Re: [strongSwan] Configuration Error: received message ID 0, expected 1. Ignored

2018-02-23 Thread Jafar Al-Gharaibeh
From the logs, box1 received "Auth Failed" response from box 2. You 
have to inspect the logs on box 2 to see why it is failing to 
authenticate box 1.


--Jafar


On 2/23/2018 4:26 AM, Anne Ambe wrote:

Hi,
I have been struggling for the past week to configure an ipsec tunnel
between two fedora19 boxes using strongswan version 5.1.3.
I tried to follow the configuration for net2net with PSK found on this 
link 
https://www.strongswan.org/testing/testresults/ikev2/net2net-psk/index.html.

Here is my configuration:

Box1:
ipsec.conf:

config setup
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn fed1_fed2
    left=192.168.aa.bb
    leftsubnet=192.168.x.0/24
    leftid=@fed1
    leftfirewall=no
    right=192.168.aa.cc
    rightsubnet=192.168.y.0/24
    rightid=@fed2
    auto=add
Box 2:

ipsec.conf

config setup
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn fed1_fed2
    left=192.168.aa.cc
    leftsubnet=192.168.y.0/24
    leftid=@fed2
    leftfirewall=no
    right=192.168.aa.bb
    rightsubnet=192.168.x.0/24
    rightid=@fed1
    auto=add

Common on box1 and box 2

strongswan.conf
charon {
  load = random nonce aes sha1 sha2 gmp curve25519 hmac stroke 
kernel-netlink socket-default updown

  multiple_authentication = no
}

ipsec.secret
@fed1 @fed2 : PSK 0sblahblahblah

When I try to bring up this tunnel from box1 I get this error:
initiating IKE_SA fed1_fed2[1] to 192.168.aa.cc
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.aa.bb[500] to 192.168.aa.cc[500] (652 bytes)
received packet: from 192.168.aa.cc[500] to 192.168.aa.bb[500] (376 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V ]
received unknown vendor ID: 4f:45:76:79:5c:6b:67:7a:57:71:5c:73
authentication of 'fed1' (myself) with pre-shared key
establishing CHILD_SA fed1_fed2
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi 
TSr N(EAP_ONLY) ]

sending packet: from 192.168.aa.bb[500] to 192.168.aa.cc[500] (364 bytes)
received packet: from 192.168.aa.cc[500] to 192.168.aa.bb[500] (36 bytes)
parsed IKE_SA_INIT response 0 [ N(AUTH_FAILED) ]
received message ID 0, expected 1. Ignored

I am very new to strongswan. Any guidance will be very much
appreciated.


Thanks

Anne



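The charon log Anne pasted is easier to follow once each request is paired with the response carrying the same message ID. The script below is an added example, not part of the thread and not strongSwan code: it walks the posted lines from the initiator's side and reports the two facts Jafar's pointer rests on, the AUTH_FAILED notify returned by box 2 and the response that arrives with message ID 0 while request 1 (IKE_AUTH) is still outstanding.

```python
"""Pair up request/response message IDs in a charon log, initiator's view.

Added example for this thread, not strongSwan code: it walks the lines
Anne posted and reports the error notify returned by box 2 and the
response whose message ID does not match the outstanding request.
"""
import re

# Sample input: the exchange lines from the posted log, abridged (packet
# size lines dropped); the poster's address placeholders are kept.
SAMPLE_LOG = """\
initiating IKE_SA fed1_fed2[1] to 192.168.aa.cc
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
parsed IKE_SA_INIT response 0 [ SA KE No V ]
authentication of 'fed1' (myself) with pre-shared key
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
parsed IKE_SA_INIT response 0 [ N(AUTH_FAILED) ]
received message ID 0, expected 1. Ignored
"""

MSG_RE = re.compile(r"^(generating|parsed) (\S+) (request|response) (\d+) \[ (.*?) \]$")
IGNORED_RE = re.compile(r"^received message ID (\d+), expected (\d+)\. Ignored$")
NOTIFY_RE = re.compile(r"N\((\w+)\)")
# RFC 7296 error notify types, plus the short spelling this charon prints.
ERROR_NOTIFIES = {"AUTH_FAILED", "AUTHENTICATION_FAILED", "NO_PROPOSAL_CHOSEN", "TS_UNACCEPTABLE"}


def analyse_exchange(log: str) -> list[str]:
    """Return findings as plain strings, in log order."""
    findings: list[str] = []
    pending: dict[int, str] = {}  # message ID -> exchange type of our open request
    for raw in log.splitlines():
        line = raw.strip()
        if m := IGNORED_RE.match(line):
            findings.append(f"charon discarded message ID {m[1]} (expected {m[2]})")
            continue
        if not (m := MSG_RE.match(line)):
            continue
        action, exchange, kind, mid, payloads = m.groups()
        mid = int(mid)
        if action == "generating" and kind == "request":
            pending[mid] = exchange  # IKEv2: the response must carry this same ID
        elif action == "parsed" and kind == "response":
            if pending and mid not in pending:
                open_id = max(pending)
                findings.append(f"{exchange} response {mid} while {pending[open_id]} request {open_id} is outstanding")
            for n in NOTIFY_RE.findall(payloads):
                if n in ERROR_NOTIFIES:
                    findings.append(f"peer sent error notify {n} in {exchange} response {mid}")
            pending.pop(mid, None)
    return findings
```

Run against a clean exchange (request 0 answered by response 0, request 1 by response 1 without error notifies) the function returns an empty list; a responder-side log would need the mirrored "parsed ... request" / "generating ... response" pairing, which this view deliberately ignores.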

Re: [strongSwan] how to send/request the intermediate CAs?

2018-02-23 Thread Tobias Brunner
Hi Harri,

> I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem
> would help, but apparently it doesn't.

strongSwan reads only the first certificate from PEM encoded files.  So
put them in separate files.

Regards,
Tobias




Re: [strongSwan] multiple remote_ts with ikev1 file format

2018-02-23 Thread Marco Berizzi
Rich Lafferty  wrote:

> > Is there a way to not write in every section the parameters
> > common to all the children sections (rekey_time, esp_proposals…)?

> I wasn't able to find a way to set defaults, but I've put my common
> parameters in /etc/swanctl/swanctl-ipsec.conf and then done
> "include swanctl-ipsec.conf" in each child config. If someone else knows a
> better way, though, I'm all ears!

Thanks a lot Rich for the tips.


[strongSwan] how to send/request the intermediate CAs?

2018-02-23 Thread Harald Dunkel

Hi folks,

Question: How can I tell charon to send or request intermediate
certificates to/from the peer?

Sample case would be a common root CA, one or two intermediate CAs,
and a client certificate for each peer. Both are using strongswan.

IMU charon has to trust the root CA to verify the whole chain up to
the client certs. The root cert has to go to /etc/ipsec.d/cacerts,
but the intermediate CAs could be provided by the peer. Are they?
They don't show up in the log file (asn = 2).

I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem
would help, but apparently it doesn't.


Every insightful comment is highly appreciated.

Regards
Harri
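Harri's attempt above and Tobias's answer in the reply thread come down to one behaviour: charon takes only the first certificate from a PEM file, so a concatenated chain in /etc/ipsec.d/certs/mycert.pem silently drops the intermediates. The following is an added example, not from the thread and not strongSwan code, that splits such a bundle into one file per certificate; the output naming scheme (`<stem>-<n>.pem`) and the sample bundle with placeholder bodies are constructed for the example.

```python
"""Split a PEM certificate bundle into one-certificate-per-file form.

Added example for this thread, not strongSwan code. charon loads only
the first certificate in a PEM file, so a chain concatenated into
/etc/ipsec.d/certs/mycert.pem loses every block after the first. Split
it so the leaf goes in certs/ and the intermediate CAs in cacerts/.
"""
import re
from pathlib import Path

# One PEM certificate block; non-greedy so adjacent blocks stay separate.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.DOTALL
)


def split_pem_bundle(text: str) -> list[str]:
    """Return every certificate block in file order; strongSwan sees only [0]."""
    return [m.group(0) + "\n" for m in PEM_CERT.finditer(text)]


def write_split(bundle: Path, out_dir: Path, stem: str) -> list[Path]:
    """Write each block of `bundle` to out_dir/<stem>-<n>.pem and return the paths.

    Block 0 is the leaf certificate by the usual bundle convention; blocks
    1.. are the intermediates and belong in the cacerts/ directory instead.
    """
    certs = split_pem_bundle(bundle.read_text())
    if len(certs) < 2:
        raise ValueError(f"{bundle} holds {len(certs)} certificate(s); nothing to split")
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, cert in enumerate(certs):
        path = out_dir / f"{stem}-{n}.pem"
        path.write_text(cert)
        paths.append(path)
    return paths


# Constructed sample bundle: placeholder bodies, not real certificates.
SAMPLE_BUNDLE = "".join(
    "-----BEGIN CERTIFICATE-----\n"
    f"UExBQ0VIT0xERVItQkxPQ0st{n}\n"
    "-----END CERTIFICATE-----\n"
    for n in range(3)
)
```

After splitting, the leaf file goes to /etc/ipsec.d/certs and the intermediate files to /etc/ipsec.d/cacerts alongside the root, which is what lets charon build the full chain for both ends.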


[strongSwan] Configuration Error: received message ID 0, expected 1. Ignored

2018-02-23 Thread Anne Ambe

Hi,
I have been struggling for the past week to configure an ipsec tunnel
between two fedora19 boxes using strongswan version 5.1.3.
I tried to follow the configuration for net2net with PSK found on this 
link 
https://www.strongswan.org/testing/testresults/ikev2/net2net-psk/index.html.

Here is my configuration:

Box1:
ipsec.conf:

config setup
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn fed1_fed2
    left=192.168.aa.bb
    leftsubnet=192.168.x.0/24
    leftid=@fed1
    leftfirewall=no
    right=192.168.aa.cc
    rightsubnet=192.168.y.0/24
    rightid=@fed2
    auto=add
Box 2:

ipsec.conf

config setup
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn fed1_fed2
    left=192.168.aa.cc
    leftsubnet=192.168.y.0/24
    leftid=@fed2
    leftfirewall=no
    right=192.168.aa.bb
    rightsubnet=192.168.x.0/24
    rightid=@fed1
    auto=add

Common on box1 and box 2

strongswan.conf
charon {
  load = random nonce aes sha1 sha2 gmp curve25519 hmac stroke 
kernel-netlink socket-default updown

  multiple_authentication = no
}

ipsec.secret
@fed1 @fed2 : PSK 0sblahblahblah

When I try to bring up this tunnel from box1 I get this error:
initiating IKE_SA fed1_fed2[1] to 192.168.aa.cc
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.aa.bb[500] to 192.168.aa.cc[500] (652 bytes)
received packet: from 192.168.aa.cc[500] to 192.168.aa.bb[500] (376 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V ]
received unknown vendor ID: 4f:45:76:79:5c:6b:67:7a:57:71:5c:73
authentication of 'fed1' (myself) with pre-shared key
establishing CHILD_SA fed1_fed2
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr 
N(EAP_ONLY) ]

sending packet: from 192.168.aa.bb[500] to 192.168.aa.cc[500] (364 bytes)
received packet: from 192.168.aa.cc[500] to 192.168.aa.bb[500] (36 bytes)
parsed IKE_SA_INIT response 0 [ N(AUTH_FAILED) ]
received message ID 0, expected 1. Ignored

I am very new to strongswan. Any guidance will be very much
appreciated.


Thanks

Anne