[strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi
Christian Klugesherz
christian.klugesherz at gmail.com
Mon Jul 18 00:08:36 CEST 2016
Sorry,
Finally I got it to compile with DH thanks to add in configure:
--disable-gmp --enable-openssl
Nevertheless I still have the same issue
EAP, config inacceptable
Could you please help
Many thanks
Christian
00[DMN] Starting IKE daemon (strongSwan 5.5.0, Linux 4.4.13+, armv6l)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
00[CFG] loaded IKE secret for %any
00[CFG] loaded EAP secret for alice
00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-netlink resolve
socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2
eap-dynamic xauth-generic dhcp
00[JOB] spawning 16 worker threads
05[CFG] received stroke: add connection 'BB10'
05[CFG] adding virtual IP address pool 10.0.0.0/16
05[CFG] added configuration 'BB10'
07[NET] received packet: from 80.12.51.163[1011] to 192.168.1.29[500]
(400 bytes)
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
07[IKE] 80.12.51.163 is initiating an IKE_SA
07[IKE] local host is behind NAT, sending keep alives
07[IKE] remote host is behind NAT
07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
07[NET] sending packet: from 192.168.1.29[500] to 80.12.51.163[1011] (312 bytes)
16[NET] received packet: from 80.12.51.163[64916] to
192.168.1.29[4500] (284 bytes)
16[ENC] parsed IKE_AUTH request 1 [ IDi CPRQ(ADDR MASK DNS DNS NBNS
NBNS VER) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi
TSr ]
16[CFG] looking for peer configs matching
192.168.1.29[%any]...80.12.51.163[alice]
16[CFG] selected peer config 'BB10'
16[IKE] peer requested EAP, config inacceptable
16[CFG] no alternative config found
16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
16[NET] sending packet: from 192.168.1.29[4500] to 80.12.51.163[64916]
(76 bytes)
pi at raspberrypi:/etc/iptables $ sudo ipsec listall
List of registered IKE algorithms:
encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des]
RC2_CBC[rc2] CAMELLIA_CBC[openssl] CAST_CBC[openssl]
BLOWFISH_CBC[openssl] NULL[openssl]
integrity: HMAC_MD5_96[openssl] HMAC_MD5_128[openssl]
HMAC_SHA1_96[openssl] HMAC_SHA1_128[openssl]
HMAC_SHA1_160[openssl] HMAC_SHA2_256_128[openssl]
HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_192[openssl]
HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl]
HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[xcbc]
AES_XCBC_96[xcbc] AES_CMAC_96[cmac]
aead: AES_GCM_16[openssl] AES_GCM_12[openssl] AES_GCM_8[openssl]
