[strongSwan] From OpenSWAN PubKey to StrongSWAN - Other side is Checkpoint FW1

Luca Arzeni l.arzeni at gmail.com
Mon Aug 7 17:11:52 CEST 2017


Another small step:
by adding the parameter:

ike=3des-sha1-modp1024

I got past the previous problem. Now I get these logs (only the relevant
part is attached):

===================================================

Mon, 2017-08-07 16:33 06[CFG] added configuration 'home'
Mon, 2017-08-07 16:33 08[CFG] received stroke: initiate 'home'
Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing ISAKMP_VENDOR task
Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing ISAKMP_CERT_PRE task
Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing MAIN_MODE task
Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing ISAKMP_CERT_POST task
Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing ISAKMP_NATD task
Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing QUICK_MODE task
Mon, 2017-08-07 16:33 08[IKE] <home|1> activating new tasks
Mon, 2017-08-07 16:33 08[IKE] <home|1>   activating ISAKMP_VENDOR task
Mon, 2017-08-07 16:33 08[IKE] <home|1>   activating ISAKMP_CERT_PRE task
Mon, 2017-08-07 16:33 08[IKE] <home|1>   activating MAIN_MODE task
Mon, 2017-08-07 16:33 08[IKE] <home|1>   activating ISAKMP_CERT_POST task
Mon, 2017-08-07 16:33 08[IKE] <home|1>   activating ISAKMP_NATD task
Mon, 2017-08-07 16:33 08[IKE] <home|1> sending XAuth vendor ID
Mon, 2017-08-07 16:33 08[IKE] <home|1> sending DPD vendor ID
Mon, 2017-08-07 16:33 08[IKE] <home|1> sending FRAGMENTATION vendor ID
Mon, 2017-08-07 16:33 08[IKE] <home|1> sending NAT-T (RFC 3947) vendor ID
Mon, 2017-08-07 16:33 08[IKE] <home|1> sending
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mon, 2017-08-07 16:33 08[IKE] <home|1> initiating Main Mode IKE_SA home[1]
to CP_FW_IP_ADDRESS
Mon, 2017-08-07 16:33 08[IKE] <home|1> IKE_SA home[1] state change: CREATED
=> CONNECTING
Mon, 2017-08-07 16:33 08[CFG] <home|1> configured proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_MD5_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024,
IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Mon, 2017-08-07 16:33 08[ENC] <home|1> generating ID_PROT request 0 [ SA V
V V V V ]
Mon, 2017-08-07 16:33 08[NET] <home|1> sending packet: from
192.168.1.122[500] to CP_FW_IP_ADDRESS[500] (236 bytes)
Mon, 2017-08-07 16:33 10[NET] <home|1> received packet: from
CP_FW_IP_ADDRESS[500] to 192.168.1.122[500] (80 bytes)
Mon, 2017-08-07 16:33 10[ENC] <home|1> parsed ID_PROT response 0 [ SA ]
Mon, 2017-08-07 16:33 10[CFG] <home|1> selecting proposal:
Mon, 2017-08-07 16:33 10[CFG] <home|1>   proposal matches
Mon, 2017-08-07 16:33 10[CFG] <home|1> received proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mon, 2017-08-07 16:33 10[CFG] <home|1> configured proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_MD5_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024,
IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Mon, 2017-08-07 16:33 10[CFG] <home|1> selected proposal:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mon, 2017-08-07 16:33 10[IKE] <home|1> reinitiating already active tasks
Mon, 2017-08-07 16:33 10[IKE] <home|1>   ISAKMP_VENDOR task
Mon, 2017-08-07 16:33 10[IKE] <home|1>   ISAKMP_CERT_PRE task
Mon, 2017-08-07 16:33 10[IKE] <home|1>   MAIN_MODE task
Mon, 2017-08-07 16:33 10[LIB] <home|1> size of DH secret exponent: 1023 bits
Mon, 2017-08-07 16:33 10[ENC] <home|1> generating ID_PROT request 0 [ KE No
]
Mon, 2017-08-07 16:33 10[NET] <home|1> sending packet: from
192.168.1.122[500] to CP_FW_IP_ADDRESS[500] (196 bytes)
Mon, 2017-08-07 16:33 05[NET] <home|1> received packet: from
CP_FW_IP_ADDRESS[500] to 192.168.1.122[500] (305 bytes)
Mon, 2017-08-07 16:33 05[ENC] <home|1> parsed ID_PROT response 0 [ KE No
CERTREQ CERTREQ CERTREQ CERTREQ ]
Mon, 2017-08-07 16:33 05[IKE] <home|1> received cert request for 'O=my_ca'
Mon, 2017-08-07 16:33 05[IKE] <home|1> received cert request for unknown ca
'O=another_ca'
*Mon, 2017-08-07 16:33 05[IKE] <home|1> ANY CERTREQ not supported - ignored*
Mon, 2017-08-07 16:33 05[IKE] <home|1> ignoring certificate request without
data
Mon, 2017-08-07 16:33 05[IKE] <home|1> reinitiating already active tasks
Mon, 2017-08-07 16:33 05[IKE] <home|1>   ISAKMP_VENDOR task
Mon, 2017-08-07 16:33 05[IKE] <home|1>   ISAKMP_CERT_PRE task
Mon, 2017-08-07 16:33 05[IKE] <home|1>   MAIN_MODE task
Mon, 2017-08-07 16:33 05[IKE] <home|1> sending cert request for "O=my_ca"
Mon, 2017-08-07 16:33 05[IKE] <home|1> authentication of 'O=my_ca,
OU=users, CN=my_name' (myself) successful
Mon, 2017-08-07 16:33 05[IKE] <home|1> sending end entity cert "O=my_ca,
OU=users, CN=my_name"
Mon, 2017-08-07 16:33 05[ENC] <home|1> generating ID_PROT request 0 [ ID
CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Mon, 2017-08-07 16:33 05[NET] <home|1> sending packet: from
192.168.1.122[500] to CP_FW_IP_ADDRESS[500] (956 bytes)
Mon, 2017-08-07 16:33 11[NET] <home|1> received packet: from
CP_FW_IP_ADDRESS[500] to 192.168.1.122[500] (1084 bytes)
Mon, 2017-08-07 16:33 11[ENC] <home|1> parsed ID_PROT response 0 [ ID CERT
SIG ]
Mon, 2017-08-07 16:33 11[IKE] <home|1> received end entity cert "O=my_ca,
CN=cp_fw_certificate"
Mon, 2017-08-07 16:33 11[CFG] <home|1>   certificate "O=my_ca,
CN=cp_fw_certificate" key: 1024 bit RSA
Mon, 2017-08-07 16:33 11[CFG] <home|1>   using trusted ca certificate
"O=my_ca"
*Mon, 2017-08-07 16:33 11[CFG] <home|1> subject certificate invalid (valid
from Nov 08 09:59:53 2007 to Nov 07 09:59:53 2012)*
*Mon, 2017-08-07 16:33 11[CFG] <home|1>   using certificate "O=my_ca,
CN=cp_fw_certificate"*
Mon, 2017-08-07 16:33 11[CFG] <home|1>   certificate "O=my_ca,
CN=cp_fw_certificate" key: 2048 bit RSA
Mon, 2017-08-07 16:33 11[CFG] <home|1>   using trusted ca certificate
"O=my_ca"
Mon, 2017-08-07 16:33 11[CFG] <home|1> checking certificate status of
"O=my_ca, CN=cp_fw_certificate"
Mon, 2017-08-07 16:33 11[CFG] <home|1> ocsp check skipped, no ocsp found
Mon, 2017-08-07 16:33 11[CFG] <home|1>   fetching crl from 'O=my_ca,
CN=ICA_CRL4' ...
Mon, 2017-08-07 16:33 11[LIB] <home|1> unable to fetch from O=my_ca,
CN=ICA_CRL4, no capable fetcher found
Mon, 2017-08-07 16:33 11[CFG] <home|1> crl fetching failed
Mon, 2017-08-07 16:33 11[CFG] <home|1>   fetching crl from '
http://managenetwork1:18264/ICA_CRL4.crl' ...
Mon, 2017-08-07 16:33 11[LIB] <home|1>   sending request to '
http://managenetwork1:18264/ICA_CRL4.crl'...
Mon, 2017-08-07 16:33 11[LIB] <home|1> libcurl request failed [6]: Could
not resolve host: managenetwork1
Mon, 2017-08-07 16:33 11[CFG] <home|1> crl fetching failed
Mon, 2017-08-07 16:33 11[CFG] <home|1> certificate status is not available
Mon, 2017-08-07 16:33 11[CFG] <home|1>   certificate "O=my_ca" key: 1024
bit RSA
Mon, 2017-08-07 16:33 11[CFG] <home|1>   reached self-signed root ca with a
path length of 0
Mon, 2017-08-07 16:33 11[IKE] <home|1> authentication of 'CP_FW_IP_ADDRESS'
with RSA_EMSA_PKCS1_NULL successful
*Mon, 2017-08-07 16:33 11[CFG] <home|1> constraint check failed: peer not
authenticated with peer cert 'O=my_ca, CN=cp_fw_certificate'*
Mon, 2017-08-07 16:33 11[IKE] <home|1> queueing ISAKMP_DELETE task
Mon, 2017-08-07 16:33 11[IKE] <home|1> activating new tasks
Mon, 2017-08-07 16:33 11[IKE] <home|1>   activating ISAKMP_DELETE task
Mon, 2017-08-07 16:33 11[IKE] <home|1> deleting IKE_SA home[1] between
192.168.1.122[O=my_ca, OU=users,
CN=my_name]...CP_FW_IP_ADDRESS[CP_FW_IP_ADDRESS]
Mon, 2017-08-07 16:33 11[IKE] <home|1> sending DELETE for IKE_SA home[1]
Mon, 2017-08-07 16:33 11[IKE] <home|1> IKE_SA home[1] state change:
CONNECTING => DELETING
Mon, 2017-08-07 16:33 11[ENC] <home|1> generating INFORMATIONAL_V1 request
2838696763 [ HASH D ]
Mon, 2017-08-07 16:33 11[NET] <home|1> sending packet: from
192.168.1.122[500] to CP_FW_IP_ADDRESS[500] (84 bytes)
Mon, 2017-08-07 16:33 11[IKE] <home|1> IKE_SA home[1] state change:
DELETING => DESTROYING

===================================================

So, the problem now seems to be that the CP Firewall certificate is expired. I
checked it with openssl and I can confirm that the cert is expired. Is there
any way to skip this check and go on with the VPN?

Thanks.
larzeni


On Mon, Aug 7, 2017 at 4:23 PM, Luca Arzeni <l.arzeni at gmail.com> wrote:

> Hi Noel,
> thanks for your help.
> I've set up a Debian 9 PC, so I am now using Strongswan 5.5.1-4 as you
> suggested. I cannot get 5.5.3 since it is not available under Debian. As a
> bonus, now my linux kernel is 4.9.0-3.
>
> These are my ipsec.conf (I followed your hints and simplified whatever I
> could) and charon_debug.log:
>
> === ipsec.conf  ======================
>
> config setup
> # strictcrlpolicy=yes
> # uniqueids = no
>
> conn home
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
> #
> leftcert=my_crt.pem
> leftsourceip=192.168.145.128 # CP-known client IP
> leftfirewall=yes
> #
> right=CP_FW_IP
> rightid=CP_FW_IP
> rightsubnet= 192.168.2.0/24, 192.168.3.0/24
> rightcert=cp_fw_crt.pem
> #
> auto=start
>
> === charon_debug.log ======================
>
> Mon, 2017-08-07 15:57 00[DMN] Starting IKE charon daemon (strongSwan
> 5.5.1, Linux 4.9.0-3-amd64, x86_64)
> Mon, 2017-08-07 15:57 00[LIB] plugin 'test-vectors': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'ldap': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs11': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'aesni': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'aes': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'rc2': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'sha2': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'sha1': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'md5': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'rdrand': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] detected RDRAND support, enabled
> Mon, 2017-08-07 15:57 00[LIB] plugin 'random': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'nonce': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'x509': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'revocation': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'constraints': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'pubkey': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs1': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs7': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs8': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs12': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'pgp': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'dnskey': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'sshkey': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'pem': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'openssl': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'gcrypt': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'af-alg': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'fips-prf': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'gmp': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'agent': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'xcbc': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'cmac': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'hmac': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'ctr': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'ccm': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'gcm': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'curl': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'attr': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'kernel-netlink': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'resolve': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'socket-default': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'connmark': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'farp': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'stroke': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'updown': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-identity': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-aka': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-md5': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-gtc': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-mschapv2': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-radius': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-tls': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-ttls': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-tnc': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-generic': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-eap': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-pam': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'tnc-tnccs': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'dhcp': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'ha': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'lookip': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'error-notify': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'certexpire': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'led': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'addrblock': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] plugin 'unity': loaded successfully
> Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet
> dependency: PUBKEY:DSA
> Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has
> unmet dependency: PRIVKEY:DSA
> Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has
> unmet dependency: PRIVKEY:BLISS
> Mon, 2017-08-07 15:57 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin
> 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
> Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_224
> in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
> Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_256
> in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
> Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_384
> in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
> Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_512
> in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
> Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_224
> in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
> Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_256
> in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
> Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_384
> in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
> Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_512
> in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
> Mon, 2017-08-07 15:57 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Mon, 2017-08-07 15:57 00[CFG]   loaded ca certificate "O=my_ca" from
> '/etc/ipsec.d/cacerts/ca_crt.pem'
> Mon, 2017-08-07 15:57 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Mon, 2017-08-07 15:57 00[CFG] loading ocsp signer certificates from
> '/etc/ipsec.d/ocspcerts'
> Mon, 2017-08-07 15:57 00[CFG] loading attribute certificates from
> '/etc/ipsec.d/acerts'
> Mon, 2017-08-07 15:57 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Mon, 2017-08-07 15:57 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Mon, 2017-08-07 15:57 00[CFG]   loaded RSA private key from
> '/etc/ipsec.d/private/my_key.der'
> Mon, 2017-08-07 15:57 00[CFG] loaded 0 RADIUS server configurations
> Mon, 2017-08-07 15:57 00[CFG] HA config misses local/remote address
> Mon, 2017-08-07 15:57 00[LIB] feature CUSTOM:ha in plugin 'ha' failed to
> load
> Mon, 2017-08-07 15:57 00[LIB] unloading plugin 'ha' without loaded features
> Mon, 2017-08-07 15:57 00[LIB] loaded plugins: charon test-vectors ldap
> pkcs11 aesni aes rc2 sha2 sha1 md5 rdrand random nonce x509 revocation
> constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl
> gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr
> kernel-netlink resolve socket-default connmark farp stroke updown
> eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls
> eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip
> error-notify certexpire led addrblock unity
> Mon, 2017-08-07 15:57 00[LIB] unable to load 13 plugin features (12 due to
> unmet dependencies)
> Mon, 2017-08-07 15:57 00[LIB] dropped capabilities, running as uid 0, gid 0
> Mon, 2017-08-07 15:57 00[JOB] spawning 16 worker threads
> Mon, 2017-08-07 15:57 01[LIB] created thread 01 [2935]
> Mon, 2017-08-07 15:57 02[LIB] created thread 02 [2936]
> Mon, 2017-08-07 15:57 03[LIB] created thread 03 [2937]
> Mon, 2017-08-07 15:57 04[LIB] created thread 04 [2938]
> Mon, 2017-08-07 15:57 05[LIB] created thread 05 [2939]
> Mon, 2017-08-07 15:57 06[LIB] created thread 06 [2940]
> Mon, 2017-08-07 15:57 07[LIB] created thread 07 [2941]
> Mon, 2017-08-07 15:57 08[LIB] created thread 08 [2942]
> Mon, 2017-08-07 15:57 09[LIB] created thread 09 [2943]
> Mon, 2017-08-07 15:57 10[LIB] created thread 10 [2944]
> Mon, 2017-08-07 15:57 11[LIB] created thread 11 [2945]
> Mon, 2017-08-07 15:57 12[LIB] created thread 12 [2946]
> Mon, 2017-08-07 15:57 13[LIB] created thread 13 [2947]
> Mon, 2017-08-07 15:57 14[LIB] created thread 14 [2948]
> Mon, 2017-08-07 15:57 15[LIB] created thread 15 [2949]
> Mon, 2017-08-07 15:57 16[LIB] created thread 16 [2950]
> Mon, 2017-08-07 15:57 07[CFG] received stroke: add connection 'home'
> Mon, 2017-08-07 15:57 07[CFG] conn home
> Mon, 2017-08-07 15:57 07[CFG]   left=%any
> Mon, 2017-08-07 15:57 07[CFG]   leftsourceip=192.168.145.128
> Mon, 2017-08-07 15:57 07[CFG]   leftcert=my_crt.pem
> Mon, 2017-08-07 15:57 07[CFG]   leftupdown=ipsec _updown iptables
> Mon, 2017-08-07 15:57 07[CFG]   right=CP_FW_IP
> Mon, 2017-08-07 15:57 07[CFG]   rightsubnet=192.168.2.0/24, 192.168.3.0/24
> Mon, 2017-08-07 15:57 07[CFG]   rightid=CP_FW_IP
> Mon, 2017-08-07 15:57 07[CFG]   rightcert=cp_fw_crt.pem
> Mon, 2017-08-07 15:57 07[CFG]   ike=aes128-sha256-modp3072
> Mon, 2017-08-07 15:57 07[CFG]   esp=aes128-sha256
> Mon, 2017-08-07 15:57 07[CFG]   dpddelay=30
> Mon, 2017-08-07 15:57 07[CFG]   dpdtimeout=150
> Mon, 2017-08-07 15:57 07[CFG]   mediation=no
> Mon, 2017-08-07 15:57 07[CFG]   keyexchange=ikev1
> Mon, 2017-08-07 15:57 07[CFG]   loaded certificate "O=my_ca, OU=users,
> CN=my_name" from 'my_crt.pem'
> Mon, 2017-08-07 15:57 07[CFG]   id '%any' not confirmed by certificate,
> defaulting to 'O=my_ca, OU=users, CN=my_name'
> Mon, 2017-08-07 15:57 07[CFG]   loaded certificate "O=my_ca, OU=users,
> CN=cp_fw_cert" from 'cp_fw_crt.pem'
> Mon, 2017-08-07 15:57 07[CFG] added configuration 'home'
> Mon, 2017-08-07 15:57 08[CFG] received stroke: initiate 'home'
> Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_VENDOR task
> Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_CERT_PRE task
> Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing MAIN_MODE task
> Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_CERT_POST task
> Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_NATD task
> Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing QUICK_MODE task
> Mon, 2017-08-07 15:57 08[IKE] <home|1> activating new tasks
> Mon, 2017-08-07 15:57 08[IKE] <home|1>   activating ISAKMP_VENDOR task
> Mon, 2017-08-07 15:57 08[IKE] <home|1>   activating ISAKMP_CERT_PRE task
> Mon, 2017-08-07 15:57 08[IKE] <home|1>   activating MAIN_MODE task
> Mon, 2017-08-07 15:57 08[IKE] <home|1>   activating ISAKMP_CERT_POST task
> Mon, 2017-08-07 15:57 08[IKE] <home|1>   activating ISAKMP_NATD task
> Mon, 2017-08-07 15:57 08[IKE] <home|1> sending XAuth vendor ID
> Mon, 2017-08-07 15:57 08[IKE] <home|1> sending DPD vendor ID
> Mon, 2017-08-07 15:57 08[IKE] <home|1> sending FRAGMENTATION vendor ID
> Mon, 2017-08-07 15:57 08[IKE] <home|1> sending NAT-T (RFC 3947) vendor ID
> Mon, 2017-08-07 15:57 08[IKE] <home|1> sending
> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Mon, 2017-08-07 15:57 08[IKE] <home|1> initiating Main Mode IKE_SA home[1]
> to CP_FW_IP
> Mon, 2017-08-07 15:57 08[IKE] <home|1> IKE_SA home[1] state change:
> CREATED => CONNECTING
> Mon, 2017-08-07 15:57 08[CFG] <home|1> configured proposals:
> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_
> CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/
> CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_
> CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/
> HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_MD5_96/HMAC_
> SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/
> PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_
> HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_
> 512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024,
> IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_
> 128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_16_128/
> CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_
> CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_
> CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_
> GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/
> CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/
> CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/
> PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_
> HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/
> ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_
> 4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
> Mon, 2017-08-07 15:57 08[ENC] <home|1> generating ID_PROT request 0 [ SA V
> V V V V ]
> Mon, 2017-08-07 15:57 08[NET] <home|1> sending packet: from
> 192.168.1.122[500] to CP_FW_IP[500] (240 bytes)
> Mon, 2017-08-07 15:57 10[NET] <home|1> received packet: from CP_FW_IP[500]
> to 192.168.1.122[500] (40 bytes)
> Mon, 2017-08-07 15:57 10[ENC] <home|1> parsed INFORMATIONAL_V1 request
> 111406742 [ N(NO_PROP) ]
> Mon, 2017-08-07 15:57 10[IKE] <home|1> received NO_PROPOSAL_CHOSEN error
> notify
> Mon, 2017-08-07 15:57 10[IKE] <home|1> IKE_SA home[1] state change:
> CONNECTING => DESTROYING
>
> =======================================
>
> So now the problem seems to be that no proposal is chosen... any hint?
>
> Thanks,
> larzeni
>
>
> On Sat, Aug 5, 2017 at 11:20 AM, Noel Kuntze <
> noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
>> Hi,
>>
>> On 05.08.2017 02:27, Luca Arzeni wrote:
>> > [...]
>> > I'm on a debian jessie 8.0, openswan 2.6.37 and I need to migrate to
>> StrongSWAN 5.2.1
>> You better get 5.5.3 right away. 5.2.1 is already pretty old.
>>
>> > [...]
>> > ==============================================================
>> >
>> > Now I'm trying to use StrongSWAN to setup a connection, but I'm not
>> able to connect.
>> > This is my StrongSWAN ipsec.conf:
>> >
>> > ==============================================================
>> >
>> > # ipsec.conf - strongSwan IPsec configuration file
>> >
>> > config setup
>> > # strictcrlpolicy=yes
>> > # uniqueids = no
>> > charondebug =  dmn 2, mgr 2, ike 2, chd 2, job 0, cfg 2, knl 2, net 2,
>> asn 0, enc 0, lib 0, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2
>> Remove that. Use the logger configuration from the HelpRequests[1] page
>> instead and pastebin us that, after you made the following changes.
>> >
>> > conn home
>> >         ikelifetime=60m
>> >         keylife=20m
>> >         rekeymargin=3m
>> >         keyingtries=1
>> >         keyexchange=ikev1
>> > #
>> > left=%any
>> Remove left. It is unnecessary.
>> > leftcert=my_cert.pem
>> > leftrsasigkey=%cert
>> > leftid="my certificate subject"
>> leftrsasigkey and leftid are unnecessary, if not counterproductive.
>>
>> > #leftauth=pubkey
>> >         leftfirewall=yes
>> > #
>> > leftsourceip=A.B.C.D # CP-known client IP (not necessarily my ip), I
>> need to set it because I'm using also a "rightsubnets" list
>> > leftsubnet=A.B.C.D/32 # CP-known client IP(not necessarily my ip), I
>> need to set it because I'm using also a "rightsubnets" list
>> Remove leftsubnet.
>> > #
>> > rightcert=fwncest_2012-11-07_cert.pem
>> > rightrsasigkey=%cert
>> Remove rightrsasigkey.
>> >         right=X.Y.Z.W (FW1_IP_ADDRESS)
>> >         rightid=X.Y.Z.W (I cannot use FW cert or other values, I MUST
>> use the firewall public IP)
>> >         rightsubnet= 192.168.1.0/24, 192.168.2.0/24, etc.
>> >         rightcert=firewall_cert.pem
>> >         rightrsasigkey=%cert
>> Duplicate settings. Pick one of the certs, remove rightrsasigkey anyway.
>> > #
>> > auto=start
>> Careful: Charon does not try to reestablish IKE_SAs or CHILD_SAs if the
>> remote peer deletes them. This behaves differently than openswan.
>>
>> >         # after establishing the vpn, run these scripts to allow routes
>> from my client to server behind the firewall
>> >         #
>> >         # /sbin/iptables -t nat -I POSTROUTING -d 192.168.1.0/24 -j SNAT --to my_ip
>> >         # /sbin/iptables -t nat -I POSTROUTING -d 192.168.2.0/24 -j SNAT --to my_ip
>> >
>> > include /var/lib/strongswan/ipsec.conf.inc
>> Remove the include.
>>
>> > ============================================================
>> ===============
>> >
>> > But this setup is not working.
>>
>> Provide all the information from the HelpRequests[1] page, please.
>>
>> Kind regards
>>
>> Noel
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>>
>>
>
>
> --
> Luca Arzeni
>



-- 
Luca Arzeni
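The certificate failure in the charon log above (peer certificate outside its validity window, CRL unreachable, constraint check failed, IKE_SA deleted) is worth pulling out of the log automatically rather than reading by eye. The script below is an added example, not code from this post or from the strongSwan project; the sample log lines are constructed from the ones quoted in the thread, re-joined onto single lines, and the message wording is charon's as it appears there.

```python
"""Triage a strongSwan charon log for certificate-related IKE_SA failures.
Added example for this thread, not code from the post or from strongSwan."""
import re
from datetime import datetime

# Constructed sample: the relevant lines quoted in the thread, re-joined onto
# single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Mon, 2017-08-07 16:33 11[CFG] <home|1>   certificate "O=my_ca, CN=cp_fw_certificate" key: 1024 bit RSA
Mon, 2017-08-07 16:33 11[CFG] <home|1> subject certificate invalid (valid from Nov 08 09:59:53 2007 to Nov 07 09:59:53 2012)
Mon, 2017-08-07 16:33 11[CFG] <home|1> ocsp check skipped, no ocsp found
Mon, 2017-08-07 16:33 11[LIB] <home|1> libcurl request failed [6]: Could not resolve host: managenetwork1
Mon, 2017-08-07 16:33 11[CFG] <home|1> crl fetching failed
Mon, 2017-08-07 16:33 11[CFG] <home|1> certificate status is not available
Mon, 2017-08-07 16:33 11[IKE] <home|1> authentication of 'CP_FW_IP_ADDRESS' with RSA_EMSA_PKCS1_NULL successful
Mon, 2017-08-07 16:33 11[CFG] <home|1> constraint check failed: peer not authenticated with peer cert 'O=my_ca, CN=cp_fw_certificate'
Mon, 2017-08-07 16:33 11[IKE] <home|1> deleting IKE_SA home[1] between 192.168.1.122[O=my_ca, OU=users, CN=my_name]...CP_FW_IP_ADDRESS[CP_FW_IP_ADDRESS]
"""

# charon line layout: "Mon, 2017-08-07 16:33 11[CFG] <home|1>   message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<thread>\d{2})"
    r"\[(?P<group>[A-Z]+)\] (?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?\s*(?P<msg>.*)$")
VALIDITY_RE = re.compile(
    r"subject certificate invalid \(valid from (?P<nb>.+?) to (?P<na>.+?)\)")
CONSTRAINT_RE = re.compile(r"constraint check failed: (?P<why>.+)")
PEER_AUTH_RE = re.compile(
    r"authentication of '(?P<peer>[^']+)' with (?P<scheme>\S+) successful")
DELETE_RE = re.compile(r"deleting IKE_SA (?P<sa>\S+) between")


def parse_line(raw):
    """Split one charon log line into fields; None if it is not in that format."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["ts"], "%a, %Y-%m-%d %H:%M")
    return fields


def cert_time(text):
    """charon prints certificate validity times like 'Nov 07 09:59:53 2012'."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y")


def triage(log_text):
    """Collect certificate-related findings from charon log text."""
    rep = {"expired": [], "revocation_unknown": False, "constraint_failures": [],
           "peer_auth": [], "deleted_sas": [], "findings": []}
    for raw in log_text.splitlines():
        line = parse_line(raw)
        if line is None:
            continue
        msg, seen = line["msg"], line["time"]
        v, c = VALIDITY_RE.search(msg), CONSTRAINT_RE.search(msg)
        a, d = PEER_AUTH_RE.search(msg), DELETE_RE.search(msg)
        if v:
            nb, na = cert_time(v["nb"]), cert_time(v["na"])
            # Judge validity against the log timestamp, not "now", so that an
            # old log still triages the way charon saw it at the time.
            days_past = (seen - na).days if seen > na else 0
            rep["expired"].append({"not_before": nb, "not_after": na,
                                   "days_past": days_past,
                                   "not_yet_valid": seen < nb})
            rep["findings"].append(f"peer certificate outside validity window "
                                   f"({days_past} days past notAfter {na:%Y-%m-%d})")
        elif msg == "certificate status is not available":
            # CRL/OCSP unreachable: tolerated here, fatal with strictcrlpolicy=yes
            rep["revocation_unknown"] = True
            rep["findings"].append("revocation status unknown (CRL/OCSP unreachable)")
        elif c:
            rep["constraint_failures"].append(c["why"])
            rep["findings"].append("constraint check failed: " + c["why"])
        elif a:
            rep["peer_auth"].append((a["peer"], a["scheme"]))
        elif d:
            rep["deleted_sas"].append(d["sa"])
            rep["findings"].append(f"IKE_SA {d['sa']} deleted")
    return rep
```

Run `triage(SAMPLE_LOG)["findings"]` to get the four findings in the order charon logged them; feeding it a full charon log works the same way, since lines that match none of the patterns are skipped.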