Hi, I'm using strongswan-5.0.0 and Apple Mountain Lion. I'm trying to set up a VPN using Certificates only.
So far I had the VPN working in a hybrid mode where strongswan authenticates itself using its certificate and my Mac authenticates with username/groupname. When trying to authenticate the Mac with a signature, I get the following errors:

Sep 3 10:35:40 vpn-test charon: 15[NET] received packet: from 158.64.1.176[500] to 158.64.1.13[500]
Sep 3 10:35:40 vpn-test charon: 15[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Sep 3 10:35:40 vpn-test charon: 15[IKE] received NAT-T (RFC 3947) vendor ID
Sep 3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Sep 3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Sep 3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Sep 3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Sep 3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Sep 3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Sep 3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Sep 3 10:35:40 vpn-test charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 3 10:35:40 vpn-test charon: 15[IKE] received XAuth vendor ID
Sep 3 10:35:40 vpn-test charon: 15[IKE] received Cisco Unity vendor ID
Sep 3 10:35:40 vpn-test charon: 15[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
Sep 3 10:35:40 vpn-test charon: 15[IKE] received DPD vendor ID
Sep 3 10:35:40 vpn-test charon: 15[IKE] 158.64.1.176 is initiating a Main Mode IKE_SA
Sep 3 10:35:40 vpn-test charon: 15[IKE] 158.64.1.176 is initiating a Main Mode IKE_SA
Sep 3 10:35:40 vpn-test charon: 15[ENC] generating ID_PROT response 0 [ SA V V V ]
Sep 3 10:35:40 vpn-test charon: 15[NET] sending packet: from 158.64.1.13[500] to 158.64.1.176[500]
Sep 3 10:35:40 vpn-test charon: 16[NET] received packet: from 158.64.1.176[500] to 158.64.1.13[500]
Sep 3 10:35:40 vpn-test charon: 16[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Sep 3 10:35:40 vpn-test charon: 16[IKE] sending cert request for "C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA VPN CA, E=ad...@restena.lu"
Sep 3 10:35:40 vpn-test charon: 16[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Sep 3 10:35:40 vpn-test charon: 16[NET] sending packet: from 158.64.1.13[500] to 158.64.1.176[500]
Sep 3 10:35:40 vpn-test charon: 18[NET] received packet: from 158.64.1.176[500] to 158.64.1.13[500]
Sep 3 10:35:40 vpn-test charon: 18[ENC] decryption failed, invalid length
Sep 3 10:35:40 vpn-test charon: 18[ENC] could not decrypt payloads
Sep 3 10:35:40 vpn-test charon: 18[IKE] integrity check failed

My ipsec.conf is the following:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

ca vpnca
        cacert=VPNCA-cacert.pem
        crluri=VPNCA-crl.pem
        auto=add

config setup
        charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, enc 1, lib 1"
        strictcrlpolicy=yes
        uniqueids=no

conn %default
        ikelifetime=60m
        ike=aes256-sha1-modp2048-modp1536-modp1024
        esp=aes256-sha1
        dpdaction=clear
        dpddelay=60s
        dpdtimeout=300s
        keyingtries=1
        inactivity=4h
        left=%any
        leftauth=pubkey
        leftsubnet=0.0.0.0/0
        leftcert=vpn.restena.lu-cert.pem
        leftid=@vpn-test.restena.lu
        eap_identity=%identity
        right=%any
        rekey=no
        reauth=no
        mobike=no
        auto=add

# Add connections here.

conn IKEv1
        keyexchange=ikev1
        aggressive=yes
        rightauth=xauth-eap
        rightsourceip=%ikev1

conn IKEv2
        keyexchange=ikev2
        rightauth=eap-radius
        rightsourceip=%ikev2
        rightsendcert=never

conn RESTENA
        keyexchange=ikev1
        rightauth=pubkey
        rightsourceip=%ikev1

And the certificate I'm using on the client side is the following:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA VPN CA/emailAddress=ad...@restena.lu
        Validity
            Not Before: Oct 29 08:41:38 2010 GMT
            Not After : Oct 28 08:41:38 2015 GMT
        Subject: C=LU, L=Luxembourg, O=Fondation RESTENA, CN=ctompers/emailAddress=claude.tomp...@restena.lu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:e6:be:81:bd:a6:a4:3a:22:38:e1:11:4d:ef:c6:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            Netscape Comment:
                RESTENA VPN Client Certificate
            X509v3 Subject Key Identifier:
                57:50:91:24:6B:0F:19:9A:76:78:B1:5E:6F:8B:D0:D4:93:A8:1A:16
            X509v3 Authority Key Identifier:
                keyid:F8:FD:2F:DA:23:BE:EE:8B:B4:FD:2B:D0:98:5C:C1:5F:1E:5B:74:AC
                DirName:/C=LU/ST=n/a/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA VPN CA/emailAddress=ad...@restena.lu
                serial:8D:CC:1F:4A:8D:C6:FA:CE
            X509v3 Issuer Alternative Name:
                <EMPTY>
            X509v3 Subject Alternative Name:
                email:claude.tomp...@restena.lu
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
        26:04:db:59:d8:bb:ea:fc:1a:78:8a:06:7f:bb:dc:b2:db:03:
        ...

It seems to me that my Mac does not respond with the certificate correctly. Am I right about that? What can I do to fix this?

Kind regards,
Claude

--
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
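Added here as an example, not part of Claude's post or of strongSwan itself: a small Python triage of charon log lines of the kind quoted above. It reconstructs the Main Mode exchange from the "received packet" / "parsed ID_PROT request" lines and works out which phase-1 message the failure hit (the k-th inbound packet from the initiator is message 2k-1, and messages 5 and 6 are the first encrypted ones). The sample log is a constructed, trimmed copy of the lines in the post.

```python
import re
# Constructed sample: a trimmed copy of the charon lines quoted in the post above.
SAMPLE_LOG = """\
Sep 3 10:35:40 vpn-test charon: 15[NET] received packet: from 158.64.1.176[500] to 158.64.1.13[500]
Sep 3 10:35:40 vpn-test charon: 15[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Sep 3 10:35:40 vpn-test charon: 15[IKE] received Cisco Unity vendor ID
Sep 3 10:35:40 vpn-test charon: 15[IKE] 158.64.1.176 is initiating a Main Mode IKE_SA
Sep 3 10:35:40 vpn-test charon: 16[NET] received packet: from 158.64.1.176[500] to 158.64.1.13[500]
Sep 3 10:35:40 vpn-test charon: 16[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Sep 3 10:35:40 vpn-test charon: 16[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Sep 3 10:35:40 vpn-test charon: 18[NET] received packet: from 158.64.1.176[500] to 158.64.1.13[500]
Sep 3 10:35:40 vpn-test charon: 18[ENC] decryption failed, invalid length
Sep 3 10:35:40 vpn-test charon: 18[ENC] could not decrypt payloads
Sep 3 10:35:40 vpn-test charon: 18[IKE] integrity check failed
"""
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ charon: (\d+)\[(\w+)\] (.*)$")
RECV_RE = re.compile(r"received packet: from (\S+)\[\d+\] to")
PARSED_RE = re.compile(r"parsed (\w+) request \d+ \[ (.*) \]")

def triage(log_text):
    """Reconstruct an IKEv1 Main Mode phase-1 attempt from charon log lines."""
    r = {"peer": None, "mode": None, "inbound": [], "certreq_sent": False,
         "vendor_ids": [], "failures": [], "failed_at_message": None}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(3)
        recv = RECV_RE.search(msg)
        if recv:
            r["peer"] = recv.group(1)
            r["inbound"].append([])          # payloads filled in by the next 'parsed' line
        elif (p := PARSED_RE.search(msg)) and r["inbound"]:
            r["inbound"][-1] = p.group(2).split()
        elif msg.startswith("received ") and msg.endswith(" vendor ID"):
            r["vendor_ids"].append(msg[len("received "):-len(" vendor ID")])
        elif "Main Mode" in msg:
            r["mode"] = "Main Mode"
        elif msg.startswith("generating") and "CERTREQ" in msg:
            r["certreq_sent"] = True
        elif "failed" in msg or msg.startswith("could not"):
            r["failures"].append(msg)
            if r["failed_at_message"] is None:
                # Main Mode: inbound packet k is message 2k-1; messages 5 and 6 are the first encrypted ones.
                r["failed_at_message"] = 2 * len(r["inbound"]) - 1
    return r

def failed_in_encrypted_stage(r):
    return r["failed_at_message"] is not None and r["failed_at_message"] >= 5
```

Run over the sample, `triage` reports the failure on message 5, i.e. the first encrypted message from the client, after the responder has already sent its CERTREQ.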
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users