Re: [strongSwan] Nokia E-Series vpn client (JFYI)
Hi,

For me the NAT traversal between the Nokia client and strongSwan has always worked without a problem. And it seems that you have configured the NAT traversal correctly in the phone, because the Nokia client is sending the NAT detection payloads. For me the certificates have sometimes been a bit problematic. So in your case, I would first try to get the connection working with a preshared key and after that try to get the certificates to work.

Btw, which version of the Nokia VPN client are you using? (You can see the exact version from the VPN log in the phone. Before each connection attempt the client writes the version string to the log.)

-Br
Simo

Quoting Dimitrij Hilt dimit...@dhilt.de:

> Hi All,
>
> there seems to be trouble with NAT-T between Nokia and strongSwan. If I make a tunnel between my PC and strongSwan, I get one without any problem. The Nokia E71 on the same access point does not work. And here is the difference in the logfile on the server:
>
> PC:
> Feb 28 16:54:04 gw-ipsec-mobile-eue charon: 10[NET] sending packet: from 87.106.225.59[4500] to 93.192.179.155[61030]
>
> MOBILE:
> Feb 28 16:54:26 gw-ipsec-mobile-eue charon: 12[NET] sending packet: from 87.106.225.59[500] to 93.192.179.155[61032]
>
> I do not (now) understand why strongSwan sends to the PC on port 4500 and to the mobile on port 500. I have old firmware (o2 sucks).
>
> Any ideas? Do you have a .pol file from Nokia?
>
> Regards,
> Dimitrij
>
> Andreas Steffen schrieb:
>> Hi Dimitrij,
>>
>> in the presence of a NAT situation the client switches to UDP port 4500 starting with the IKE_AUTH request. Since this request is never received by the strongSwan gateway, could it be that some firewall is blocking UDP port 4500?
>>
>> Best regards
>> Andreas
>>
>> Dimitrij Hilt wrote:
>>> Hi Andreas,
>>>
>>> ipsec.conf:
>>> [ipsec.conf and charon log snipped; identical to the copy quoted in full elsewhere on this page]
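Dimitrij's comparison of the two "sending packet" ports is the manual form of a check that can be scripted. This is an added example (not code from the thread or from strongSwan): it walks charon NET/ENC/IKE/JOB lines for one connection attempt, records whether NAT was detected, whether an IKE_AUTH request ever arrived and on which local port, and reports whether the half-open timeout looks like a blocked UDP 4500 path. The failing lines are abridged from the gateway log quoted in this thread; the healthy continuation and its IKE_AUTH payload list are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# charon log prefix: "<thread>[<group>] <message>"
LINE_RE = re.compile(r"charon: \d+\[(?P<grp>\w+)\] (?P<msg>.*)$")
PKT_RE = re.compile(r"(?P<dir>received|sending) packet: from \S+\[(?P<sport>\d+)\] to \S+\[(?P<dport>\d+)\]")

@dataclass
class IkeTrace:
    natd_in_init: bool = False                # peer sent N(NATD_S_IP) N(NATD_D_IP)
    peer_behind_nat: bool = False             # charon logged "remote host is behind NAT"
    init_response_port: Optional[int] = None  # local port the IKE_SA_INIT response left from
    ike_auth_seen: bool = False               # an IKE_AUTH request was parsed
    ike_auth_port: Optional[int] = None       # local port that IKE_AUTH arrived on
    half_open_timeout: bool = False           # "deleting half open IKE_SA after timeout"
    last_rx_port: Optional[int] = None        # bookkeeping: local port of the last received packet

def parse_trace(lines):
    """Collect the facts above from charon log lines of one connection attempt."""
    t = IkeTrace()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        grp, msg = m.group("grp"), m.group("msg")
        pkt = PKT_RE.match(msg)
        if grp == "NET" and pkt:
            if pkt["dir"] == "received":
                t.last_rx_port = int(pkt["dport"])
            elif t.init_response_port is None:
                t.init_response_port = int(pkt["sport"])
        elif grp == "ENC" and msg.startswith("parsed IKE_SA_INIT request"):
            t.natd_in_init = "N(NATD_S_IP)" in msg and "N(NATD_D_IP)" in msg
        elif grp == "ENC" and msg.startswith("parsed IKE_AUTH request"):
            t.ike_auth_seen, t.ike_auth_port = True, t.last_rx_port
        elif grp == "IKE" and "remote host is behind NAT" in msg:
            t.peer_behind_nat = True
        elif grp == "JOB" and "deleting half open IKE_SA" in msg:
            t.half_open_timeout = True
    return t

def diagnose(t: IkeTrace) -> str:
    """Turn the collected facts into the conclusion the thread reaches by hand."""
    if t.ike_auth_seen:
        return f"IKE_AUTH received on UDP {t.ike_auth_port}; negotiation reached authentication"
    if t.half_open_timeout and t.peer_behind_nat:
        return ("NAT detected in IKE_SA_INIT but IKE_AUTH never arrived: "
                "the peer should have switched to UDP 4500, check that path")
    if t.half_open_timeout:
        return "IKE_AUTH never arrived and no NAT was detected: check the UDP 500 path"
    return "no conclusive failure in this trace"

# Abridged from the gateway log quoted in this thread (the failing attempt).
FAILING_TRACE = """\
Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[NET] received packet: from 93.192.185.142[61076] to MY_EXTERNAL_IP[500]
Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] remote host is behind NAT
Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[NET] sending packet: from MY_EXTERNAL_IP[500] to 93.192.185.142[61076]
Feb 22 18:59:40 gw-ipsec-mobile-eue charon: 10[JOB] deleting half open IKE_SA after timeout
""".splitlines()

# Constructed healthy continuation: the same peer comes back on UDP 4500 with IKE_AUTH.
HEALTHY_TRACE = FAILING_TRACE[:4] + [
    "Feb 22 18:59:11 gw-ipsec-mobile-eue charon: 11[NET] received packet: from 93.192.185.142[61077] to MY_EXTERNAL_IP[4500]",
    "Feb 22 18:59:11 gw-ipsec-mobile-eue charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT AUTH SA TSi TSr ]",
]

if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("healthy", HEALTHY_TRACE)):
        print(f"{name}: {diagnose(parse_trace(trace))}")
```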
Re: [strongSwan] Nokia E-Series vpn client (JFYI)
Hi All,

it may be a bug in the Nokia VPN with IKEv2. I've tested with the strongSwan client on Linux from the same DSL account and it works out of the box.

Nokia does not answer this packet:

01:53:11.565493 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto UDP (17), length 405) 87.106.225.59.500 > 82.113.121.1.41: isakmp 2.0 msgid cookie -: phase 1 R #34[]: [|#33]

I will try with IKEv1 on the weekend.

Regards,
Dimitrij

Andreas Steffen schrieb:
> BTW - ModeCfg is IKEv1 but you are currently running on IKEv2.
>
> If UDP port 4500 is open then the Nokia client
> - might not be able to find its private key or
> - a certificate from the CA matching the certificate request
>   C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=FHE3 GmbH, OU=Systemadministration, CN=FHE3 GmbH CA, e...@fhe3.com
>   is not found.
>
> In any error case the Nokia client should send an error notification back, which does not happen. This is why I thought about a blocked UDP 4500 port in the first place.
>
> Regards
> Andreas
>
> Dimitrij Hilt wrote:
>> Hi Andreas,
>>
>> I've tried through WLAN+DSL and UMTS, so the firewall may not be the problem. In Openswan tests I saw packets to 4500 too, but ModeCfg didn't work. Any hints how to configure the Nokia?
>>
>> Regards,
>> Dimitrij
>>
>> Andreas Steffen schrieb:
>>> Hi Dimitrij,
>>>
>>> in the presence of a NAT situation the client switches to UDP port 4500 starting with the IKE_AUTH request. Since this request is never received by the strongSwan gateway, could it be that some firewall is blocking UDP port 4500?
>>>
>>> Best regards
>>> Andreas
>>>
>>> Dimitrij Hilt wrote:
>>>> Hi Andreas,
>>>>
>>>> ipsec.conf:
>>>> [ipsec.conf and charon log snipped; identical to the copy quoted in full elsewhere on this page]
Re: [strongSwan] Nokia E-Series vpn client (JFYI)
Hi Dimitrij,

in the presence of a NAT situation the client switches to UDP port 4500 starting with the IKE_AUTH request. Since this request is never received by the strongSwan gateway, could it be that some firewall is blocking UDP port 4500?

Best regards
Andreas

Dimitrij Hilt wrote:
> Hi Andreas,
>
> ipsec.conf:
>
> gw-ipsec-mobile-eue:~# cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         crlcheckinterval=180
>         strictcrlpolicy=no
>         charonstart=yes
>         plutostart=no
>
> # Add connections here.
>
> # Sample VPN connections
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>
> conn MOBILE
>         left=MY_EXTERNAL_IP
>         leftcert=gw-ipsec-mobile.pem
>         right=%any
>         rightsourceip=10.1.2.2
>         rightsubnet=10.1.2.2/32
>         keyexchange=ikev2
>         auto=add
>
> #include /etc/ipsec.d/examples/no_oe.conf
>
> Logfile:
>
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[DMN] starting charon (strongSwan Version 4.2.4)
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] listening on interfaces:
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] eth0
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] 10.1.0.14
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] 10.1.2.1
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] MY_EXTERNAL_IP
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] fe80::216:3eff:fe01:e
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/ca.pem'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/gw-ipsec-mobile.key'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[JOB] spawning 16 worker threads
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] received stroke: add connection 'MOBILE'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[LIB] loaded certificate file '/etc/ipsec.d/certs/gw-ipsec-mobile.pem'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] peerid 87.106.225.59 not confirmed by certificate, defaulting to subject DN
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] added configuration 'MOBILE': MY_EXTERNAL_IP[C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=FHE3 GmbH, OU=Systemadministration, CN=gw-ipsec-mobile.fhe3.net, e=notdie...@fhe3.com]...0.0.0.0[%any]
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] adding virtual IP address pool 'MOBILE': 10.1.2.2/32
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[NET] received packet: from 93.192.185.142[61076] to MY_EXTERNAL_IP[500]
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[AUD] 93.192.185.142 is initiating an IKE_SA
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] IKE_SA '(unnamed)' state change: CREATED => CONNECTING
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] remote host is behind NAT
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] sending cert request for C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=FHE3 GmbH, OU=Systemadministration, CN=FHE3 GmbH CA, e...@fhe3.com
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[NET] sending packet: from MY_EXTERNAL_IP[500] to 93.192.185.142[61076]
> Feb 22 18:59:40 gw-ipsec-mobile-eue charon: 10[JOB] deleting half open IKE_SA after timeout
>
> The Nokia policy was created by the new tool as IKEv2. I've tried to create the policy with and without advanced settings, but nothing works for me. How did you create a policy in your tests?
>
> Regards,
> Dimitrij
>
> Andreas Steffen schrieb:
>> Hi Dimitrij,
>>
>> in order to help you we'd need your strongSwan ipsec.conf and a detailed log file.
>>
>> Regards
>> Andreas
>>
>> Dimitrij Hilt wrote:
>>> Hi,
>>>
>>> do you have more information about strongSwan and Nokia configuration? I've tried the Nokia E71 with Openswan, cert and PSK, then the Nokia E71 with strongSwan, but nothing will work together.
>>>
>>> Dimitrij

==
Andreas Steffen                           andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!
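The NAT detection that precedes the port switch Andreas describes, as an added worked example (not code from the thread or from strongSwan): per RFC 4306/7296 section 2.23, each NAT_DETECTION_*_IP notify carries SHA-1(SPIi || SPIr || IP || port) as the sender saw its own packet. The responder recomputes the source digest over the address and port it actually received from; a mismatch is what charon logs as "remote host is behind NAT", after which IKE_AUTH is expected on UDP 4500. The gateway address and the phone's translated address/port are taken from the thread's log; the initiator SPI and the phone's private address are constructed.

```python
import hashlib
import ipaddress
import struct

# RFC 4306/7296 section 2.23: NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP
# carry SHA-1 over the IKE SPIs (as they appear in the header), the IP address and the
# UDP port.  In an IKE_SA_INIT request the responder SPI is still zero.

def natd_hash(spi_i: int, spi_r: int, ip: str, port: int) -> bytes:
    """NAT-D digest for one address/port pair."""
    data = struct.pack("!QQ", spi_i, spi_r)       # two 8-byte SPIs, network order
    data += ipaddress.ip_address(ip).packed        # 4 bytes for IPv4, 16 for IPv6
    data += struct.pack("!H", port)                # 2-byte UDP port
    return hashlib.sha1(data).digest()

def build_natd_payloads(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port):
    """What the initiator puts into N(NATD_S_IP) and N(NATD_D_IP), using the
    addresses it believes it is sending from and to."""
    return {
        "NATD_S_IP": natd_hash(spi_i, spi_r, src_ip, src_port),
        "NATD_D_IP": natd_hash(spi_i, spi_r, dst_ip, dst_port),
    }

def detect_nat(spi_i, spi_r, payloads, seen_src_ip, seen_src_port, my_ip, my_port):
    """Responder-side check: recompute both digests over what was actually observed
    on the wire.  A mismatch means a NAT rewrote that side.
    Returns (peer_behind_nat, self_behind_nat)."""
    peer_nat = payloads["NATD_S_IP"] != natd_hash(spi_i, spi_r, seen_src_ip, seen_src_port)
    self_nat = payloads["NATD_D_IP"] != natd_hash(spi_i, spi_r, my_ip, my_port)
    return peer_nat, self_nat

def ike_port_after_init(peer_nat: bool, self_nat: bool) -> int:
    """After IKE_SA_INIT the peers move to UDP 4500 if any NAT was detected;
    otherwise IKE_AUTH stays on UDP 500."""
    return 4500 if (peer_nat or self_nat) else 500

# Constructed scenario matching the gateway log quoted in this thread.
SPI_I = 0x1122334455667788                 # constructed initiator SPI
SPI_R = 0                                  # responder SPI is zero in the IKE_SA_INIT request
GATEWAY = ("87.106.225.59", 500)           # strongSwan gateway, from the thread's log
PHONE_PRIVATE = ("192.168.1.20", 500)      # constructed: the phone's address behind its NAT
PHONE_AS_SEEN = ("93.192.185.142", 61076)  # what the gateway saw, from the thread's log

def run_scenario():
    """Initiator builds the payloads from its private view; responder checks them."""
    payloads = build_natd_payloads(SPI_I, SPI_R, *PHONE_PRIVATE, *GATEWAY)
    peer_nat, self_nat = detect_nat(SPI_I, SPI_R, payloads, *PHONE_AS_SEEN, *GATEWAY)
    return peer_nat, self_nat, ike_port_after_init(peer_nat, self_nat)

if __name__ == "__main__":
    peer, me, port = run_scenario()
    print(f"remote host is behind NAT: {peer}; local host is behind NAT: {me}")
    print(f"IKE_AUTH expected on UDP port {port}")
```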
Re: [strongSwan] Nokia E-Series vpn client (JFYI)
Hi Andreas,

I've tried through WLAN+DSL and UMTS, so the firewall may not be the problem. In Openswan tests I saw packets to 4500 too, but ModeCfg didn't work. Any hints how to configure the Nokia?

Regards,
Dimitrij

Andreas Steffen schrieb:
> Hi Dimitrij,
>
> in the presence of a NAT situation the client switches to UDP port 4500 starting with the IKE_AUTH request. Since this request is never received by the strongSwan gateway, could it be that some firewall is blocking UDP port 4500?
>
> Best regards
> Andreas
>
> Dimitrij Hilt wrote:
>> Hi Andreas,
>>
>> ipsec.conf:
>> [ipsec.conf, charon log and the rest of the quoted thread snipped; identical to the copy quoted in full elsewhere on this page]
Re: [strongSwan] Nokia E-Series vpn client (JFYI)
Hi,

I have also been able to use the Nokia E71 with strongSwan. I managed to get both the PSK and certificate authentication to work. It seems that you can check the status of the certificates and the private key by looking at the policy details in the config UI: Menu -> Tools -> Settings -> Connection -> VPN -> VPN Policies: select your policy and then Details from the options menu. Certificate status should state simply OK.

The phone's VPN log may contain just some magic error codes. I found that the error codes are documented in an error specification document, which is available at: http://www.businesssoftware.nokia.com/mobile_vpn_downloads.php. Btw, be sure to use the client for S60 3rd Edition Feature Pack 1.

If these do not help, maybe you could also send the phone-side policy to this mailing list. (The Nokia policy tool generates policy files with the .vpn extension, but the file is just a zipped bundle of text files and certs. The .pol file inside the .vpn is the relevant one.)

Br
Simo

Quoting Andreas Steffen andreas.stef...@strongswan.org:

> BTW - ModeCfg is IKEv1 but you are currently running on IKEv2.
>
> If UDP port 4500 is open then the Nokia client
> - might not be able to find its private key or
> - a certificate from the CA matching the certificate request
>   C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=FHE3 GmbH, OU=Systemadministration, CN=FHE3 GmbH CA, e...@fhe3.com
>   is not found.
>
> In any error case the Nokia client should send an error notification back, which does not happen. This is why I thought about a blocked UDP 4500 port in the first place.
>
> Regards
> Andreas
>
> Dimitrij Hilt wrote:
>> Hi Andreas,
>>
>> I've tried through WLAN+DSL and UMTS, so the firewall may not be the problem. In Openswan tests I saw packets to 4500 too, but ModeCfg didn't work. Any hints how to configure the Nokia?
>>
>> Regards,
>> Dimitrij
>>
>> Andreas Steffen schrieb:
>>> Hi Dimitrij,
>>>
>>> in the presence of a NAT situation the client switches to UDP port 4500 starting with the IKE_AUTH request. Since this request is never received by the strongSwan gateway, could it be that some firewall is blocking UDP port 4500?
>>>
>>> Best regards
>>> Andreas
>>>
>>> Dimitrij Hilt wrote:
>>>> Hi Andreas,
>>>>
>>>> ipsec.conf:
>>>> [ipsec.conf and charon log snipped; identical to the copy quoted in full elsewhere on this page]