[strongSwan] Help with connecting to a cisco VPN system.

Noel Kuntze noel.kuntze at thermi.consulting
Wed Jul 17 21:27:44 CEST 2019


Hello Ben,

>     local_addrs  = %any    # use any local IP to connect to remote 

That's superfluous.

> ike-lanforge {
>   id = "C=US, CN=192.168.5.1" # use remote id specified in tunnel config
>   file = cert.key
>   secret = ""
> }

That's a PSK. You probably want an ECDSA key, though?

>      id = @C=US, CN=192.168.5.1.loc # A key identifier per connection, remote ID 

That's wrong. That specifies an ID of literally "@C=[...]". You probably want an FQDN or a KEYID type ID, though?
That depends entirely on what the other peer sends.


>         if_id_out = 4    # The xfrm interface ID, use VRF ID
>         if_id_in = 4    # The xfrm interface ID, use VRF ID 

No, that won't work with VRF devices, if they are local. They are not related to the remote peer's configuration.

> # cat local/etc/swanctl/peers-enabled/

You probably just want to store your stuff in swanctl/conf.d.

You are allowed to have several connections {} or secrets {} or authority {}, ..., sections spread over several files (I don't know if it works in a single file).

Just include swanctl/conf.d/*.conf from swanctl.conf and organize your configuration that way.

Right now, you are needlessly reinventing the wheel.

Kind regards

Noel

On 17.07.19 at 18:55, Ben Greear wrote:
> Hello,
>
> First, thanks for all the help so far.  I think I am getting close!
>
> I am hoping that someone can help with my problem below...
>
>
> Someone sent me instructions for how to connect to a cisco vpn concentrator
> with this information:
>
> "
> I added the following to the ipsec.conf:
>
> conn ciscoasa
>     right=192.168.5.1
>     rightid="C=US, CN=192.168.5.1"
>     rightsubnet=0.0.0.0/0
>     rightauth=pubkey
>     leftsourceip=%config
>     leftauth=pubkey
>     leftcert=cert.der
>     auto=add
>     esp=aes256gcm16-ecp384
>     ike=aes256gcm16-prfsha384-ecp384
>     keyexchange=ikev2
>
>
> And the following to the ipsec.secrets:
>
> : ECDSA cert.key
>
>
> The CA certificate must be placed in the /etc/strongswan/ipsec.d/cacerts/ directory.
>
> The user certificate 'cert.der' (as listed above in the ipsec.conf) must be placed in the /etc/strongswan/ipsec.d/certs/ directory.
>
> The user certificate private key 'cert.key' (as listed in the ipsec.secrets) must be placed in the /etc/strongswan/ipsec.d/private/ directory. The cert.key has been unencrypted and thus a password is not needed in the ipsec.secrets file.
> "
>
>
> I have been trying to convert this to (what I assume is) the newer strongswan config file API:
>
> # cat /home/lanforge/local/etc/swanctl/secrets.conf
> ike-lanforge {
>   id = "C=US, CN=192.168.5.1" # use remote id specified in tunnel config
>   file = cert.key
>   secret = ""
> }
>
> # cat local/etc/swanctl/peers-enabled/eth4.conf
>
> _vrf4 {
>     local_addrs  = %any    # use any local IP to connect to remote
>     remote_addrs = 192.168.5.1 # WAN Address of IPsec concentrator, may use DNS
>     unique = replace
>     local {
>      auth = pubkey
>      id = @lanforge.loc # A key identifier per connection, local ID
>     }
>     remote {
>      auth = pubkey
>      id = @C=US, CN=192.168.5.1.loc # A key identifier per connection, remote ID
>     }
>     children {
>      _vrf4_sa {
>         local_ts  = 0.0.0.0/0,::/0
>         remote_ts = 0.0.0.0/0,::/0
>         if_id_out = 4    # The xfrm interface ID, use VRF ID
>         if_id_in = 4    # The xfrm interface ID, use VRF ID
>
>         start_action = trap
>         life_time = 1h
>         rekey_time = 55m
>         esp_proposals = aes256gcm128-modp3072 # Optimized for throughput on Intel HW
>         dpd_action = trap
>      }
>         }
>     keyingtries = 0
>     dpd_delay = 30
>     version = 2
>     mobike = yes
>     rekey_time = 23h
>     over_time = 1h
>     proposals = aes256-sha256-modp3072,aes256gcm16-prfsha384-ecp384
> }
>
> # cat /home/lanforge/local/etc/swanctl/swanctl.conf
> connections {
>         include /home/lanforge/local/etc/swanctl/peers-enabled/*.conf
> }
>
> secrets {
>         include /home/lanforge/local/etc/swanctl/secrets.conf
> }
>
>
> These files are copied into place in the ./local/ directory structure:
>
> local/etc/ipsec.d/certs/cert.der
> local/etc/ipsec.d/private/cert.key
> local/etc/ipsec.d/cacerts/red-ca.cer
>
> -rw-r--r-- 1 lanforge lanforge 776 Jul 17 09:08 local/etc/ipsec.d/cacerts/red-ca.cer
> -rw-r--r-- 1 root root 513 Jul 17 09:28 local/etc/ipsec.d/private/cert.key
> -rw-r--r-- 1 lanforge lanforge 1143 Jul 17 09:08 local/etc/ipsec.d/certs/cert.der
>
>
> Here is some output from swanctl that makes me think it is at least somewhat working:
>
> # swanctl --list-conns
> _vrf4: IKEv2, no reauthentication, rekeying every 82800s, dpd delay 30s
>   local:  %any
>   remote: 192.168.5.1
>   local public key authentication:
>     id: lanforge.loc
>   remote public key authentication:
>     id: @C=US, CN=192.168.5.1.loc
>   _vrf4_sa: TUNNEL, rekeying every 3300s, dpd action is hold
>     local:  0.0.0.0/0 ::/0
>     remote: 0.0.0.0/0 ::/0
>
> But certainly not completely working:
>
> # swanctl --load-all
> loading shared secret failed: shared key data missing
> no authorities found, 0 unloaded
> no pools found, 0 unloaded
> loaded connection '_vrf4'
> successfully loaded 1 connections, 0 unloaded
>
>
> # swanctl --list-sas
>
>
> journalctl shows this when I try to start traffic on the xfrm interface:
>
> Jul 17 09:35:59 lf0313-63e7 ipsec[19850]: 12[IKE] initiating IKE_SA _vrf4[7] to 192.168.5.1
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 14[KNL] interface x_eth4 deactivated
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 13[KNL] interface x_eth4 activated
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 02[KNL] fe80::e380:2a25:4bcc:6d45 appeared on x_eth4
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 12[NET] sending packet: from 192.168.5.4[500] to 192.168.5.1[500] (628 bytes)
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[NET] received packet: from 192.168.5.1[500] to 192.168.5.4[500] (38 bytes)
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[IKE] peer didn't accept DH group MODP_3072, it requested ECP_384
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[IKE] initiating IKE_SA _vrf4[7] to 192.168.5.1
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[IKE] initiating IKE_SA _vrf4[7] to 192.168.5.1
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[NET] sending packet: from 192.168.5.4[500] to 192.168.5.1[500] (340 bytes)
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[NET] received packet: from 192.168.5.1[500] to 192.168.5.4[500] (431 bytes)
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] received Cisco Delete Reason vendor ID
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] received Cisco Copyright (c) 2009 vendor ID
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] received FRAGMENTATION vendor ID
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] received cert request for "DC=local, DC=red, CN=RED-CA"
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] sending cert request for "DC=local, DC=red, CN=RED-CA"
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] no private key found for 'lanforge.loc'
>
> Any clues are welcome, and I will be happy to run more diagnostics if someone has suggestions.
>
> Thanks,
> Ben
>

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
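A swanctl.conf rendering of the ipsec.conf instructions Ben quoted, added here as an example and not part of either message: the `: ECDSA cert.key` secret becomes a private-key entry rather than an `ike` (PSK) entry, and the remote ID is the quoted DN from `rightid`, not an `@`-prefixed FQDN. It assumes the default swanctl layout (certificate in x509/, CA in x509ca/, key in private/ under the swanctl directory, which in Ben's build is prefixed with ./local/) and that the concentrator really presents that DN, which as Noel notes depends on what the peer sends; the connection name and the `private-lanforge` suffix are my own choices.

```conf
# Constructed example; one connection plus its key, no PSK involved.
connections {
    ciscoasa {
        version = 2
        remote_addrs = 192.168.5.1
        # leftsourceip=%config: ask the concentrator for a virtual IP
        vips = 0.0.0.0
        # ike=... from the instructions; MODP_3072 was rejected in the log
        proposals = aes256gcm16-prfsha384-ecp384
        local {
            auth = pubkey
            # leftcert=cert.der: looked up in the swanctl x509/ directory,
            # the local identity defaults to the certificate subject
            certs = cert.der
        }
        remote {
            auth = pubkey
            # rightid from ipsec.conf, quoted so the comma stays inside
            # the value; this is a DN identity, not an FQDN
            id = "C=US, CN=192.168.5.1"
        }
        children {
            ciscoasa {
                # rightsubnet=0.0.0.0/0: route everything into the tunnel
                remote_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-ecp384
                start_action = trap
                dpd_action = trap
            }
        }
        dpd_delay = 30
    }
}

secrets {
    # ": ECDSA cert.key" maps to a private-key entry; an ike<suffix>
    # entry would be a pre-shared key, which is what produced
    # "loading shared secret failed: shared key data missing".
    # The file is resolved relative to the swanctl private/ directory.
    private-lanforge {
        file = cert.key
    }
}
```

Following Noel's layout, these two sections can live in a file under swanctl/conf.d/ that swanctl.conf pulls in with `include conf.d/*.conf`, and `swanctl --load-all` then loads the key before the connection.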
