[strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

Christian Klugesherz christian.klugesherz at gmail.com
Wed Jul 20 15:29:12 CEST 2016


Hi Tobias,

There is some progress now :-)
(Also, in the meantime, some help from Yuri)

I'm now getting the following in syslog (see below) with

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="ike 1, cfg 2"
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    eap_identity=%any
conn BB10
    leftid=78.229.20.105
    left=%defaultroute
    leftfirewall=yes
    leftauth=psk
    leftsubnet=192.168.1.0/24
    right=%any
    rightsourceip=10.0.0.0/16
    rightdns=192.168.1.254
    rightauth=eap-mschapv2
    rightsendcert=never
    auto=add

# /etc/ipsec.secrets
: PSK "123456#"             #(Gateway Preshared Key)
alice : EAP "alicep1234"    #(MSCHAPv2 Username + Password)


============================CONFIGURATION ON BB10===============================
-------------------
Profile Name             : home
Server Address           : 78.229.20.105
Gateway Type             : Generic IKEv2 VPN Server
Authentication Type      : EAP-MSCHAPv2
Authentication ID Type   : IPV4
ID Authentication        : alice            (not used, can be anything)
MSCHAPv2 Username        : alice            (-->username in ipsec.secrets)
MSCHAPv2 Password        : alicep1234        (-->alice password in ipsec.secrets)
Gateway Auth Type        : PSK
Gateway Auth ID Type     : IPv4
Gateway Preshared Key    : 123456#    (-->PSK password in ipsec.secrets)


=============================================================

Jul 20 13:26:19 raspberrypi charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.5.0, Linux 4.4.13+, armv6l)
Jul 20 13:26:19 raspberrypi charon: 00[CFG] loading ca certificates
from '/etc/ipsec.d/cacerts'
Jul 20 13:26:19 raspberrypi charon: 00[CFG] loading aa certificates
from '/etc/ipsec.d/aacerts'
Jul 20 13:26:19 raspberrypi charon: 00[CFG] loading ocsp signer
certificates from '/etc/ipsec.d/ocspcerts'
Jul 20 13:26:19 raspberrypi charon: 00[CFG] loading attribute
certificates from '/etc/ipsec.d/acerts'
Jul 20 13:26:19 raspberrypi charon: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Jul 20 13:26:19 raspberrypi charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Jul 20 13:26:19 raspberrypi charon: 00[CFG] expanding file expression
'/var/lib/strongswan/ipsec.secrets.inc' failed
Jul 20 13:26:19 raspberrypi charon: 00[CFG]   loaded IKE secret for %any
Jul 20 13:26:19 raspberrypi charon: 00[CFG]   loaded EAP secret for alice
Jul 20 13:26:19 raspberrypi charon: 00[LIB] loaded plugins: charon aes
des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey
pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc
cmac hmac attr kernel-netlink resolve socket-default stroke vici
updown eap-identity eap-md5 eap-mschapv2 eap-dynamic xauth-generic
dhcp
Jul 20 13:26:19 raspberrypi charon: 00[JOB] spawning 16 worker threads
Jul 20 13:26:19 raspberrypi charon: 05[CFG] received stroke: add
connection 'BB10'
Jul 20 13:26:19 raspberrypi charon: 05[CFG] conn BB10
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   left=%any
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   leftsubnet=192.168.1.0/24
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   leftauth=psk
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   leftid=78.229.20.105
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   leftupdown=ipsec _updown iptables
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   right=%any
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   rightsourceip=10.0.0.0/16
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   rightdns=192.168.1.254
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   rightauth=eap-mschapv2
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   eap_identity=%any
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   ike=aes128-sha256-modp3072
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   esp=aes128-sha256
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   dpddelay=30
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   dpdtimeout=150
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   mediation=no
Jul 20 13:26:19 raspberrypi charon: 05[CFG]   keyexchange=ikev2
Jul 20 13:26:19 raspberrypi charon: 05[CFG] adding virtual IP address
pool 10.0.0.0/16
Jul 20 13:26:19 raspberrypi charon: 05[CFG] added configuration 'BB10'
Jul 20 13:26:24 raspberrypi charon: 10[NET] received packet: from
80.12.59.15[1011] to 192.168.1.29[500] (400 bytes)
Jul 20 13:26:24 raspberrypi rsyslogd-2007: action 'action 17'
suspended, next retry is Wed Jul 20 13:26:54 2016 [try
http://www.rsyslog.com/e/2007 ]
Jul 20 13:26:24 raspberrypi charon: 10[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 20 13:26:24 raspberrypi charon: 10[CFG] looking for an ike config
for 192.168.1.29...80.12.59.15
Jul 20 13:26:24 raspberrypi charon: 10[CFG]   candidate: %any...%any, prio 28
Jul 20 13:26:24 raspberrypi charon: 10[CFG] found matching ike config:
%any...%any with prio 28
Jul 20 13:26:24 raspberrypi charon: 10[IKE] 80.12.59.15 is initiating an IKE_SA
Jul 20 13:26:24 raspberrypi charon: 10[CFG] selecting proposal:
Jul 20 13:26:24 raspberrypi charon: 10[CFG]   no acceptable
PSEUDO_RANDOM_FUNCTION found
Jul 20 13:26:24 raspberrypi charon: 10[CFG] selecting proposal:
Jul 20 13:26:24 raspberrypi charon: 10[CFG]   proposal matches
Jul 20 13:26:24 raspberrypi charon: 10[CFG] received proposals:
IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/3DES_CBC/DES_CBC/HMAC_SHA1_96/HMAC_MD5_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/MODP_1024/MODP_768
Jul 20 13:26:24 raspberrypi charon: 10[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024,
IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Jul 20 13:26:24 raspberrypi charon: 10[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Jul 20 13:26:24 raspberrypi charon: 10[IKE] local host is behind NAT,
sending keep alives
Jul 20 13:26:24 raspberrypi charon: 10[IKE] remote host is behind NAT
Jul 20 13:26:24 raspberrypi charon: 10[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 20 13:26:24 raspberrypi charon: 10[NET] sending packet: from
192.168.1.29[500] to 80.12.59.15[1011] (312 bytes)
Jul 20 13:26:25 raspberrypi charon: 07[NET] received packet: from
80.12.59.15[64916] to 192.168.1.29[4500] (284 bytes)
Jul 20 13:26:25 raspberrypi charon: 07[ENC] parsed IKE_AUTH request 1
[ IDi CPRQ(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT)
N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jul 20 13:26:25 raspberrypi charon: 07[CFG] looking for peer configs
matching 192.168.1.29[%any]...80.12.59.15[10.143.11.15]
Jul 20 13:26:25 raspberrypi charon: 07[CFG]   candidate "BB10", match:
1/1/28 (me/other/ike)
Jul 20 13:26:25 raspberrypi charon: 07[CFG] selected peer config 'BB10'
Jul 20 13:26:25 raspberrypi charon: 07[IKE] initiating EAP_IDENTITY
method (id 0x00)
Jul 20 13:26:25 raspberrypi charon: 07[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 20 13:26:25 raspberrypi charon: 07[IKE] authentication of
'78.229.20.105' (myself) with pre-shared key
Jul 20 13:26:25 raspberrypi charon: 07[ENC] generating IKE_AUTH
response 1 [ IDr AUTH EAP/REQ/ID ]
Jul 20 13:26:25 raspberrypi charon: 07[NET] sending packet: from
192.168.1.29[4500] to 80.12.59.15[64916] (108 bytes)
Jul 20 13:26:25 raspberrypi charon: 06[NET] received packet: from
80.12.59.15[64916] to 192.168.1.29[4500] (76 bytes)
Jul 20 13:26:25 raspberrypi charon: 06[ENC] parsed IKE_AUTH request 2
[ EAP/RES/ID ]
Jul 20 13:26:25 raspberrypi charon: 06[IKE] received EAP identity 'alice'
Jul 20 13:26:25 raspberrypi charon: 06[IKE] initiating EAP_MSCHAPV2
method (id 0x0F)
Jul 20 13:26:25 raspberrypi charon: 06[ENC] generating IKE_AUTH
response 2 [ EAP/REQ/MSCHAPV2 ]
Jul 20 13:26:25 raspberrypi charon: 06[NET] sending packet: from
192.168.1.29[4500] to 80.12.59.15[64916] (108 bytes)
Jul 20 13:26:26 raspberrypi charon: 13[NET] received packet: from
80.12.59.15[64916] to 192.168.1.29[4500] (140 bytes)
Jul 20 13:26:26 raspberrypi charon: 13[ENC] parsed IKE_AUTH request 3
[ EAP/RES/MSCHAPV2 ]
Jul 20 13:26:26 raspberrypi charon: 13[IKE] EAP-MS-CHAPv2 verification
failed, retry (1)
Jul 20 13:26:28 raspberrypi charon: 13[ENC] generating IKE_AUTH
response 3 [ EAP/REQ/MSCHAPV2 ]
Jul 20 13:26:28 raspberrypi charon: 13[NET] sending packet: from
192.168.1.29[4500] to 80.12.59.15[64916] (124 bytes)
Jul 20 13:26:48 raspberrypi charon: 09[IKE] sending keep alive to
80.12.59.15[64916]
Jul 20 13:26:54 raspberrypi charon: 11[JOB] deleting half open IKE_SA
after timeout

2016-07-20 15:06 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:
> Hi Christian,
>
>> Configuration on my BB10.
>> Profile Name             : home
>> Server Address           : 78.229.20.105
>> Gateway Type             : Generic IKEv2 VPN Server
>> Authentication Type      : EAP-MSCHAPv2
>> Authentication ID Type   : email
>> ID Authentication        : alice            (not used, can be anything)
>> MSCHAPv2 EAP Identity    : alice            (not used, can be anything)
>> MSCHAPv2 Username        : alice            (-->username in ipsec.secrets)
>> MSCHAPv2 Password        : alicep        (-->alice password in ipsec.secrets)
>> Gateway Auth Type        : PSK
>> Gateway Auth ID Type     : IPv4
>> Gateway Preshared Key    : 123456#    (-->PSK password in ipsec.secrets)
>
> With this client configuration you don't need any certificates.  It
> actually seems that BB10 supports the combination of PSK and EAP, so you
> could try configuring `leftauth=psk` and `rightauth=eap-mschapv2`.
>
> Regards,
> Tobias
>

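A small log audit, added here as an example and not part of the original thread: it parses the charon proposal lines quoted above, reports which algorithms the gateway actually negotiated with the BB10 (MD5 integrity/PRF and a 1024-bit MODP group, because the client offered nothing stronger), and flags the EAP-MSCHAPv2 failure and the half-open IKE_SA timeout. The weak-algorithm set is an assumed local policy, not a strongSwan setting.

```python
import re

# Constructed sample: the relevant charon lines from the syslog excerpt in the
# mail, with the wrapped multi-line entries re-joined onto single lines.
SAMPLE_LOG = """\
Jul 20 13:26:24 raspberrypi charon: 10[CFG] received proposals: IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/3DES_CBC/DES_CBC/HMAC_SHA1_96/HMAC_MD5_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/MODP_1024/MODP_768
Jul 20 13:26:24 raspberrypi charon: 10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Jul 20 13:26:26 raspberrypi charon: 13[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
Jul 20 13:26:54 raspberrypi charon: 11[JOB] deleting half open IKE_SA after timeout
"""

# Assumed policy: algorithms a gateway operator would not want in a negotiated IKE_SA.
WEAK_ALGS = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_768", "MODP_1024"}

PROPOSAL_RE = re.compile(r"\[CFG\] (received|configured|selected) proposals?: (.+)$")

def parse_proposals(line):
    """Return (kind, [(proto, [alg, ...]), ...]) for a charon proposal line, else None."""
    m = PROPOSAL_RE.search(line)
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    proposals = []
    for prop in body.split(","):                 # several proposals are comma separated
        proto, _, algs = prop.strip().partition(":")  # "IKE:AES_CBC_128/..." -> ("IKE", "AES_CBC_128/...")
        proposals.append((proto, algs.split("/")))
    return kind, proposals

def audit_log(text):
    """Summarise what the excerpt negotiated and whether anything in it is weak."""
    report = {"selected": None, "weak_selected": [], "client_offers_only_weak_dh": False,
              "eap_failed": False, "half_open_timeout": False}
    for line in text.splitlines():
        parsed = parse_proposals(line)
        if parsed:
            kind, proposals = parsed
            if kind == "selected":
                _, algs = proposals[0]
                report["selected"] = algs
                report["weak_selected"] = [a for a in algs if a in WEAK_ALGS]
            elif kind == "received":
                # Every DH group the client offered; if all are weak, the gateway cannot do better.
                dh = [a for _, algs in proposals for a in algs if a.startswith(("MODP_", "ECP_"))]
                report["client_offers_only_weak_dh"] = bool(dh) and all(g in WEAK_ALGS for g in dh)
        if "EAP-MS-CHAPv2 verification failed" in line:
            report["eap_failed"] = True
        if "deleting half open IKE_SA" in line:
            report["half_open_timeout"] = True
    return report
```

The received-proposals line shows the client offering only MODP_1024 and MODP_768, so tightening `ike=` on the gateway alone would leave this client unable to negotiate; the audit at least makes the negotiated downgrade visible in syslog.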