[strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

Christian Klugesherz christian.klugesherz at gmail.com
Tue Jul 19 14:22:17 CEST 2016


Hi Tobias,

I really appreciate your help.
Below is the syslog after setting cfg=2 in /etc/ipsec.conf.
Nevertheless, after removing `eap_identity` I got the same result.

Basically, I wanted to use strongSwan as simply as possible, without
certificates or a CA.
Does that mean that in any case you have to set up a CA in order to
use strongSwan?
Even for an IKEv2 VPN with a preshared key?
Also, my config was based on
https://www.strongswan.org/testing/testresults/ikev2/rw-eap-md5-rsa/
where I replaced eap-md5-rsa by eap-mschapv2.


Regards

Christian

                               +-------------+
                               |             |
     +---------------+ Private | NAT Gateway | Public +----------+
     |        192.168.1.254/24 |             | 78.229.20.105     |
     |                         +-------------+ ckl.freeboxos.fr  |
     +                                                           |
  XXXXXXXXXXXXXXXX                                               |
XX               XX                                              |
X  (Home Network) XX                                             +
XX 192.168.1.0/24 XX                                      XXXXXXXXXXXXXXX
 XXX            XXX                                    XXXXXXX          XXXX
   XXXXXXXXXXXXXX                                    XXX                   XX
         +                                           X                      XX
         |                                          XX        INTERNET       X
         |                                          XXX                      X
         +---+                                        XX                    XX
             |                                         XXXXX              XXX
             +                                             XXXXXXX+XXXXXXXX
       192.168.1.29                                               |
        +--------+                                               +++
        | VPN Pi |                                               | | Roadwarrior
        +-+------+                                               | | Mobile BB10
          ^                                                      | | 80.xx.xx.xx
          |                                                      +++
          |                                                       ^
          |     +----------------------------------------+        |
          +---> | VPN Network Tunnel Address 10.0.0.0/16 | <------+
                +----------------------------------------+


Jul 19 12:04:08 raspberrypi charon: 00[DMN] signal of type SIGINT
received. Shutting down
Jul 19 12:04:10 raspberrypi charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.5.0, Linux 4.4.13+, armv6l)
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loading ca certificates
from '/etc/ipsec.d/cacerts'
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loading aa certificates
from '/etc/ipsec.d/aacerts'
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loading ocsp signer
certificates from '/etc/ipsec.d/ocspcerts'
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loading attribute
certificates from '/etc/ipsec.d/acerts'
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Jul 19 12:04:10 raspberrypi charon: 00[CFG] expanding file expression
'/var/lib/strongswan/ipsec.secrets.inc' failed
Jul 19 12:04:10 raspberrypi charon: 00[CFG]   loaded IKE secret for %any
Jul 19 12:04:10 raspberrypi charon: 00[CFG]   loaded EAP secret for alice
Jul 19 12:04:10 raspberrypi charon: 00[LIB] loaded plugins: charon aes
des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey
pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc
cmac hmac attr kernel-netlink resolve socket-default stroke vici
updown eap-identity eap-md5 eap-mschapv2 eap-dynamic xauth-generic
dhcp
Jul 19 12:04:10 raspberrypi charon: 00[JOB] spawning 16 worker threads
Jul 19 12:04:10 raspberrypi charon: 05[CFG] received stroke: add
connection 'BB10'
Jul 19 12:04:10 raspberrypi charon: 05[CFG] conn BB10
Jul 19 12:04:10 raspberrypi charon: 05[CFG]   left=%any
Jul 19 12:04:10 raspberrypi charon: 05[CFG]   leftsubnet=192.168.1.0/24
Jul 19 12:04:10 raspberrypi charon: 05[CFG]   leftid=@ckl.freeboxos.fr
Jul 19 12:04:10 raspberrypi charon: 05[CFG]   leftupdown=ipsec _updown iptables
Jul 19 12:04:10 raspberrypi charon: 05[CFG]   right=%any
Jul 19 12:04:10 raspberrypi charon: 05[CFG]   rightsourceip=10.0.0.0/16
Jul 19 12:04:10 raspberrypi charon: 05[CFG]   rightdns=192.168.1.254
Jul 19 12:04:10 raspberrypi charon: 05[CFG]   rightauth=eap-mschapv2
Jul 19 12:04:10 raspberrypi charon: 05[CFG]   ike=aes128-sha256-modp3072
Jul 19 12:04:10 raspberrypi charon: 05[CFG]   esp=aes128-sha256
Jul 19 12:04:10 raspberrypi charon: 05[CFG]   dpddelay=30
Jul 19 12:04:10 raspberrypi charon: 05[CFG]   dpdtimeout=150
Jul 19 12:04:10 raspberrypi charon: 05[CFG]   mediation=no
Jul 19 12:04:10 raspberrypi charon: 05[CFG]   keyexchange=ikev2
Jul 19 12:04:10 raspberrypi charon: 05[CFG] adding virtual IP address
pool 10.0.0.0/16
Jul 19 12:04:10 raspberrypi charon: 05[CFG] added configuration 'BB10'
Jul 19 12:04:35 raspberrypi charon: 06[NET] received packet: from
80.12.59.253[1011] to 192.168.1.29[500] (400 bytes)
Jul 19 12:04:35 raspberrypi charon: 06[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 19 12:04:35 raspberrypi charon: 06[CFG] looking for an ike config
for 192.168.1.29...80.12.59.253
Jul 19 12:04:35 raspberrypi charon: 06[CFG]   candidate: %any...%any, prio 28
Jul 19 12:04:35 raspberrypi charon: 06[CFG] found matching ike config:
%any...%any with prio 28
Jul 19 12:04:35 raspberrypi charon: 06[IKE] 80.12.59.253 is initiating an IKE_SA
Jul 19 12:04:35 raspberrypi charon: 06[CFG] selecting proposal:
Jul 19 12:04:35 raspberrypi charon: 06[CFG]   no acceptable
PSEUDO_RANDOM_FUNCTION found
Jul 19 12:04:35 raspberrypi charon: 06[CFG] selecting proposal:
Jul 19 12:04:35 raspberrypi charon: 06[CFG]   proposal matches
Jul 19 12:04:35 raspberrypi charon: 06[CFG] received proposals:
IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/3DES_CBC/DES_CBC/HMAC_SHA1_96/HMAC_MD5_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/MODP_1024/MODP_768
Jul 19 12:04:35 raspberrypi charon: 06[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024,
IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Jul 19 12:04:35 raspberrypi charon: 06[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Jul 19 12:04:35 raspberrypi charon: 06[IKE] local host is behind NAT,
sending keep alives
Jul 19 12:04:35 raspberrypi charon: 06[IKE] remote host is behind NAT
Jul 19 12:04:35 raspberrypi charon: 06[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 19 12:04:35 raspberrypi charon: 06[NET] sending packet: from
192.168.1.29[500] to 80.12.59.253[1011] (312 bytes)
Jul 19 12:04:36 raspberrypi charon: 16[NET] received packet: from
80.12.59.253[64916] to 192.168.1.29[4500] (284 bytes)
Jul 19 12:04:36 raspberrypi charon: 16[ENC] parsed IKE_AUTH request 1
[ IDi CPRQ(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT)
N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jul 19 12:04:36 raspberrypi charon: 16[CFG] looking for peer configs
matching 192.168.1.29[%any]...80.12.59.253[alice]
Jul 19 12:04:36 raspberrypi charon: 16[CFG]   candidate "BB10", match:
1/1/28 (me/other/ike)
Jul 19 12:04:36 raspberrypi charon: 16[CFG] selected peer config 'BB10'
Jul 19 12:04:36 raspberrypi charon: 16[IKE] initiating EAP_MSCHAPV2
method (id 0x8C)
Jul 19 12:04:36 raspberrypi charon: 16[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 19 12:04:36 raspberrypi charon: 16[IKE] no private key found for
'ckl.freeboxos.fr'
Jul 19 12:04:36 raspberrypi charon: 16[ENC] generating IKE_AUTH
response 1 [ N(AUTH_FAILED) ]
Jul 19 12:04:36 raspberrypi charon: 16[NET] sending packet: from
192.168.1.29[4500] to 80.12.59.253[64916] (76 bytes)

2016-07-19 12:10 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:
> Hi Christian,
>
>> Below the result I got by activating the loglevel "cfg 2"
>
> You set it via stroke, which is a bit late as some of the interesting
> bits would have been the messages after "received stroke: add connection
> 'BB10'", which list the settings of the loaded config.  Either set the
> log level via `charondebug` or strongswan.conf (see [1]).
>
> But since you added `eap_identity` the immediate problem is now a
> different one anyway:
>
>> Jul 18 16:05:17 raspberrypi charon: 09[IKE] no private key found for
>> 'ckl.freeboxos.fr'
>> Jul 18 16:05:17 raspberrypi charon: 09[ENC] generating IKE_AUTH
>> response 1 [ N(AUTH_FAILED) ]
>
> Which makes sense as there is no certificate or private key loaded
> during startup:
>
>> Jul 18 16:04:49 raspberrypi charon: 00[CFG] loading secrets from
>> '/etc/ipsec.secrets'
>> Jul 18 16:04:49 raspberrypi charon: 00[CFG] expanding file expression
>> '/var/lib/strongswan/ipsec.secrets.inc' failed
>> Jul 18 16:04:49 raspberrypi charon: 00[CFG]   loaded IKE secret for %any
>> Jul 18 16:04:49 raspberrypi charon: 00[CFG]   loaded EAP secret for alice
>> ...
>> Jul 18 16:04:49 raspberrypi charon: 09[CFG] received stroke: add
>> connection 'BB10'
>> Jul 18 16:04:49 raspberrypi charon: 09[CFG] adding virtual IP address
>> pool 10.0.0.0/16
>> Jul 18 16:04:49 raspberrypi charon: 09[CFG] added configuration 'BB10'
>
> Refer to [2] for an example using a similar setup (with configs and logs
> etc. to compare to, but please read [3]).  The how-to at [4] describes a
> simple way to create keys and certificates, if you haven't done so yet.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> [2] https://www.strongswan.org/testing/testresults/ikev2/rw-eap-md5-rsa/
> [3] https://wiki.strongswan.org/projects/strongswan/wiki/ConfigurationExamplesNotes
> [4] https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>
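The configuration question raised in this message, as an added example that is not part of the thread and not strongSwan project code: two ipsec.conf connections for a strongSwan 5.x responder, one using plain IKEv2 PSK (no certificate, no CA) and one using EAP-MSCHAPv2, which is the shape of the config that produced the `no private key found for 'ckl.freeboxos.fr'` line in the log above. With `rightauth=eap-mschapv2` the gateway itself still authenticates with `pubkey` (the `authby`/`leftauth` default), so it needs a certificate and private key; only the PSK variant gets by without any certificate. The identities, subnets and pool are taken from the log; the secret values, the file names `serverCert.pem`/`serverKey.pem` and the client identity `alice` are placeholders. The trailing `!` on `ike=`/`esp=` addresses something else visible in the log: without it, stroke appends its default proposal lists after the configured one (hence three `configured proposals:` lines), which is how the peer's `AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024` offer was selected even though `ike=aes128-sha256-modp3072` was set. Whether the BB10 client offers plain IKEv2 PSK is not something this thread states.

```ini
# /etc/ipsec.conf  (added example; identities and addresses from the log above,
# secrets and certificate/key file names are placeholders)
config setup
        # set log levels here (or in strongswan.conf) so the "received stroke:
        # add connection" lines are already verbose at startup
        charondebug="cfg 2, ike 2"

conn %default
        keyexchange=ikev2
        # The trailing "!" stops stroke from appending its default proposal
        # lists, so an MD5/MODP_1024 offer from the peer is rejected instead
        # of being selected as in the log above.
        ike=aes128-sha256-modp3072!
        esp=aes128-sha256!
        dpdaction=clear
        dpddelay=30s
        left=%any
        leftid=@ckl.freeboxos.fr
        leftsubnet=192.168.1.0/24
        right=%any
        rightsourceip=10.0.0.0/16
        rightdns=192.168.1.254

# Variant A: IKEv2 with a preshared key on both sides. No certificate, no CA.
# Every roadwarrior shares the same PSK, so one lost device exposes the tunnel
# for all of them, and rightid=%any accepts any identity that knows the secret.
conn bb10-psk
        leftauth=psk
        rightauth=psk
        rightid=%any
        auto=add

# Variant B: EAP-MSCHAPv2 for the client. The gateway still authenticates with
# pubkey (the default), so it needs leftcert plus an RSA entry in ipsec.secrets;
# without them charon logs "no private key found for 'ckl.freeboxos.fr'".
# Load only one of the two variants on a given gateway (or give them distinct
# rightid values) so peer config selection is unambiguous.
conn bb10-eap
        leftcert=serverCert.pem
        leftauth=pubkey
        rightauth=eap-mschapv2
        eap_identity=%identity
        auto=add

# /etc/ipsec.secrets  (same assumptions; values are placeholders)
# Variant A: PSK selected by local/remote identity. Use a long random value.
@ckl.freeboxos.fr %any : PSK "replace-with-32-random-bytes-base64"
# Variant B: gateway private key (file under /etc/ipsec.d/private) and the
# EAP credential for the client identity sent in IDi
: RSA serverKey.pem
alice : EAP "replace-with-client-password"
```

After reloading (`ipsec reload` for ipsec.conf, `ipsec rereadsecrets` for ipsec.secrets), the startup log should show `loaded IKE secret for ...` for variant A, or a `loaded RSA private key` line plus `loaded EAP secret for alice` for variant B, and the `configured proposals:` line should list exactly one IKE proposal.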