[strongSwan] Help with connecting to a cisco VPN system.
Noel Kuntze
noel.kuntze at thermi.consulting
Wed Jul 17 21:27:44 CEST 2019
Hello Ben,
> local_addrs = %any # use any local IP to connect to remote
That's superfluous.
> ike-lanforge {
> id = "C=US, CN=192.168.5.1" # use remote id specified in tunnel config
> file = cert.key
> secret = ""
> }
That's a PSK. You probably want an ECDSA key though?
> id = @C=US, CN=192.168.5.1.loc # An key identifier per connection, remote ID
That's wrong. That specifies an ID of literally "@C=[...]". You probably want an FQDN or a KEYID type ID though?
That depends entirely on what the other peer sends.
> if_id_out = 4 # The xfrm interface ID, use VRF ID
> if_id_in = 4 # The xfrm interface ID, use VRF ID
No, that won't work with VRF devices, if they are local. They are not related to the remote peer's configuration.
> # cat local/etc/swanctl/peers-enabled/
You probably just want to store your stuff in swanctl/conf.d.
You are allowed to have several connections {} or secrets {} or authority {}, ..., sections spread over several files (I don't know if it works in a single file).
Just include swanctl/conf.d/*.conf from swanctl.conf and organize your configuration that way.
Right now, you are needlessly reinventing the wheel.
Kind regards
Noel
On 17.07.19 at 18:55, Ben Greear wrote:
> Hello,
>
> First, thanks for all the help so far. I think I am getting close!
>
> I am hoping that someone can help with my problem below...
>
>
> Someone sent me instructions for how to connect to a cisco vpn concentrator
> with this information:
>
> "
> I added the following to the ipsec.conf:
>
> conn ciscoasa
> right=192.168.5.1
> rightid="C=US, CN=192.168.5.1"
> rightsubnet=0.0.0.0/0
> rightauth=pubkey
> leftsourceip=%config
> leftauth=pubkey
> leftcert=cert.der
> auto=add
> esp=aes256gcm16-ecp384
> ike=aes256gcm16-prfsha384-ecp384
> keyexchange=ikev2
>
>
> And the following to the ipsec.secrets:
>
> : ECDSA cert.key
>
>
> The CA certificate must be placed in the /etc/strongswan/ipsec.d/cacerts/ directory.
>
> The user certificate 'cert.der' (as listed above in the ipsec.conf) must be placed in the /etc/strongswan/ipsec.d/certs/ directory.
>
> The user certificate private key 'cert.key' (as listed in the ipsec.secrets) must be placed in the /etc/strongswan/ipsec.d/private/ directory. The cert.key has been unencrypted and thus a password is not needed in the ipsec.secrets file.
> "
>
>
> I have been trying to convert this to (what I assume is) the newer strongswan config file API:
>
> # cat /home/lanforge/local/etc/swanctl/secrets.conf
> ike-lanforge {
> id = "C=US, CN=192.168.5.1" # use remote id specified in tunnel config
> file = cert.key
> secret = ""
> }
>
> # cat local/etc/swanctl/peers-enabled/eth4.conf
>
> _vrf4 {
> local_addrs = %any # use any local IP to connect to remote
> remote_addrs = 192.168.5.1 # WAN Address of IPsec concentrator, may use DNS
> unique = replace
> local {
> auth = pubkey
> id = @lanforge.loc # An key identifier per connection, local ID
> }
> remote {
> auth = pubkey
> id = @C=US, CN=192.168.5.1.loc # An key identifier per connection, remote ID
> }
> children {
> _vrf4_sa {
> local_ts = 0.0.0.0/0,::/0
> remote_ts = 0.0.0.0/0,::/0
> if_id_out = 4 # The xfrm interface ID, use VRF ID
> if_id_in = 4 # The xfrm interface ID, use VRF ID
>
> start_action = trap
> life_time = 1h
> rekey_time = 55m
> esp_proposals = aes256gcm128-modp3072 # Optimized for throughput on Intel HW
> dpd_action = trap
> }
> }
> keyingtries = 0
> dpd_delay = 30
> version = 2
> mobike = yes
> rekey_time = 23h
> over_time = 1h
> proposals = aes256-sha256-modp3072,aes256gcm16-prfsha384-ecp384
> }
>
> # cat /home/lanforge/local/etc/swanctl/swanctl.conf
> connections {
> include /home/lanforge/local/etc/swanctl/peers-enabled/*.conf
> }
>
> secrets {
> include /home/lanforge/local/etc/swanctl/secrets.conf
> }
>
>
> These files are copied into place in the ./local/ directory structure:
>
> local/etc/ipsec.d/certs/cert.der
> local/etc/ipsec.d/private/cert.key
> local/etc/ipsec.d/cacerts/red-ca.cer
>
> -rw-r--r-- 1 lanforge lanforge 776 Jul 17 09:08 local/etc/ipsec.d/cacerts/red-ca.cer
> -rw-r--r-- 1 root root 513 Jul 17 09:28 local/etc/ipsec.d/private/cert.key
> -rw-r--r-- 1 lanforge lanforge 1143 Jul 17 09:08 local/etc/ipsec.d/certs/cert.der
>
>
> Here is some output from swanctl that makes me think it is at least somewhat working:
>
> # swanctl --list-conns
> _vrf4: IKEv2, no reauthentication, rekeying every 82800s, dpd delay 30s
> local: %any
> remote: 192.168.5.1
> local public key authentication:
> id: lanforge.loc
> remote public key authentication:
> id: @C=US, CN=192.168.5.1.loc
> _vrf4_sa: TUNNEL, rekeying every 3300s, dpd action is hold
> local: 0.0.0.0/0 ::/0
> remote: 0.0.0.0/0 ::/0
>
> But certainly not completely working:
>
> # swanctl --load-all
> loading shared secret failed: shared key data missing
> no authorities found, 0 unloaded
> no pools found, 0 unloaded
> loaded connection '_vrf4'
> successfully loaded 1 connections, 0 unloaded
>
>
> # swanctl --list-sas
>
>
> journalctl shows this when I try to start traffic on the xfrm interface:
>
> Jul 17 09:35:59 lf0313-63e7 ipsec[19850]: 12[IKE] initiating IKE_SA _vrf4[7] to 192.168.5.1
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 14[KNL] interface x_eth4 deactivated
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 13[KNL] interface x_eth4 activated
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 02[KNL] fe80::e380:2a25:4bcc:6d45 appeared on x_eth4
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 12[NET] sending packet: from 192.168.5.4[500] to 192.168.5.1[500] (628 bytes)
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[NET] received packet: from 192.168.5.1[500] to 192.168.5.4[500] (38 bytes)
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[IKE] peer didn't accept DH group MODP_3072, it requested ECP_384
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[IKE] initiating IKE_SA _vrf4[7] to 192.168.5.1
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[IKE] initiating IKE_SA _vrf4[7] to 192.168.5.1
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 01[NET] sending packet: from 192.168.5.4[500] to 192.168.5.1[500] (340 bytes)
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[NET] received packet: from 192.168.5.1[500] to 192.168.5.4[500] (431 bytes)
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] received Cisco Delete Reason vendor ID
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] received Cisco Copyright (c) 2009 vendor ID
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] received FRAGMENTATION vendor ID
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] received cert request for "DC=local, DC=red, CN=RED-CA"
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] sending cert request for "DC=local, DC=red, CN=RED-CA"
> Jul 17 09:35:59 lf0313-63e7 charon[19856]: 09[IKE] no private key found for 'lanforge.loc'
>
> Any clues are welcome, and I will be happy to run more diagnostics if someone has suggestions.
>
> Thanks,
> Ben
>
--
Noel Kuntze
IT security consultant
GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
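A swanctl.conf that follows Noel's advice for the setup in this thread (an ECDSA key section instead of a PSK, a quoted DN as the remote ID, and the credentials in the standard swanctl directories), added here as an example and not taken from either post. It assumes the files from local/etc/ipsec.d/ are moved under the swanctl directory (here /home/lanforge/local/etc/swanctl) and reuses the identities and proposals from Ben's ipsec.conf.

```conf
# Added example: swanctl.conf equivalent of the ipsec.conf in the post.
# Assumed file layout under the swanctl directory:
#   x509/cert.der, ecdsa/cert.key (or private/cert.key), x509ca/red-ca.cer
# swanctl --load-creds picks these up by itself; an unencrypted key needs no secrets section.
connections {
    _vrf4 {
        version = 2
        remote_addrs = 192.168.5.1
        vips = 0.0.0.0                      # leftsourceip=%config
        # ike= from ipsec.conf; the log shows MODP_3072 was rejected (INVAL_KE), ECP_384 requested
        proposals = aes256gcm16-prfsha384-ecp384
        local {
            auth = pubkey
            certs = cert.der                # looked up in swanctl/x509/
            # id defaults to the certificate subject; if set explicitly it must be
            # contained in the certificate (subject DN or a subjectAltName)
        }
        remote {
            auth = pubkey
            id = "C=US, CN=192.168.5.1"     # a DN: quoted, no leading @
        }
        children {
            _vrf4_sa {
                remote_ts = 0.0.0.0/0       # rightsubnet=0.0.0.0/0
                esp_proposals = aes256gcm16-ecp384
                if_id_in = 4                # xfrm interface id, local to this host
                if_id_out = 4
                start_action = trap
            }
        }
    }
}
# Only needed if cert.key were passphrase-protected (it is not, per the post):
# secrets {
#     ecdsa-lanforge {
#         file = cert.key                  # in swanctl/ecdsa/
#         secret = "<passphrase>"
#     }
# }
```

With this layout `swanctl --load-all` should no longer report "shared key data missing", and the private key is matched to cert.der rather than to an ID that the certificate does not contain.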