hasher: HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2]
HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD5[md5]
HASH_MD4[openssl]
prf: PRF_KEYED_SHA1[sha1] PRF_HMAC_MD5[openssl]
PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl]
PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl]
PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc]
PRF_CAMELLIA128_XCBC[xcbc] PRF_AES128_CMAC[cmac]
dh-group: ECP_256[openssl] ECP_384[openssl] ECP_521[openssl]
ECP_224[openssl] ECP_192[openssl] ECP_256_BP[openssl]
ECP_384_BP[openssl] ECP_512_BP[openssl]
ECP_224_BP[openssl] MODP_3072[openssl] MODP_4096[openssl]
MODP_6144[openssl] MODP_8192[openssl] MODP_2048[openssl]
MODP_2048_224[openssl] MODP_2048_256[openssl]
MODP_1536[openssl] MODP_1024[openssl]
MODP_1024_160[openssl] MODP_768[openssl] MODP_CUSTOM[openssl]
random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random]
nonce-gen: [nonce]
List of loaded Plugins:
charon:
CUSTOM:libcharon
NONCE_GEN
CUSTOM:libcharon-sa-managers
CUSTOM:libcharon-receiver
CUSTOM:kernel-ipsec
CUSTOM:kernel-net
CUSTOM:libcharon-receiver
HASHER:HASH_SHA1
RNG:RNG_STRONG
CUSTOM:socket
CUSTOM:libcharon-sa-managers
HASHER:HASH_SHA1
RNG:RNG_WEAK
aes:
CRYPTER:AES_CBC-16
CRYPTER:AES_CBC-24
CRYPTER:AES_CBC-32
des:
CRYPTER:3DES_CBC-24
CRYPTER:DES_CBC-8
CRYPTER:DES_ECB-8
rc2:
CRYPTER:RC2_CBC-0
sha2:
HASHER:HASH_SHA224
HASHER:HASH_SHA256
HASHER:HASH_SHA384
HASHER:HASH_SHA512
sha1:
HASHER:HASH_SHA1
PRF:PRF_KEYED_SHA1
md5:
HASHER:HASH_MD5
random:
RNG:RNG_STRONG
RNG:RNG_TRUE
nonce:
NONCE_GEN
RNG:RNG_WEAK
x509:
CERT_ENCODE:X509
HASHER:HASH_SHA1
CERT_DECODE:X509
HASHER:HASH_SHA1
PUBKEY:ANY
CERT_ENCODE:X509_AC
CERT_DECODE:X509_AC
CERT_ENCODE:X509_CRL
CERT_DECODE:X509_CRL
CERT_ENCODE:OCSP_REQUEST
HASHER:HASH_SHA1
RNG:RNG_WEAK
CERT_DECODE:OCSP_RESPONSE
CERT_ENCODE:PKCS10_REQUEST
CERT_DECODE:PKCS10_REQUEST
revocation:
CUSTOM:revocation
CERT_ENCODE:OCSP_REQUEST (soft)
CERT_DECODE:OCSP_RESPONSE (soft)
CERT_DECODE:X509_CRL (soft)
CERT_DECODE:X509 (soft)
FETCHER:(null) (soft)
constraints:
CUSTOM:constraints
CERT_DECODE:X509 (soft)
pubkey:
CERT_ENCODE:PUBKEY
CERT_DECODE:PUBKEY
PUBKEY:RSA (soft)
PUBKEY:ECDSA (soft)
PUBKEY:DSA (soft)
pkcs1:
PRIVKEY:RSA
PUBKEY:ANY
PUBKEY:RSA (soft)
PUBKEY:ECDSA (soft)
PUBKEY:DSA (soft)
PUBKEY:RSA
pkcs7:
CONTAINER_DECODE:PKCS7
CONTAINER_ENCODE:PKCS7_DATA
CONTAINER_ENCODE:PKCS7_SIGNED_DATA
CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA
pkcs8:
PRIVKEY:ANY
PRIVKEY:RSA
PRIVKEY:ECDSA
pkcs12:
CONTAINER_DECODE:PKCS12
CONTAINER_DECODE:PKCS7
CERT_DECODE:X509 (soft)
