, Richard Huber wrote:
> Hello,
>
> I am trying to connect strongswan with openswan.
> It works for 60 seconds, then it all dies until I restart ipsec, then 
> it works for another 60 seconds...
>
> $ sudo ipsec status
> Security Associations (1 up, 0 connecting):
>          hub[1]: ESTABLISHED 17 seconds ago, x[x]...y[y]
>          hub{1}:  INSTALLED, TUNNEL, ESP SPIs: ca70896d_i 1d4e67fe_o
>          hub{1}:   192.168.45.0/24 === 10.193.160.0/23
>
> Fine, connection is up and running!
>
> After one minute this happens:
>
> $ sudo ipsec status
> Security Associations (2 up, 0 connecting):
>          hub[2]: ESTABLISHED 11 seconds ago, x[x]...y[y]
>          hub[1]: DELETING, x[x]...y[y]
>          hub{1}:  INSTALLED, TUNNEL, ESP SPIs: ca70896d_i 1d4e67fe_o
>          hub{1}:   192.168.45.0/24 === 10.193.160.0/23
>
> Log entry in auth.log
> May 26 22:49:27 toto charon: 08[IKE] y is initiating a Main Mode IKE_SA
> May 26 22:49:27 toto charon: 15[IKE] deleting IKE_SA hub[1] between 
> x[x]...y[y]
>
> Then all traffic is dead:
>
> $ sudo ipsec status
> Security Associations (1 up, 0 connecting):
>          hub[2]: ESTABLISHED 2 minutes ago, x[x]...y[y]
>
> Here are the logs from the openswan server:
>
> $ sudo ipsec auto --status | grep hub
> 000 "hub": 
> 10.193.160.0/23===y<y>[+S=C]...x<x>[+S=C]===192.168.45.0/24; erouted; 
> eroute owner: #76
> 000 "hub":     myip=unset; hisip=unset;
> 000 "hub":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
> rekey_fuzz: 100%; keyingtries: 0
> 000 "hub":   policy: 
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 
> 23,24; interface: eth0;
> 000 "hub":   newest ISAKMP SA: #77; newest IPsec SA: #76;
> 000 "hub":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
> 000 "hub":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_1024; 
> flags=-strict
> 000 "hub":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_1024
> 000 "hub":   ESP algorithm newest: 3DES_192-HMAC_MD5; pfsgroup=<Phase1>
> 000 #98: "hub":500 STATE_QUICK_I1 (sent QI1, expecting QR1); 
> EVENT_RETRANSMIT in 6s; lastdpd=-1s(seq in:0 out:0); idle; 
> import:admin initiate
> 000 #77: "hub":500 STATE_MAIN_I4 (ISAKMP SA established); 
> EVENT_SA_REPLACE in 1907s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); 
> idle; import:admin initiate
> 000 #76: "hub":500 STATE_PARENT_R2 (received v2I2, PARENT SA 
> established); EVENT_SA_REPLACE in 27535s; newest IPSEC; eroute owner; 
> nodpd; idle; import:respond to stranger
>
> conn hub
>        right=y
>        rightsubnet=10.193.160.0/23
>        left=x
>        leftsubnet=192.168.45.0/24
>        auto=start
>        authby=secret
>        esp=3des-md5-1024
>        pfs=yes
>        #keyexchange = ike
>
> What have I done wrong? :-)
>
> /Richard
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
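As an added example that is not part of this thread (and not strongSwan, Openswan or Cisco code): a small shell script that issues a throwaway CA plus two test certificates with the openssl CLI, one carrying serverAuth together with the ikeIntermediate OID 1.3.6.1.5.5.8.2.2 the way the pki command in the message above does, and one with serverAuth only, and then checks the extensions the way the message inspects them. The name vpn.example.test, the work directory and the helper function names are assumptions for this example; only the openssl CLI (1.1.1 or later) is required.

```shell
#!/bin/sh
# Added example; not code from this thread, strongSwan or Openswan.
# Builds a throwaway CA and two leaf certs with the openssl CLI, then checks
# the X509v3 extensions the thread looks at: Extended Key Usage must carry
# serverAuth AND ikeIntermediate (1.3.6.1.5.5.8.2.2), and the SAN must hold
# the DNS name the peer identifies with. Names (example.test, the work dir,
# the helper functions) are assumptions for this example. Needs openssl 1.1.1+.
set -eu

IKE_INTERMEDIATE_OID="1.3.6.1.5.5.8.2.2"   # EKU OID shown in the thread's certs
PEER_FQDN="vpn.example.test"               # constructed SAN for the test certs
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained openssl config: a CA profile, an IKE server profile with both
# EKUs (what the thread's "--flag serverAuth --flag ikeIntermediate" produces),
# and a web-only profile with serverAuth alone (what an EKU-checking IKE peer
# rejects).
cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ike_server]
subjectAltName = DNS:$PEER_FQDN
extendedKeyUsage = serverAuth,$IKE_INTERMEDIATE_OID
[web_only]
subjectAltName = DNS:$PEER_FQDN
extendedKeyUsage = serverAuth
EOF

# Throwaway CA (constructed test data, valid for one day).
openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example IKE CA/O=example/C=RU" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_leaf <profile> <out.crt>: fresh key + CSR, signed by the CA with the
# extensions from the named section of the config above.
issue_leaf() {
    openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$PEER_FQDN/O=example/C=RU" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 1 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions "$1" -out "$2" 2>/dev/null
}

# ikecert_ok <cert> <fqdn>: returns 0 when the cert chains to our CA, its EKU
# lists both serverAuth and ikeIntermediate, and its SAN contains DNS:<fqdn>;
# otherwise prints the first failing check to stderr and returns 1.
ikecert_ok() {
    cert="$1"; fqdn="$2"
    openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1 \
        || { echo "$cert: does not chain to the CA" >&2; return 1; }
    text="$(openssl x509 -in "$cert" -noout -text)"
    # The EKU value sits on the line after the "X509v3 Extended Key Usage:" header.
    eku="$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ {getline; print; exit}')"
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "$cert: EKU lacks serverAuth: '$eku'" >&2; return 1 ;;
    esac
    # openssl prints this OID raw (as in the thread's output); also accept a
    # symbolic name in case a newer build knows one.
    case "$eku" in
        *"$IKE_INTERMEDIATE_OID"*|*ikeIntermediate*) ;;
        *) echo "$cert: EKU lacks ikeIntermediate ($IKE_INTERMEDIATE_OID): '$eku'" >&2; return 1 ;;
    esac
    printf '%s\n' "$text" | grep -q "DNS:$fqdn" \
        || { echo "$cert: SAN has no DNS:$fqdn" >&2; return 1; }
}

issue_leaf ike_server "$WORK/ike_server.crt"
issue_leaf web_only   "$WORK/web_only.crt"

# Same view of the extensions as the thread's openssl output, for the good cert.
openssl x509 -in "$WORK/ike_server.crt" -noout -text \
    | sed -n '/X509v3 extensions/,/Signature Algorithm/p'

ikecert_ok "$WORK/ike_server.crt" "$PEER_FQDN" && echo "ike_server.crt: usable as an IKE server cert"
ikecert_ok "$WORK/web_only.crt"   "$PEER_FQDN" || echo "web_only.crt: rejected, as an EKU-checking peer would"
```

On a real certificate, call ikecert_ok with the cert file and the FQDN the peer presents as its IKE identity (the --san value). The check covers only what the thread shows, EKU and SAN; it does not say which of a pair of certificates a particular peer is rejecting, so run it against both the client and the server cert.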
