[strongSwan] From OpenSWAN PubKey to StrongSWAN - Other side is Checkpoint FW1

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Aug 7 17:38:43 CEST 2017


The peer's certificate is expired. You cannot work around that. You need to get the administration of them to fix their certificate.

On 07.08.2017 17:11, Luca Arzeni wrote:
> Another small step:
> by adding the parameter:
> 
> ike=3des-sha1-modp1024
> 
> I got past to the previous problem. Now I got these logs (only relevant part is attached):
> 
> ===================================================
> 
> Mon, 2017-08-07 16:33 06[CFG] added configuration 'home'
> Mon, 2017-08-07 16:33 08[CFG] received stroke: initiate 'home'
> Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing ISAKMP_VENDOR task
> Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing ISAKMP_CERT_PRE task
> Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing MAIN_MODE task
> Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing ISAKMP_CERT_POST task
> Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing ISAKMP_NATD task
> Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing QUICK_MODE task
> Mon, 2017-08-07 16:33 08[IKE] <home|1> activating new tasks
> Mon, 2017-08-07 16:33 08[IKE] <home|1>   activating ISAKMP_VENDOR task
> Mon, 2017-08-07 16:33 08[IKE] <home|1>   activating ISAKMP_CERT_PRE task
> Mon, 2017-08-07 16:33 08[IKE] <home|1>   activating MAIN_MODE task
> Mon, 2017-08-07 16:33 08[IKE] <home|1>   activating ISAKMP_CERT_POST task
> Mon, 2017-08-07 16:33 08[IKE] <home|1>   activating ISAKMP_NATD task
> Mon, 2017-08-07 16:33 08[IKE] <home|1> sending XAuth vendor ID
> Mon, 2017-08-07 16:33 08[IKE] <home|1> sending DPD vendor ID
> Mon, 2017-08-07 16:33 08[IKE] <home|1> sending FRAGMENTATION vendor ID
> Mon, 2017-08-07 16:33 08[IKE] <home|1> sending NAT-T (RFC 3947) vendor ID
> Mon, 2017-08-07 16:33 08[IKE] <home|1> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Mon, 2017-08-07 16:33 08[IKE] <home|1> initiating Main Mode IKE_SA home[1] to CP_FW_IP_ADDRESS
> Mon, 2017-08-07 16:33 08[IKE] <home|1> IKE_SA home[1] state change: CREATED => CONNECTING
> Mon, 2017-08-07 16:33 08[CFG] <home|1> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_MD5_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024,
> IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
> Mon, 2017-08-07 16:33 08[ENC] <home|1> generating ID_PROT request 0 [ SA V V V V V ]
> Mon, 2017-08-07 16:33 08[NET] <home|1> sending packet: from 192.168.1.122[500] to CP_FW_IP_ADDRESS[500] (236 bytes)
> Mon, 2017-08-07 16:33 10[NET] <home|1> received packet: from CP_FW_IP_ADDRESS[500] to 192.168.1.122[500] (80 bytes)
> Mon, 2017-08-07 16:33 10[ENC] <home|1> parsed ID_PROT response 0 [ SA ]
> Mon, 2017-08-07 16:33 10[CFG] <home|1> selecting proposal:
> Mon, 2017-08-07 16:33 10[CFG] <home|1>   proposal matches
> Mon, 2017-08-07 16:33 10[CFG] <home|1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> Mon, 2017-08-07 16:33 10[CFG] <home|1> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_MD5_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024,
> IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
> Mon, 2017-08-07 16:33 10[CFG] <home|1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> Mon, 2017-08-07 16:33 10[IKE] <home|1> reinitiating already active tasks
> Mon, 2017-08-07 16:33 10[IKE] <home|1>   ISAKMP_VENDOR task
> Mon, 2017-08-07 16:33 10[IKE] <home|1>   ISAKMP_CERT_PRE task
> Mon, 2017-08-07 16:33 10[IKE] <home|1>   MAIN_MODE task
> Mon, 2017-08-07 16:33 10[LIB] <home|1> size of DH secret exponent: 1023 bits
> Mon, 2017-08-07 16:33 10[ENC] <home|1> generating ID_PROT request 0 [ KE No ]
> Mon, 2017-08-07 16:33 10[NET] <home|1> sending packet: from 192.168.1.122[500] to CP_FW_IP_ADDRESS[500] (196 bytes)
> Mon, 2017-08-07 16:33 05[NET] <home|1> received packet: from CP_FW_IP_ADDRESS[500] to 192.168.1.122[500] (305 bytes)
> Mon, 2017-08-07 16:33 05[ENC] <home|1> parsed ID_PROT response 0 [ KE No CERTREQ CERTREQ CERTREQ CERTREQ ]
> Mon, 2017-08-07 16:33 05[IKE] <home|1> received cert request for 'O=my_ca'
> Mon, 2017-08-07 16:33 05[IKE] <home|1> received cert request for unknown ca 'O=another_ca'
> *Mon, 2017-08-07 16:33 05[IKE] <home|1> ANY CERTREQ not supported - ignored*
> Mon, 2017-08-07 16:33 05[IKE] <home|1> ignoring certificate request without data
> Mon, 2017-08-07 16:33 05[IKE] <home|1> reinitiating already active tasks
> Mon, 2017-08-07 16:33 05[IKE] <home|1>   ISAKMP_VENDOR task
> Mon, 2017-08-07 16:33 05[IKE] <home|1>   ISAKMP_CERT_PRE task
> Mon, 2017-08-07 16:33 05[IKE] <home|1>   MAIN_MODE task
> Mon, 2017-08-07 16:33 05[IKE] <home|1> sending cert request for "O=my_ca"
> Mon, 2017-08-07 16:33 05[IKE] <home|1> authentication of 'O=my_ca, OU=users, CN=my_name' (myself) successful
> Mon, 2017-08-07 16:33 05[IKE] <home|1> sending end entity cert "O=my_ca, OU=users, CN=my_name"
> Mon, 2017-08-07 16:33 05[ENC] <home|1> generating ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
> Mon, 2017-08-07 16:33 05[NET] <home|1> sending packet: from 192.168.1.122[500] to CP_FW_IP_ADDRESS[500] (956 bytes)
> Mon, 2017-08-07 16:33 11[NET] <home|1> received packet: from CP_FW_IP_ADDRESS[500] to 192.168.1.122[500] (1084 bytes)
> Mon, 2017-08-07 16:33 11[ENC] <home|1> parsed ID_PROT response 0 [ ID CERT SIG ]
> Mon, 2017-08-07 16:33 11[IKE] <home|1> received end entity cert "O=my_ca, CN=cp_fw_certificate"
> Mon, 2017-08-07 16:33 11[CFG] <home|1>   certificate "O=my_ca, CN=cp_fw_certificate" key: 1024 bit RSA
> Mon, 2017-08-07 16:33 11[CFG] <home|1>   using trusted ca certificate "O=my_ca"
> *Mon, 2017-08-07 16:33 11[CFG] <home|1> subject certificate invalid (valid from Nov 08 09:59:53 2007 to Nov 07 09:59:53 2012)*
> *Mon, 2017-08-07 16:33 11[CFG] <home|1>   using certificate "O=my_ca, CN=cp_fw_certificate"*
> Mon, 2017-08-07 16:33 11[CFG] <home|1>   certificate "O=my_ca, CN=cp_fw_certificate" key: 2048 bit RSA
> Mon, 2017-08-07 16:33 11[CFG] <home|1>   using trusted ca certificate "O=my_ca"
> Mon, 2017-08-07 16:33 11[CFG] <home|1> checking certificate status of "O=my_ca, CN=cp_fw_certificate"
> Mon, 2017-08-07 16:33 11[CFG] <home|1> ocsp check skipped, no ocsp found
> Mon, 2017-08-07 16:33 11[CFG] <home|1>   fetching crl from 'O=my_ca, CN=ICA_CRL4' ...
> Mon, 2017-08-07 16:33 11[LIB] <home|1> unable to fetch from O=my_ca, CN=ICA_CRL4, no capable fetcher found
> Mon, 2017-08-07 16:33 11[CFG] <home|1> crl fetching failed
> Mon, 2017-08-07 16:33 11[CFG] <home|1>   fetching crl from 'http://managenetwork1:18264/ICA_CRL4.crl' ...
> Mon, 2017-08-07 16:33 11[LIB] <home|1>   sending request to 'http://managenetwork1:18264/ICA_CRL4.crl'...
> Mon, 2017-08-07 16:33 11[LIB] <home|1> libcurl request failed [6]: Could not resolve host: managenetwork1
> Mon, 2017-08-07 16:33 11[CFG] <home|1> crl fetching failed
> Mon, 2017-08-07 16:33 11[CFG] <home|1> certificate status is not available
> Mon, 2017-08-07 16:33 11[CFG] <home|1>   certificate "O=my_ca" key: 1024 bit RSA
> Mon, 2017-08-07 16:33 11[CFG] <home|1>   reached self-signed root ca with a path length of 0
> Mon, 2017-08-07 16:33 11[IKE] <home|1> authentication of 'CP_FW_IP_ADDRESS' with RSA_EMSA_PKCS1_NULL successful
> *Mon, 2017-08-07 16:33 11[CFG] <home|1> constraint check failed: peer not authenticated with peer cert 'O=my_ca, CN=cp_fw_certificate'*
> Mon, 2017-08-07 16:33 11[IKE] <home|1> queueing ISAKMP_DELETE task
> Mon, 2017-08-07 16:33 11[IKE] <home|1> activating new tasks
> Mon, 2017-08-07 16:33 11[IKE] <home|1>   activating ISAKMP_DELETE task
> Mon, 2017-08-07 16:33 11[IKE] <home|1> deleting IKE_SA home[1] between 192.168.1.122[O=my_ca, OU=users, CN=my_name]...CP_FW_IP_ADDRESS[CP_FW_IP_ADDRESS]
> Mon, 2017-08-07 16:33 11[IKE] <home|1> sending DELETE for IKE_SA home[1]
> Mon, 2017-08-07 16:33 11[IKE] <home|1> IKE_SA home[1] state change: CONNECTING => DELETING
> Mon, 2017-08-07 16:33 11[ENC] <home|1> generating INFORMATIONAL_V1 request 2838696763 [ HASH D ]
> Mon, 2017-08-07 16:33 11[NET] <home|1> sending packet: from 192.168.1.122[500] to CP_FW_IP_ADDRESS[500] (84 bytes)
> Mon, 2017-08-07 16:33 11[IKE] <home|1> IKE_SA home[1] state change: DELETING => DESTROYING
> 
> ===================================================
> 
> So, the problem now seems to be that the CP Firewall certificate is expired. I checked it with openssl and I can confirm that the cert is expired. Is there any way to skip this check and go on with the VPN?
> 
> Thanks.
> larzeni
> 
> 
> On Mon, Aug 7, 2017 at 4:23 PM, Luca Arzeni <l.arzeni at gmail.com> wrote:
> 
>     Hi Noel,
>     thanks for your help.
>     I've set up a Debian 9 PC, so I am now using Strongswan 5.5.1-4 as you suggested. I cannot get 5.5.3 since it is not available under Debian. As a bonus, now my Linux kernel is 4.9.0-3.
> 
>     These are my ipsec.conf (I followed your hints and simplified whatever I could) and charon_debug.log:
> 
>     === ipsec.conf  ======================
> 
>     config setup
>     # strictcrlpolicy=yes
>     # uniqueids = no
> 
>     conn home
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>     #
>     leftcert=my_crt.pem
>     leftsourceip=192.168.145.128 # CP-known client IP
>     leftfirewall=yes
>     #
>     right=CP_FW_IP
>     rightid=CP_FW_IP
>     rightsubnet= 192.168.2.0/24, 192.168.3.0/24
>     rightcert=cp_fw_crt.pem
>     #
>     auto=start
> 
>     === charon_debug.log ======================
> 
>     Mon, 2017-08-07 15:57 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-3-amd64, x86_64)
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'test-vectors': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'ldap': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs11': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'aesni': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'aes': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'rc2': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'sha2': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'sha1': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'md5': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'rdrand': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] detected RDRAND support, enabled
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'random': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'nonce': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'x509': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'revocation': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'constraints': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'pubkey': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs1': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs7': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs8': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs12': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'pgp': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'dnskey': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'sshkey': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'pem': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'openssl': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'gcrypt': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'af-alg': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'fips-prf': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'gmp': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'agent': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'xcbc': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'cmac': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'hmac': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'ctr': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'ccm': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'gcm': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'curl': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'attr': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'kernel-netlink': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'resolve': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'socket-default': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'connmark': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'farp': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'stroke': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'updown': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-identity': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-aka': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-md5': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-gtc': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-mschapv2': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-radius': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-tls': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-ttls': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-tnc': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-generic': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-eap': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-pam': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'tnc-tnccs': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'dhcp': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'ha': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'lookip': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'error-notify': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'certexpire': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'led': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'addrblock': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] plugin 'unity': loaded successfully
>     Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
>     Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
>     Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
>     Mon, 2017-08-07 15:57 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
>     Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
>     Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
>     Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
>     Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
>     Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
>     Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
>     Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
>     Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
>     Mon, 2017-08-07 15:57 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>     Mon, 2017-08-07 15:57 00[CFG]   loaded ca certificate "O=my_ca" from '/etc/ipsec.d/cacerts/ca_crt.pem'
>     Mon, 2017-08-07 15:57 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>     Mon, 2017-08-07 15:57 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>     Mon, 2017-08-07 15:57 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>     Mon, 2017-08-07 15:57 00[CFG] loading crls from '/etc/ipsec.d/crls'
>     Mon, 2017-08-07 15:57 00[CFG] loading secrets from '/etc/ipsec.secrets'
>     Mon, 2017-08-07 15:57 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/my_key.der'
>     Mon, 2017-08-07 15:57 00[CFG] loaded 0 RADIUS server configurations
>     Mon, 2017-08-07 15:57 00[CFG] HA config misses local/remote address
>     Mon, 2017-08-07 15:57 00[LIB] feature CUSTOM:ha in plugin 'ha' failed to load
>     Mon, 2017-08-07 15:57 00[LIB] unloading plugin 'ha' without loaded features
>     Mon, 2017-08-07 15:57 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
>     Mon, 2017-08-07 15:57 00[LIB] unable to load 13 plugin features (12 due to unmet dependencies)
>     Mon, 2017-08-07 15:57 00[LIB] dropped capabilities, running as uid 0, gid 0
>     Mon, 2017-08-07 15:57 00[JOB] spawning 16 worker threads
>     Mon, 2017-08-07 15:57 01[LIB] created thread 01 [2935]
>     Mon, 2017-08-07 15:57 02[LIB] created thread 02 [2936]
>     Mon, 2017-08-07 15:57 03[LIB] created thread 03 [2937]
>     Mon, 2017-08-07 15:57 04[LIB] created thread 04 [2938]
>     Mon, 2017-08-07 15:57 05[LIB] created thread 05 [2939]
>     Mon, 2017-08-07 15:57 06[LIB] created thread 06 [2940]
>     Mon, 2017-08-07 15:57 07[LIB] created thread 07 [2941]
>     Mon, 2017-08-07 15:57 08[LIB] created thread 08 [2942]
>     Mon, 2017-08-07 15:57 09[LIB] created thread 09 [2943]
>     Mon, 2017-08-07 15:57 10[LIB] created thread 10 [2944]
>     Mon, 2017-08-07 15:57 11[LIB] created thread 11 [2945]
>     Mon, 2017-08-07 15:57 12[LIB] created thread 12 [2946]
>     Mon, 2017-08-07 15:57 13[LIB] created thread 13 [2947]
>     Mon, 2017-08-07 15:57 14[LIB] created thread 14 [2948]
>     Mon, 2017-08-07 15:57 15[LIB] created thread 15 [2949]
>     Mon, 2017-08-07 15:57 16[LIB] created thread 16 [2950]
>     Mon, 2017-08-07 15:57 07[CFG] received stroke: add connection 'home'
>     Mon, 2017-08-07 15:57 07[CFG] conn home
>     Mon, 2017-08-07 15:57 07[CFG]   left=%any
>     Mon, 2017-08-07 15:57 07[CFG]   leftsourceip=192.168.145.128
>     Mon, 2017-08-07 15:57 07[CFG]   leftcert=my_crt.pem
>     Mon, 2017-08-07 15:57 07[CFG]   leftupdown=ipsec _updown iptables
>     Mon, 2017-08-07 15:57 07[CFG]   right=CP_FW_IP
>     Mon, 2017-08-07 15:57 07[CFG]   rightsubnet=192.168.2.0/24, 192.168.3.0/24
>     Mon, 2017-08-07 15:57 07[CFG]   rightid=CP_FW_IP
>     Mon, 2017-08-07 15:57 07[CFG]   rightcert=cp_fw_crt.pem
>     Mon, 2017-08-07 15:57 07[CFG]   ike=aes128-sha256-modp3072
>     Mon, 2017-08-07 15:57 07[CFG]   esp=aes128-sha256
>     Mon, 2017-08-07 15:57 07[CFG]   dpddelay=30
>     Mon, 2017-08-07 15:57 07[CFG]   dpdtimeout=150
>     Mon, 2017-08-07 15:57 07[CFG]   mediation=no
>     Mon, 2017-08-07 15:57 07[CFG]   keyexchange=ikev1
>     Mon, 2017-08-07 15:57 07[CFG]   loaded certificate "O=my_ca, OU=users, CN=my_name" from 'my_crt.pem'
>     Mon, 2017-08-07 15:57 07[CFG]   id '%any' not confirmed by certificate, defaulting to 'O=my_ca, OU=users, CN=my_name'
>     Mon, 2017-08-07 15:57 07[CFG]   loaded certificate "O=my_ca, OU=users, CN=cp_fw_cert" from 'cp_fw_crt.pem'
>     Mon, 2017-08-07 15:57 07[CFG] added configuration 'home'
>     Mon, 2017-08-07 15:57 08[CFG] received stroke: initiate 'home'
>     Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_VENDOR task
>     Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_CERT_PRE task
>     Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing MAIN_MODE task
>     Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_CERT_POST task
>     Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_NATD task
>     Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing QUICK_MODE task
>     Mon, 2017-08-07 15:57 08[IKE] <home|1> activating new tasks
>     Mon, 2017-08-07 15:57 08[IKE] <home|1>   activating ISAKMP_VENDOR task
>     Mon, 2017-08-07 15:57 08[IKE] <home|1>   activating ISAKMP_CERT_PRE task
>     Mon, 2017-08-07 15:57 08[IKE] <home|1>   activating MAIN_MODE task
>     Mon, 2017-08-07 15:57 08[IKE] <home|1>   activating ISAKMP_CERT_POST task
>     Mon, 2017-08-07 15:57 08[IKE] <home|1>   activating ISAKMP_NATD task
>     Mon, 2017-08-07 15:57 08[IKE] <home|1> sending XAuth vendor ID
>     Mon, 2017-08-07 15:57 08[IKE] <home|1> sending DPD vendor ID
>     Mon, 2017-08-07 15:57 08[IKE] <home|1> sending FRAGMENTATION vendor ID
>     Mon, 2017-08-07 15:57 08[IKE] <home|1> sending NAT-T (RFC 3947) vendor ID
>     Mon, 2017-08-07 15:57 08[IKE] <home|1> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>     Mon, 2017-08-07 15:57 08[IKE] <home|1> initiating Main Mode IKE_SA home[1] to CP_FW_IP
>     Mon, 2017-08-07 15:57 08[IKE] <home|1> IKE_SA home[1] state change: CREATED => CONNECTING
>     Mon, 2017-08-07 15:57 08[CFG] <home|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_MD5_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024,
>     IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
>     Mon, 2017-08-07 15:57 08[ENC] <home|1> generating ID_PROT request 0 [ SA V V V V V ]
>     Mon, 2017-08-07 15:57 08[NET] <home|1> sending packet: from 192.168.1.122[500] to CP_FW_IP[500] (240 bytes)
>     Mon, 2017-08-07 15:57 10[NET] <home|1> received packet: from CP_FW_IP[500] to 192.168.1.122[500] (40 bytes)
>     Mon, 2017-08-07 15:57 10[ENC] <home|1> parsed INFORMATIONAL_V1 request 111406742 [ N(NO_PROP) ]
>     Mon, 2017-08-07 15:57 10[IKE] <home|1> received NO_PROPOSAL_CHOSEN error notify
>     Mon, 2017-08-07 15:57 10[IKE] <home|1> IKE_SA home[1] state change: CONNECTING => DESTROYING
> 
>     =======================================
> 
>     So now the problem seems to be that no proposal is chosen... any hint?
> 
>     Thanks,
>     larzeni
> 
> 
>     On Sat, Aug 5, 2017 at 11:20 AM, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> 
>         Hi,
> 
>         On 05.08.2017 02:27, Luca Arzeni wrote:
>         > [...]
>         > I'm on a debian jessie 8.0, openswan 2.6.37 and I need to migrate to StrongSWAN 5.2.1
>         You better get 5.5.3 right away. 5.2.1 is already pretty old.
> 
>         > [...]
>         > ==============================================================
>         >
>         > Now I'm trying to use StrongSWAN to setup a connection, but I'm not able to connect.
>         > This is my StrongSWAN ipsec.conf:
>         >
>         > ==============================================================
>         >
>         > # ipsec.conf - strongSwan IPsec configuration file
>         >
>         > config setup
>         > # strictcrlpolicy=yes
>         > # uniqueids = no
>         > charondebug =  dmn 2, mgr 2, ike 2, chd 2, job 0, cfg 2, knl 2, net 2, asn 0, enc 0, lib 0, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2
>         Remove that. Use the logger configuration from the HelpRequests[1] page instead and pastebin us that, after you made the following changes.
>         >
>         > conn home
>         >         ikelifetime=60m
>         >         keylife=20m
>         >         rekeymargin=3m
>         >         keyingtries=1
>         >         keyexchange=ikev1
>         > #
>         > left=%any
>         Remove left. It is unnecessary.
>         > leftcert=my_cert.pem
>         > leftrsasigkey=%cert
>         > leftid="my certificate subject"
>         leftrsasigkey and leftid are unnecessary, if not counterproductive.
> 
>         > #leftauth=pubkey
>         >         leftfirewall=yes
>         > #
>         > leftsourceip=A.B.C.D # CP-known client IP (not necessarily my ip), I need to set it because I'm using also a "rightsubnets" list
>         > leftsubnet=A.B.C.D/32 # CP-known client IP(not necessarily my ip), I need to set it because I'm using also a "rightsubnets" list
>         Remove leftsubnet.
>         > #
>         > rightcert=fwncest_2012-11-07_cert.pem
>         > rightrsasigkey=%cert
>         Remove rightrsasigkey.
>         >         right=X.Y.Z.W (FW1_IP_ADDRESS)
>         >         rightid=X.Y.Z.W (I cannot use FW cert or other values, I MUST use the firewall public IP)
>         >         rightsubnet= 192.168.1.0/24, 192.168.2.0/24, etc...
>         >         rightcert=firewall_cert.pem
>         >         rightrsasigkey=%cert
>         Duplicate settings. Pick one of the certs, remove rightrsasigkey anyway.
>         > #
>         > auto=start
>         Careful: Charon does not try to reestablish IKE_SAs or CHILD_SAs if the remote peer deletes them. This behaves differently than openswan.
> 
>         >         # after establishing the vpn, run these scripts to allow routes from my client to servers behind the firewall
>         >         #
>         >         # /sbin/iptables -t nat -I POSTROUTING -d 192.168.1.0/24 -j SNAT --to my_ip
>         >         # /sbin/iptables -t nat -I POSTROUTING -d 192.168.2.0/24 -j SNAT --to my_ip
>         >
>         > include /var/lib/strongswan/ipsec.conf.inc
>         Remove the include.
> 
>         > ===========================================================================
>         >
>         > But this setup is not working.
> 
>         Provide all the information from the HelpRequests[1] page, please.
> 
>         Kind regards
> 
>         Noel
> 
>         [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
> 
> 
> 
> 
>     -- 
>     Luca Arzeni
> 
> 
> 
> 
> -- 
> Luca Arzeni
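The log quoted above shows three separate findings that are easy to conflate when reading charon output by eye: the peer certificate is outside its validity window, revocation status could not be determined (CRL fetch failed), and the `rightcert` constraint is therefore not satisfied. The following is an added example, not code from the list or from the strongSwan project: a small stdlib-only Python triage script that parses charon log lines in the format quoted in this thread, extracts the certificate validity window, works out how far outside it the peer was at the time the line was logged, and produces a verdict. The sample lines are constructed to mirror the quoted log (same format, same placeholder names such as `CP_FW_IP_ADDRESS` and `O=my_ca`); a second constructed sample covers the earlier `NO_PROPOSAL_CHOSEN` exchange from the same thread so that one script handles both failure modes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the charon lines quoted in this thread
# (same format and placeholders; not the poster's actual log file).
SAMPLE_LOG = """\
Mon, 2017-08-07 16:33 11[CFG] <home|1> subject certificate invalid (valid from Nov 08 09:59:53 2007 to Nov 07 09:59:53 2012)
Mon, 2017-08-07 16:33 11[CFG] <home|1> crl fetching failed
Mon, 2017-08-07 16:33 11[CFG] <home|1> certificate status is not available
Mon, 2017-08-07 16:33 11[IKE] <home|1> authentication of 'CP_FW_IP_ADDRESS' with RSA_EMSA_PKCS1_NULL successful
Mon, 2017-08-07 16:33 11[CFG] <home|1> constraint check failed: peer not authenticated with peer cert 'O=my_ca, CN=cp_fw_certificate'
Mon, 2017-08-07 16:33 11[IKE] <home|1> IKE_SA home[1] state change: CONNECTING => DELETING
"""

# Constructed sample for the earlier exchange in the thread (proposal mismatch).
SAMPLE_LOG_NO_PROP = """\
Mon, 2017-08-07 15:57 10[ENC] <home|1> parsed INFORMATIONAL_V1 request 111406742 [ N(NO_PROP) ]
Mon, 2017-08-07 15:57 10[IKE] <home|1> received NO_PROPOSAL_CHOSEN error notify
"""

# One charon line: "<timestamp> <thread>[<group>] [<conn|sa>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$"
)
VALIDITY_RE = re.compile(
    r"subject certificate invalid \(valid from (?P<not_before>.+?) to (?P<not_after>.+?)\)"
)
CONSTRAINT_RE = re.compile(
    r"constraint check failed: peer not authenticated with peer cert '(?P<dn>[^']+)'"
)
LOG_TS_FMT = "%a, %Y-%m-%d %H:%M"   # e.g. "Mon, 2017-08-07 16:33"
CERT_TS_FMT = "%b %d %H:%M:%S %Y"   # e.g. "Nov 07 09:59:53 2012"


def parse_line(line):
    """Split one charon log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(log_text):
    """Walk a charon log and explain why the IKE_SA could not be established.

    Returns the peer certificates charon rejected as invalid (with how many
    days outside their validity window they were when logged), the DNs that
    failed the rightcert constraint, whether revocation status was unknown,
    whether the peer rejected every proposal, and a one-line verdict."""
    result = {
        "invalid_certs": [],
        "peer_cert_rejected": [],
        "revocation_status_unknown": False,
        "no_proposal_chosen": False,
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        seen_at = datetime.strptime(rec["ts"], LOG_TS_FMT)

        v = VALIDITY_RE.search(msg)
        if v:
            not_before = datetime.strptime(v["not_before"], CERT_TS_FMT)
            not_after = datetime.strptime(v["not_after"], CERT_TS_FMT)
            if seen_at > not_after:
                state, delta = "expired", seen_at - not_after
            elif seen_at < not_before:
                state, delta = "not_yet_valid", not_before - seen_at
            else:  # would indicate a clock problem on the logging host
                state, delta = "in_window", timedelta(0)
            result["invalid_certs"].append({
                "state": state,
                "not_before": not_before,
                "not_after": not_after,
                "days_outside_window": delta.days,
            })
            continue

        c = CONSTRAINT_RE.search(msg)
        if c:
            result["peer_cert_rejected"].append(c["dn"])
        elif msg == "certificate status is not available":
            result["revocation_status_unknown"] = True
        elif "NO_PROPOSAL_CHOSEN" in msg:
            result["no_proposal_chosen"] = True

    result["verdict"] = _verdict(result)
    return result


def _verdict(r):
    """Pick the earliest blocker in the IKEv1 exchange; later findings follow from it."""
    if r["no_proposal_chosen"]:
        return "peer rejected every IKE proposal: align ike=/esp= with the peer's configuration"
    if any(c["state"] == "expired" for c in r["invalid_certs"]):
        return "peer certificate is expired: only the peer's administrators can fix this by issuing a new certificate"
    if r["peer_cert_rejected"]:
        return "peer certificate does not satisfy rightcert: check the configured peer certificate"
    return "no certificate or proposal problem found in this log"


if __name__ == "__main__":
    for name, text in (("expired cert", SAMPLE_LOG), ("proposal mismatch", SAMPLE_LOG_NO_PROP)):
        print(name, "->", diagnose(text)["verdict"])
```

The verdict deliberately ranks a proposal mismatch above certificate findings: in Main Mode the SA payload is exchanged before any certificate, so `NO_PROPOSAL_CHOSEN` means the certificate checks never ran. Note that "certificate status is not available" on its own is only fatal with `strictcrlpolicy=yes`; in the quoted log the fatal line is the validity failure, which the script reports with the number of days since expiry.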