PRIVKEY:ANY (soft)
HASHER:HASH_SHA1 (soft)
CRYPTER:3DES_CBC-24 (soft)
CRYPTER:RC2_CBC-0 (soft)
pgp:
PRIVKEY:ANY
PRIVKEY:RSA
PUBKEY:ANY
PUBKEY:RSA
CERT_DECODE:PGP
dnskey:
PUBKEY:ANY
PUBKEY:RSA
sshkey:
PUBKEY:ANY
CERT_DECODE:PUBKEY
pem:
PRIVKEY:ANY
PRIVKEY:ANY
HASHER:HASH_MD5 (soft)
PRIVKEY:RSA
PRIVKEY:RSA
HASHER:HASH_MD5 (soft)
PRIVKEY:ECDSA
PRIVKEY:ECDSA
HASHER:HASH_MD5 (soft)
PRIVKEY:DSA (not loaded)
PRIVKEY:DSA
HASHER:HASH_MD5 (soft)
PRIVKEY:BLISS (not loaded)
PRIVKEY:BLISS
PUBKEY:ANY
PUBKEY:ANY
PUBKEY:RSA
PUBKEY:RSA
PUBKEY:ECDSA
PUBKEY:ECDSA
PUBKEY:DSA (not loaded)
PUBKEY:DSA
PUBKEY:BLISS
CERT_DECODE:ANY
CERT_DECODE:X509 (soft)
CERT_DECODE:PGP (soft)
CERT_DECODE:X509
CERT_DECODE:X509
CERT_DECODE:X509_CRL
CERT_DECODE:X509_CRL
CERT_DECODE:OCSP_REQUEST (not loaded)
CERT_DECODE:OCSP_REQUEST
CERT_DECODE:OCSP_RESPONSE
CERT_DECODE:OCSP_RESPONSE
CERT_DECODE:X509_AC
CERT_DECODE:X509_AC
CERT_DECODE:PKCS10_REQUEST
CERT_DECODE:PKCS10_REQUEST
CERT_DECODE:PUBKEY
CERT_DECODE:PUBKEY
CERT_DECODE:PGP
CERT_DECODE:PGP
CONTAINER_DECODE:PKCS12
CONTAINER_DECODE:PKCS12
openssl:
CUSTOM:openssl-threading
CRYPTER:AES_CBC-16
CRYPTER:AES_CBC-24
CRYPTER:AES_CBC-32
CRYPTER:CAMELLIA_CBC-16
CRYPTER:CAMELLIA_CBC-24
CRYPTER:CAMELLIA_CBC-32
CRYPTER:CAST_CBC-0
CRYPTER:BLOWFISH_CBC-0
CRYPTER:3DES_CBC-24
CRYPTER:DES_CBC-8
CRYPTER:DES_ECB-8
CRYPTER:NULL-0
HASHER:HASH_MD4
HASHER:HASH_MD5
HASHER:HASH_SHA1
HASHER:HASH_SHA224
HASHER:HASH_SHA256
HASHER:HASH_SHA384
HASHER:HASH_SHA512
PRF:PRF_KEYED_SHA1
PRF:PRF_HMAC_MD5
PRF:PRF_HMAC_SHA1
PRF:PRF_HMAC_SHA2_256
PRF:PRF_HMAC_SHA2_384
PRF:PRF_HMAC_SHA2_512
SIGNER:HMAC_MD5_96
SIGNER:HMAC_MD5_128
SIGNER:HMAC_SHA1_96
SIGNER:HMAC_SHA1_128
SIGNER:HMAC_SHA1_160
SIGNER:HMAC_SHA2_256_128
SIGNER:HMAC_SHA2_256_256
SIGNER:HMAC_SHA2_384_192
SIGNER:HMAC_SHA2_384_384
SIGNER:HMAC_SHA2_512_256
SIGNER:HMAC_SHA2_512_512
AEAD:AES_GCM_16-16
AEAD:AES_GCM_16-24
AEAD:AES_GCM_16-32
AEAD:AES_GCM_12-16
AEAD:AES_GCM_12-24
AEAD:AES_GCM_12-32
AEAD:AES_GCM_8-16
AEAD:AES_GCM_8-24
AEAD:AES_GCM_8-32
DH:ECP_256
DH:ECP_384
DH:ECP_521
DH:ECP_224
DH:ECP_192
DH:ECP_256_BP
DH:ECP_384_BP
DH:ECP_512_BP
DH:ECP_224_BP
DH:MODP_3072
DH:MODP_4096
DH:MODP_6144
DH:MODP_8192
DH:MODP_2048
DH:MODP_2048_224
DH:MODP_2048_256
DH:MODP_1536
DH:MODP_1024
DH:MODP_1024_160
DH:MODP_768
DH:MODP_CUSTOM
PRIVKEY:RSA
PRIVKEY:ANY
PRIVKEY_GEN:RSA
PUBKEY:RSA
PUBKEY:ANY
PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
CERT_DECODE:X509
PUBKEY:RSA (soft)
PUBKEY:ECDSA (soft)
PUBKEY:DSA (soft)
CERT_DECODE:X509_CRL
CONTAINER_DECODE:PKCS7
CONTAINER_DECODE:PKCS12
