Re: [strongSwan] Nokia E-Series vpn client (JFYI)
Hi All,

It may be a bug in the Nokia VPN client with IKEv2. I've tested with the strongSwan client on Linux from the same DSL account and it works out of the box. The Nokia does not answer this packet:

01:53:11.565493 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto UDP (17), length 405) 87.106.225.59.500 > 82.113.121.1.41: isakmp 2.0 msgid cookie -: phase 1 R #34[]: [|#33]

I will try with IKEv1 at the weekend.

Regards,
Dimitrij

Andreas Steffen wrote:
> BTW - ModeCfg is IKEv1 but you are currently running on IKEv2.
>
> If UDP port 4500 is open then the Nokia client
>
> - might not be able to find its private key, or
> - a certificate from the CA matching the certificate request
>   C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=FHE3 GmbH, OU=Systemadministration, CN=FHE3 GmbH CA, e...@fhe3.com
>   is not found.
>
> In any error case the Nokia client should send an error notification back, which does not happen. This is why I thought about a blocked UDP 4500 port in the first place.
>
> Regards
>
> Andreas
>
> Dimitrij Hilt wrote:
>> Hi Andreas,
>>
>> I've tried through WLAN+DSL and UMTS, so a firewall may not be the problem. In the Openswan tests I saw packets to 4500 too, but ModeCfg didn't work. Any hints on how to configure the Nokia?
>>
>> Regards,
>> Dimitrij
>>
>> Andreas Steffen wrote:
>>> Hi Dimitrij,
>>>
>>> in the presence of a NAT situation the client switches to UDP port 4500 starting with the IKE_AUTH request. Since this request is never received by the strongSwan gateway, could it be that some firewall is blocking UDP port 4500?
>>>
>>> Best regards
>>>
>>> Andreas
>>>
>>> Dimitrij Hilt wrote:
>>>> Hi Andreas,
>>>>
>>>> ipsec.conf:
>>>>
>>>> gw-ipsec-mobile-eue:~# cat /etc/ipsec.conf
>>>> # ipsec.conf - strongSwan IPsec configuration file
>>>>
>>>> # basic configuration
>>>>
>>>> config setup
>>>>         crlcheckinterval=180
>>>>         strictcrlpolicy=no
>>>>         charonstart=yes
>>>>         plutostart=no
>>>>
>>>> # Add connections here.
>>>>
>>>> # Sample VPN connections
>>>>
>>>> conn %default
>>>>         ikelifetime=60m
>>>>         keylife=20m
>>>>         rekeymargin=3m
>>>>         keyingtries=1
>>>>
>>>> conn MOBILE
>>>>         left=MY_EXTERNAL_IP
>>>>         leftcert=gw-ipsec-mobile.pem
>>>>         right=%any
>>>>         rightsourceip=10.1.2.2
>>>>         rightsubnet=10.1.2.2/32
>>>>         keyexchange=ikev2
>>>>         auto=add
>>>>
>>>> #include /etc/ipsec.d/examples/no_oe.conf
>>>>
>>>> Logfile:
>>>>
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[DMN] starting charon (strongSwan Version 4.2.4)
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] listening on interfaces:
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] eth0
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] 10.1.0.14
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] 10.1.2.1
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] MY_EXTERNAL_IP
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] fe80::216:3eff:fe01:e
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/ca.pem'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/gw-ipsec-mobile.key'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[JOB] spawning 16 worker threads
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] received stroke: add connection 'MOBILE'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[LIB] loaded certificate file '/etc/ipsec.d/certs/gw-ipsec-mobile.pem'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] peerid 87.106.225.59 not confirmed by certificate, defaulting to subject DN
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] added configuration 'MOBILE': MY_EXTERNAL_IP[C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=FHE3 GmbH, OU=Systemadministration, CN=gw-ipsec-mobile.fhe3.net, e=notdie...@fhe3.com]...0.0.0.0[%any]
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] adding virtual IP address pool 'MOBILE': 10.1.2.2/32
>>>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[NET] received packet: from 93.192.185.142[61076] to MY_EXTERNAL_IP[500]
>>>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[AUD] 93.192.185.142 is initiating an IKE_SA
>>>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] IKE_SA '(unnamed)' state change: CREATED => CONNECTING
>>>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] remote host is behind NAT
>>>> Feb 22 18:59:10 gw-ipsec-mobile-eue
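The tcpdump summary in the message above ("isakmp 2.0 ... phase 1 R #34") is the fixed IKEv2 header of the gateway's IKE_SA_INIT response: version 2.0, exchange type 34, Response flag set, message ID 0. The decoder below is an added example, not code from the thread or from strongSwan; it parses that header from a UDP payload and handles the NAT-T detail Andreas refers to, namely that once NAT is detected the client continues on UDP 4500, where every IKE datagram is prefixed by a four-byte zero "non-ESP marker" (RFC 3948). The two sample messages are constructed, their SPIs and payload bodies are made up, and the IKE length of 377 assumes an IP header without options (405 - 20 - 8).

```python
import struct

# Fixed IKEv2 header, RFC 5996 section 3.1: SPIi(8) SPIr(8) next payload(1)
# version(1) exchange type(1) flags(1) message ID(4) length(4) -> 28 bytes
IKE_HDR = struct.Struct("!8s8sBBBBII")
HDR_LEN = IKE_HDR.size

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_VERSION, FLAG_RESPONSE = 0x08, 0x10, 0x20
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on UDP 4500 starts with 4 zero octets


def decode_ike_header(payload, udp_port):
    """Return the header fields of an IKEv2 message carried in a UDP payload.

    On UDP 500 the IKE header starts at offset 0. On UDP 4500 (NAT-T) the
    datagram carries either IKE, prefixed by the non-ESP marker, or
    UDP-encapsulated ESP, whose first 4 bytes are a non-zero SPI.
    """
    if udp_port == 4500:
        if payload[:4] != NON_ESP_MARKER:
            raise ValueError("UDP 4500 datagram is not IKE (no non-ESP marker)")
        payload = payload[4:]
    if len(payload) < HDR_LEN:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, nxt, version, exch, flags, msgid, length = IKE_HDR.unpack_from(payload)
    major, minor = version >> 4, version & 0x0F
    if major != 2:
        raise ValueError("not IKEv2 (major version %d)" % major)
    if length != len(payload):
        raise ValueError("length field %d != message length %d" % (length, len(payload)))
    return {
        "spi_i": spi_i.hex(),
        "spi_r": spi_r.hex(),
        "version": "%d.%d" % (major, minor),
        "next_payload": nxt,
        "exchange": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
        "response": bool(flags & FLAG_RESPONSE),
        "initiator": bool(flags & FLAG_INITIATOR),
        "msgid": msgid,
        "length": length,
    }


def build_ike_message(spi_i, spi_r, next_payload, exch, flags, msgid, body):
    """Pack a header (version byte 0x20 = IKEv2.0) in front of an opaque body."""
    return IKE_HDR.pack(spi_i, spi_r, next_payload, 0x20, exch, flags, msgid,
                        HDR_LEN + len(body)) + body


# Constructed samples: SPIs and payload bytes are made up.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def sample_sa_init_response():
    """The gateway's IKE_SA_INIT response as tcpdump summarised it: IP length
    405 = 20 (IP, no options) + 8 (UDP) + 377 (IKE), sent from UDP 500,
    exchange type 34, Response flag set, message ID 0, first payload SA (33)."""
    body = b"\x00" * (377 - HDR_LEN)   # SA, KE, Nonce, NAT-D and CERTREQ payloads elided
    return build_ike_message(SPI_I, SPI_R, 33, 34, FLAG_RESPONSE, 0, body), 500


def sample_ike_auth_request():
    """What the gateway waited for: the client's IKE_AUTH request, which a peer
    behind NAT sends to UDP 4500 behind the non-ESP marker. Message ID 1,
    Initiator flag set, first payload Encrypted (46)."""
    body = b"\x00" * 120               # encrypted payload elided
    msg = build_ike_message(SPI_I, SPI_R, 46, 35, FLAG_INITIATOR, 1, body)
    return NON_ESP_MARKER + msg, 4500


if __name__ == "__main__":
    for sample in (sample_sa_init_response, sample_ike_auth_request):
        print(decode_ike_header(*sample()))
```

Feeding a real capture in is a matter of passing the UDP payload and destination port from a pcap; the port check matters because on 4500 an ESP packet and an IKE packet look alike until the first four bytes are inspected.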
Re: [strongSwan] Nokia E-Series vpn client (JFYI)
Hi Andreas,

I've tried through WLAN+DSL and UMTS, so a firewall may not be the problem. In the Openswan tests I saw packets to 4500 too, but ModeCfg didn't work. Any hints on how to configure the Nokia?

Regards,
Dimitrij

Andreas Steffen wrote:
> Hi Dimitrij,
>
> in the presence of a NAT situation the client switches to UDP port 4500 starting with the IKE_AUTH request. Since this request is never received by the strongSwan gateway, could it be that some firewall is blocking UDP port 4500?
>
> Best regards
>
> Andreas
>
> Dimitrij Hilt wrote:
>> Hi Andreas,
>>
>> ipsec.conf:
>>
>> gw-ipsec-mobile-eue:~# cat /etc/ipsec.conf
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>         crlcheckinterval=180
>>         strictcrlpolicy=no
>>         charonstart=yes
>>         plutostart=no
>>
>> # Add connections here.
>>
>> # Sample VPN connections
>>
>> conn %default
>>         ikelifetime=60m
>>         keylife=20m
>>         rekeymargin=3m
>>         keyingtries=1
>>
>> conn MOBILE
>>         left=MY_EXTERNAL_IP
>>         leftcert=gw-ipsec-mobile.pem
>>         right=%any
>>         rightsourceip=10.1.2.2
>>         rightsubnet=10.1.2.2/32
>>         keyexchange=ikev2
>>         auto=add
>>
>> #include /etc/ipsec.d/examples/no_oe.conf
>>
>> Logfile:
>>
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[DMN] starting charon (strongSwan Version 4.2.4)
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] listening on interfaces:
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] eth0
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] 10.1.0.14
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] 10.1.2.1
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] MY_EXTERNAL_IP
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] fe80::216:3eff:fe01:e
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/ca.pem'
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/gw-ipsec-mobile.key'
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[JOB] spawning 16 worker threads
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] received stroke: add connection 'MOBILE'
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[LIB] loaded certificate file '/etc/ipsec.d/certs/gw-ipsec-mobile.pem'
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] peerid 87.106.225.59 not confirmed by certificate, defaulting to subject DN
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] added configuration 'MOBILE': MY_EXTERNAL_IP[C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=FHE3 GmbH, OU=Systemadministration, CN=gw-ipsec-mobile.fhe3.net, e=notdie...@fhe3.com]...0.0.0.0[%any]
>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] adding virtual IP address pool 'MOBILE': 10.1.2.2/32
>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[NET] received packet: from 93.192.185.142[61076] to MY_EXTERNAL_IP[500]
>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[AUD] 93.192.185.142 is initiating an IKE_SA
>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] IKE_SA '(unnamed)' state change: CREATED => CONNECTING
>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] remote host is behind NAT
>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] sending cert request for C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=FHE3 GmbH, OU=Systemadministration, CN=FHE3 GmbH CA, e...@fhe3.com
>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[NET] sending packet: from MY_EXTERNAL_IP[500] to 93.192.185.142[61076]
>> Feb 22 18:59:40 gw-ipsec-mobile-eue charon: 10[JOB] deleting half open IKE_SA after timeout
>>
>> The Nokia policy was created by a new tool as IKEv2. I've tried to create the policy with and without advanced settings, but nothing works for me. How did you create a policy in your tests?
>>
>> Regards,
>> Dimitrij
>>
>> Andreas Steffen wrote:
>>> Hi Dimitrij,
>>>
>>> in order to help you we'd need your strongSwan ipsec.conf and a detailed log file.
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> Dimitrij Hilt wrote:
>>>> Hi,
>>>>
>>>> do you have more information about strongSwan and Nokia configuration? I've tried the Nokia E71 with Openswan, cert and PSK, then the Nokia E71 with strongSwan
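Andreas's diagnosis is read straight off the charon log quoted above: the IKE_SA_INIT request arrives on UDP 500 with NAT-D payloads, charon decides "remote host is behind NAT" and answers, and thirty seconds later (18:59:10 to 18:59:40) the half-open IKE_SA is reaped because no IKE_AUTH ever came in. The script below is an added example, not strongSwan code and not something posted in the thread; it replays a charon 4.2.x log and produces that verdict per peer, and contrasts it with a constructed continuation in which the IKE_AUTH does arrive on UDP 4500. Lines are attributed to a peer through charon's worker-thread number, and the timeout line, which names no peer, is assigned to the oldest peer still waiting for IKE_AUTH (a heuristic that is exact here because only one peer is half-open). The IKE_AUTH payload list in LOG_WORKING is illustrative.

```python
import re
from collections import OrderedDict

# charon log line as in strongSwan 4.2.x: "<Mon DD HH:MM:SS> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thr>\d+)\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$")
RECV_RE = re.compile(r"received packet: from (?P<ip>[\d.]+)\[(?P<port>\d+)\] to \S+\[(?P<lport>\d+)\]")
SENT_RE = re.compile(r"sending packet: from \S+\[\d+\] to (?P<ip>[\d.]+)\[\d+\]")
PARSED_RE = re.compile(r"parsed (?P<exch>[A-Z_]+) request (?P<mid>\d+)")
NAT_MSG = "remote host is behind NAT"
TIMEOUT_MSG = "deleting half open IKE_SA after timeout"


def new_state():
    return {"nat": False, "pending": None, "sa_init_answered": False,
            "src_port": None, "auth_port": None, "timed_out": False}


def triage(log_text):
    """Replay the log and return {peer_ip: verdict dict}."""
    peers = OrderedDict()   # peer IP -> state, in order of first appearance
    by_thread = {}          # worker thread number -> peer IP it is currently handling
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        thr, msg = m["thr"], m["msg"]
        if (r := RECV_RE.search(msg)):
            st = peers.setdefault(r["ip"], new_state())
            st["src_port"] = int(r["port"])        # port the peer (or its NAT) sent from
            by_thread[thr] = r["ip"]
        elif (s := SENT_RE.search(msg)) and s["ip"] in peers:
            if peers[s["ip"]]["pending"] == "IKE_SA_INIT":
                peers[s["ip"]]["sa_init_answered"] = True
        elif TIMEOUT_MSG in msg:
            # No peer in this line: charge it to the oldest peer still waiting for IKE_AUTH.
            for st in peers.values():
                if st["sa_init_answered"] and st["auth_port"] is None and not st["timed_out"]:
                    st["timed_out"] = True
                    break
        elif thr in by_thread:
            st = peers[by_thread[thr]]
            if (p := PARSED_RE.search(msg)):
                st["pending"] = p["exch"]
                if p["exch"] == "IKE_AUTH":
                    st["auth_port"] = st["src_port"]
            elif NAT_MSG in msg:
                st["nat"] = True
    return {ip: verdict(st) for ip, st in peers.items()}


def verdict(st):
    if st["auth_port"] is not None:
        code = "ike_auth_received"
        note = "IKE_AUTH arrived on UDP %d; the peer got past IKE_SA_INIT" % st["auth_port"]
    elif st["sa_init_answered"] and st["nat"]:
        code = "no_ike_auth_nat"
        note = ("IKE_SA_INIT answered and the peer is behind NAT, but no IKE_AUTH ever arrived: "
                "the peer must continue on UDP 4500, so check that path first; if it is open, "
                "the client failed locally without sending a notify")
    elif st["sa_init_answered"]:
        code = "no_ike_auth"
        note = "IKE_SA_INIT answered, no NAT detected, but no IKE_AUTH ever arrived on UDP 500"
    else:
        code = "no_response"
        note = "IKE_SA_INIT request seen but no response was sent"
    return {"verdict": code, "nat": st["nat"], "auth_port": st["auth_port"],
            "timed_out": st["timed_out"], "note": note}


# Lines taken from the log in the thread (the gateway address is masked there as MY_EXTERNAL_IP).
LOG_FAILING = """\
Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[NET] received packet: from 93.192.185.142[61076] to MY_EXTERNAL_IP[500]
Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[AUD] 93.192.185.142 is initiating an IKE_SA
Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] IKE_SA '(unnamed)' state change: CREATED => CONNECTING
Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] remote host is behind NAT
Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[NET] sending packet: from MY_EXTERNAL_IP[500] to 93.192.185.142[61076]
Feb 22 18:59:40 gw-ipsec-mobile-eue charon: 10[JOB] deleting half open IKE_SA after timeout
"""

# Constructed continuation: the same start, but the client's IKE_AUTH reaches the gateway on UDP 4500.
LOG_WORKING = LOG_FAILING.replace(
    "Feb 22 18:59:40 gw-ipsec-mobile-eue charon: 10[JOB] deleting half open IKE_SA after timeout\n",
    "Feb 22 18:59:11 gw-ipsec-mobile-eue charon: 11[NET] received packet: from 93.192.185.142[4500] to MY_EXTERNAL_IP[4500]\n"
    "Feb 22 18:59:11 gw-ipsec-mobile-eue charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT AUTH CP SA TSi TSr ]\n")

if __name__ == "__main__":
    for name, log in (("failing", LOG_FAILING), ("working", LOG_WORKING)):
        for ip, v in triage(log).items():
            print("%s: %s -> %s: %s" % (name, ip, v["verdict"], v["note"]))
```

The "no_ike_auth_nat" verdict is deliberately two-sided, as Andreas's replies are: a silent stop after an answered IKE_SA_INIT is consistent both with UDP 4500 being dropped somewhere on the path and with the client aborting locally (missing key, no certificate matching the CERTREQ) without sending the notify it should. Only a capture on the client side of the NAT, or a test from a network known to pass UDP 4500, separates the two.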