[strongSwan] IDr problems...

Michael Nightingale mike at mike-nightingale.co.uk
Sun Jan 1 21:11:53 CET 2017


It's taken me hours but I've finally got this to work with ipvanish. I 
spent a long time trying the same things you did before I noticed an L2TP 
guide on ipvanish which said to use the PSK "ipvanish", so I gave it a go.

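/etc/ipsec.conf
# ipsec.conf needs a conn section header; the name after "conn" is arbitrary
conn ipvanish
    keyexchange=ikev2
    left=%defaultroute
    leftsourceip=%config
    # client authenticates with EAP-MSCHAPv2 (USERNAME/PASSWORD in ipsec.secrets)
    leftauth=eap-mschapv2
    leftid=USERNAME
    right=nqt-c01.ipvanish.com
    # server authenticates with the PSK from ipsec.secrets, not a certificate
    rightauth=psk
    rightsubnet=0.0.0.0/0
    auto=start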

/etc/ipsec.secrets
: PSK "ipvanish"
USERNAME : EAP "PASSWORD"


Hope it helps,
Mike

On Sunday, November 27, 2016 at 1:24:37 AM UTC, Carson Gaspar wrote:
>
> I'm trying to set up IKEv2 to ipvanish.com's VPN service. I can't manage 
> to get past authenticating their server. Log excerpt (I have a full 
> decrypted packet trace if more info would be helpful):
>
> generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr 
> N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 192.168.1.69[4500] to 81.171.97.38[4500] (476 bytes)
> received packet: from 81.171.97.38[4500] to 192.168.1.69[4500] (1708 bytes)
> parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID N(AUTH_FOLLOWS) ]
> received end entity cert "OU=Domain Control Validated, 
> CN=*.vpn.ipvanish.com"
> no trusted RSA public key found for '81.171.97.38'
> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>
> The packet dump shows them sending an IDr of ID_IPV4_ADDR: 81.171.97.38. 
> Sadly, their cert is missing a SAN for that, as a dump of their cert shows:
>
>          Subject: OU=Domain Control Validated, CN=*.vpn.ipvanish.com
>              X509v3 Subject Alternative Name:
>                  DNS:*.vpn.ipvanish.com, DNS:vpn.ipvanish.com
>
> Is there any way to override the IDr they send in my strongswan config? 
> I've tried everything I can think of in rightid/rightcert/rightsigkey 
> and always get the "no trusted RSA public key" error. I'm a strongswan 
> n00b, so apologies if I'm missing something obvious.
>
> The only IKEv2 client they officially support is iOS, so there's really 
> no chance of getting them to fix their end :-(
>
> -- 
> Carson
>
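
The "no trusted RSA public key found for '81.171.97.38'" error in the quoted log comes from comparing the IDr against the certificate by identity type. The following is an added example, not part of either post and not strongSwan's code: a simplified model of that check using the subject and SANs from the quoted certificate dump. The wildcard rule, the string DN comparison and the host name host.vpn.ipvanish.com are assumptions made for illustration.

```python
import ipaddress

# Constructed from the certificate dump quoted in the thread.
CERT_SUBJECT = "OU=Domain Control Validated, CN=*.vpn.ipvanish.com"
CERT_SANS = [("DNS", "*.vpn.ipvanish.com"), ("DNS", "vpn.ipvanish.com")]


def dns_name_matches(pattern, name):
    """Exact match, or one leading '*.' wildcard label (simplified rule)."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        head, _, rest = name.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == name


def cert_confirms_id(id_type, id_value, subject, sans):
    """True if the certificate carries the peer identity, compared by type."""
    if id_type == "ID_DER_ASN1_DN":
        return id_value == subject
    if id_type == "ID_IPV4_ADDR":
        # An IP identity is only confirmed by an IP-type SAN, never a DNS one.
        want = ipaddress.ip_address(id_value)
        return any(kind == "IP" and ipaddress.ip_address(value) == want
                   for kind, value in sans)
    if id_type == "ID_FQDN":
        return any(kind == "DNS" and dns_name_matches(value, id_value)
                   for kind, value in sans)
    return False


def explain(id_type, id_value, sans=CERT_SANS):
    ok = cert_confirms_id(id_type, id_value, CERT_SUBJECT, sans)
    verdict = "confirmed" if ok else "not confirmed"
    return f"{id_type} {id_value}: {verdict} by certificate"


if __name__ == "__main__":
    candidates = [
        ("ID_IPV4_ADDR", "81.171.97.38"),          # IDr seen in the packet dump
        ("ID_FQDN", "nqt-c01.ipvanish.com"),       # host name used as right=
        ("ID_FQDN", "host.vpn.ipvanish.com"),      # constructed name under the wildcard
        ("ID_DER_ASN1_DN", CERT_SUBJECT),
    ]
    for id_type, id_value in candidates:
        print(explain(id_type, id_value))
```

In this model neither the IP address sent as IDr nor the host name used in right= is covered by the certificate. The configuration that works in the reply sidesteps the check with rightauth=psk, so the server is then authenticated only by a pre-shared key taken from a public guide.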