PRIVKEY:ECDSA
PRIVKEY_GEN:ECDSA
PUBKEY:ECDSA
PRIVKEY_SIGN:ECDSA_WITH_NULL
PUBKEY_VERIFY:ECDSA_WITH_NULL
PRIVKEY_SIGN:ECDSA_WITH_SHA1_DER
PUBKEY_VERIFY:ECDSA_WITH_SHA1_DER
PRIVKEY_SIGN:ECDSA_WITH_SHA256_DER
PUBKEY_VERIFY:ECDSA_WITH_SHA256_DER
PRIVKEY_SIGN:ECDSA-256
PUBKEY_VERIFY:ECDSA-256
PRIVKEY_SIGN:ECDSA_WITH_SHA384_DER
PRIVKEY_SIGN:ECDSA_WITH_SHA512_DER
PUBKEY_VERIFY:ECDSA_WITH_SHA384_DER
PUBKEY_VERIFY:ECDSA_WITH_SHA512_DER
PRIVKEY_SIGN:ECDSA-384
PRIVKEY_SIGN:ECDSA-521
PUBKEY_VERIFY:ECDSA-384
PUBKEY_VERIFY:ECDSA-521
RNG:RNG_STRONG
RNG:RNG_WEAK
fips-prf:
PRF:PRF_FIPS_SHA1_160
PRF:PRF_KEYED_SHA1
xcbc:
PRF:PRF_AES128_XCBC
CRYPTER:AES_CBC-16
PRF:PRF_CAMELLIA128_XCBC
CRYPTER:CAMELLIA_CBC-16
SIGNER:CAMELLIA_XCBC_96
CRYPTER:CAMELLIA_CBC-16
SIGNER:AES_XCBC_96
CRYPTER:AES_CBC-16
cmac:
PRF:PRF_AES128_CMAC
CRYPTER:AES_CBC-16
SIGNER:AES_CMAC_96
CRYPTER:AES_CBC-16
hmac:
PRF:PRF_HMAC_SHA1
HASHER:HASH_SHA1
PRF:PRF_HMAC_MD5
HASHER:HASH_MD5
PRF:PRF_HMAC_SHA2_256
HASHER:HASH_SHA256
PRF:PRF_HMAC_SHA2_384
HASHER:HASH_SHA384
PRF:PRF_HMAC_SHA2_512
HASHER:HASH_SHA512
SIGNER:HMAC_SHA1_96
HASHER:HASH_SHA1
SIGNER:HMAC_SHA1_128
HASHER:HASH_SHA1
SIGNER:HMAC_SHA1_160
HASHER:HASH_SHA1
SIGNER:HMAC_MD5_96
HASHER:HASH_MD5
SIGNER:HMAC_MD5_128
HASHER:HASH_MD5
SIGNER:HMAC_SHA2_256_128
HASHER:HASH_SHA256
SIGNER:HMAC_SHA2_256_256
HASHER:HASH_SHA256
SIGNER:HMAC_SHA2_384_192
HASHER:HASH_SHA384
SIGNER:HMAC_SHA2_384_384
HASHER:HASH_SHA384
SIGNER:HMAC_SHA2_512_256
HASHER:HASH_SHA512
SIGNER:HMAC_SHA2_512_512
HASHER:HASH_SHA512
attr:
CUSTOM:attr
kernel-netlink:
CUSTOM:kernel-ipsec
CUSTOM:kernel-net
resolve:
CUSTOM:resolve
socket-default:
CUSTOM:socket
CUSTOM:kernel-ipsec (soft)
stroke:
CUSTOM:stroke
PRIVKEY:RSA (soft)
PRIVKEY:ECDSA (soft)
PRIVKEY:DSA (soft)
PRIVKEY:BLISS (soft)
CERT_DECODE:ANY (soft)
CERT_DECODE:X509 (soft)
CERT_DECODE:X509_CRL (soft)
CERT_DECODE:X509_AC (soft)
CERT_DECODE:PUBKEY (soft)
vici:
CUSTOM:vici
updown:
CUSTOM:updown
eap-identity:
EAP_SERVER:ID
EAP_CLIENT:ID
eap-md5:
EAP_SERVER:MD5
HASHER:HASH_MD5
RNG:RNG_WEAK
EAP_CLIENT:MD5
HASHER:HASH_MD5
RNG:RNG_WEAK
eap-mschapv2:
EAP_SERVER:MSCHAPV2
CRYPTER:DES_ECB-8
HASHER:HASH_MD4
HASHER:HASH_SHA1
RNG:RNG_WEAK
EAP_CLIENT:MSCHAPV2
CRYPTER:DES_ECB-8
HASHER:HASH_MD4
HASHER:HASH_SHA1
RNG:RNG_WEAK
eap-dynamic:
EAP_SERVER:DYN
xauth-generic:
XAUTH_SERVER:generic
XAUTH_CLIENT:generic
dhcp:
CUSTOM:dhcp
RNG:RNG_WEAK
2016-07-17 9:57 GMT+02:00 Christian Klugesherz <christian.klugesherz at gmail.com>:
> Hi Tobias
>
> It is really, really difficult to get rid of the situation.
