[strongSwan] Help with connecting to a cisco VPN system.
Ben Greear
greearb at candelatech.com
Wed Jul 17 18:55:12 CEST 2019
Hello,
First, thanks for all the help so far. I think I am getting close!
I am hoping that someone can help with my problem below...
Someone sent me instructions for how to connect to a cisco vpn concentrator
with this information:
"
I added the following to the ipsec.conf:
conn ciscoasa
    right=192.168.5.1
    rightid="C=US, CN=192.168.5.1"
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftauth=pubkey
    leftcert=cert.der
    auto=add
    esp=aes256gcm16-ecp384
    ike=aes256gcm16-prfsha384-ecp384
    keyexchange=ikev2
And the following to the ipsec.secrets:
: ECDSA cert.key
The CA certificate must be placed in the /etc/strongswan/ipsec.d/cacerts/ directory.
The user certificate 'cert.der' (as listed above in the ipsec.conf) must be placed in the /etc/strongswan/ipsec.d/certs/ directory.
The user certificate private key 'cert.key' (as listed in the ipsec.secrets) must be placed in the /etc/strongswan/ipsec.d/private/ directory. The cert.key has been unencrypted and thus a password is not needed in the ipsec.secrets file.
"
I have been trying to convert this to (what I assume is) the newer strongswan config file API:
# cat /home/lanforge/local/etc/swanctl/secrets.conf
ike-lanforge {
    id = "C=US, CN=192.168.5.1" # use remote id specified in tunnel config
    file = cert.key
    secret = ""
}
# cat local/etc/swanctl/peers-enabled/eth4.conf
_vrf4 {
    local_addrs = %any # use any local IP to connect to remote
    remote_addrs = 192.168.5.1 # WAN Address of IPsec concentrator, may use DNS
    unique = replace
    local {
        auth = pubkey
        id = @lanforge.loc # A key identifier per connection, local ID
    }
    remote {
        auth = pubkey
        id = @C=US, CN=192.168.5.1.loc # A key identifier per connection, remote ID
    }
    children {
        _vrf4_sa {
            local_ts = 0.0.0.0/0,::/0
            remote_ts = 0.0.0.0/0,::/0
            if_id_out = 4 # The xfrm interface ID, use VRF ID
            if_id_in = 4 # The xfrm interface ID, use VRF ID
            start_action = trap
            life_time = 1h
            rekey_time = 55m
            esp_proposals = aes256gcm128-modp3072 # Optimized for throughput on Intel HW
            dpd_action = trap
        }
    }
    keyingtries = 0
    dpd_delay = 30
    version = 2
    mobike = yes
    rekey_time = 23h
    over_time = 1h
    proposals = aes256-sha256-modp3072,aes256gcm16-prfsha384-ecp384
}
# cat /home/lanforge/local/etc/swanctl/swanctl.conf
connections {
    include /home/lanforge/local/etc/swanctl/peers-enabled/*.conf
}
secrets {
    include /home/lanforge/local/etc/swanctl/secrets.conf
}
These files are copied into place in the ./local/ directory structure:
local/etc/ipsec.d/certs/cert.der
local/etc/ipsec.d/private/cert.key
local/etc/ipsec.d/cacerts/red-ca.cer
-rw-r--r-- 1 lanforge lanforge 776 Jul 17 09:08 local/etc/ipsec.d/cacerts/red-ca.cer
-rw-r--r-- 1 root root 513 Jul 17 09:28 local/etc/ipsec.d/private/cert.key
-rw-r--r-- 1 lanforge lanforge 1143 Jul 17 09:08 local/etc/ipsec.d/certs/cert.der
Here is some output from swanctl that makes me think it is at least somewhat working:
# swanctl --list-conns
_vrf4: IKEv2, no reauthentication, rekeying every 82800s, dpd delay 30s
  local:  %any
  remote: 192.168.5.1
  local public key authentication:
    id: lanforge.loc
  remote public key authentication:
    id: @C=US, CN=192.168.5.1.loc
  _vrf4_sa: TUNNEL, rekeying every 3300s, dpd action is hold
    local:  0.0.0.0/0 ::/0
    remote: 0.0.0.0/0 ::/0
But certainly not completely working:
# swanctl --load-all
loading shared secret failed: shared key data missing
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection '_vrf4'
successfully loaded 1 connections, 0 unloaded
# swanctl --list-sas
journalctl shows this when I try to start traffic on the xfrm interface:
Jul 17 09:35:59 lf0313-63e7 ipsec[19850]: 12[IKE] initiating IKE_SA _vrf4[7] to 192.168.5.1
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 14[KNL] interface x_eth4 deactivated
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 13[KNL] interface x_eth4 activated
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 02[KNL] fe80::e380:2a25:4bcc:6d45 appeared on x_eth4
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 12[NET] sending packet: from 192.168.5.4[500] to 192.168.5.1[500] (628 bytes)
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[NET] received packet: from 192.168.5.1[500] to 192.168.5.4[500] (38 bytes)
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[IKE] peer didn't accept DH group MODP_3072, it requested ECP_384
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[IKE] initiating IKE_SA _vrf4[7] to 192.168.5.1
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[IKE] initiating IKE_SA _vrf4[7] to 192.168.5.1
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[NET] sending packet: from 192.168.5.4[500] to 192.168.5.1[500] (340 bytes)
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[NET] received packet: from 192.168.5.1[500] to 192.168.5.4[500] (431 bytes)
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] received Cisco Delete Reason vendor ID
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] received Cisco Copyright (c) 2009 vendor ID
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] received FRAGMENTATION vendor ID
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] received cert request for "DC=local, DC=red, CN=RED-CA"
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] sending cert request for "DC=local, DC=red, CN=RED-CA"
Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] no private key found for 'lanforge.loc'
Any clues are welcome, and I will be happy to run more diagnostics if someone has suggestions.
Thanks,
Ben
--
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc http://www.candelatech.com
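The following swanctl.conf is an added example, not part of Ben's post and not a reply from the list: it is one direct translation of the quoted ipsec.conf/ipsec.secrets instructions into swanctl syntax. It assumes the three files are copied into swanctl's own credential directories (x509/cert.der, private/cert.key, x509ca/red-ca.cer under the swanctl base directory, which is /etc/swanctl by default and a ./local/etc/swanctl equivalent in Ben's layout), and it keeps the VRF id 4 from eth4.conf as an optional xfrm-interface binding. Two points from the posted config and journal are worth calling out here: an `ike` section under `secrets` defines an IKE pre-shared key (hence "shared key data missing"), while a private key belongs in a `private` section; and a distinguished-name peer identity has to be quoted as a DN, not prefixed with `@` and suffixed with `.loc`, or it can never match the subject of the concentrator's certificate. The connection and section names are placeholders.

```conf
# /etc/swanctl/swanctl.conf (added example; assumes cert.der, cert.key and
# red-ca.cer were copied into the x509/, private/ and x509ca/ subdirectories
# of the swanctl base directory, where swanctl --load-creds looks for them)
connections {
    ciscoasa {
        version = 2                      # keyexchange=ikev2
        remote_addrs = 192.168.5.1       # right=192.168.5.1
        vips = 0.0.0.0                   # leftsourceip=%config
        # One IKE proposal only, matching the ike= line of the instructions.
        # Listing a modp3072 proposal first is what produced the INVAL_KE
        # round trip visible in the journal output.
        proposals = aes256gcm16-prfsha384-ecp384
        local {
            auth = pubkey
            # leftcert=cert.der: with 'id' left unset the identity is taken
            # from this certificate's subject DN; if 'id' is set it must be
            # an identity the certificate contains (subject DN or SAN),
            # otherwise charon reports "no private key found" for it.
            certs = cert.der
        }
        remote {
            auth = pubkey
            # rightid is a distinguished name: quote it as-is, no '@', no '.loc'.
            id = "C=US, CN=192.168.5.1"
        }
        children {
            ciscoasa {
                remote_ts = 0.0.0.0/0    # rightsubnet=0.0.0.0/0
                esp_proposals = aes256gcm16-ecp384   # esp= line
                # Optional: bind the SA to an xfrm interface, as eth4.conf does
                # (VRF id 4 assumed from that file).
                if_id_in = 4
                if_id_out = 4
                start_action = none      # auto=add
            }
        }
    }
}

secrets {
    # 'ike' sections are pre-shared keys; private keys go in 'private' sections.
    # The instructions state cert.key is unencrypted, so no 'secret' is needed;
    # swanctl --load-creds also loads unencrypted keys found in private/ without
    # this block, so it mainly documents which key file is expected.
    private-cert {
        file = cert.key
    }
}
```

After editing, `swanctl --load-creds` followed by `swanctl --load-conns` should report the key and certificate loaded with no "shared secret" error, and `swanctl --list-certs` should list cert.der with a matching private key before `swanctl --initiate --child ciscoasa` is tried. The posted directory listing shows cert.key owned by root with mode 0644; the account charon runs as must be able to read it, and a private key should normally be 0600.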