[strongSwan] ERROR 13801
Max Reinhard
max at reinhard.org
Sun Jul 17 01:12:30 CEST 2016
Hi Folks,I’m trying to setup an IPsec connection between my mobile devices
(smartphone, Tablet, Notebook) and my root server.
Unfortunately I’m failing to do so.
I’ve read a lot of tutorials including the strongswan wiki tutorials but
I’m still failing to connect.
My Goal is it to set up an IPsec IKEv2 with client certificates and
Credentials.
I have absolutely no idea what wrong… please help me out guys.
Thanks :-)
Server IP:
40.30.20.10
Server FQDN:
vpn.example.org
Client IP:
50.60.70.80
ipsec --version
========================= SNIP =========================
Linux strongSwan U5.2.1/K3.16.0-4-amd64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
========================= SNAP =========================
/etc/ipsec.conf
========================= SNIP =========================
# ipsec.conf - strongSwan IPsec configuration file
config setup
# uniqueids=never
charondebug=&cfg 2, dmn 2, ike 2, net 2&
conn %default
keyexchange=ikev2
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftsubnet=0.0.0.0/0
#leftcert=vpnHostCert.pem
right=%any
rightdns=
8.8.8.8
,
8.8.4.4
rightsourceip=
172.16.16.0/24
conn IPSec-IKEv2
keyexchange=ikev2
auto=add
conn IPSec-IKEv2-EAP
also=&IPSec-IKEv2&
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
conn TLS
also=&IPSec-IKEv2&
rightauth=eap-tls
rightauth2=eap-mschapv2
eap_identity=%any
========================= SNAP =========================
cat /etc/ipsec.secrets
========================= SNIP =========================
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf,
DNS,
# or configuration of other implementations, can be extracted
conveniently
# with &ipsec showhostkey&.
: RSA vpnHostKey.pem
user1 : EAP &test123&
========================= SNAP =========================
cat /etc/strongswan.conf
========================= SNIP =========================
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
filelog {
/var/log/charon.log {
# add a timestamp prefix
time_format = %b %e %T
# prepend connection name, simplifies grepping
ike_name = yes
# overwrite existing files
append = no
# increase default loglevel for all daemon subsystems
default = 2
# flush each line to disk
flush_line = yes
}
}
load_modular = yes
plugins {
eap-tls {
fragment_size = 512
}
include strongswan.d/charon/*.conf
}
}
========================= SNAP =========================
IPTables
========================= SNIP =========================
iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source
40.30.20.10
iptables -A INPUT -p udp --dport 500 --j ACCEPT
iptables -A INPUT -p udp --dport 4500 --j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -p esp -j ACCEPT
iptables -A FORWARD -p ah -j ACCEPT
iptables -A FORWARD -p udp --sport 500 --dport 500 -j ACCEPT
========================= SNAP =========================
CA certificate
========================= SNIP =========================
openssl genrsa -aes256 -out private/ca.key.pem 8192
openssl req -key private/ca.key.pem -new -x509 -days 1827 -sha256
-extensions v3_ca -out certs/ca.cert.pem
========================= SNAP =========================
VPN-Server certificate
========================= SNIP =========================
openssl genrsa -out private/srv.key.pem 4096
openssl req -key private/srv.key.pem -new -sha256 -out csr/srv.csr.pem
openssl ca -extensions vpn_server_cert -days 365 -notext -md sha256 -in
csr/srv.csr.pem -out certs/srv.cert.pem
========================= SNAP =========================
Client certificate
========================= SNIP =========================
openssl genrsa -out private/max.key.pem 4096
openssl req -key private/max.key.pem -new -sha256 -out csr/max.csr.pem
openssl ca -extensions vpn_usr_cert -days 365 -notext -md sha256 -in
csr/max.csr.pem -out certs/max.cert.pem
========================= SNAP =========================
/etc/ssl/openssl.cnf
========================= SNIP =========================
http://pastebin.com/xnThD6bR
========================= SNAP =========================
LOG
Startup
========================= SNIP =========================
http://pastebin.com/h9gUActY
========================= SNAP =========================
Connection attempt
========================= SNIP =========================
http://pastebin.com/dqjS2Gm1
========================= SNAP =========================
Sent from Nine
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160717/f458120f/attachment-0001.html>
More information about the Users
mailing list