> Relative to the objective, explained in this post, I have now compiled
> strongswan on my raspberry.
>
> Unfortunately there is still something which is missing, not working :-(
> What I understood / syslog, is that the Received SA from my BB10,
> didn't match with the SA from Strongswan
>
> Is that linked to DES/DH ?
> If yes, how to activate: Diffie-Hellman groups / DES: through
> configure --enable ?
> If the issue is comming form somewhere else ?
>
> Many Thanks
>
> Christian
>
> PS: Configuration fails if I try to add: gmp or gcrypt
> configure: error: gcrypt library not found
>
>
> Received proposals:
> ================
> IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/3DES_CBC/DES_CBC/HMAC_SHA1_96/HMAC_MD5_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/MODP_1024/MODP_768
>
> Configured proposals:
> =================
> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/HMAC_MD5_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/PRF_HMAC_MD5
>
> Difference
> ========
> By comparison what is missing
> DES_CBC/MODP_1024/MODP_768
>
> My configure
> ==========
> $ ./configure --enable-aes --enable-des --enable-sha1 --enable-md4
> --enable-md5 --enable-eap-md5 --enable-eap-identity --enable-hmac
> --disable-gmp --enable-kernel-libipsec --enable-dhcp
> --enable-eap-mschapv2 --enable-eap-dynamic --enable-kernel-netlink
> --enable-dnskey --enable-attr --enable-resolve --enable-socket-default
> --prefix=/usr --sysconfdir=/etc
>
> 2016-07-14 19:57 GMT+02:00 Christian Klugesherz
> <christian.klugesherz at gmail.com>:
>> Hi Tobias,
>>
>> Great help.
>> I will compile strongswan on raspberry and will revert to you.
>>
>> Merci
>>
>> Christian
>>
>>
>> Message d'origine
>> De: Tobias Brunner
>> Envoyé: jeudi 14 juillet 2016 11:23
>> À: Christian Klugesherz
>> Cc: Users at lists.strongswan.org
>> Objet: Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi
>>
>> Hi Christian,
>>
>>> No I don't have any error on the startup
>>
>> I was not referring to the console output. Did you check the log?
>>
>>> !! Your strongswan.conf contains manual plugin load options for charon.
>>> !! This is recommended for experts only, see
>>> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>>
>> Did you read the above document?
>>
>>> I guess that : eap-mschapv2 is not loaded, even I have require it in
>>> strongswan.conf
>>> How can I fix it ?
>>
>> It can't be loaded if it's not available. And according to `ipsec
>> listall` MD4 and DES are both missing, which are required to implement
>> the EAP-MSCHAPv2 protocol. So even if the plugin would be available it
>> can't be used. These algorithms are provided by the `des` and `md4`
>> plugins or one of the crypto wrappers i.e. `openssl` or `gcrypt` - none
>> of these are currently loaded on your system. Neither is the
>> eap-identity plugin, which has no other dependencies.
>>
>> If you built strongSwan yourself you have to rebuild it with the
>> appropriate `--enable-...` options (run `make clean` before rebuilding).
>> If you installed strongSwan from distribution packages you might have
>> to install additional packages that provide these plugins.
>>
>> Regards,
>> Tobias
>>
More information about the Users
mailing list